Get Ready for a Brand New Experience
Get ready to be amazed! I’m so excited to announce that www.ErdalOzkaya.com is getting a major overhaul. Think of it as a glow-up, but for your favorite online reading spot.
Type and hit enter
Get ready to be amazed! I’m so excited to announce that www.ErdalOzkaya.com is getting a major overhaul. Think of it as a glow-up, but for your favorite online reading spot.
I’m thrilled to share that my blog has been recognized as one of the Top 50 Cybersecurity Blogs by Feedspot!
NIS2 The Next Wave of European Cybersecurity and the Vital Role of Network Observability
Ezlo A Review of Their Smart Home Solutions Ezlo, a prominent player in the smart home industry, offers a range of products and services aimed at making homes more connected and convenient. Their offerings include smart hubs, sensors, cameras, and a comprehensive platform called MiOS that ties everything together. Pros: Cons: Overall: Ezlo is a […]
I’m excited to announce that I will be participating as an expert in the renowned RSA Conference 2024. It is an incredible opportunity to engage with fellow cybersecurity enthusiasts and share insights on the evolving landscape of digital security.
The Persistent Threat Landscape- Insights from the Verizon DBIR 2023 The Evolving Threat Demands Evolving Defenses The 2023 Verizon DBIR sheds light on the persistence of well-known threats, alongside evolving attacker tactics. Staying informed about these trends is crucial to building effective defenses. By prioritizing the key takeaways outlined in this analysis, technical teams can […]
We define social engineering as involving clever manipulation of the natural human tendencies of trust in order to obtain information to help facilitate fraud, network intrusion, industrial espionage, identity theft, or network/system disruption. I also like the
definition from Bruce Schneider: Amateurs Hack Systems, Professional hack People. To gain the trust of the people social engineers trick their victims with different tactics such as:
Although social engineering attacks can seem terrifying, as explained throughout the book, the effects of these attacks can be significantly mitigated if appropriate measures are taken.
The following are the different measures which can help You to mitigate social-engineering attacks.
People
According to new research, 35% of enterprises reported an increase in cyberattacks this year, and social engineering tops the list of most frequent cyberattacks, which surpass the Advanced Persistent threat (APT) and Ransomware attacks (State of Cybersecurity 2021,
Part 2: Threat Landscape, Security Operations, and Cybersecurity Maturity, 2021). Therefore, it becomes imperative to study social engineering techniques and spread awareness about them.
With the development of new technologies, social engineering attacks keep changing; however, the fundamental principles of influence remain the same. In this paper, the study of principles of influence will be done to compare the methodology between two reputed books: “Social Engineering: The Science of Human Hacking,” 2nd Edition by Christopher Hadnagy, and “Learn Social Engineering” by Dr. Erdal Ozkaya.
Christopher and Erdal are renowned authors in the domain of information security. Christopher is the founder and CEO of Social-Engineer LLC, created the world’s first social engineering framework, and currently hosts a podcast based on social engineering. He is a well-known author who has written five books on social engineering (Social-Engineer, LLC, 2021).
On the other hand, Dr. Erdal is an award-winning author, speaker, and cybersecurity advisor who has received 8 MVP (Most Valuable Professional) awards from Microsoft. He is an active participant in major conferences related to Information Security (Microsoft MVP Award, n.d.).
Christopher credits his social engineering literacy to Dr. Robert Cialdini’s book “Influence: The Psychology of Persuasion” (William Morrow and Co., 1984). Robert presented six principles of influence: Reciprocity, Commitment/consistency, social proof, Authority, Liking, and Scarcity. However, Christopher broke these six ideas down into eight principles:
Principle One: Reciprocity, Principle Two: Obligation, Principle Three: Concession, Principle Four: Scarcity, Principle Five: Authority, Principle Six: Consistency and Commitment, Principle Seven: Liking and Principle Eight:
Social Proof in his book “Social Engineering: The Science of Human Hacking”, 2nd edition. The book is a best seller on Amazon.ca and ranked #9 in the Computer Security category (Social Engineering: The Science of Human Hacking: Hadnagy, Christopher: 9781119433385: Books – Amazon.Ca, 2018).
Dr. Erdal has discussed Influence and Persuasion briefly in his book “Learn Social Engineering.” He considers persuasion a critical aspect of social engineering. Influence and persuasion are techniques to persuade individuals and organizations to act or think in a certain way.
In one of the book’s chapters, “Influence tactics,” he defined the techniques used to influence people, which are Reciprocity, Obligation, Concession, Scarcity, Authority (Legal authority, Organizational authority, Social authority), Consistency and Commitment, Liking, and Social Proof (Ozkaya, 2018).
The book is a best seller on Amazon.com and ranks #390 in Computer Network Security (Learn Social Engineering: Learn the Art of Human Hacking with an Internationally Renowned Expert: Ozkaya, Dr. Erdal: 9781788837927: Amazon.Com: Books, 2018).
According to Chris, the first principle of influence is Reciprocity which aims to build rapport. When we genuinely give something to others, they tend to return a favor by doing something similar or more valuable.
Dr. Erdal illustrated a similar definition in his book. He explained the human psychology of giving and taking. Showing gratitude is an example of Reciprocity used by various politicians, employers, and even pharmaceutical companies where they provide free stuff initially to gain more gain and trust from the people.
Christopher explained how social engineers use the principle of obligation by influencing social events to make a target feel obligated to perform in a certain way. For instance: not holding the door for a lady or someone carrying boxes or other luggage is considered impolite, and social engineers take advantage of this habit.
Dr. Erdal describes obligation as a circumstance in which a target feels compelled to perform based on moral, legal, contractual, duty, or religious obligations. This method is used against a customer service representative who is obligated to assist consumers in any way possible.
