Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
A Salesman's Guide to Social Engineering B-Sides London Edition
1.
2. AGENDA
●
Introduction and Bio
●
What is Social Engineering?
●
A Talk about Sales? What the Hell, you said Social
Engineering?!?
●
Profile? Process? Why not both!
●
Defences against Social Engineering
●
The Mystery Security Test
●
Recap
●
Q & A Session
4. BIO
1st Masters Degree comprising of Psychology and
Economics
Worked as:-
●
Regulated Financial Adviser
●
Sales Manager
●
Sales Trainer
Ethical Hacking student at the University of Abertay,
Dundee, Scotland..
5.
6. What is Social Engineering?
●
Online definition:- The practice of tricking a
user into giving, or giving access to, sensitive
information, thereby bypassing most or all
protection
●
My definition:- Bypassing the human
firewall/intrusion detection system. Hacking
the human mind.
18. Sales? But you said Social Engineering!
●
Terms are not mutually exclusive
●
Salesman == Social Engineer
●
Good salesmen use a degree of Social Engineering Skills
●
Bad salesmen don't
●
Social Engineers HAVE TO be good salesmen
●
Selling Concept
●
“I want you to buy the concept I belong here”
●
“I want you to buy the concept I need your username and
password”.
19. Sales? But you said Social Engineering!
The Master Salesman The Master Social Engineer
●
Recognises that each and every customer ●
Recognises that each and every social
and sale is different engineering attack is different
●
Can play different roles ●
MUST act out a number of different
roles
●
Uses a variety of questioning techniques
●
Uses a variety of questioning techniques
●
Recognises that NO doesn't mean NO.
Objections are good ●
Isn't phased by objections and can
recognise a programmed response
●
Is comfortable with awkward silences
(Gav's Golden Rule, Know When to Shut ●
Is not only comfortable with, but
Up) appreciates, awkward silence
●
Will ask for repeat business, and ●
Knows that one target won over can be
referrals to other customers. used to win over other targets, or help
provide a 'quick getaway'..
20.
21. Profile? Process? Why not both!
DISCLAIMER
●
This is what I use, because it
●
Works for me
●
Made me plenty cash
●
Has transferred smoothly to social engineering
YOU MAY NOT AGREE WITH
EVERYTHING THAT FOLLOWS
●
We are all entitled to our opinion.
22. Profile? Process? Why not both!
Sales Process
(1) Prospecting the target
(2) Initial Contact and Needs Identification
(3) (Sales) Presentation
(4) Close
(5) Objection Handle
Steps 3 to 5 are circular can be repeated as
often as necessary.
23. Profile? Process? Why not both!
(1) Prospecting the Target
(1) Know your target
●
Profile without direct contact
●
Google
●
Maltego, etc
(2) Know your limits (Backward planning)
●
Salesman - QUANTITY
●
Social Engineer - PERFORMANCE.
24. Profile? Process? Why not both!
Simple Personality Test for a Salesman (or Social Engineer!)
●
Based on two of four areas examined by original Myers-Briggs test
What we need to know – Sales 101
●
What they'll actually listen to
●
How they make decisions based on what you've just said
What we don't need to know
●
If they are an Introvert or an Extrovert
●
How they handle 'issues'
DANGER!
●
Further apart on the scales – Less likely to be 'compatible'.
25. Profile? Process? Why not both!
But Gav, how do I reel 'em in?
What they'll actually listen to
Sensor Intuitive
●
Needs to try things out first and ●
Trust the gut first and look at the
pays attention to the finer details. big picture. Detail can wait.
Focus on one day at a time. ●
Will ask you 'Why?'
●
Will ask you 'What?' and 'How?'
How they make decisions
Thinker
Feeler
●
Driven by facts, logic and reason.
Will go with what the facts suggest
●
Driven by their feelings as opposed
to just hard evidence
even if they don't like it
●
Balance pros and cons for them
●
Appreciates alternative options and
viewpoints
●
Very task focussed ●
Very relationship focussed.
