Cybersecurity isn’t just about technology – it’s fundamentally a battle of mindsets. The way we approach challenges shapes our strategies and determines our chances of success in this constantly shifting landscape. Two distinct mindsets dominate: the finite mindset and the infinite mindset.
What is social engineering? Free Guide to stay secure in 2024
What is social engineering?
We define social engineering as involving clever manipulation of the natural human tendencies of trust in order to obtain information to help facilitate fraud, network intrusion, industrial espionage, identity theft, or network/system disruption. I also like the
definition from Bruce Schneider: Amateurs Hack Systems, Professional hack People. To gain the trust of the people social engineers trick their victims with different tactics such as:
Pretending to be someone important
Appearing to be just like you
Trying to convince you to share confidential information
Staying safe from social engineering attacks
Although social engineering attacks can seem terrifying, as explained throughout the book, the effects of these attacks can be significantly mitigated if appropriate measures are taken.
The following are the different measures which can help You to mitigate social-engineering attacks.
People
Establish a targeted security-awareness program that is interesting and interactive
Create awareness posters, and make them visible within the company to help employees understand how the company is addressing Social Engineering
Educate employees to be sceptical and on what to be on the lookout for in regard to common phishing and spear phishing schemes
Leverage the help of technology, and use advanced spam filtering such
Ensure employees do the following:
Monitor their online accounts regularly Ensure they do their sensitive transaction online only on websites that use secure protocol such as HTTPS “ https://www.erdalozkaya.com“
Ensure they are aware of phone phishing, and train them not to share personal information over the phone or even in public places
Ensure they are aware of the dangers of sharing sensitive information on social media web sites
Beware of links to web forms that request personal information:
Ensure they limit the amount of information they share in social media.
Use some simulations such as: http:/ / pleaserobme. com, where users can check if they are sharing their locations publicly:
Ensure they are aware of the fact that the internet is public, and make sure they know if something is online, it will most probably stay online even after you delete it. Please refer to the following link at https:/ / archive. org/
Educate them on third-party applications, in that they can give the application access to connect to their social media websites and they can post on behalf of the employee
Educate employees that they should not:
– Open emails that look suspicious
– Open attachments in emails of unknown origin
– Pay a ransom
Process
Schedule random penetration testing which has social engineering in the scope
Identify your critical data and ensure an external assessment is done to verify your internal test results
Ensure the executive level is aware of the results
Conduct periodic cybersecurity assessments
Establish a framework and program for highly trusted or privileged employees.
Establish a least-privileges policy, and ensure employees has access only to what they need and not more
Perform regular backups, and utilize cloud power such as Microsoft Azure
Follow ISO 27001 or similar regulations to secure your information security management systems
Perform enhanced background screening at regular intervals
Technology
Identity and access management, such as Microsoft MIM
Security incident and event management system
Non-signature-based malware technology such as Xcitium
Application whitelisting such as App Locker or Device Guard in Windows 11
Use a SIEM to correlate your logs
Use reputable antivirus software
Use an effective IDS/IPS solution that can help detect known attacks, and how far they managed to get into the network by signature, behavior, and community knowledge
Keep your software up to date
Use multi-factor authentication
8 Principles of Influence in Social engineering
According to new research, 35% of enterprises reported an increase in cyberattacks this year, and social engineering tops the list of most frequent cyberattacks, which surpass the Advanced Persistent threat (APT) and Ransomware attacks (State of Cybersecurity 2021,
Part 2: Threat Landscape, Security Operations, and Cybersecurity Maturity, 2021). Therefore, it becomes imperative to study social engineering techniques and spread awareness about them.
With the development of new technologies, social engineering attacks keep changing; however, the fundamental principles of influence remain the same. In this paper, the study of principles of influence will be done to compare the methodology between two reputed books: “Social Engineering: The Science of Human Hacking,” 2nd Edition by Christopher Hadnagy, and “Learn Social Engineering” by Dr. Erdal Ozkaya.
Christopher and Erdal are renowned authors in the domain of information security. Christopher is the founder and CEO of Social-Engineer LLC, created the world’s first social engineering framework, and currently hosts a podcast based on social engineering. He is a well-known author who has written five books on social engineering (Social-Engineer, LLC, 2021).
On the other hand, Dr. Erdal is an award-winning author, speaker, and cybersecurity advisor who has received 8 MVP (Most Valuable Professional) awards from Microsoft. He is an active participant in major conferences related to Information Security (Microsoft MVP Award, n.d.).
Christopher credits his social engineering literacy to Dr. Robert Cialdini’s book “Influence: The Psychology of Persuasion” (William Morrow and Co., 1984). Robert presented six principles of influence: Reciprocity, Commitment/consistency, social proof, Authority, Liking, and Scarcity. However, Christopher broke these six ideas down into eight principles:
Social Proof in his book “Social Engineering: The Science of Human Hacking”, 2nd edition. The book is a best seller on Amazon.ca and ranked #9 in the Computer Security category (Social Engineering: The Science of Human Hacking: Hadnagy, Christopher: 9781119433385: Books – Amazon.Ca, 2018).
