The Need for Ethics When Researching Social Engineering

Tactics that incorporate social engineering can be highly effective at bypassing security controls. We may be vulnerable to social engineering because of the very traits and behaviors that let us make decisions quickly, decisions that sometimes turn out to be wrong. It's important to study and understand such persuasion techniques so that we can adjust our defenses appropriately. Yet such research needs to be conducted in a responsible and ethical manner.

As a society, we’ve been fascinated with the ability of some people to persuade others through language. In the context of scams, such skills have been exhibited by con artists, who are able to persuade victims into taking actions against their own interests. I dislike the term “con artist,” because the reference to art seems to glorify the practice of defrauding people and organizations.

Similarly, social engineering, when employed to someone's detriment or without permission, is a scam, not an opportunity to show off one's persuasion prowess. Just because it's possible to influence someone into giving up sensitive data, granting access to a system or otherwise aiding the social engineer's objective doesn't mean the social engineer should take advantage of this vulnerability.

We're all vulnerable to social engineering. Researching such practices in a responsible manner can help strengthen defenses against attacks that target humans through influence and persuasion. Yet we should be careful not to forgo a sense of ethics when employing social engineering to test defenses. Remember, the difference between a security assessment and a malicious attack often amounts merely to permission: explicit, documented authorization from the organization being tested, covering the people, systems and pretexts that are in scope, obtained before the engagement begins.

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.