For this, we must make a considerable mental effort, but as we always prefer to save, we use economic and rapid decision-making methods: heuristics, shortcuts, intuitions, which usually have not very nice consequences. When our cognitive abilities are overwhelmed, our brain loses its effectiveness and can be easily deceived, abused, confused, distracted or manipulated.
Here are some brain biases that are very easy to apply into the field of IT security and are quite useful for influence or attack.
Then, we socially reject ingratitude. When someone has helped us with the suitcase or has cleaned the windshield, even without our having requested it, we tend to give a tip. And this easily leads to the trap of small concessions: if someone frequently invites us or gives us small favors, even if we have never asked for them or wish them, we cannot avoid saying “yes” when that person later asks us something, no matter how big it is.
Share all the information available with people in your environment | Image from Wall Street International.
Necessity of association: We imitate what everyone is doing. Somehow we think that, if everybody does it, it should be fine, especially if they are similar to us. This can be exemplified in the marketing of many products: “10 million readers cannot be wrong” or “150,000 copies sold”. We follow this behavior rule from children, imitating the behavior of our parents, teachers, classmates and friends. That is why individuals in the same group tend to behave in a similar way.
This behavior emerges with greater force in uncertain situations, where it is not clear how to react. In this case, the behavior of the group is systematically considered. If you want someone to do something for you, show them how many people have done it before.
Attack: You receive a call from a person who claims to be doing a survey and mentions the name of other people in your department who have already cooperated with him, previously investigated. Believing that cooperation of other people validates the authenticity of the petition, you agree to participate. The attacker proceeds to ask a series of questions; after that he can trick the victim and ask for usernames and passwords, internal addresses of servers, etc.
Countermeasure: Check the evidence provided and never validate the judgment exclusively on the behavior of others.
Commitment: Once a decision has been made, we act in a consistent approach with the commitment made. Consistency is seen as a moral force, as a praiseworthy quality. When a person gives its word and sticks to it, we perceive it as trustful and honest.
Once we have committed ourselves to something, we do not want to appear inconsistent or untrustworthy and we tend to comply with our given word. In fact, our commitment is stronger when it is made public and apparently coming from an internal motivation, in other words, when we believe that it has come from our brain without any kind of influence.
This commitment leads to stupidly absurd behaviors like ending up watching a movie in the cinema because “I paid the entrance”, ending a book because “I always finish what I start” or in a restaurant eating a dish that we didn’t like just because “I’ve asked for it.”
Attack: The attacker contacts a newcomer to the organization informing him of the need to comply with the security policies and procedures, in order to access the company’s information systems. When the victim has committed to comply with all the rules and to do everything that is requested, the attacker can demand anything with the excuse of following a security procedure, which the victim will surely accept.
Countermeasure: Always test the commitments made and analyze new situations to make decisions in the future.
Authority: You tend to listen and follow directions from someone in a position of authority. We absolutely trust experts under any circumstance, even though these experts make recommendations on matters that do not correspond to them. If Stephen Hawking advised on the dangers of Artificial Intelligence, it had to be taken very seriously, despite his expertise only in Theoretical Physics. Of course, we need to delegate to experts. T
he problem arises when an attacker exploits our good faith in authority, using its appearance supported by titles, badges, or any symbolism.
Attack: The attacker pretends to belong to the IT department or to be an executive of the company, cloning a fake badge or any stratagem that validates its authority lowering automatically the defenses of a victim.
Countermeasure: Ask yourself, is this person a real expert? Can I trust him?
Never let yourself be guided by appearances | Image from Wall Street International.
Preference: We tend to say “yes” to people we find attractive, or to people who flatter us. We like the people who adulate us. The more you flatter ‘correctly’ a person, the easier that person will say yes to anything.
Even if you are aware that the compliments are not sincere. Also, there is an effect very related to the preference, named as “halo effect”, that is, to associate all types of positive characteristics to attractive people. We perceive attractive people as smarter, friendlier and more capable. In short, the more attractive you show yourself, the more persuasive you become.
Attack: The attacker pretends to share the same interests as the victim. He seeks to find an emotional connection to awake positive feelings, so his victim will have no guard against him, if he decides to attack in some way.
Countermeasure: Never let yourself be guided by appearances.
You do not have to be an expert to carry out social engineering attacks, so there are no computer systems to help us prevent these situations. Network security does not depend on software, but on the ability of users to protect themselves using purely common sense.
Therefore, we are the only ones responsible of knowing how to properly interpret the security policies and enforce them. Additionally, I add these last relevant points for the prevention of social engineering attacks:
- Well-founded suspicions: Never fall to anything that look suspicious, regardless of how promising the benefits may seem. Promises too good to be true are just that, simple promises.
- Fear is not an option: Do not be intimidated by threats. Many criminals use the element of surprise to frighten and lead us to do something that, under other circumstances, we would not do. It is always better to ignore the frightening tactics.
- Sharing knowledge: Share all the information available with people in your environment so they are more protected. Do not let them fall into the trap of cybercrime.
- Prevention is better than cure: Invest in effective training for your own benefit. Explore and use the built-in security features of the sites and web pages you visit frequently. Some sites, such as Facebook, provide information on the latest threats and tips, which will allow you to surf safely online.
Fernando Velázquez is a cryptographer, cybersecurity professional, privacy consultant and writer. He is the author of several articles on general Information Security topics.
He is the founder and Chief Technology Officer of Shield CyberSpace Boundaries (S.C.B) an organization specialized in Digital Rights Management, Online Privacy, Malware Analysis, Security and Computer Science.