Catch Me If You Can (DreamWorks Pictures, copyright 2002).

To most organizations, the work that I perform (penetration testing) is voodoo and heresy. When I factor in Social Engineering (SE), their curiosity becomes piqued, and they are almost always left feeling a bit of dread. They’re often shocked and amazed at how easy it is to infiltrate and exfiltrate their organization through lying, cheating, and stealing.

There are many great resources out there to learn about the mechanisms of an effective SE attack, but I’m going to keep things simple and easy to understand. It’s important to note that the best SE attacks are often the simplest. If you overthink the attack, you’re running the risk of botching it.

Humans are Decent and Helpful

Culturally, and as a species, we have evolved over millennia because of our ability to think critically and work together to solve problems. This means our brains are hard-coded with a baseline level of trust that is required for survival. The next time you’re driving your vehicle, consciously wonder why the oncoming car doesn’t veer into your lane unpredictably. Sure, it’s a ludicrous notion, but the important part is the reason why it’s ludicrous.

Humans are Opportunists

This concept, I suspect, will garner the most groaning. Most don’t like to think of themselves as opportunists, but my experiences tell me otherwise. Being an opportunist doesn’t mean you’re a bad person; it just means your brain calculates risk and reward at lightning speed. The trick is exploiting this mechanism to get people to do what they otherwise wouldn’t (or shouldn’t). As an example, I’ve successfully pulled C-level executives out of their office and into a conference room with a promise of little more than cake. Do you know what the difference between a CEO and a mail clerk is?

Humans Hate Anxiety

As with our hard-coded need to trust others, we’re also gifted with the benefit of anxiety. Sure, we’re no longer fleeing sabre-tooth tigers, but our brains haven’t caught up yet. Salespersons love this attack vector. By keeping a potential buyer suspended in a form of anxiety, a sale can be made. In fact, it’s the premise for politics as a whole.

So what do you do?

It would be overly simplistic to suggest user-awareness training alone is the answer, but it is certainly one of the most important cogs. In addition, the type of awareness training is crucial. If your organization tosses together a simple PowerPoint and forces everyone into a 30-minute meeting to go over the same security tropes, the efficacy of that training is reduced. Here are some suggestions for sprucing things up, in a bid to keep your greatest defense (end-users) active and involved:

Attack your own organization. Set up a phishing engagement that includes more than simple emails with boring links. Practice vishing, try to gain unauthorized access to protected areas, and leave thumb drives around with suggestive language that would incentivize someone to plug one in.

Build your security awareness training around your organization. By providing examples of an engagement perpetrated against your company, you’re embedding into the employee psyche examples that are real and meaningful. There’s nothing like phishing your CEO and using his access to send yourself an email.

Generate Metrics. The world loves metrics, but that’s because they’re important. You want to track the success and failure of your social engineering engagements so that trends can be reported and your program updated based on the results.
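To make the metrics step concrete, here is an added example (not code from the original article) that scores a set of constructed engagement results. It goes a little beyond the paragraph: besides success and failure per engagement, it tracks the report rate (how many targets flagged the attempt to security), a report-to-engage ratio that shows whether reporters are starting to outnumber those who fell for it, a per-vector rollup, and a first-to-last trend for any metric. All names, numbers and the Engagement record are assumptions made up for the example.

```python
"""Social engineering engagement metrics (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Engagement:
    """One internal SE engagement. Field names are assumptions for this example."""
    name: str
    vector: str                 # "email", "vishing", "usb-drop", "tailgating", ...
    run_on: date
    targets: int                # people (or entry points) tested
    engaged: int                # clicked, answered, plugged in, held the door
    compromised: int            # gave up credentials or let the tester in
    reported: int               # contacted security about the attempt
    minutes_to_first_report: Optional[float] = None


# Constructed sample results; not real engagement data.
ENGAGEMENTS = [
    Engagement("Q1 payroll lure", "email", date(2023, 1, 15), 200, 68, 31, 9, 95.0),
    Engagement("Q1 helpdesk call", "vishing", date(2023, 2, 10), 40, 22, 12, 3, None),
    Engagement("Q2 bonus spreadsheet", "email", date(2023, 4, 20), 210, 47, 15, 21, 22.0),
    Engagement("Q2 parking-lot drives", "usb-drop", date(2023, 5, 8), 15, 6, 4, 5, 140.0),
    Engagement("Q3 MFA-reset lure", "email", date(2023, 7, 18), 215, 29, 6, 48, 7.5),
]


def metrics(e: Engagement) -> dict:
    """Per-engagement rates, all relative to the number of targets."""
    return {
        "engage_rate": e.engaged / e.targets,
        "compromise_rate": e.compromised / e.targets,
        "report_rate": e.reported / e.targets,
        # Resilience indicator: reporters per engager. Above 1.0 means more
        # people flagged the attempt than fell for it.
        "report_to_engage": e.reported / e.engaged if e.engaged else float("inf"),
    }


def trend(engagements, vector: str, metric: str):
    """Chronological values of one metric for one vector, plus first-to-last change."""
    series = sorted((e for e in engagements if e.vector == vector), key=lambda e: e.run_on)
    values = [(e.name, round(metrics(e)[metric], 3)) for e in series]
    delta = round(values[-1][1] - values[0][1], 3) if len(values) > 1 else 0.0
    return values, delta


def by_vector(engagements) -> dict:
    """Roll engagements up per attack vector so weak spots stand out."""
    totals = defaultdict(lambda: {"targets": 0, "engaged": 0, "compromised": 0, "reported": 0})
    for e in engagements:
        t = totals[e.vector]
        t["targets"] += e.targets
        t["engaged"] += e.engaged
        t["compromised"] += e.compromised
        t["reported"] += e.reported
    return {
        v: {
            "engage_rate": t["engaged"] / t["targets"],
            "compromise_rate": t["compromised"] / t["targets"],
            "report_rate": t["reported"] / t["targets"],
        }
        for v, t in totals.items()
    }


def needs_attention(engagements, max_compromise=0.10, min_report_to_engage=1.0):
    """Vectors whose latest engagement still compromises too many or is under-reported."""
    latest = {}
    for e in sorted(engagements, key=lambda e: e.run_on):
        latest[e.vector] = e          # last write wins: the most recent run per vector
    flagged = []
    for v, e in latest.items():
        m = metrics(e)
        if m["compromise_rate"] > max_compromise or m["report_to_engage"] < min_report_to_engage:
            flagged.append(v)
    return sorted(flagged)


if __name__ == "__main__":
    for e in ENGAGEMENTS:
        print(f"{e.run_on} {e.vector:9} {e.name:22}", {k: round(v, 3) for k, v in metrics(e).items()})
    print("email engage_rate trend:", trend(ENGAGEMENTS, "email", "engage_rate"))
    print("email report_rate trend:", trend(ENGAGEMENTS, "email", "report_rate"))
    print("per vector:", by_vector(ENGAGEMENTS))
    print("needs attention:", needs_attention(ENGAGEMENTS))
```

The thresholds in `needs_attention` are placeholders; the point is that each engagement feeds the same record, so the same report can be regenerated after every quarter and the program adjusted toward the vectors that are not improving.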

This is a refresh of an article originally written for LinkedIn (https://www.linkedin.com/pulse/social-engineering-made-easy-matt-james/)

Here’s another article about the freebies your organization may be giving away that make social engineering easier.

https://www.linkedin.com/pulse/social-engineering-freebies-your-organization-hands-out-matt-james/