26. Profile? Process? Why not both!
And this means what exactly?
●
Sensor-Thinker (Thinker)– Give them the facts then go though, step by step, why
they should buy from/help you
●
Facts then Logic
●
Sensor-Feeler (Feeler)– Stick to giving them the facts, but show them how what
you have told them will affect the people involved (including them)
●
Facts then Feelings
●
Intuitive-Thinker (Controller)– Will want to know what the bigger picture is, but
will expect a range of well thought and presented options to deal with it
●
Overview then Logic
●
Intuitive-Feeler (Entertainer)– Give 'em the big picture and then show how all
the pieces fit together, who will be affected. Loves a story
●
Overview then Feelings.
28. Profile? Process? Why not both!
(2) Initial Contact and Needs
Identification
(1) Continue profiling
(2) Work out needs of customer/target
●
Through appropriate questioning
(3) WATCH
(4) LISTEN.
30. Profile? Process? Why not both!
What to Watch and Listen for
Some Basic NLP
●
See as a target sees
●
3 basic methods of perceiving the world
●
Visual
●
Auditory
●
Kinaesthetic
●
Language is the quickest guide
●
Visual – I see what you mean, You'll have to watch that one
●
Auditory – That rings a bell, I hear what you are saying
●
Kinaesthetic – Lets touch base, I've got a grasp of what you mean.
31. Profile? Process? Why not both!
What to Watch and Listen for
WATCH!
RIGHT LEFT
Creating Images Remembering Images
Remembering
Creating Words/Sounds
Words/Sounds
UNFOCUSSED STARE
Processing Information
Feelings (Usually Visual) Internal Dialogue
(Words to Feelings) (Words to Sounds)
32. Profile? Process? Why not both!
What to Watch and Listen for
LISTEN!
Visuals
●
Higher Pitched, quick talkers
Auditories
●
Low pitch, good rhythm, smooth tone. Concentrating
on sounding good
Kinaesthetics
●
Constant pauses in speech. Tendency to be 'touchy-
feely'.
33. Profile? Process? Why not both!
(3) (Sales) Presentation
(1) Relay customer/targets needs back to them.
●
According to profile
●
In their 'language'
●
Features Vs Benefits
●
Feature = Something the item has
●
Benefit = Something the customer/target needs
(2) AGREE on needs
●
'Ski downhill' (contrast effect)
●
Slight adjustments will not be noticed (heuristics).
34. Profile? Process? Why not both!
The Contrast Effect
PRESENTATION ORDER IS VITAL!!!!
●
Salesman - EXPENSIVE >>>>> CHEAP
●
Social Engineer – BIG request >>>>> REAL request.
35. Profile? Process? Why not both!
Heuristics
●
The human brain has an 'auto-correct' facility!
●
“Aoccdrnig to rscheearch, it deosn't mttaer in waht
oredr the ltteers in a wrod are, olny taht the frist and
lsat ltteer be at the rghit pclae. Tihs is bcuseae the
huamn mnid deos not raed ervey lteter by istlef, but the
wrod as a wlohe”
●
Not readable by a computer
●
What about.....
●
An ID badge with slight variations
●
A document with some 'favourable' additions
36. Profile? Process? Why not both!
(4) Closing
(1) Interpret buying signals
●
Verbal - “So let me get this straight, I can have it in red, or
black?”
●
Non Verbal -
37. Profile? Process? Why not both!
(4) Closing
(1)
(2) Use appropriate close
●
Assumptive or Command Close – 'Assume' they agree and
ask for the business
●
Alternative Close – Give them a 'choice', either way, you win
IDEAL TIME TO USE SOME EMBEDDED COMMANDS!
