A best seller from the 1930s provides timeless social engineering insight for security professionals.
I want to thank Kevin Mitnick, Ira Winkler, Bruce Schneier and Michael Santarcangelo for bringing to light the challenges we face with social engineering. In their books and talks, they remind us that despite cool new tools and technologies, humans will always be the weakest security link and prey for fraudsters.
However, the best book on social engineering has nothing to do with security and was first published in 1936: How to Win Friends and Influence People by Dale Carnegie. It should be required reading for every security professional.
His message is invaluable on many levels: "When dealing with people, let us remember we are not dealing with creatures of logic. We are dealing with creatures of emotion, creatures bristling with prejudices and motivated by pride and vanity."
Carnegie didn't write his book for con artists, but if you put your black hat on you will see how his advice could readily be used by today's nefarious social engineers:
- "There is only one way...to get anybody to do anything...and that is by making the other person want to do it." A person wants to do something either out of a desire to feel important or out of a desire to avoid future pain, Carnegie wrote. That's social engineering in a nutshell: the attacker manufactures the want, either by flattering the target (you're the only one who can help) or by frightening them (act now or something bad happens). What's nice is that Carnegie also supplied the antidote: beware of flattery.
- "Bait the hook to suit the fish." A social engineer customizes the message and the method to the person and the circumstance, and two techniques from the book help them do it: (1) arouse in the other person an eager want, and (2) talk in terms of what the other person wants.
- "Dramatize your ideas." We've all seen the virus warnings in email that practically scream, "As reported on CNN!" or "You must forward this!" A simple rule: if a message is working hard to evoke an emotion, whether fear, urgency or flattery, treat it as a probable con. Don't act on it or forward it; verify the claim through a channel the sender doesn't control.
Now wait, there's more. In addition to providing insight into the tactics used by the modern Internet fraudster, Carnegie's tips on how to lead and influence others can help build support for security initiatives. Put on your white hat and try using some of these techniques; I guarantee your security program will flourish.
- "Become genuinely interested in other people." We need to understand the points of view of our clients. Yes, those trouble-making users are actually clients of your security program. By understanding where they're coming from, you'll better understand where you need to go.
- "Be a good listener" and "Show respect for others' opinions." People want to do the right thing and they'll often tell you what that is if you let them. My goal in meetings is to not say a word. I like it best when others speak for me, telling me the best way to secure our organization. I just sit there and nod and they make it happen.
- "Begin with honest appreciation" and "Start in agreement." Our job in security (or audit) isn't to find fault and constantly point out what's wrong. It's to ensure our organizations have protection appropriate to their risk. So, as Blanchard and Johnson advised in The One Minute Manager, catch people doing something right rather than something wrong.
Who knew that a self-help book from the Depression era could arm a security professional with such useful knowledge? Take some time to learn a little psychology and people skills, and see the difference in your security program.