No matter how much security technology we purchase, we still face a fundamental security problem: people. This is a realization that we’ve been grappling with as an industry for quite a while. As a security practitioner and during my time as a research analyst and industry adviser at Gartner, I spent countless hours evaluating security technologies and helping organizations decide which technologies and products would best enable them to secure data. But one malicious or negligent human can often intentionally or unintentionally nullify the effectiveness of technology-based controls. The truth is that humans are both our biggest threat and our last line of defense.
To make humans an effective last line of defense, we need to first grapple with two disturbing truths: 1) All humans are master deceivers; and, 2) we are all easily deceived.
Let me explain… Each of us is trained in the ways of deception beginning early in our childhood. Early on we were taught that lies make life easier and social situations more comfortable. Do you remember going to family reunions and being told to just act like you enjoy being there? Shake crazy uncle Bob’s hand even though he freaked you out? Eat your peas without complaining? And as we get older, we refine the talent even more – from learning how to expertly navigate questions like, “do these jeans make my butt look fat?” to when your significant other asks if you like their new hair style, to when your boss asks for your ‘honest opinion’ about his/her new strategy.
And those are just lies from the ‘little white lie’ category; we haven’t even started to get into the whoppers that we and others tell to hide things, get away with things, trick people, cheat, mislead, and outright steal from each other. And yet, we all know people who have believed both benign and malicious lies. And – if we are truthful with ourselves – we’ll even admit that each one of us has been deceived badly more than a few times over the course of our lives.
If I were to give the main reason that we fall for scams, social engineering and the like, it is because our brains are easily fooled. Our brain’s job is to filter and present reality. Each of our brains takes in a massive amount of input and then decides what is important, what the implications of the input are, and what (if any) response is needed. And our brains do that very efficiently by employing several shortcuts. Over the millennia, magicians, pickpockets, con-artists, scammers, and others have learned how to hijack these mental shortcuts and use them to their advantage.
In my keynotes, I love using examples from magic, pickpocketing, and hypnosis to quickly and easily demonstrate how our brains can be manipulated. In this article, we don’t have the benefit of many of the visual aspects of what I’d usually demonstrate; however, I’ll do my best to provide some of the high-level theory and principles.
Principle 1: Misdirection and attention
Our brains are programmed to constantly scan and determine what to ‘lock on’ to. This is referred to by brain scientists as our “spotlight of attention.” Magicians and pickpockets are masters at exploiting vulnerabilities in our attentional spotlight. They will draw your attention to one object or area while doing the ‘dirty work’ at the periphery or completely outside of the attentional spotlight. They frequently use a large visible action to cover for a smaller action.
We think that we are masters of our attention, but it is extremely easy for our attention to be hijacked. Unfortunately, it isn’t just illusionists who know and take advantage of this; criminals and scam artists do as well. The world is still recovering from NotPetya. This malware was originally widely believed to be what it appeared to be – ransomware. However, it was even more malicious. It was a wiper disguised as ransomware and very likely initiated as a state-sponsored cyberattack.
Another example of misdirection in the cybersecurity world is when attackers launch a DDoS attack against a financial services company as a diversion from account takeover attacks. The end user and the bank see the extremely visible effects of the DDoS attack, while the account takeover and fraud activities are obscured for a time.
Principle 2: Influence and rapport
Another principle that comes into play when hijacking our brains is that of influence and rapport. Hypnotists, magicians, pickpockets, as well as criminals and con-artists are all masters at pulling the levers of influence and building rapport. Street and stage magicians, hypnotists, and pickpockets work to ensure that their participants quickly form a level of trust. This allows them to gain complicity as the performer shows them where to stand, what to do, and so on.
Robert Cialdini, Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University, wrote Influence: The Psychology of Persuasion, which is most often referred to as the definitive book on how influence works. Cialdini’s theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. He also recently added a seventh principle: the unity principle. The principle is about shared identities; what Seth Godin would refer to as Tribes. The more we identify ourselves with others, the more we are influenced by them.
Rather than describing each of the influence factors here, I encourage you to review Cialdini’s work, or one of the many derivative works based on his research. Needless to say, however, scam artists and phishers around the world leverage many of these tactics as they bait their hooks! The influence tactics are also additive, meaning that a savvy phisher will employ multiple influence tactics within a single message to make the lure attractive. For instance, if a phisher creates a message using scarcity/urgency, authority, social proof, and reciprocity all in one phishing email, they bring more firepower to their message than a simple message that uses none or only one of the tactics.
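The additive nature of these tactics is what makes a stacked lure stand out, and it is something a mail triage rule can count. The following is an added example (not from the article or from KnowBe4) that scores a message against Cialdini’s seven cues; the phrase lists and both sample messages are constructed for illustration, and the intent is a triage signal for awareness training or mail filtering, not a verdict.

```python
import re

# Constructed phrase patterns for each of Cialdini's influence cues as they
# typically surface in phishing lures. They are illustrative, not a vendor wordlist,
# and will produce false positives on ordinary business mail (e.g. "free", "bank").
INFLUENCE_CUES = {
    "scarcity": r"\b(within 24 hours|expires? (today|soon)|immediately|last chance|act now|final notice)\b",
    "authority": r"\b(ceo|chief executive|it department|security team|compliance|legal department|irs|bank)\b",
    "social_proof": r"\b(everyone|all (other )?employees|your colleagues|most users|already (confirmed|completed))\b",
    "reciprocity": r"\b(free|gift|bonus|reward|as a thank you|we have (granted|credited))\b",
    "commitment": r"\b(as you agreed|as promised|you (previously )?(requested|signed up))\b",
    "liking": r"\b(dear friend|valued customer|we appreciate you|loyal)\b",
    "unity": r"\b(as a member of|part of our team|fellow|one of us)\b",
}

def score_influence_cues(message):
    """Return which cues appear in the message and how many distinct cues were stacked."""
    text = message.lower()
    matched = {cue: bool(re.search(pattern, text)) for cue, pattern in INFLUENCE_CUES.items()}
    return {"cues": [cue for cue, hit in matched.items() if hit], "score": sum(matched.values())}

def is_high_pressure(message, threshold=3):
    """Flag a message when it stacks at least `threshold` distinct influence tactics."""
    return score_influence_cues(message)["score"] >= threshold

# Constructed sample lure that stacks scarcity, authority, social proof, reciprocity and liking.
PHISH = """Subject: Final notice from the CEO
Dear valued customer, all other employees have already confirmed their account.
As a thank you, we have credited a $50 bonus, but the link expires today.
Act now and verify within 24 hours."""

# Constructed benign message for comparison.
BENIGN = """Hi team, the Q3 planning doc is in the shared folder.
Add your comments by Friday if you have time. Thanks!"""

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        result = score_influence_cues(msg)
        print(f"{label}: score={result['score']} cues={result['cues']} flagged={is_high_pressure(msg)}")
```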
Principle 3: Framing and context
Framing is of critical importance for performers, politicians, and marketers… as well as social engineers and con-artists. The concept of framing is derived from the social sciences. And it is basically the context, world view, or lens that a person views reality (or a specific situation) through. Framing can also be a social engineer or attacker’s way to hide in plain sight (costuming, persona development, and playing to the situation).
An example of framing that I use in presentations is where a specific effect can be presented in multiple ways depending on the frame that I’m trying to play to. For instance, if I have a sealed envelope that contains a written record of a participant’s upcoming choice, I can reveal that as either a prediction (if I want to play the part of a psychic) or as an example of how I can influence the participant to think or choose something (playing the part of a mentalist or Svengali-like hypnotist).
Simply stated – a frame gives us the context to interpret or understand the information we are presented or the situation in which we find ourselves. In fact, there are political, religious, and marketing organizations all dedicated to understanding the frames that people have and how to work within or to expand those frames so that people are open to new or different/challenging ideas. Frames are an extremely powerful force – and they are not always fact-based. When frames and facts collide, the facts are pushed aside and the frame is embraced tightly. FrameWorks President Susan Bales is known to often say, “When the facts don’t fit the frame, the facts get rejected, not the frame.” (PDF)
Since everything operates within a frame, scammers, phishers, con-artists, and other unsavory types learn how to play to the frame. They will impersonate respected authority figures – such as in Business Email Compromise attacks. Framing also takes place in the way that language is used, the choice of medium for an attack, and more. For a great breakdown of framing in the context of social engineering, I encourage you to read the ‘Framing’ entry in the ‘Influencing Others’ section of The Social Engineering Framework at Social-Engineer.org.
Understanding how our brains can be used against us is a critical first step in learning how to combat the attacks of savvy attackers. The immediate takeaway is that we need to give ourselves permission to slow down and think before acting. Doing so takes us out of situations where we are just acting in a reflexive/automatic manner and allows us to process things a bit more logically. Then we can mentally rewind the actions and potential motivations behind what people are saying, the emails that we are receiving, and the situations that we are in to see if someone might have just tried to hijack our brain.
About the author: Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4. Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering areas of IAM strategy, CISO program management mentoring, and technology service provider success strategies.
Source: infosec island