The power of saying NO as well as other amazing information from the team at Social-Engineer

Vol 04 Issue 51
December 2013 

In This Issue

  • The Power (and Terror) of "NO"
  • Social-Engineer News
  • Upcoming classes
THE NEWS

The Social-Engineer CTF Report has been released.  If you haven't downloaded your copy you can do that on our site.

_______________________________

The team at Social-Engineer is really excited to announce our brand new service - The Social-Engineer Mastermind Group.  For more info click below:

As a member of the newsletter you have the option to OPT-IN for special offers.  You can click here to do that.

_______________________________

Check out the schedule of upcoming training on Social-Engineer.com

REGISTER NOW!

Feb 10-14, 2014 Social Engineering For Penetration Testers – Orlando, Fl

May 19-23, 2014 Social Engineering For Penetration Testers - Dublin, Ireland

Nov 3-7, 2014 Social Engineering For Penetration Testers - Baltimore, MD

We are limiting the number of attendees in each class, so it is first come, first served.

  • 5 days of groundbreaking training
  • The Social Engineering Penetration Testing Course guide
  • Special tools to enhance your SE practice
  • A chance to take the first ever Social Engineering Pentesting Certification
  • Homework each night and one instructor-led engagement
  • Lots more

If you want to ensure your spot on the list register now - Classes are filling up fast and early!


Do you like FREE Stuff?

How about the first chapter of Chris Hadnagy's Best Selling Book:  Social Engineering: The Art of Human Hacking?

If you do, you can register to get the first chapter completely free. Just go over to http://www.social-engineer.com to download it now!
 


To contribute your ideas or writing send an email to [email protected] 


 Special Thanks and Notices: 

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes. 

A Special Thanks to: 

- Spy Associates for continually giving us some awesome products to test out.


- The EFF for supporting freedom of Speech

A special thanks to our Editor:

John 'J' Trinckes, Jr 


Check out Robin Dreeke's amazing book called "It's Not All About Me", packed with the top 10 techniques for building rapport fast. It is an awesome book!



Do you have a question about social engineering? Social Engineering Penetration Testing? Or any other security topic?

Reach out to us at [email protected] for help.


The Power (and Terror) of "NO"

 

Strictly speaking, I’m a rookie when it comes to kids. I have a vague idea of developmental stages and what’s considered normal, but most of this comes from my education, not experience. I remember a time when my brother’s twins went through an intense ‘NO’ stage: no going to bed, no eating anything (other than mac and cheese), and no wearing shoes of any kind. Despite my adoration for these children, I remember asking myself, “Why are they being so unpleasant?” With some time and perspective, a couple of things became clear to me: 1) now that they’re pre-teens, I realize they were only getting started with unpleasantness (kidding on that one...mostly) and 2) I was mistaking disagreement for disagreeableness. This is an easy thing to do. We like people who agree with us. People who agree with us validate us and our choices. Through this common ground, they become a part of our tribe. And we tend to feel the opposite about those who apparently make it their life’s work to be diametrically opposed to us.

 

Judith Sills, Ph.D., wrote a great article in Psychology Today about the importance and difficulties of saying “no”. We don’t like how it makes us, and others, feel and we definitely experience the consequences associated with having less influence over the people we deny. There’s simply no getting around it.  If you tell someone “no”, what are the chances of getting them to go along with you on anything else? It’s a simple matter of quid pro quo, right?

 


Quid Pro Quo or No?


Well yes, and no.

 

There is definitely a social weight associated with the give and take that affects influence. You can only rely on the kindness of others in a limited capacity if you are unable (or unwilling) to return the favor. In fact, our need to conform to group norms is so powerful that it has been illustrated time and again. Solomon Asch’s classic 1951 study demonstrated that many people will change their views to be consistent with the group. This concept was replicated as recently as 2005 with almost identical results, but with the addition of brain scans. The results confirmed Asch’s original findings that group pressure can change a person’s perception of reality. They also demonstrated that the people who were able to resist the group felt emotional distress as a result. The really unique piece of this research, though, is that the fMRI was able to show that completely different parts of the brain were involved in compliance (which engaged the perception portion) versus non-compliance (which activated an area associated with emotion).

 

This last piece brings up an interesting idea. Saying “yes”, being agreeable, and fitting in with the group has deep roots in social behavior along with our human need to belong. The above study also indicates that there are neurobiological responses to non-compliance, or not fitting in. This is supported by another study, which found that the body releases painkillers in response to social rejection just as it would to physical injury. Apparently, the need to fit in isn’t just a matter of social structure and harmony. We all know being rejected hurts our feelings, but it is perhaps a new insight to think that humans react to rejection physically as well as emotionally. So, when my nephew was yelling, “Noooo!!” to my suggestion that adding vegetables to his steady diet of mac and cheese was a reasonable request, it made me feel bad for a number of reasons. Many of us don’t even like being rejected by strangers, which has even stronger implications for social engineering and security.

 

The Security Implications

 

As security professionals, we need to become comfortable with saying “no” and training our organizations to say it as well. There is obviously a practical application to common courtesy when it comes to running an efficient business with a good reputation. It is easy to lose sight of all of the consequences when it’s not a conscious decision, but instead, a possible reaction to feeling bad or awkward.

 

As many of you know, we’ve hosted the Social-Engineer Capture the Flag at DEF CON for the past five years. As time went on, what we’d really hoped to find is that companies were improving their defenses against inappropriate information gathering. Unfortunately, that’s not the case. The companies who have successfully shut down our contestants with a courteous, but firm denial of information have been very few and far between. What tends to happen more frequently is that information is denied out of not knowing the answer. Although pleading ignorance can be a great defense, it needs to be a conscious strategy. Security by accident isn’t really what we had in mind.

 

As a practitioner, are you making sure your organization is properly trained?  The biggest mistake we frequently see is that many companies think that canned quarterly training on a couple of slides is sufficient to overcome human nature and bad decision making. Malicious attackers take advantage of the fact that people who hold exploitable information (HINT: that is everyone in your company) are often distracted.  Individuals could also be under a lot of stress or be placed in a position to be made to feel that way.


To repeat what we’ve said in our report, security awareness training needs to be consistent, frequent, and personal. Anything else leaves you vulnerable. We learn to say “no” when we’re starting to assert our independence as human beings. Then, along the way, we learn what’s “nice” and what it takes to be included in the comfort of the tribe. People need to have it reinforced that not only is it okay to say “no”, it is often the wisest choice. We hope you think on this when planning your next training. Stay safe until then.

Written by Michele Fincher 

 

 

 

As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.


 

Also check out our friends at:

 


IRC: irc.freenode.net
CHANNEL: #social-engineer
TWITTER: @humanhacker / @SocEngineerInc
YOUTUBE: http://youtube.com/SocialEngineerOrg