Recently I was listening to a podcast, Hacking Humans, by the team at the Cyberwire. Joe Carrigan was speaking about an article he had recently read. The article was about a study of eye movements during illusions. The specific illusion in question was one where the magician throws a ball in the air several times; on the last throw, the magician keeps hold of the ball yet pretends it is still being thrown. The person watching does not realize this, and then, magically, the ball disappears. When people are asked what happened to the ball or when it disappeared, they swear the ball was still in motion, even after it has been laid in the magician's lap.
Why does the audience still swear they see the ball even though it has disappeared? The article explains that the audience members are watching the eyes of the magician and not the ball, so when the magician's eyes continue to follow the movement of the ball, the audience is convinced that the ball is still in motion. However, once the audience members know the trick, they are no longer fooled by it.
At this point in this blog post, you, the reader, are probably wondering what this has to do with cybersecurity. Social engineering is a practice in information security in which a malicious actor uses psychology to manipulate and deceive users into revealing sensitive information. These types of attacks usually distribute malware. A social engineering attack can be carried out in multiple ways, and in many cases it has multiple layers. If you were to read Kevin Mitnick's book, "The Art of Deception," you would hear of many attacks built from multiple layers of social engineering. It could be calling a company while pretending to be from another branch in order to get a company directory, then working up from there to get in touch with the CEO, and from there sending out an email with a malicious link, and so forth. The point is that there are many ways a social engineering attack can be played out, but they all rely on deception.
The CIA had a guide on trickery and deception from the Cold War that taught agents how to deceive others in the field. One of the ways it taught to poison a drink was to light the other person's cigarette and drop the poison in their drink while doing so. The reason this works is that the person will not take their eyes off the flame. The social engineer does the same thing: they deceive you by using your fear of what is right in front of you in order to exploit another hole. The main purpose of a social engineering attack is to take your eyes off one thing while a weak spot is exploited.
Social engineering awareness training is very important, as the magician example shows. Once the audience members understand the trick, they are never tricked again. A good trainer would know the many different ways in which social engineering attacks are carried out and would help prevent them by explaining those methods and testing employees. The training must be done in a way that makes employees understand its importance, and it should be something that employees actually want to do. Once they learn how to spot the tricks, the company becomes safer.