Time: 3 hours 55 minutes
Difficulty: Advanced
CEU/CPE: 5

Video Description

In this lesson, Subject Matter Expert Dean Pompilio defines the Social Engineer as someone who influences people to take actions that may not be in their best interest. You will learn that intrusion by a Social Engineer relies on:

  • psychological manipulation
  • facial expression
  • body language
  • misdirection
  • emotional hijacking

The SME discusses why SE is performed and describes SE attacks: how and where attacks are used, who does them, how people respond, and how they result in 100 percent success in physical breaches. You will learn about categories of Social Engineers, who the "natural" Social Engineers are, and what a Social Engineer's goals are (detailed below).

Categories of Social Engineers

  • average citizens
  • governments
  • recruiters
  • posers and scam artists
  • disgruntled employees
  • identity thieves
  • spies
  • penetration testers
  • hackers

"Natural" Social Engineers

  • children
  • job seekers
  • bar patrons
  • sales and marketing personnel
  • interrogators
  • polygraphists

Goals of a Social Engineer

  • entertainment
  • ego gratification
  • entrance into or enhanced status within a social group
  • knowledge
  • power
  • social cause
  • money

Video Transcription

00:04
So as I mentioned
00:05
the actions that the target of the engineering takes
00:08
may not be in their best interest.
00:11
Going back to the idea of what I said earlier,
00:15
the human voice is the original social engineering tool.
00:18
Maybe there were some cavemen wandering around looking for food, and one convinces the other one: "Why don't you go in the cave and see if there's
00:26
any food left over from that bear that just dragged in, you know, its kill from the day before?"
00:33
The first person doesn't want to go in there. Afraid, perhaps,
00:36
but they trick the other person into doing it: "Well, if you go in there and you find some deer meat, I'll give you... you know, you can have most of it. I just want a little bit."
00:45
getting something for nothing, right? These were some of the techniques
00:48
that this social engineer might try
00:50
in the modern day and age. It could be, "If you help me out, I'll tell your boss you did a great job,"
00:56
or it could be, "If you don't help me out, I'm gonna complain to your boss and get you in trouble," right? That can go both ways,
01:02
so it's important to think about all the different aspects of our communication.
01:08
If we think about the psychological manipulation aspect, this is especially important
01:15
if you think about a skilled sales person or a skilled politician, for that matter.
01:19
They're trying to get information across which may not match their body language and may not match their physical
01:27
expressions on their face.
01:30
The words may not seem to match with what they're doing,
01:34
and typically a person who's paying attention notices these things.
01:40
So someone is, for instance, telling you something which is bad news, but at the same time they're smiling,
01:47
right? That seems strange. That shouldn't be happening
01:49
unless that person is enjoying the fact that they're giving you bad news, which could be the case.
01:55
Or perhaps someone is communicating with you and they're telling you something, and they are fidgeting. They're tapping, hopping from foot to foot, and their eyes are darting around;
02:06
that tells you that they're nervous. Maybe what they're talking about isn't something that should make them nervous, but they might be nervous anyway because perhaps they're lying. Perhaps they're trying to trick you and they can't stop their body from reacting to that stress,
02:20
so they might have sweaty palms. They might be fidgeting with their clothing, touching their lapel, playing with their ear. These are all what are called "tells" when a person might be
02:31
lying to you.
02:32
They're not guaranteed to detect a lie, but most people will notice that and think that something is not quite adding up.
02:39
Body language, facial expressions. These could be used to also help the engineer. If you're smiling when you're talking,
02:47
it kind of comes across in your voice. You sound like you're a genuinely happy person.
02:53
It helps when you smile when you talk on the phone. Most
02:55
phone telemarketers will tell you that
02:59
it helps when you're smiling. When you're talking to your target, they look at you and think, "Well, that person's pretty friendly. They must like me; they're smiling at me."
03:07
They might lower their guard. It might help the engineer get closer to the information that they're trying to elicit from that target.
03:15
But we can also do things like misdirection.
03:19
You say one thing, you do another.
03:22
An example might be,
03:23
you know, telling someone something instead of asking them
03:29
or another common technique is
03:30
you ask someone a question
03:32
and they say, "No, I don't think that's true," right? They're nodding their head yes, but they're saying no. That's a mild form, or minor form, of misdirection.
03:43
Or maybe you're shaking your head no while answering something yes. That tells the other person
03:49
that in their mind they're thinking the answer is no, but their words convey the answer yes.
