A Salesman's Guide to Social Engineering B-Sides London Edition
AGENDA● Introduction and Bio● What is Social Engineering?● A Talk about Sales? What the Hell, you said Social Engineering?!?● Profile? Process? Why not both!● Defences against Social Engineering● The Mystery Security Test● Recap● Q & A Session
BIO1st Masters Degree comprising of Psychology andEconomicsWorked as:-● Regulated Financial Adviser● Sales Manager● Sales TrainerEthical Hacking student at the University of Abertay,Dundee, Scotland..
What is Social Engineering?● Online definition:- The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection● My definition:- Bypassing the human firewall/intrusion detection system. Hacking the human mind.
Sales? But you said Social Engineering!● Terms are not mutually exclusive● Salesman == Social Engineer ● Good salesmen use a degree of Social Engineering Skills ● Bad salesmen dont● Social Engineers HAVE TO be good salesmen● Selling Concept ● “I want you to buy the concept I belong here” ● “I want you to buy the concept I need your username and password”.
Sales? But you said Social Engineering! The Master Salesman The Master Social Engineer● Recognises that each and every customer ● Recognises that each and every social and sale is different engineering attack is different● Can play different roles ● MUST act out a number of different roles● Uses a variety of questioning techniques ● Uses a variety of questioning techniques● Recognises that NO doesnt mean NO. Objections are good ● Isnt phased by objections and can recognise a programmed response● Is comfortable with awkward silences (Gavs Golden Rule, Know When to Shut ● Is not only comfortable with, but Up) appreciates, awkward silence● Will ask for repeat business, and ● Knows that one target won over can be referrals to other customers. used to win over other targets, or help provide a quick getaway..
Profile? Process? Why not both! DISCLAIMER● This is what I use, because it ● Works for me ● Made me plenty cash ● Has transferred smoothly to social engineering YOU MAY NOT AGREE WITH EVERYTHING THAT FOLLOWS● We are all entitled to our opinion.
Profile? Process? Why not both! Sales Process(1) Prospecting the target(2) Initial Contact and Needs Identification(3) (Sales) Presentation(4) Close(5) Objection Handle Steps 3 to 5 are circular can be repeated as often as necessary.
Profile? Process? Why not both! (1) Prospecting the Target(1) Know your target ● Profile without direct contact ● Google ● Maltego, etc(2) Know your limits (Backward planning) ● Salesman - QUANTITY ● Social Engineer - PERFORMANCE.
Profile? Process? Why not both! Simple Personality Test for a Salesman (or Social Engineer!)● Based on two of four areas examined by original Myers-Briggs test What we need to know – Sales 101 ● What theyll actually listen to ● How they make decisions based on what youve just said What we dont need to know ● If they are an Introvert or an Extrovert ● How they handle issues DANGER!● Further apart on the scales – Less likely to be compatible.
Profile? Process? Why not both! But Gav, how do I reel em in? What theyll actually listen to Sensor Intuitive● Needs to try things out first and ● Trust the gut first and look at the pays attention to the finer details. big picture. Detail can wait. Focus on one day at a time. ● Will ask you Why?● Will ask you What? and How? How they make decisions Thinker Feeler● Driven by facts, logic and reason. Will go with what the facts suggest ● Driven by their feelings as opposed to just hard evidence even if they dont like it● Balance pros and cons for them ● Appreciates alternative options and viewpoints● Very task focussed ● Very relationship focussed.
Profile? Process? Why not both! And this means what exactly?● Sensor-Thinker (Thinker)– Give them the facts then go though, step by step, why they should buy from/help you ● Facts then Logic● Sensor-Feeler (Feeler)– Stick to giving them the facts, but show them how what you have told them will affect the people involved (including them) ● Facts then Feelings● Intuitive-Thinker (Controller)– Will want to know what the bigger picture is, but will expect a range of well thought and presented options to deal with it ● Overview then Logic● Intuitive-Feeler (Entertainer)– Give em the big picture and then show how all the pieces fit together, who will be affected. Loves a story ● Overview then Feelings.
Profile? Process? Why not both! (2) Initial Contact and Needs Identification(1) Continue profiling(2) Work out needs of customer/target ● Through appropriate questioning(3) WATCH(4) LISTEN.
Profile? Process? Why not both! Questioning Techniques
Profile? Process? Why not both! What to Watch and Listen for Some Basic NLP● See as a target sees● 3 basic methods of perceiving the world ● Visual ● Auditory ● Kinaesthetic● Language is the quickest guide● Visual – I see what you mean, Youll have to watch that one● Auditory – That rings a bell, I hear what you are saying● Kinaesthetic – Lets touch base, Ive got a grasp of what you mean.
Profile? Process? Why not both! What to Watch and Listen for WATCH! RIGHT LEFT Creating Images Remembering Images RememberingCreating Words/Sounds Words/Sounds UNFOCUSSED STARE Processing Information Feelings (Usually Visual) Internal Dialogue (Words to Feelings) (Words to Sounds)
Profile? Process? Why not both! What to Watch and Listen for LISTEN! Visuals● Higher Pitched, quick talkers Auditories● Low pitch, good rhythm, smooth tone. Concentrating on sounding good Kinaesthetics● Constant pauses in speech. Tendency to be touchy- feely.