Dr. Erdal has discussed Influence and Persuasion briefly in his book “Learn Social Engineering.” He considers persuasion a critical aspect of social engineering. Influence and persuasion are techniques to persuade individuals and organizations to act or think in a certain way.
In one of the book’s chapters, “Influence tactics,” he defined the techniques used to influence people, which are Reciprocity, Obligation, Concession, Scarcity, Authority (Legal authority, Organizational authority, Social authority), Consistency and Commitment, Liking, and Social Proof (Ozkaya, 2018).
The book is a best seller on Amazon.com and ranks #390 in Computer Network Security (Learn Social Engineering: Learn the Art of Human Hacking with an Internationally Renowned Expert: Ozkaya, Dr. Erdal: 9781788837927: Amazon.Com: Books, 2018).
According to Chris, the first principle of influence is Reciprocity which aims to build rapport. When we genuinely give something to others, they tend to return a favor by doing something similar or more valuable.
Dr. Erdal illustrated a similar definition in his book. He explained the human psychology of giving and taking. Showing gratitude is an example of Reciprocity used by various politicians, employers, and even pharmaceutical companies where they provide free stuff initially to gain more gain and trust from the people.
Christopher explained how social engineers use the principle of obligation by influencing social events to make a target feel obligated to perform in a certain way. For instance: not holding the door for a lady or someone carrying boxes or other luggage is considered impolite, and social engineers take advantage of this habit.
Dr. Erdal describes obligation as a circumstance in which a target feels compelled to perform based on moral, legal, contractual, duty, or religious obligations. This method is used against a customer service representative who is obligated to assist consumers in any way possible.
Christopher defined the third principle of influence as the principle of concession in which he shared an example in his book, how a caller convinced him to donate charity for stray dogs. The caller knew that the author loves animals, hence requesting $250, which the author declined due to the hefty figure. Later caller asked him to pay $25, which he conceded to get money.
According to Dr. Erdal, Concession is an acknowledgment or acceptance used in the same way as reciprocation is. The difference between reciprocation and concession is that the target makes the initial request in concession. He further explained that humans are conditioned to repay a favor anytime someone does something nice for them.
Scarcity can be used to time, knowledge, or even goods you are giving away in an attempt as a social engineer. Scarcity will increase the perceived worth of what you have and persuade the target to make decisions based on that value. This is known as the Principle of Scarcity, according to Christopher.
Dr. Erdal described that scarcity is produced when items and opportunities are difficult to come by and become more appealing. Scarcity is likely the marketing team’s most regularly used tool. Keywords like “limited deal,” “1-day sale,” and “clearance sale” are frequently used to emphasize the products’ availability. Social engineers send scarcity-themed emails to their intended recipients to persuade people to click on the link as soon as they see it.
The fifth principle of influence: Authority, according to Christopher, is when someone in a position of power and authority makes a statement, it is taken more seriously by others. This trait manipulates the target who is convinced to obey the commands.
As per Dr. Erdal, the principle of authority is the power principle of influence where people follow the orders of individuals they think to be in a position of power over them. As Lawyers show respect for the judge and jury in court, Employees in organizations follow the orders of their superiors. Similarly, the police are respected by the public on the streets.
When you show authority to an individual or group of people via emails or fake websites, they are likely to get trapped in it.
The sixth principle of influence is Consistency and Commitment. As per Christopher, Consistency is a sign of confidence and strength, and People want their values to align with their views. Humans have a strong need to be perceived as constant, according to the principle of commitment. As a result, once we have made a public promise to something or someone, we are considerably more likely to follow through on it.
At the same time, Dr. Erdal said that Consistency is a highly desired principle of a human attribute in which people prefer to behave in the same way they did before in the same situation. Because it does not have to reprocess information when performing a task, the human brain prefers Consistency. Commitment and constancy will bind them to a terrible route where they will be forced to accept more significant responsibilities.
Social engineering
Christopher talks about the seventh principle of influence: Liking. He explained that people like other people who are like them. People enjoy being around those who share their interests as skilled social engineers; like is a powerful principle that can practically and symbolically open many doors for you.
A similar opinion is shared by Dr. Erdal, explaining that most people enjoy being liked, and they reciprocate by selecting those who like them. Salespeople understand that a buyer is more likely to buy from someone they like.
They know that if they show a customer’s liking, the buyer will also like them, resulting in a favorable sales environment. To gain the target’s trust, social engineer agreeably portrays themselves and try to like them.
Finally, for the eighth principle: social proof, Christopher said that people often do not want to be the first to do something. However, he discovered that employing social proof can help people decide actions they are not sure about. On the other hand, an interesting example is shared by Dr. Erdal for this principle: A group of people was advised to look up at the sky in the middle of the city in one experiment.