03:53
that misdirection might be noticed. It might not be. It depends on how skilled
03:58
the social engineer is.
04:00
You can practice in front of the mirror.
04:02
Facial expressions especially might require some practice, you know, knowing how to show the difference between boredom
04:10
or surprise
04:12
or fear,
04:14
right? All these things have their own roots deep in our human psychology.
04:17
If you can't portray the facial expression correctly to match your words and your actions,
04:24
most likely the target will detect this and become uncomfortable, become a little bit suspicious.
04:30
So it's an important
04:31
consideration to take.
04:34
We also have the concept of emotional hijacking.
04:38
This means that you are trying to manipulate
04:41
the target into an emotional space or an emotional corner, if you will,
04:46
and then try to find a way to give them a lifeline to pull them back out.
04:51
And usually that lifeline is information that the social engineer wants.
04:56
You could first try the authority approach.
05:00
You know, you call your target up. You say,
05:02
"I am, you know, Jim Smith. I'm the assistant to the vice president of the bank. I need this report
05:12
completed today, but I can't do it, because I can't get into my computer. I need you to help me reset the password."
05:17
"Oh, I'm sorry. We can't reset the password until you prove your identity." "No, you do understand. This has to be done right now. If you don't help me, I'm gonna have to call my boss. He's gonna call your boss. You're gonna get in a lot of trouble. You're probably gonna end up with, you know, a meeting with your boss where he's gonna be very upset because I didn't get this done on time."
05:36
So there's a subtle bit of intimidation there. You're trying to force the person into a corner,
05:44
and then they say, "Well, you know, okay. What if I help you? What is that gonna do for me?" "Well, if you help me, I'll tell your boss, or I'll tell my boss to tell your boss, that you did a fantastic job helping me out in my time of need.
05:59
He's gonna give you a great recommendation that's gonna go in your file. You're gonna look good to your boss. Maybe that'll help you get a raise someday." You can see how that could play out. I'm giving a very short example,
06:10
but a skilled social engineer might come up with a much more elaborate story to make that person feel like they've got no choice but to help
06:17
in that situation.
06:18
If we consider social engineering attacks, we look at the news, we follow these kinds of stories. We know that very many people in different organizations are victims of these kinds of attacks.
06:31
Look at Edward Snowden, for instance.
06:34
He was able to socially engineer his fellow employees at the NSA, of all places.
06:40
Those people should have known better.
06:42
He tricked them into giving him access to information that was classified that he didn't have access to
06:48
by his own admission. That's what he said he did.
06:51
I don't know what happened to those employees that gave up the information. They probably got
06:57
into some sort of trouble,
06:59
but he was obviously very skilled at creating a level of trust.
07:04
And he probably used appropriate language and body language and facial expressions to make them think it was no big deal: "Hey, you know, I used to have access to this, but it went away. Can you help me out? Can I get this document from you?" Whatever the scenario might have been. If you were to ask random people for information, you know, on the street,
07:24
sometimes people will tell you things that they probably shouldn't,
07:27
or if you perform a function where you're asking people to take a survey,
07:32
you might be able to get them to give you their first name, their last name, maybe their birth date.
07:38
Perhaps you could even trick someone into giving you their social security number, their driver's license number.
07:43
All these are little clues, little pieces of info, which could be useful for not only something like identity theft. Obviously, hackers do this,
07:50
but for social engineering: you're getting clues to help build up a profile of this individual or the organization that they work for
07:58
in order to perpetrate your social engineering test
08:03
or a social engineering audit.
08:05
Physical breaches
08:07
Pen testing or social engineering testing can bypass physical security in many cases. As I mentioned, I used the example of a dumpster dive,
08:16
but it doesn't have to be that you're physically there. You could
08:20
penetrate physical barriers because they're not stopping you from using the phone or from talking to somebody outside the building.
08:26
So some of those things might be useful for certain scenarios.
08:31
If you look at some categories for social engineers, we have things like your average citizen, right? Mom and Dad have to talk to their kids,
08:37
trying to convince your children to do something and make them feel like it's their idea. That's the ultimate goal of any parent, right? That way the child does the required behavior without feeling like they're being bossed around by Mom and Dad.
08:52
