Killing Social Engineering
Killing Social Engineering
Part of a presentation I recently wrote for a security event.
Eh'den (Uri) Biber
I've been professionally involved in information security since 1987, while starting hacking a few years before. I've witnessed information security become more and more sophisticated and advanced for both attackers and defenders. However, when it comes to what is known by information security experts as "social engineering" - or, as I prefer to call it - human manipulation - it seems that little progress has been made in that field.
After years of trying to understand how people can be influenced due to my youngest son's autism that prevented him from being able to communicate with us I have been investigating in the last year the connection between neurology, human manipulation and information security. I've discovered a fascinating world, and the more I've learned the more I felt that it's time to kill social engineering as we know it.
It's time to grow up, it's time to approach the field via a scientific method.
Scientific method refers to a body of techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating previous knowledge.[1] To be termed scientific, a method of inquiry must be based on gathering empirical and measurable evidence subject to specific principles of reasoning
(wikipedia)
Today the people known as experts in the field of social engineering use intuition, methods, practices, and sometimes technology to enhance their skills. But, at the end of the day they will all admit that their success rates varie from one situation to another. If you ask for scientific reasons to their success or failure they will provide answers originating in psychological explanations, sometimes they will talk about micro facial expressions, and body language reading, but none of them seems to focus on the root of everything - our human neurology.
This is also why all the information security awareness training I've seen (and sometimes wrote) were unscientific - the approach to the subject was based on endless assumptions; many of them were false and lead to negative results. None of the social engineering training I saw was driven from a factual scientific reason as to why we all are susceptible to manipulation.
In the last 20 years humanity has discovered more on how our brain works than in the last 2000 years, yet when it comes to information security we seem to disregard that progress. Why is it that when we go to a hackers conference we see presentations of people who go down to the core elements of the system they are hacking, but when it comes to human manipulation no one provides explanations on the issue through the perspective of human neurology?
In my presentation I will show how developments in science require us to move away from old paradigms and how technological changes require us to abandon "social engineering" and start talking about human manipulation as a neurological phenomena. All of us have embedded technology in our daily lives, even in Afghanistan people are connected to the Internet. The future of humanity is tied to our ability to provide current and future generations with an understanding of both why they can be manipulated and how technology plays an important role in it. I consider us, Information security experts, as educators. We have two choices - we can either help humanity reach a bright future or act like bystanders who watch a person destroying himself/herself without assisting him/her. Wayne Dyer, a famous American psychologist says that responsibility is to respond with ability. It is our responsibility to make a change. Let's not waste this wonderful rare moment of time, Let's begin.... NOW
(R.I.P. Social Engineering)
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Update – 13Th of July, 2011.
Due to popular demand I'm adding a link to the first presentation I gave on the subject back in February. Please be advised that the current presentation has been totally re-written from scratch, but for the sake of transparency I wish to include it as a reference.
So here you go, "social engineering in the 21st century", as was given to distinguish members of the dutch academic and research institute organizations.