
Posts Tagged ‘psychology’

even length passwords

Tuesday, December 14th, 2010

Gawker was recently hacked and a huge number of passwords were revealed. I’ll leave the repetitive and vapid comments about how weak everyone’s passwords were to others. Instead I’ll note something interesting. When looking at numeric passwords, those with an even number of digits were far more common than those with an odd number of digits. For example 123456 and 12345678 were both more common than 12345 and 1234567. Other common numeric passwords were 111111, 666666, 1234, 123123, and 654321, all of which have an even number of digits. I commented on this once before in the context of voicemail passwords, but unfortunately I’m still no closer to a guess as to why this should be the case, although I suspect something innate to the ways humans remember things. Does the human brain find it easier to remember a string of numbers in pairs? Do people just like even numbers more? Are there any psychologists who want to do some research on this?
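A small audit script, added here as an example rather than code from the original post, that reproduces the even/odd tally described above on a password list. The sample list is constructed for illustration and is not data from the Gawker dump; the same function can be run over any plaintext audit export.

```python
import re
from collections import Counter

# Constructed sample list for illustration only; not real leaked data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "12345678", "12345678", "111111", "666666",
    "1234", "1234", "123123", "654321", "12345", "1234567", "password",
    "qwerty", "letmein", "1111", "0000000",
]

# Strict ASCII-digit match; str.isdigit() would also accept Unicode digits.
ALL_DIGITS = re.compile(r"^[0-9]+$")


def audit_numeric_passwords(passwords):
    """Tally all-digit passwords by length and by even/odd length.

    Returns a dict with the total count, the number of all-digit passwords,
    a per-length histogram, an even/odd split, and the most common values.
    """
    numeric = [pw for pw in passwords if ALL_DIGITS.match(pw)]
    by_length = Counter(len(pw) for pw in numeric)
    parity = Counter("even" if len(pw) % 2 == 0 else "odd" for pw in numeric)
    return {
        "total": len(passwords),
        "numeric": len(numeric),
        "by_length": dict(sorted(by_length.items())),
        "parity": dict(parity),
        "top_numeric": Counter(numeric).most_common(3),
    }


def print_report(passwords):
    """Human-readable summary, e.g. for a password-policy review."""
    r = audit_numeric_passwords(passwords)
    print(f"{r['numeric']} of {r['total']} passwords are all digits")
    for length, n in r["by_length"].items():
        print(f"  length {length:2d}: {n}")
    print(f"  even-length: {r['parity'].get('even', 0)}, "
          f"odd-length: {r['parity'].get('odd', 0)}")
    print(f"  most common: {r['top_numeric']}")


if __name__ == "__main__":
    print_report(SAMPLE_PASSWORDS)
```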

Social Engineering is not for engineers

Wednesday, April 2nd, 2008

I’m a little behind on my reading, so I only just got to the January issue of the ISSA journal. In it was one of the best articles I’ve read on social engineering. The problem with most articles (or at least the ones I read) is that they approach social engineering from a technical perspective. However, far from what the name implies, social engineering is not in any way related to any of the engineering disciplines. SE is nothing more than a fancy name for a scam that happens to involve a computer. Rather than treat the SE threat as a technological threat, we should be treating it the same way we treat all scams – as a purely human threat and not a technological one. We should be turning to psychologists for help in tackling the problem, not networking experts.

In this article Dan Timko reports on research done by Robert Cialdini on the psychology of influence. Cialdini enumerates 6 basic methods people use to influence others. They are:

  • Reciprocation
  • Commitment and Consistency
  • Social Proof
  • Authority
  • Liking
  • Scarcity

I’m not going to go in depth into each of these, but if you’re interested, here is a good summary of each. Suffice it to say that these methods are by no means limited to marketers – scam artists (sorry, “social engineers”) use all 6 without even necessarily knowing it.

The solution to scams of all sorts, just like the threat, should be based on social science and human behavior, not technical countermeasures (although they do certainly have their place). While Dan recognizes and says this, he does not stay true to those principles, concluding only that the best defense against social engineering is a strong security policy, user education, and the rest of the things ISSA members have been preaching for ages. If you ask me, the solution (if there really is one) to social engineering will not come from someone with a CISSP, CISM, or CISA, but from someone with a PhD in psychology. The quicker we realize that, the quicker we can come to a real solution.
