Security BSides Las Vegas is so close now, you can almost taste the dry desert air and feel your eyes and sinuses drying to a crisp… Ah, Vegas!
With that image in your mind, it’s time to get on with the very last of the sessions we will be previewing before next week’s show.
Previously we covered sessions about OMENS, how to have Fun with WebSockets Using Socket Puppet and Open Source Penetration Testing and Forensics.
We also learned about Vulnerabilities in Application Whitelisting, Honing Communications Skills, Baking Assurance into Software, Using Machine Learning to Support Information Security, and a workshop Introduction to Wireless Pen Testing and Assessment.
Earlier this week we took a look at a session titled Stop Shooting Blanks – No Magic Bullets in Your Arsenal.
Now for our final session on social engineering called Diamonds, Fitness and Cults: Manipulation for Fun and Profit, which is being presented by Kati Rodzon (@krodzon).
Why is the diamond a sign of love and devotion, and why do baseball players always step over the first base line? Rodzon says these are both examples of how small manipulations can make changes in the behavior of millions of people.
Rodzon will use her extensive background in the behavioral sciences to demonstrate just how easy it can be to social engineer people and affect their behavior to your advantage – and changing behavior is much easier than you might think.
Rodzon, Manager of Security Behavior Design at MAD Security, has spent nearly a decade studying human behavior modification, exploring the power of social pressure on groups and analyzing the ability of contingencies – reinforcement and punishment – to change behavior.
When she is not measuring an organization’s culture and making a customized behavior modification plan, she helps with everything from curriculum development to creating effective social engineering tools and testing scenarios for MAD’s penetration testing team.
Rodzon says her BSidesLV talk is essentially a history lesson on social engineering operations conducted on a massive scale.
“While the case studies will be humorous, like how Americans got suckered into believing diamonds are the symbol for love, it is important for every individual – as well as company – to understand how the same tactics have worked over generations and across cultures,” Rodzon said.
Rodzon says it should be no surprise that humans are very predictable in their behavior and can be easily manipulated when social engineering techniques are applied correctly.
“With the rise in malicious social engineering, it’s very important for us to become more aware of the mechanisms that allow these successful attempts at manipulating us,” she said.
“By gaining more insight into social engineering history, we can notice the patterns, pick out the successful techniques, and use them to our advantage today.”
The information she will present in her session is generally good for everyone to understand, whether as individuals applying the techniques in their personal lives, or as members of a large population within an organization.
“Knowing how efficient techniques can change anything from taking up a simple habit to getting 20,000 users to stop circumventing security policies by using unsecured cloud software is something anyone can use,” Rodzon said.
“Everyone can agree that improving employee productivity and behavior is going to be an asset to any size team, and implementing advantageous behavior modifications can greatly impact the success of an organization overall.”
Aside from presenting an entertaining look at historic mass-manipulation events, Rodzon says the audience should walk away from the session with at least a handful of proven techniques that they can use on their friends and families, their dog, or even on large groups of people in order to influence them to do almost anything.
“This can be beneficial in all facets of life, from implementing a new exercise regimen to ensuring all the members of an enterprise understand the importance of learning about social engineering,” Rodzon said. “All rely on the same skills and concepts that can be used to program people’s behavior.”
While behavior change is rather simple, Rodzon says that if it is not conducted with care it can create even bigger issues than the ones you were seeking to solve in the first place.
“People often react as a group and easily give into social pressure, and that’s important to realize when attempting to alter the way someone thinks or feels,” Rodzon said. “The art of training is a constantly moving target, and keeping up with the latest techniques can prove to be challenging, if not more challenging, than keeping up with the latest 0-day attacks.
“So we will also be going over the cautionary areas of behavior modification to ensure that you don’t end up training your dog to use the fridge as a buffet, when you just wanted them to fetch you a beer.”
Rodzon adds the caveat that being human does not necessarily qualify you as an expert in human behavior, and so more research, practical experience and continued learning on the subject would be required to master social engineering and behavior modification techniques.
“Just like defending against attackers, behavior modification is a dynamic topic, and security professionals will need to keep the ball rolling by carrying out more studies in order to provide reliable and durable information to create more awareness on the topic.”
- Wendy Nather: The Best CISOs are Social Engineering Masters
- Game of Pwns: Syrian Electronic Army and Information Warfare
- Malicious QR Codes – Where’s the SeQRity?
- The Misinformation Age & Social Media Engineering
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock