Tactics that incorporate social engineering can be highly effective at bypassing security controls. Perhaps we are vulnerable to social engineering because of the traits and behaviors that allow us to quickly make decisions that sometimes turn out to be wrong. It’s important to study and understand such persuasion approaches, so we can adjust defenses appropriately. Yet, such research needs to be conducted in a responsible and ethical manner.
As a society, we’ve been fascinated with the ability of some people to persuade others through language. In the context of scams, such skills have been exhibited by con artists, who are able to persuade victims into taking actions against their own interests. I dislike the term “con artist,” because the reference to art seems to glorify the practice of defrauding people and organizations.
Similarly, social engineering, when employed to someone’s determent or without permission is a scam—not an opportunity to show off one’s persuasion prowess. Just because it’s possible to influence someone to give up sensitive data, grant access to a system or otherwise aid the social engineer’s objective doesn’t mean that the social engineer should take advantage of this vulnerability.
We’re all vulnerable to social engineering. Researching such practices in a responsible manner can help strengthen defenses against attacks that target humans through influence and persuasion. Yet, we should be careful not to forgo a sense of ethics when employing social engineering to test defenses. Remember, the difference between any security assessment and a malicious attack often merely amounts to permission.