What is social engineering? Free Guide to stay secure in 2024
What is social engineering?
We define social engineering as involving clever manipulation of the natural human tendencies of trust in order to obtain information to help facilitate fraud, network intrusion, industrial espionage, identity theft, or network/system disruption. I also like the
definition from Bruce Schneider: Amateurs Hack Systems, Professional hack People. To gain the trust of the people social engineers trick their victims with different tactics such as:
- Pretending to be someone important
- Appearing to be just like you
- Trying to convince you to share confidential information
Staying safe from social engineering attacks
Although social engineering attacks can seem terrifying, as explained throughout the book, the effects of these attacks can be significantly mitigated if appropriate measures are taken.
The following are the different measures which can help You to mitigate social-engineering attacks.
People
- Establish a targeted security-awareness program that is interesting and interactive
- Create awareness posters, and make them visible within the company to help employees understand how the company is addressing Social Engineering
- Educate employees to be sceptical and on what to be on the lookout for in regard to common phishing and spear phishing schemes
- Leverage the help of technology, and use advanced spam filtering such
- Ensure employees do the following:
Monitor their online accounts regularly Ensure they do their sensitive transaction online only on websites that use secure protocol such as HTTPS “ https://www.erdalozkaya.com“ - Ensure they are aware of phone phishing, and train them not to share personal information over the phone or even in public places
- Ensure they are aware of the dangers of sharing sensitive information on social media web sites
- Beware of links to web forms that request personal information:
- Ensure they limit the amount of information they share in social media.
Use some simulations such as: http:/ / pleaserobme. com, where users can check if they are sharing their locations publicly: - Ensure they are aware of the fact that the internet is public, and make sure they know if something is online, it will most probably stay online even after you delete it. Please refer to the following link at https:/ / archive. org/
- Educate them on third-party applications, in that they can give the application access to connect to their social media websites and they can post on behalf of the employee
- Educate employees that they should not:
– Open emails that look suspicious
– Open attachments in emails of unknown origin
– Pay a ransom
Process
- Schedule random penetration testing which has social engineering in the scope
- Identify your critical data and ensure an external assessment is done to verify your internal test results
- Ensure the executive level is aware of the results
- Conduct periodic cybersecurity assessments
- Establish a framework and program for highly trusted or privileged employees.
- Establish a least-privileges policy, and ensure employees has access only to what they need and not more
- Perform regular backups, and utilize cloud power such as Microsoft Azure
- Follow ISO 27001 or similar regulations to secure your information security management systems
- Perform enhanced background screening at regular intervals
Technology
- Identity and access management, such as Microsoft MIM
- Security incident and event management system
- Non-signature-based malware technology such as Xcitium
- Application whitelisting such as App Locker or Device Guard in Windows 11
- Use a SIEM to correlate your logs
- Use reputable antivirus software
- Use an effective IDS/IPS solution that can help detect known attacks, and how far they managed to get into the network by signature, behavior, and community knowledge
- Keep your software up to date
- Use multi-factor authentication
According to new research, 35% of enterprises reported an increase in cyberattacks this year, and social engineering tops the list of most frequent cyberattacks, which surpass the Advanced Persistent threat (APT) and Ransomware attacks (State of Cybersecurity 2021,
Part 2: Threat Landscape, Security Operations, and Cybersecurity Maturity, 2021). Therefore, it becomes imperative to study social engineering techniques and spread awareness about them.
With the development of new technologies, social engineering attacks keep changing; however, the fundamental principles of influence remain the same. In this paper, the study of principles of influence will be done to compare the methodology between two reputed books: “Social Engineering: The Science of Human Hacking,” 2nd Edition by Christopher Hadnagy, and “Learn Social Engineering” by Dr. Erdal Ozkaya.
Christopher and Erdal are renowned authors in the domain of information security. Christopher is the founder and CEO of Social-Engineer LLC, created the world’s first social engineering framework, and currently hosts a podcast based on social engineering. He is a well-known author who has written five books on social engineering (Social-Engineer, LLC, 2021).
On the other hand, Dr. Erdal is an award-winning author, speaker, and cybersecurity advisor who has received 8 MVP (Most Valuable Professional) awards from Microsoft. He is an active participant in major conferences related to Information Security (Microsoft MVP Award, n.d.).
