In an ever more interconnected and digital world, social engineering has arisen as a formidable menace to both individuals and organizations alike. It encompasses the exploitation of human psychology to deceive employees and attain unauthorized access to confidential information.
In the world of penetration testing and red teaming, performed by global corporations to assess security vulnerabilities and establish protective measures, we interviewed Hussein Nasser Eddin, the CEO of Crownox, a leading provider of risk mitigation solutions for Fortune 500 companies and high-net-worth individuals. He emphasized the significance of the human factor in surmounting security obstacles and, by extension, the importance of social engineering penetration testing to uncover these vulnerabilities.
Attackers frequently blend aspects of psychology, trickery, and technology to execute their strategies. According to an IBM study, a staggering 95% of all breaches can be linked to human susceptibility.
The Psychological Pillars of Social Engineering
According to Robert Cialdini, a behavioral psychologist and the author of “Influence: The Psychology of Persuasion,” social engineering extensively utilizes the six Principles of Influence. These fundamental principles include Reciprocity, Consistency, Consensus, Authority, Liking, and Scarcity.
-
Reciprocity
People have a tendency to respond in kind to favors, as they have an aversion to feeling indebted. Upon receiving a gift or favor, people naturally lean towards finding opportunities to give back in return.
-
Consistency
Individuals have a propensity to maintain behavior that aligns with their previous actions, potentially leading from small actions to more substantial ones. When individuals verbally or in writing a pledge to an idea, they are more likely to stick to that commitment due to its harmony with their self-image. This commitment endures even if the initial motivation behind it is removed.
-
Consensus
People tend to emulate actions they witness others engaging in, particularly when they find themselves uncertain about the best initial steps to take. In situations where individuals face ambiguity or uncertainty, observing others who have already taken action provides them with a reference point. This reference point serves as a guideline, helping them navigate unfamiliar terrain. When people witness others making choices or embracing particular behaviors, they perceive it as an indicator of the appropriate response within that context.
-
Authority
People have an inclination to heed the directives of authority figures, even when those directives involve objectionable actions. The concept of authority extends beyond conventional positions of power and extends into a spectrum of roles and symbols that we deem as authoritative. Notably, our determination of who qualifies as an authority figure can be surprisingly broad and nuanced. For instance, specific attire, such as a white coat in a hospital setting, can wield considerable influence over our perception of authority. In this scenario, individuals adorned in medical attire are often accorded heightened respect and trust in their judgments, highlighting the impact of visual cues on our compliance with authority.
-
Liking
The principle of liking underscores the powerful sway that individuals we hold in high regard have over our decisions and actions. According to the science of persuasion, there are three key factors contributing to liking: similarity, compliments, and cooperation. These elements shed light on why individuals are drawn to those who resemble them, appreciate their qualities, and collaborate with them.
-
Scarcity
The perception of limited availability can ignite a heightened demand for a particular item or experience. The concept of scarcity capitalizes on the innate human inclination to place a premium on things that appear to be rare, exclusive, or not easily attainable. When individuals believe that an item or opportunity is scarce, it triggers a sense of urgency and an amplified desire to possess it.
Social engineering penetration testing stands out as a highly effective method that businesses can employ to identify and counteract the risks associated with such attacks. Below are some of the techniques used by Crownox in its pentests:
-
Pretexting
Pretexting takes place when attackers mimic colleagues, police officers, bankers, or other figures of authority, and request victims to furnish personal data, documents, or information. These attackers cultivate trust with their targets by assuming authoritative roles.
-
Tailgating
Tailgating is a method in which an individual without proper authorization gains entry to a secure or restricted area by leveraging the trust and politeness of others. This involves an attacker closely shadowing an authorized person through a controlled entry point, capitalizing on the presumption that the authorized person’s access is valid.
-
Piggybacking
Piggybacking is similar to tailgating, but the critical difference lies in the fact that, in piggybacking, the authorized individual not only recognizes the presence of the other person but also willingly grants permission for them to utilize their credentials. For example, when authorized individuals arrive at the entrance of a facility, someone may approach them, pretending to require assistance, such as claiming they’ve forgotten their access badge or by carrying heavy boxes. In both cases, the authorized individuals may decide to help these individuals gain access to the building.