Christopher defined the third principle of influence as the principle of concession in which he shared an example in his book, how a caller convinced him to donate charity for stray dogs. The caller knew that the author loves animals, hence requesting $250, which the author declined due to the hefty figure. Later caller asked him to pay $25, which he conceded to get money.
According to Dr. Erdal, Concession is an acknowledgment or acceptance used in the same way as reciprocation is. The difference between reciprocation and concession is that the target makes the initial request in concession. He further explained that humans are conditioned to repay a favor anytime someone does something nice for them.
Scarcity can be used to time, knowledge, or even goods you are giving away in an attempt as a social engineer. Scarcity will increase the perceived worth of what you have and persuade the target to make decisions based on that value. This is known as the Principle of Scarcity, according to Christopher.
Dr. Erdal described that scarcity is produced when items and opportunities are difficult to come by and become more appealing. Scarcity is likely the marketing team’s most regularly used tool. Keywords like “limited deal,” “1-day sale,” and “clearance sale” are frequently used to emphasize the products’ availability. Social engineers send scarcity-themed emails to their intended recipients to persuade people to click on the link as soon as they see it.
The fifth principle of influence: Authority, according to Christopher, is when someone in a position of power and authority makes a statement, it is taken more seriously by others. This trait manipulates the target who is convinced to obey the commands.
As per Dr. Erdal, the principle of authority is the power principle of influence where people follow the orders of individuals they think to be in a position of power over them. As Lawyers show respect for the judge and jury in court, Employees in organizations follow the orders of their superiors. Similarly, the police are respected by the public on the streets.
When you show authority to an individual or group of people via emails or fake websites, they are likely to get trapped in it.
The sixth principle of influence is Consistency and Commitment. As per Christopher, Consistency is a sign of confidence and strength, and People want their values to align with their views. Humans have a strong need to be perceived as constant, according to the principle of commitment. As a result, once we have made a public promise to something or someone, we are considerably more likely to follow through on it.
At the same time, Dr. Erdal said that Consistency is a highly desired principle of a human attribute in which people prefer to behave in the same way they did before in the same situation. Because it does not have to reprocess information when performing a task, the human brain prefers Consistency. Commitment and constancy will bind them to a terrible route where they will be forced to accept more significant responsibilities.
Christopher talks about the seventh principle of influence: Liking. He explained that people like other people who are like them. People enjoy being around those who share their interests as skilled social engineers; like is a powerful principle that can practically and symbolically open many doors for you.
A similar opinion is shared by Dr. Erdal, explaining that most people enjoy being liked, and they reciprocate by selecting those who like them. Salespeople understand that a buyer is more likely to buy from someone they like.
They know that if they show a customer’s liking, the buyer will also like them, resulting in a favorable sales environment. To gain the target’s trust, social engineer agreeably portrays themselves and try to like them.
Finally, for the eighth principle: social proof, Christopher said that people often do not want to be the first to do something. However, he discovered that employing social proof can help people decide actions they are not sure about. On the other hand, an interesting example is shared by Dr. Erdal for this principle: A group of people was advised to look up at the sky in the middle of the city in one experiment.
The end outcome was a success. Others began staring blankly into space, curious as to what was being observed. People who saw others doing this did the same, causing significant traffic jams as people stood in the middle of the road staring at the sky, while others watched from their cars. This was a demonstration of the strength of social proof.
The paper concludes that the principle of influence is a powerful tool to perform social engineering attacks. Both authors explain the fundamentals of principles differently; however, the concept of these principles is the same. The new techniques can be invented with new technologies and strategies; however, the fundamentals will remain the same.
The attacks are made on humans, and humans are considered the “weakest link” in Information Security. Thus, it becomes essential to spread awareness about it among people to minimize the impact. These principles are so powerful and can be used in any other situation of life to influence people. It can be used by politicians, employers, pharmaceuticals, armed forces, police officers, etc.
Improve information security by Learn Social Engineering.
This book will provide you with a holistic understanding of social engineering. It will help you to avoid and combat social engineering attacks by giving you a detailed insight into how a social engineer operates.
Learn Social Engineering starts by giving you a grounding in the different types of social engineering attacks, and the damages they cause. It then sets up the lab environment to use different tools and then perform social engineering steps such as information gathering. The book covers topics from baiting, phishing, and spear phishing, to pretexting and scareware.
By the end of the book, you will be in a position to protect yourself and
your systems from social engineering threats and attacks.
All in all, the book covers social engineering from A to Z , along with excerpts from many world wide known security experts.
This book targets security professionals, security analysts, penetration testers, or any stakeholder working with information security who wants to learn how to use social engineering techniques. Prior knowledge of Kali Linux is an added advantage
Awards of the book
Get it from Amazon here
Continue reading What is social engineering? Free Guide to stay secure in 2024
A Step-By-Step Guide to Cyber Risk Assessment A cyber risk assessment is a process of identifying, analyzing, and evaluating the cyber threats and vulnerabilities that could affect your organization’s assets, operations, and reputation. A cyber risk assessment can help you prioritize your security efforts, comply with regulations, and communicate with stakeholders. There are different approaches […]
Happy festive season 2024 festive season 2024 Merry Christmas! & Happy New year 🎄🎅🎁 It’s Festive time , a time of joy, love, and giving. It is also a time when we should be mindful of our safety and security. During the holiday season, crimes such as theft, burglary, and cyber attacks tend to increase.Therefore, […]
Xcitium Essentials Certification Program – Free We are delighted to announce the launch of the Xcitium Essentials certification program, a comprehensive and rigorous assessment of your skills and knowledge on the state-of-the-art, pre-emptive, protective runtime threat containment software technology that detects and blocks threats. By becoming a certified Xcitium Essentials professional, you will be able […]