When you think about what a social engineer does, and how influence and manipulation are used by good and bad SEs, it is easy to think that to be an SE you need to have an evil personality or even have sociopathic tendencies. Is that true? Are all social engineers bad?
At SECOM, we define social engineering as, “any act that influences a person to take an action that may or may not be in their best interest.” Now, according to the grammar rules that I know about, that statement can be read in two ways:
1) Any act that influences a person to take an action that may be in their best interest.
2) Any act that influences a person to take an action that may not be in their best interest.
In the first way, it sounds like you can use social engineering to influence a person to take an action that is in their best interest, and they may or may not know it. That doesn’t sound like a bad thing. An example of this is giving multiple choices to your child to allow them to feel empowered to make decisions, but all the choices are ones you as the parent want them to make; they just get to choose which one. That is a form of SE that does not have a negative flavor as you, the parent, are doing it in the best interest of the child. They get empowerment and self-confidence and you get the result you want.
The second way to say that statement does carry some negative overtones, and some could argue that is a form of manipulation, but sometimes you need to do a little damage to fix a bigger problem. A bad SE will use manipulation because it is easy to scare or intimidate a person into whatever action is required. At SECOM, we avoid that and use influence techniques to get our job done. It’s harder to do the job, but it reinforces our motto of, “Leave them feeling better for having met you.” As an analogy, take the act of surgery. A doctor needs to do a small amount of damage, i.e. the incision, to access a larger problem, say, to remove a tumor or inflamed appendix, etc. Sticking with that analogy, the doctor does what he/she needs to do to fix the larger problem, then stitches up the purposeful wound when they are done. To take that back to social engineering, as professional “white-hat” social engineers we need to make a small wound, i.e. convince a user to disclose information, to help the client company deal with a gap in their security training, which is the bigger problem. We test in a very controlled manner and give very clear recommendations on how to defend against the attacks we employ and encourage our clients to teach those techniques to their end-users. That helps them deal with real, malicious attackers when the time comes that they are targeted. Notice we said when and not if, because it will and does happen daily. It is only a matter of time before your users are targeted by a social engineer. It is in that targeted user’s, and your company’s, best interest to be prepared and know how to handle those situations to prevent a breach or other compromise. That type of training can also carry into the user’s private life as they may be less likely to succumb to attacks against them personally or their family.
The Good Side of SE
Just because we get a paycheck to lie as part of our job does not imply we like to be dishonest in our personal lives, or even professionally, when it is not required. We can sleep at night because we know we are helping our clients improve their security posture without the risk or need to suffer a breach to get that same information. We can see improvement over time as the training evolves to the new tactics we employ, and it gets harder to compromise our clients. That is a win, and we are not hurting people to accomplish it. It is a high level of ethics and a code of conduct that allow us to do our job and still show actual vulnerabilities to the client that are fixable. We report everything we use, and discover, to the client in a secure manner, and we don’t reveal the juicy details to anyone, no matter how tempting it might be to tweet their vulnerabilities at times. We, as professional social engineers, have a very interesting and unique job. We know we are helping companies become more secure and prevent compromise, and we see those advancements every month. It is also fun to tell stories about what we do because most people have no idea what it means to be a professional social engineer or what our day-to-day life is like in that profession. Without putting any client details at risk, or revealing who our clients actually are, it is often enlightening to those we tell stories to, and then it makes them think about their life and their company’s security posture. We can call that second-hand security.
So, if you wonder, “Are social engineers bad people?” the answer is yes and no. Yes, there are bad social engineers out there, ones that look to ruin your life and business. But look at all the good professional social engineers do, for both our clients and our friends and family. You will see it can be a very rewarding and beneficial job function in the information security industry. Every aspect of information security has a negative use; that is what we are fighting against. By thinking like the bad guys, while still remembering we are the good guys and using these techniques in a professional and conscientious manner, you can have a fulfilling career, secure your clients, and still leave people feeling better for having met you.
TLDR: No, there are wonderful people doing great work every day.