Christopher credits his social engineering literacy to Dr. Robert Cialdini’s book “Influence: The Psychology of Persuasion” (William Morrow and Co., 1984). Robert presented six principles of influence: Reciprocity, Commitment/consistency, social proof, Authority, Liking, and Scarcity. However, Christopher broke these six ideas down into eight principles:
Principle One: Reciprocity, Principle Two: Obligation, Principle Three: Concession, Principle Four: Scarcity, Principle Five: Authority, Principle Six: Consistency and Commitment, Principle Seven: Liking and Principle Eight:
Social Proof in his book “Social Engineering: The Science of Human Hacking”, 2nd edition. The book is a best seller on Amazon.ca and ranked #9 in the Computer Security category (Social Engineering: The Science of Human Hacking: Hadnagy, Christopher: 9781119433385: Books – Amazon.Ca, 2018).
Dr. Erdal has discussed Influence and Persuasion briefly in his book “Learn Social Engineering.” He considers persuasion a critical aspect of social engineering. Influence and persuasion are techniques to persuade individuals and organizations to act or think in a certain way.
In one of the book’s chapters, “Influence tactics,” he defined the techniques used to influence people, which are Reciprocity, Obligation, Concession, Scarcity, Authority (Legal authority, Organizational authority, Social authority), Consistency and Commitment, Liking, and Social Proof (Ozkaya, 2018).
The book is a best seller on Amazon.com and ranks #390 in Computer Network Security (Learn Social Engineering: Learn the Art of Human Hacking with an Internationally Renowned Expert: Ozkaya, Dr. Erdal: 9781788837927: Amazon.Com: Books, 2018).
According to Chris, the first principle of influence is Reciprocity which aims to build rapport. When we genuinely give something to others, they tend to return a favor by doing something similar or more valuable.
Dr. Erdal illustrated a similar definition in his book. He explained the human psychology of giving and taking. Showing gratitude is an example of Reciprocity used by various politicians, employers, and even pharmaceutical companies where they provide free stuff initially to gain more gain and trust from the people.
Christopher explained how social engineers use the principle of obligation by influencing social events to make a target feel obligated to perform in a certain way. For instance: not holding the door for a lady or someone carrying boxes or other luggage is considered impolite, and social engineers take advantage of this habit.
Dr. Erdal describes obligation as a circumstance in which a target feels compelled to perform based on moral, legal, contractual, duty, or religious obligations. This method is used against a customer service representative who is obligated to assist consumers in any way possible.
Christopher defined the third principle of influence as the principle of concession in which he shared an example in his book, how a caller convinced him to donate charity for stray dogs. The caller knew that the author loves animals, hence requesting $250, which the author declined due to the hefty figure. Later caller asked him to pay $25, which he conceded to get money.
According to Dr. Erdal, Concession is an acknowledgment or acceptance used in the same way as reciprocation is. The difference between reciprocation and concession is that the target makes the initial request in concession. He further explained that humans are conditioned to repay a favor anytime someone does something nice for them.
Scarcity can be used to time, knowledge, or even goods you are giving away in an attempt as a social engineer. Scarcity will increase the perceived worth of what you have and persuade the target to make decisions based on that value. This is known as the Principle of Scarcity, according to Christopher.
Dr. Erdal described that scarcity is produced when items and opportunities are difficult to come by and become more appealing. Scarcity is likely the marketing team’s most regularly used tool. Keywords like “limited deal,” “1-day sale,” and “clearance sale” are frequently used to emphasize the products’ availability. Social engineers send scarcity-themed emails to their intended recipients to persuade people to click on the link as soon as they see it.
The fifth principle of influence: Authority, according to Christopher, is when someone in a position of power and authority makes a statement, it is taken more seriously by others. This trait manipulates the target who is convinced to obey the commands.
As per Dr. Erdal, the principle of authority is the power principle of influence where people follow the orders of individuals they think to be in a position of power over them. As Lawyers show respect for the judge and jury in court, Employees in organizations follow the orders of their superiors. Similarly, the police are respected by the public on the streets.
When you show authority to an individual or group of people via emails or fake websites, they are likely to get trapped in it.
The sixth principle of influence is Consistency and Commitment. As per Christopher, Consistency is a sign of confidence and strength, and People want their values to align with their views. Humans have a strong need to be perceived as constant, according to the principle of commitment. As a result, once we have made a public promise to something or someone, we are considerably more likely to follow through on it.
At the same time, Dr. Erdal said that Consistency is a highly desired principle of a human attribute in which people prefer to behave in the same way they did before in the same situation. Because it does not have to reprocess information when performing a task, the human brain prefers Consistency. Commitment and constancy will bind them to a terrible route where they will be forced to accept more significant responsibilities.
Christopher talks about the seventh principle of influence: Liking. He explained that people like other people who are like them. People enjoy being around those who share their interests as skilled social engineers; like is a powerful principle that can practically and symbolically open many doors for you.
A similar opinion is shared by Dr. Erdal, explaining that most people enjoy being liked, and they reciprocate by selecting those who like them. Salespeople understand that a buyer is more likely to buy from someone they like.
They know that if they show a customer’s liking, the buyer will also like them, resulting in a favorable sales environment. To gain the target’s trust, social engineer agreeably portrays themselves and try to like them.
Finally, for the eighth principle: social proof, Christopher said that people often do not want to be the first to do something. However, he discovered that employing social proof can help people decide actions they are not sure about. On the other hand, an interesting example is shared by Dr. Erdal for this principle: A group of people was advised to look up at the sky in the middle of the city in one experiment.
The end outcome was a success. Others began staring blankly into space, curious as to what was being observed. People who saw others doing this did the same, causing significant traffic jams as people stood in the middle of the road staring at the sky, while others watched from their cars. This was a demonstration of the strength of social proof.
The paper concludes that the principle of influence is a powerful tool to perform social engineering attacks. Both authors explain the fundamentals of principles differently; however, the concept of these principles is the same. The new techniques can be invented with new technologies and strategies; however, the fundamentals will remain the same.
The attacks are made on humans, and humans are considered the “weakest link” in Information Security. Thus, it becomes essential to spread awareness about it among people to minimize the impact. These principles are so powerful and can be used in any other situation of life to influence people. It can be used by politicians, employers, pharmaceuticals, armed forces, police officers, etc.
Learn Social Engineering
Improve information security by Learn Social Engineering.
Key Features
- Learn to implement information security using social engineering
- Get hands-on experience of using different tools such as Kali Linux, the Social Engineering toolkit and so on
- Practical approach towards learning social engineering, for IT security
Book Description
This book will provide you with a holistic understanding of social engineering. It will help you to avoid and combat social engineering attacks by giving you a detailed insight into how a social engineer operates.
Learn Social Engineering starts by giving you a grounding in the different types of social engineering attacks, and the damages they cause. It then sets up the lab environment to use different tools and then perform social engineering steps such as information gathering. The book covers topics from baiting, phishing, and spear phishing, to pretexting and scareware.
By the end of the book, you will be in a position to protect yourself and
your systems from social engineering threats and attacks.
All in all, the book covers social engineering from A to Z , along with excerpts from many world wide known security experts.
What you will learn
- Learn to implement information security using social engineering
- Learn social engineering for IT security
- Understand the role of social media in social engineering
- Get acquainted with Practical Human hacking skills
- Learn to think like a social engineer
- Learn to beat a social engineer
Who this book is for
This book targets security professionals, security analysts, penetration testers, or any stakeholder working with information security who wants to learn how to use social engineering techniques. Prior knowledge of Kali Linux is an added advantage
Table of Contents
- Introduction to social engineering
- The psychology of social engineering (mind tricks used)
- Fundamentals of influence and persuasion
- Information gathering
- Targeting and Recon
- Elicitation
- Pretexting
- The tools used in social engineering
- Prevention and mitigation
- Case studies of social engineering
- Ask the Experts- Part 1
- Ask the Experts – Part 2
- Ask the Experts – Part 3
- Ask the Experts- Part 4
Awards of the book
Get it from Amazon here
prevent social engineering attacks phishing – social engineering definition examples – social engineering attack techniques – phishing pretexting baiting quid pro – What is social engineering in simple terms? What are examples of social engineering?
How social engineering attacks happen? What is the idea of social engineering? Staying safe from social engineering attacks – Free Guide to stay secure in 2024 – What is social engineering? Free Guide to stay secure in 2024 – protect against social engineering – What is social engineering in simple terms? What are examples of social engineering? How social engineering attacks happen?What is the idea of social engineering?
About Author
