Authority can be construed to mean many different things. Within the context of Social Engineering, we will break down the different types of Authority and how each can be used.
Authority is used within Social Engineering to gain access to property or information. Three types of Authority are discussed here: Legal, Organizational and Social.
Legal Authority is based upon government and law, and generally applies to law enforcement officers. Purporting to be a law enforcement officer or other government official, and using this type of Authority, would almost certainly be illegal and is not condoned within our discussion of Social Engineering. Our focus will therefore be on Organizational and Social Authority.
These categories are similar to those defined by Max Weber, but are modified to fit their use within Social Engineering more closely.
Organizational Authority is any Authority derived from a position within an organization, typically a supervisory hierarchy. Someone in a position of power within an organization has more power, and access to more information, than someone at the bottom of the hierarchy. In a penetration testing scenario, a consultant may impersonate the CIO or someone else with clearly defined Organizational Authority. The consultant may then be able to obtain passwords or other information from the help desk, or from any other employee who perceives that the impersonated person has authority over them.
Jonathan J. Rusch writes “People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present.” Rusch cites an experiment (described in Robert B. Cialdini, Influence, revised edition 1993) that showed 95 percent of nurses, across 22 stations in three different hospitals, were willing to administer a dangerous dose of medication to a patient based upon a phone call from a researcher purporting to be a physician the nurses had never met.
This experiment clearly shows that, given an order from a perceived authority, people take actions that go against their better judgment.
Social Authority refers to the “natural born leaders” of any social group. A social group could consist of co-workers, college friends, or any other gathering of people. In the book Influence, Robert B. Cialdini writes “When reacting to authority in an automatic fashion there is a tendency to often do so in response to the mere symbols of authority rather than to its substance.” Establishing Social Authority does not necessarily require much time or structure: in any setting, a quick flash of social proof may be enough to give a person Social Authority in the eyes of the group.
Social Authority can be used to advantage in Social Engineering by asking or pressuring the target for information. If the target refuses and is therefore disliked by the leader of the group, the target may fall out of favor with the entire group, so complying with the leader’s Social Authority is perceived as the advantageous choice.
Choosing which category of Authority to use may depend on the target’s incentives. Combining the two categories can be extremely effective as well.