Every attack exploits a weakness. In warfare, it might be a weakness in defense technology, troop morale, or inferior numbers. In computer attacks, the weaknesses are in design, implementation, configuration, procedure, and proper use of technology. Risk analysis is a process by which to identify those weaknesses and mitigate them in a cost-effective way. It is rarely possible to cancel out all risks. In social engineering, it is never possible. The weakness here is the frail human psyche. As an aspiring social engineer, you must concentrate on two areas in order to hone the effectiveness of your attacks.
First, you must develop the ability to feel comfortable around people and to make other people comfortable around you. This can be as simple as smiling, or as complicated as advanced rapport-building skills. Rapport is a state in which you feel strongly connected to another person, begin to like him, and feel that you have many natural similarities. The Merriam-Webster dictionary defines rapport as "a relation marked by harmony, conformity, accord, or affinity." This state is achieved by matching verbal (what you say) and nonverbal (how you say it) components of human interaction. In a state of rapport, other people will like you more and will like what you say more than if you just blurt it out. They will tend to think you have their best interests at heart, since they perceive you as so much like them.
Second, give some thought to the state of mind you should be in while carrying out a social engineering performance. This question might sound irrelevant, but consider this analogy: would you launch an attack on a system from a machine that runs out of memory and has a slow hard drive, a faulty CPU, and a blinking monitor? Why run a social engineering attack while stammering, distracted, and with a confused look on your face? Focusing your state of mind is crucial for effective social engineering.
If you are in the proper state of mind, your language flows more easily and you can establish rapport. You sound more convincing and you get the information you want faster. Moreover, it is likely that this equanimity will spill over onto your targets, creating a relationship that can later be used to elevate privileges or to achieve other goals.
Finally, social scientists have summarized several "weapons of persuasion" that we can use for social engineering. Dr. Robert Cialdini, a leading expert on persuasion and influence, has defined six conditions that launch automated subroutines in people. These subroutines, or shortcuts, can be used to deal with complicated interactions in everyday life. They include:
These concepts merely scratch the surface of psychological persuasion and its use in social engineering. Even more advanced manipulation techniques exist. If you think this material is purely theoretical, you will be surprised to learn that at least one celebrated hacker was formally trained in these advanced influence techniques by the famous persuasion trainer. Others are sure to follow.