But average people talk to their friends, their family. They might be social engineering someone without even realizing it, because it's just a natural part of how humans communicate.
09:03
What about governments,
09:05
or recruiters?
09:07
Recruiters in the sense of a job recruiter? Sure, but what about someone who's trying to recruit you to do something that you don't necessarily want to do?
09:15
Join a club. Join the military, maybe.
09:18
Governments social engineer their citizens. They try to sell them on a certain idea, and then really, something else happens. But their body language, their facial expressions, they're smiling when they say these things, and people believe it.
09:30
And then later they find out, well, that wasn't quite true, the way it worked out.
09:33
It's just a reality of life in this country and many other countries.
09:37
Social engineering happens at the highest levels. We have scam artists and posers. These are obvious people that will try to trick you out of giving them money or doing something for them. Usually you meet these kinds of people in bars or on the street, or in some other place where you don't expect to be scammed, like the grocery store.
09:58
There are legions of these people operating all over the world, and they have been for thousands of years. There's nothing new about this.
10:05
Disgruntled employees.
10:07
These most likely would be the victims of social engineering rather than the people performing it, but they could be performing it as well.
10:16
Maybe they're upset that their boss passed them over for a promotion, so they try to learn enough information to embarrass that person.
10:22
That could be a form of social engineering.
10:24
They're gonna quit the company anyway. They might think, "Well, I'm not gonna get in trouble. I'll uncover some information about my boss that I don't like,
10:33
put that information out into the public, and then I'll quit my job." Right? That happens. Sometimes people do these things. It might be a petty form of revenge, but it does provide the social engineer with some gratification. Why did they do it, right?
10:48
Identity thieves. This is their bread and butter. Social engineering is how they find victims, how they trick the victims and otherwise get information in order to steal their identity, to open up
11:00
credit cards or whatever the case might be.
11:03
We also have spies.
11:07
For spies, this is also their bread and butter. Every day they have to think about maintaining a persona, maintaining
11:13
their profile, their facts, keeping their stories straight.
11:18
It's a very stressful job, obviously, so they have to become very practiced at many of the techniques that we'll talk about in this course.
11:24
We also have pen testers and hackers.
11:28
This course is designed, obviously, for pen testers.
11:31
You could use this information to do bad things as well. That's the case with any kind of pen testing technology,
11:37
but what we'll be focusing on is
11:39
social engineering from a pen testing perspective.
11:43
If you use these techniques for bad purposes, eventually that may catch up with you. If you break the law, you'll have to pay the price. So be careful how you use these tools. With great power comes great responsibility.
11:56
All right. So who are natural social engineers?
11:58
Children? Top of the list, right?
12:01
"Mommy, can I go out and play?" "Why don't you go ask your father?"
12:05
All right, that's a typical response. The child goes and asks Dad: "Mom said it's okay if I go out and play, if you say it's okay."
12:13
Now Dad has an incentive to want to agree; he doesn't want to appear to be disagreeable with Mom,
12:20
so he might agree and give the child what they want.
12:24
And, of course, children at a very, very young age will figure out which parent is more likely to say yes,
12:28
and then they'll try to use that parent's yes to get a yes out of the parent that's most likely to say no.
12:35
I'm sure I did this when I was a child. You want ice cream, you want cookies, you want to go out and play, you want a new toy.
12:41
You find a way to maneuver around your parents' different personalities in order to make that happen. It's very common, and it's natural. It's normal.
12:48
People that are looking for jobs,
12:50
They might have to do some social engineering
12:54
in order to get the right information out of the potential employer or recruiter
12:58
or their fellow coworkers,
13:01
trying to learn: What skills do you think are most valuable? What is it that you've been learning
13:07
to make yourself more marketable?
13:09
Those are elicitation methods, perhaps.
13:13
Then we have people that are hanging around in bars. This is a good category of social engineer because there are lots of parlor games, if you will: people that will make bets knowing that the game is fixed, you know, doing three-card monte, any number of those kinds of activities.
13:31
These are forms of social engineering, because you're trying to trick somebody into doing something that they wouldn't do
13:35
by making it look fun, making it look like they might win some money. And really, what you want is the money that they're willing to bet, which goes in the scam artist's pocket.
13:45
