Over the years of being a professional social engineer (SE), I have been asked questions like, “Are you really testing your clients if you don’t use EVERY method possible?” Or, “You are acting like the bad guys, why do you need to have rules?” And even, “I don’t need to leave them feeling better if I am trying to breach, do I?” It is time to discuss these questions, why ethics in social engineering is so important, and crafting a social engineering code of ethics. How can you maintain a code of ethics and promote professionalism? How can you avoid letting the excitement and adrenaline that comes with hacking alter your ego and make you step out of those bounds?
Ethics – what are you talking about?
For anyone who has been to Social-Engineer, LLC’s training, they know that we have a motto, “Leave them feeling better for having met you.” This motto was not always part of our lifestyle in SE. There was a time in my life and career where winning was more important than the client’s feelings. That statement alone makes me cringe, but it is true. I needed to win, to feel good, and it was easy to do so. I would manipulate, trick, deceive anyone, and the resulting feeling wasn’t my concern.
Then, one day, something very negative happened, and I lost a client. It made me sit back and think about my methods. I realized that I was using anger, fear, and extreme versions of emotions to social engineer my clients. I started to challenge myself to perform the same attacks but to try and leave targets feeling better for having met me and guess what I found?
IT WAS HARD!! Not only was it hard, but I had to think harder and work more to get the same results. The result for the client was that they enjoyed their experience and their staff had more teachable moments. That experience started my quest to come up with a social engineering code of ethics for our company that we could apply to all social engineering practices.
Developing this ethical framework for a field that gets paid to hack humans via physical presence, phone and email was not easy. But from that is where “Leave them feeling better for having met you” came about. If you have been to one of our classes, you also know we send you out on homework each night. The lessons learned in improving and developing communication skills as well as getting information from strangers is invaluable. I wanted to see how we can apply these to our student engagements to help them grow as social engineers and people. This meant coming up with a list of tasks and rules to keep them from not creating fear, committing fraud, or breaking our social engineering code of ethics or the ethical code of a conference where we are training.
Would ethics ruin your social engineering?
Ok, so it is true that any hacker loves the feeling of the hack, but should that reduce the use of a code of ethics? And, what’s maybe even more important, would a social engineering code of ethics reduce the feelings that come from successful hacking. The very chemicals we are trying to release in the brains of our targets to elicit an action (dopamine and oxytocin) are also released in our brains when we feel validated and trusted. Those feelings can be addictive and make us want to take the risks of any action to win.
Telling people to take the longer and harder route to achieve the same results is not easy. The “hardcore” methods appear to be more fun and exciting, but when you take the professional road you will achieve the same results. Additionally, you will create an environment where the positive brain chemicals are released, while not harming other folks.
Why is this so important?
When I started off in this field there were very few professionals focusing on social engineering specifically. Now, 10 years later, it seems like everyone is hanging the “SE” shingle out. This is good. We need more people in this field as there is so much need. However, with more people entering the industry, there is a need to create ethics and policies that dictate how to be a professional SE, and how to conduct a social engineering business.
Social-Engineer, LLC will be working on a formal social engineering Code of Ethics, and we will add it to the framework in the coming weeks.
Stay safe, stay ethical, and leave people feeling better for having met you.