Profile? Process? Why not both! (3) (Sales) Presentation(1) Relay customer/targets needs back to them. ● According to profile ● In their language ● Features Vs Benefits ● Feature = Something the item has ● Benefit = Something the customer/target needs(2) AGREE on needs ● Ski downhill (contrast effect) ● Slight adjustments will not be noticed (heuristics).
Profile? Process? Why not both! The Contrast Effect PRESENTATION ORDER IS VITAL!!!!● Salesman - EXPENSIVE >>>>> CHEAP● Social Engineer – BIG request >>>>> REAL request.
Profile? Process? Why not both! Heuristics● The human brain has an auto-correct facility! ● “Aoccdrnig to rscheearch, it deosnt mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteer be at the rghit pclae. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe”● Not readable by a computer● What about..... ● An ID badge with slight variations ● A document with some favourable additions
Profile? Process? Why not both! (4) Closing(1) Interpret buying signals ● Verbal - “So let me get this straight, I can have it in red, or black?” ● Non Verbal -
Profile? Process? Why not both! (4) Closing(1)(2) Use appropriate close ● Assumptive or Command Close – Assume they agree and ask for the business ● Alternative Close – Give them a choice, either way, you win IDEAL TIME TO USE SOME EMBEDDED COMMANDS!
Profile? Process? Why not both! Embedded Commands● Trojans of the human mind● Subconscious processing is different● Gavs Guide to embedding (1) Pause before the embedded command (2) Talk louder at the embedded command (3) Adopt a command tonality at the command (down-turn) (4) Pause after the embedded command● Inject the command into a seemingly innocuous statement● Add a command verb (Do, get, recall, buy, etc)● Fire away ● Salesman - “By now, youll know if you want to place an order”. ● Social Engineer - “I dont expect you to let me in right away”
Profile? Process? Why not both! (5) Objection Handling● OBJECTION == FREE LOOK AT TARGETS TRAIN OF THOUGHT● Two main types of objection to deal with● Sincere● A genuine concern that must be overcome● From reasoned consideration Insincere● Masks unrelated concerns● Indicator of a far bigger objection.
Profile? Process? Why not both! Dealing with the ObjectionGAVS GOLDEN RULE – Never, ever, ever, dismiss an objection out of hand – LISTEN! Understanding statement SPIN/PEGY● Situation ● Problem● Problem ● Effect● Implication ● Give up● Need ● You FEEL, FELT, FOUND
Defences against Social EngineeringWHAT THE BAD GUYS THINK If (Weak Link == Humans) Exploit Humans Else Exploit Other StuffTHEN Y U NO!!!!!!!!!!!!!!!!!!!! Have a set framework for defending against an attack? Stop considering SE tests unethical?
Defences against Social Engineering Defence against tools of a Social EngineerAttack 1 Attack 2 Defence? Defence?
Defences against Social Engineering What about Direct attacksDefence? Problem3 Golden Rules to enforce ● Calling companies to ensure that a visitor should be here ● Calling the member of staff they are meant to be visiting ● If in doubt, ask for help, dont just assumeToo much stick not enough carrot..
The Mystery Security Test● Mystery Security Test born from personally witnessed disregard for security in financial services● Banks, and many retail outlets, are assessed under the Mystery Shopper scheme Mystery Shopper● Secret shopper who will enter a branch or outlet with a predetermined list of objectives. They will not buy, rather they decline politely, leave and submit a report to the company● Checks that the customer experience is fair across the board and that staff are providing the best service at all times. Money can be LOST based on these results● Mystery Shoppers can be internal, external and their arrival is never announced● Considered ethical.
The Mystery Security Test The Mystery Security Test● Smaller targets chosen● Secret security tester will enter branch, retail outlet, office or other unit with a list of objectives to achieve. This will include securing valuable information like passwords, key combinations, and details of non-public areas and practices● Will hold a get out of jail card like a pen-tester● Security led, this will check that customer data is safe in the hands of your employees. Ask yourself a question. Would your customer be happy with great service, but knowing their data is insecure?● Could be done internally, or externally ● A key factor in running a financial services company is that customer data is safe. The only security measure in place at the moment is fines when it all goes wrong.
Recap● Whether you like it or not, Social Engineering is a growing threat and YOU have fallen victim● We are training people daily to attack our human weaknesses● Attackers are using psychology to know what buttons to press. Do you know what personality type you are yet?● We have a false sense of security that current policies will protect us against everything● Finally we saw that while difficult, Social Engineering attacks can be defended against..
Black Hat Objection Handling The Magical Number Seven● The human brain has a number of buffers to help process incoming information. What if we could overflow them?● Millers Law:- We can store around seven SMALL pieces of information in our short term memory buffer● In reality, only 3 or 4 pieces of meaningful information● In order to fill this buffer, we can ● Supply information in awkward chunks ● Open threads of information and not fully close them● When the buffer is full, requests more likely to be dealt with directly by subconscious.