It doesn't necessarily go to the victim. People that are in sales and marketing, they were born to social engineer. This is what they're made to do. If they're good at it, they could become very successful salespeople
13:58
because they can look at a target,
14:00
read their body language, read their attitudes, listen to their words, read their facial expressions,
14:05
and they figure out how to adapt and how to modify their technique in order to enhance their chances of making that sale.
14:13
If you're an interrogator or someone running a polygraph machine,
14:16
maybe you've got some techniques that you need to use in order to get information out of the person that's being interrogated or is going through a lie detector test.
14:26
The questions that are asked, the way they're asked, the way they're framed,
14:30
the elicitation techniques. All these have their impact on the eventual result of the pen test or audit.
14:37
Or, in the case of some of these people, on the end result of how they do their job.
14:41
People that are good at this could be very successful.
14:45
So in a general sense, why is social engineering performed? I've been talking about pen testing reasons.
14:50
So if you're trying to find vulnerabilities in an organization, maybe their physical security is vulnerable, maybe their security awareness program is not very good.
15:00
And a social engineer can find those holes, find those gaps
15:03
and
15:05
get information that they shouldn't be able to access in order to prove that there's a need for improvement.
15:11
If you're defending against
15:13
social engineering in your organization in general, you've got many people defending against many
15:18
hackers or social engineers.
15:22
If you're performing it, if you're on the offense, that is one to many: one engineer potentially interacting with many different individuals in order to get the information that's desired.
15:31
In general, people,
15:33
as a human nature aspect, will always try to look for
15:37
the path of least resistance to get something. They're looking for shortcuts, looking for the easy way out.
15:43
And this could be
15:46
an
15:48
impetus, if you will, to do social engineering. You might not think to yourself, "Well, I'm gonna socially engineer myself into a better
15:54
job at work."
15:56
But it might work out that way. You're maneuvering. You're saying certain things to certain people, doing certain favors for other people, trying to build a reputation, trying to build up rapport, and that could be later exploited in order to get what that person wants.
16:10
And, of course, if you're practicing
16:14
social engineering techniques because you're doing a fantastic about two, you need to work with your family and friends and just
16:21
don't tell them that you're practicing. Just do the practicing.
16:23
Talk to your mother, talk to your brother, talk to your best friend, whatever it is,
16:27
and just practice a few techniques. It's harmless because maybe you already know that you trust this person. They trust you. You're not using the information for a bad purpose, but it gives you the advantage of having more experience before you attempt it on a live target.
16:42
What are the goals of social engineering? What is it you're trying to achieve? It could just be entertainment,
16:48
right? The person that's doing this, maybe they have a large ego. They want to satisfy or gratify that ego
16:55
so they do it just because it's fun for them to trick someone into doing something that they didn't want to do. They stand back and watch their target
17:03
make a fool of themselves, perhaps because the social engineer made them think it was a good idea.
17:07
Some people get their kicks that way. Those are not very nice people, in my opinion. But that happens.
17:14
It could also be that you're trying to
17:17
do what's known as social climbing, right? People that are
17:22
maybe they come from a blue collar background, but they want the lifestyle of the rich and famous,
17:26
so they might socially engineer their way into a group that contains some wealthy people, hoping to find targets within that group that they can use to leverage access to other people that have money and
17:40
a lifestyle of leisure. That might be what they're after, and they can find a way to
17:45
trick people into letting them into that inner circle.
17:48
That's a form of a scam artist type activity, but it makes sense if we think about it in a social engineering context.
17:55
Some people just want the knowledge and power that comes from being able to size up a situation and say the right thing or do the right thing to get something for your effort.
18:07
And that could feed back into the ego gratification that I mentioned earlier.
18:11
But it could just be that you want this knowledge and power because it advances your agenda to do something else. Maybe you've got a social cause that you're trying to promote,
18:21
and social engineering techniques can help that.
18:23
Or it could just be they're trying to make money, the good old-fashioned motivator of dollars and cents. That goes a long way to get people to do something that they know is wrong and know is illegal, but it's easy for them, so they do it anyway because they can make money.
18:38
It's a good motivator.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor