Deploying Disney: How Social Engineers Take Advantage of Childhood Lessons
People tend to believe that social engineering (SE) is an exercise in "BS-ing," or a way to trick users, but it's actually a distinct science. The founders of this science developed social engineering techniques in order to help people through difficult situations and change their world. The responsibility of the professional social engineer is to expose the weaknesses inherent in current corporate cultures—not to show off by proving that we can break through a company's security. The purpose of social engineering is to connect companies to the reality that risk lies everywhere, and that the company must protect its business and users from the harms that we all face.
Think of social engineering as being like healthcare coverage. Everyone is susceptible to disease and sickness, so companies provide healthcare benefits to keep employees and the business safe from the risks of illness. (For the business, those risks include loss of productivity, profit, and personnel.) Likewise, companies need to conduct social engineering tests and gain an understanding of how susceptible their information assets are to ever-growing threats.
The Level of Risk Is Rising
During the hard economic times that the U.S. has experienced in 2008 (and the likelihood of rougher times ahead), newer and more creative threats have bombarded business. The security market as a whole is undergoing a huge uptick in risk due to current socioeconomic conditions. More people are "turning to the dark side" and finding profit in ways that they might once have considered taboo. It reminds me of what Les Stroud from the TV show Survivorman says: "Normally, I would never do this, but when it's your only chance for survival, you do whatever it takes." Much of the American public is in survival mode, as highlighted by the recent news of attacks, exposure of massive-scale information-theft networks (Ghostnet), and even the ever-present Conficker worm. All of these events are indicators that more and more people are looking to information theft as a source of income.
This growing risk doesn't just come from increased monetary pressures or the sheer number of attackers peeking out of the woodwork—it also comes from the victims. Yep, that's right! And this is where social engineering comes into the picture.