James Powell is a senior software engineer at Cisco with a psychology degree. He has been fascinated with the mechanisms of social engineering and manipulation since a very young age. In this talk he compares and contrasts examples of how how daughter manipulates him into giving her chocolate and candy with examples of how companies, adversaries, and even pets manipulate victims.
You Are Always Being Manipulated.
Most of it is benign. This realization came from an unlikely source: his daughter. Children are amazing manipulators; they are goal-oriented and have the benefit of living somewhat outside of our societal moral/ethical framework. This extends to every moment in life. It all can be used as training because everybody is trying to use social engineering on you for better or worse.
The Good Guys?
These are your training partners and instructors. They will provide you the training while they try to get you to do good, or at least neutral, things, like give them candy or pet them.
- Friends and Family
- Corporations (sometimes)*
* James includes corporations here but really states they belong “on the fence”
The Bad Guys
These are people trying to find shortcuts and loopholes in your psychology to get you to do things you don’t want t
- Scammers / Con Artists
- Phishing, like the “whaling” attacks used against the DNC.
- “Watering Hole” Attackers
- Corporations (sometimes), by way of manipulative advertising
Attack One: Build Trust
His daughter asks “Papa, are you happy with me?” every day (building in repetition!) to which James will almost always reply, “Yes, of course!” His daughter says “Then I will have chocolate for dinner.”
Not a question. Just a statement and a conclusion. In the real world, this might look like the following:
“Dan from IT” is a great name to build trust. Dan sounds like a perfectly believable name. “IT” sounds trustworthy. Dan might say he’s here to help and upgrade security patches on your system. You might tell “Dan” that you already upgraded and he’d say “Great job!” to give you good feels, and then say “Just log into this website to verify.”
Defense 1: Be Cautious
This sounds like blanket advice but reminding yourself consciously of it will train you to take it as an active step. Be cautious. Slow down. Think about the situation you’re in. You’ve never logged into a website to verify your updates before, have you?
Defense 2: Trust but Verify
Just like James would ask his wife if it’s OK for his daughter to have candy for dinner, you should check with somebody else if you need to verify your updates via a website. Of course, they will tell you “you shouldn’t have to ask.” Ask anyway.
Attack Two: Developing Reciprocity
When people do something for you, it creates an imbalance and pressure for you to do something else in return. Reciprocity is the act of restoring this balance. This all holds true for children as well as adversaries.
James’ daughter will “clean,” reinforce by saying “look how clean I made it!” and then she will finally ask “Can I have candy?”
Defense One: Ask Yourself: “Do I Know This Person?”
Do you know them? In real life? How well do you know them? What are their motivations? Why should you trust what they’re giving you?
Defense Two: Beware More Give Than Take
From there, ask if this situation is more give than take? If so, then be even more cautious.
Attack Three: Create a Sense of Urgency
The infomercial above might end with a phrase like “you won’t find a better deal than this!” This may be true, but the function of such a claim is to create urgency. Bringing this back to James’ daughter, it might look a little more like this:
Creating a sense of urgency gets people to panic and respond because they want the alarm to stop. James tells a story of his daughter crying in public. When he rushes to her aid, first she consoles HIM, and then starts asking for things vaguely. “Can you get it for me?” While he’s still panicked, she can get candy, toys, chocolate, whatever.
In the “cyber” world, creating urgency might look more like this:
Lesson 1: Follow a Process
Do you have one? If so, start there by making one. Got it? Good.
Lesson 2: Remember Lesson 1
Seriously, all it takes is one person making one stupid mistake to bring everything crashing down.
Rules of Thumb against Social Engineering
Train Like You Fight
Bringing the talk full circle, remember the assertion at the beginning: Every moment in life is an opportunity to train yourself against social engineering. Luckily, most of life is a low-risk environment.
Reward Your Training Partners
In James’ case – if she successfully tricks him, she gets a piece of candy. All it takes for her to win is if he moves before he thinks – not even following through on fulfilling the request. The exception here is advertising and marketing. They’re already getting paid 😉
James ends the talk by reminding the audience that they are physically in the city of Las Vegas – “one of the most well-oiled machines to get you to do things.” They’re also at DEF CON. The perfect training ground.