The end outcome was a success. Others began staring blankly into space, curious as to what was being observed. People who saw others doing this did the same, causing significant traffic jams as people stood in the middle of the road staring at the sky, while others watched from their cars. This was a demonstration of the strength of social proof.
The paper concludes that the principle of influence is a powerful tool to perform social engineering attacks. Both authors explain the fundamentals of principles differently; however, the concept of these principles is the same. The new techniques can be invented with new technologies and strategies; however, the fundamentals will remain the same.
The attacks are made on humans, and humans are considered the “weakest link” in Information Security. Thus, it becomes essential to spread awareness about it among people to minimize the impact. These principles are so powerful and can be used in any other situation of life to influence people. It can be used by politicians, employers, pharmaceuticals, armed forces, police officers, etc.
Learn Social Engineering
Improve information security by Learn Social Engineering.
Key Features
Learn to implement information security using social engineering
Get hands-on experience of using different tools such as Kali Linux, the Social Engineering toolkit and so on
Practical approach towards learning social engineering, for IT security
Learn Social Engineering
Book Description
This book will provide you with a holistic understanding of social engineering. It will help you to avoid and combat social engineering attacks by giving you a detailed insight into how a social engineer operates.
Learn Social Engineering starts by giving you a grounding in the different types of social engineering attacks, and the damages they cause. It then sets up the lab environment to use different tools and then perform social engineering steps such as information gathering. The book covers topics from baiting, phishing, and spear phishing, to pretexting and scareware.
By the end of the book, you will be in a position to protect yourself and
your systems from social engineering threats and attacks.
All in all, the book covers social engineering from A to Z , along with excerpts from many world wide known security experts.
What you will learn
Learn to implement information security using social engineering
Learn social engineering for IT security
Understand the role of social media in social engineering
Get acquainted with Practical Human hacking skills
Learn to think like a social engineer
Learn to beat a social engineer
Who this book is for
This book targets security professionals, security analysts, penetration testers, or any stakeholder working with information security who wants to learn how to use social engineering techniques. Prior knowledge of Kali Linux is an added advantage
Table of Contents
Introduction to social engineering
The psychology of social engineering (mind tricks used)
Siber olay müdahalesi alanındaki en güncel trend ve uygulamaların konuşulup workshopların yer alacağı etkinliğimizde, özellikle siber güvenlik profesyonelleri, olay müdahale ekipleri ve güvenlik yöneticileri için DFIR trendleri hakkında konuşma ve best practice’leri sunma fırsatı yakalayacağız.
Konusunda yetkin konuşmacılarımız, siber olay müdahale yöntemlerinden, güvenlik operasyon merkezlerine, APT saldırılarının incelenmesinden iş sürekliliği için DFIR’ın önemine kadar birçok konuyu ele alacaklar.
A thought-provoking panel discussion is scheduled for February 8. It will be moderated by Patric J.M. Versteeg, MSc. and feature Alexandre Horvath, Dr. Erdal Ozkaya, Dan Lohrmann, and Michele Myauo, Ph.D as panelists. Register today to gain expert insights into the finite and infinite business mindset in cybersecurity and the role of an infinite mindset toward building a holistic security approach. Save your spot: https://bit.ly/3vuy0x5
7. Siber Güvenlik Ekosisteminin Geliştirilmesi Zirvesi Türkiye Bilişim Derneği tarafından bu yıl 5 Mart 2024 tarihinde Bilgi Teknolojileri ve İletişim Kurumu (BTK) Ana Konferans Salonunda gerçekleştirilecek olan, “7. Siber Güvenlik Ekosisteminin Geliştirilmesi Zirvesi”’nde Siber Güvenlik Stratejisti ve TBD ABD Temsilcisi, Sn. Dr. Erdal ÖZKAYA “2024’te Bizi Bekleyen Siber Tehditler” üzerine Davetli Konuşmasını gerçekleştirecektir. Siz değerli […]
Ready to connect with the global software development community? Join me at TUYAFED Federation of Software Developers’s epic event celebrating Turkey’s 100th Republic anniversary! Expect 3000+ participants from 100 countries. I’ll be speaking – will you be there? Register now:
A Step-By-Step Guide to Cyber Risk Assessment A cyber risk assessment is a process of identifying, analyzing, and evaluating the cyber threats and vulnerabilities that could affect your organization’s assets, operations, and reputation. A cyber risk assessment can help you prioritize your security efforts, comply with regulations, and communicate with stakeholders. There are different approaches […]
The impact of cyber breaches on stock prices : Stock prices are influenced by a variety of factors, including supply and demand, company health, economic reports, and trader sentiment.
my book, Cybersecurity Leadership Demystified, has been selected as courseware material for the Executive Cybersecurity Master program at Solvay Brussels School of Economics and Management.