How to Legally Practice Social Engineering
Author: Tim O'Connor
Social Engineering is without question the most powerful and successful hacker skill of all time, but how can you become fluent enough in this skill to learn and defend against it if the practice is illegal?
If you want to learn a skill to protect yourself, your employees or your customers, you must be able practice that particular skill on the fly with real humans in real situations.
Social Engineering is like plying the art and skills of a con-man. However, isn’t that unethical and illegal?
There is a form of Social Engineering that is not only legal but often done for fun, profit and education. It is called “mentalism.”
The art and practice of mentalism is often associated with magicians but professional mentalists are often insulted by being called a magician. Magicians use ‘tricks’ and ask their audiences to enter a state of suspended disbelief (you know the lady was not really sawn in half but it’s fun to wonder how it appeared so). The mentalist’s job, however, is to gain the confidence of the audience and make them believe that something real has taken place. Unlike magician’s tricks, mentalist routines are not guaranteed to work because humans have unpredictable reactions based on their biases so the mentalist must gracefully maneuver around unexpected situations.
All Social Engineering exploits conducted in person, remotely or through code are some variation of a con-artists game. The “con” stands for confidence. Mentalists control the behavior and perceptions of people by gaining their confidence and manipulating their biases. Do you see the similarities?
By learning the skills of a mentalist, we are directly practicing and honing the very same skills as the hacker. In a number of good Security Awareness classes, mentalism routines are used to demonstrate and test the students’ ability to identify and defuse Social Engineering attempts. Likewise, many of the skills used in penetration testing are identical to those used by performing mentalists.
So we have established that a mentalist is a hacker of humans that uses Social Engineering to ply the trade and that the skills needed in both cyber-crime and lawful Social are not only closely related but are often the same. Where do we go from here?
One way that you might want to dive into learning Social Engineering through mentalism is to read the book Social Engineering: The Art of Human Hacking by Christopher Hadnagy. http://www.mentalismbooks.com/?p=37
Another approach is to follow the works of famous mentalists that have donated some of their time and careers to exposing Social Engineering fraud such as The Amazing Randi or Penn & Teller productions. While these performers have exposed many con artists, I don’t know any that were using computers and technology hacks as we encounter them in IT. It is important to remember that while the tools used during Social Engineering in IT are technology-based, the routines, skills and human biases leveraged are exactly the same. Since much of the materials produced by these entertainment professionals is in the form of video, it can be a more amusing and an easy introduction to mentalism.
Pictured below: Cadre's trainer, Tim O'Connor, with the Amazing Randi.
If you are convinced by this article to dive into mentalism and Social Engineering the best place to start is by reading Thirteen Steps to Mentalism by Tony Corinda. This collection of articles first codified the cold reading techniques and other skills used by con artists from the turn of the century. Alternatively you may consider the works by Banachek. Banachek, at 18 years of age, with oversight by James Randi, used Social Engineering skills to hack a $500,000 grant awarded to Washington University in St. Louis, Missouri for the establishment of the McDonnell Laboratory. He has written many books on mentalism useful to the Social Engineering practitioner such as Psychological Subtleties Vol. 1, Vol. 2 and Vol. 3, Psychophysiological Thought Reading, and Muscle Reading and the Ideomotor Response Revealed.
Once you have some basic routines down you can start to practice them on friends, fellow employees or even strangers in public places. Once you can read strangers on the spot, ad hoc in public you will have achieved the knowledge, skills and understanding to recognize and reverse engineer almost any Social Engineering attack you choose to analyze.
I hope that I have stimulated your interest in Social Engineering and its psychological underpinnings. Even if you do not decide to learn the arts of mentalism, I hope you will consider employing the most effective response to Social Engineering attacks, which is Security Awareness training. Security Awareness training does not turn your employees into mentalists but it does teach them to recognize cons, both those executed in person or through various technology. Security Awareness training is the best bang for the buck in cyber security and really the only way to stop attacks against the human element.