Let’s play a word association game! When I say ‘counselor’, what are the first things that pop into your head? Is it Mr. Mackey? Deanna Troi? Maybe a more general sort of squishy and positive Stuart Smalley (now I’m really showing my age…)? If you’re like most people, you will probably think of someone helpful and supportive; someone who is there to help guide you through life’s challenges. You might even picture lying on a comfy couch talking about your relationship with your mother with this person.
Now what comes to mind when I say ‘social engineer’? You might think of Frank Abagnale, a member of your corporate pen testing team, or even a shady figure in a black hoodie hunched over a keyboard or dropping USBs in the parking lot. At the very least, you might get the sense that whoever they are, they’re out to trick you in some way (and maybe gloat about it).
Because I’ve had the privilege of having an interesting professional life, I can speak to both perspectives. I was a counselor for many years, dealing with clientele issues ranging from test anxiety all the way to suicidal ideation. I’m currently a professional social engineer, doing my best to provide safe but realistic security testing to our clients. In addition, I confess to owning a number of black hoodies. On the surface, these two professions have absolutely nothing in common. In the most extreme cases, I think that’s probably true. But I also believe there’s common ground that the best of you folks can use to up your security testing game.
Sith or Jedi?
Professional social engineers come from many walks of life and like most people, range from Sith to Jedi and everything in between. This newsletter is mostly directed to you Jedi types, who are interested in helping as opposed to humiliating your targets. Here’s the deal. Being a Sith is easy. If you want to trick, threaten, blackmail, or enrage your population into taking an insecure action, welcome to the noob zone. It takes very little skill or knowledge, and rarely any finesse – just a working knowledge of what buttons to push. I’ll even put it out there that there are some instances (for example nation-state action) in which this type of SE is warranted.
But I believe the vast majority of you are the hard-working SE testers who work in the trenches with your populations with the goal of always hardening the human firewall. Your work is difficult because you’re working with people, not things. They have good and bad days, personal issues, insecurities, and all of the rest of the baggage that comes from being a human. Your job is to understand how this affects their decisions and determine what to do about it.
Just like counseling
Did you read that last sentence? Because that is exactly the same thing I did with my clients when I was a counselor. So to summarize, both counseling and Jedi-style SE consist of:
- Understanding how/why people make decisions
- Determining the best course of action
Let me be the first to tell you – the concepts are simple. But implementation is not always easy. Since this newsletter is about the “how”, let’s start pulling all these threads together. Let me start with my counselor hat on.
Since ROI is important to everyone, including counselors, people have studied the efficacy of various therapeutic approaches a number of times. What they have found consistently is that the method used is far less important than the quality of the therapeutic relationship as a predictor of success. In other words, the therapists who connect with their clients are much more likely to be able to influence them into positive outcomes. In English, please? People want to say yes to people they like!
What does that mean to the social engineer?
I think one of the first steps to putting this all together is deciding what kind of relationship you’re going to have with your population. If you’re okay with them playing the Imperial March every time you show up in their office, understand that your sphere of influence won’t last much longer than when you leave the area. Punishment only works when it’s immediate and severe, and the behavioral change is rarely lasting. What you may be teaching, instead, is how to get around the system as opposed to how to be safe. And trust me; if your population doesn’t like or trust you, you have about a 0% chance of taking advantage of any teachable moments.
The best and brightest security professionals I know understand the value of developing real knowledge of their populations through (gasp) relationship development! Since many of us in this trade aren’t exactly renowned for our people skills, let’s spell out what that means.
The following are a few things for you to consider in developing a great working relationship with your population. For you linear types: better relationships = better understanding = better results. I wasn’t a math major, so bear with me on this one.
Develop rapport – simply put, connect with your population. Find things that you have in common, even if it’s just the desire to keep them safe. Good rapport is powerful. People are more likely to give you usable information, and in turn, are more likely to listen to your security messaging. Robin Dreeke has a great publication that breaks the large and vague concept into 10 easily digestible techniques.
Have empathy – being fooled and tested isn’t generally fun, especially in a work environment. So being able to place yourself in your population’s shoes and understand their experiences and challenges can go a long way towards figuring out why they do the things they do. I’ve found that empathy is one of the first things that goes by the wayside when times get tough. You can’t just care when you have time or it’s convenient. People know the difference, and there is nothing more destructive to a security program than an adversarial relationship in which the population knows you’re more interested in “pwning” them.
Active listening – what are people saying? Is it the same as what they actually mean, and how do you know? Active listening is actually quite a bit of work, but there are a number of ways to learn to do it better. Last month’s newsletter was a team effort in which we discussed the concept and shared our best tricks and tips.
Suspend that ego – people are experts in their own experience. If you really want to know what’s going on in your population, you need to be able to put away what you “know” and be willing to learn from someone else. If you think that sounds hard, you are absolutely right, especially if part of your professional (or personal) identity is tied up in being an expert. But being willing to learn from someone else could provide you with critical information and lead to unique solutions. By the way, if you learn to do this well, you will be amazed at how well this improves your ability to develop rapport.
So there you have it, my friends. There IS an intersection of skills between counseling and SE, and I believe that mastering that common area is the right road to a solid security program. Don’t get me wrong. Good relationships are a lot of work. But what I hope you find is that learning to do this well in a professional environment will help you be very good at your job.
Have fun, make new friends, and make good decisions!!!
Written By: Michele Fincher