38. Profile? Process? Why not both!
Embedded Commands
●
Trojans of the human mind
●
Subconscious processing is different
●
Gav's Guide to embedding
(1) Pause before the embedded command
(2) Talk louder at the embedded command
(3) Adopt a 'command' tonality at the command (down-turn)
(4) Pause after the embedded command
●
Inject the command into a seemingly innocuous statement
●
Add a command verb (Do, get, recall, buy, etc)
●
Fire away
●
Salesman - “By now, you'll know if you want to place an order”.
●
Social Engineer - “I don't expect you to let me in right away”
39. Profile? Process? Why not both!
(5) Objection Handling
●
OBJECTION == FREE LOOK AT TARGETS TRAIN OF THOUGHT
●
Two main types of objection to deal with
●
Sincere
●
A genuine concern that must be overcome
●
From reasoned consideration
Insincere
●
Masks unrelated concerns
●
Indicator of a far bigger objection.
40. Profile? Process? Why not both!
Dealing with the Objection
GAV'S GOLDEN RULE – Never, ever, ever, dismiss an objection out of hand – LISTEN!
Understanding statement
SPIN/PEGY
●
Situation ●
Problem
●
Problem ●
Effect
●
Implication ●
Give up
●
Need ●
You
FEEL, FELT, FOUND
41.
42. Defences against Social Engineering
WHAT THE BAD GUYS THINK
If (Weak Link == Humans)
Exploit Humans
Else
Exploit Other Stuff
THEN Y U NO!!!!!!!!!!!!!!!!!!!!
Have a set framework for defending against an attack?
Stop considering SE tests unethical?
43. Defences against Social Engineering
Defence against tools of a Social Engineer
Attack 1 Attack 2
Defence? Defence?
44. Defences against Social Engineering
What about 'Direct' attacks
Defence?
Problem
3 Golden Rules to enforce
●
Calling companies to ensure that a 'visitor' should be here
●
Calling the member of staff they are meant to be visiting
●
If in doubt, ask for help, don't just assume
Too much 'stick' not enough 'carrot'..
45.
46. The Mystery Security Test
●
Mystery Security Test born from personally witnessed disregard for security
in financial services
●
Banks, and many retail outlets, are assessed under the Mystery Shopper
scheme
Mystery Shopper
●
Secret shopper who will enter a branch or outlet with a predetermined list of
objectives. They will not buy, rather they decline politely, leave and submit
a report to the company
●
Checks that the customer experience is fair across the board and that staff
are providing the best service at all times. Money can be LOST based on
these results
●
Mystery Shoppers can be internal, external and their arrival is never
announced
●
Considered ethical.
47. The Mystery Security Test
The Mystery Security Test
●
Smaller targets chosen
●
Secret security tester will enter branch, retail outlet, office or other unit with
a list of objectives to achieve. This will include securing valuable information
like passwords, key combinations, and details of non-public areas and
practices
●
Will hold a 'get out of jail' card like a pen-tester
●
Security led, this will check that customer data is safe in the hands of your
employees. Ask yourself a question. Would your customer be happy with
great service, but knowing their data is insecure?
●
Could be done internally, or externally
●
A key factor in running a financial services company is that customer
data is safe. The only security measure in place at the moment is fines
when it all goes wrong.
48. Recap
●
Whether you like it or not, Social Engineering is a growing
threat and YOU have fallen victim
●
We are training people daily to attack our human
weaknesses
●
Attackers are using psychology to know what buttons to
press. Do you know what personality type you are yet?
●
We have a false sense of security that current policies will
protect us against everything
●
Finally we saw that while difficult, Social Engineering
attacks can be defended against..
51. Black Hat Objection Handling
The Magical Number Seven
●
The human brain has a number of 'buffers' to help process incoming
information. What if we could overflow them?
●
Miller's Law:- 'We can store around seven SMALL pieces of
information in our short term memory buffer'
●
In reality, only 3 or 4 pieces of meaningful information
●
In order to fill this buffer, we can
●
Supply information in awkward chunks
●
Open threads of information and not fully close them
●
When the buffer is full, requests more likely to be dealt with directly
by subconscious.