As a professional social engineer, it’s always interesting when I get asked, “What do you do for work?” When I explain that I get to test people by attempting to elicit sensitive information from them, the usual reaction is, “Cool! Can you get people’s social security numbers?” The truth is anyone with the right training and some experience could extract sensitive information from others. However, an ethical social engineer must adhere to scope.

Scope in Ethical Social Engineering

What is Scope?

Scope can be defined as the boundaries and requirements of a project. Scope is highly important in our line of work as it dictates what we can and cannot do during a social engineering engagement. These are some examples of what scope for a professional social engineer can involve:

  • Who we can elicit information from. The client will give us a list of approved names of targets.
  • What information, or flags, we can elicit from the employees.
  • What phone numbers can be spoofed for the Caller ID.
  • If and what information can be recorded.

In addition, the client must approve the pretext(s) that will be used during the campaign.

Operating within scope is important in any line of work; however, it is especially important to professional social engineers. Oftentimes, our work involves activities that would be illegal were it not for the permission given to us by the client within the scope agreement.

Scope Benefits Both Parties

The scope statement defines the project. It also helps the executing team by giving it a clear understanding of the expectations and goals of the project. For example, if we were asked to perform a vishing test campaign for a client but did not have a list of approved employees to call or an approved list of flags to obtain, it would be difficult to fairly evaluate the result of the project. It would also greatly delay the process as we would be left wondering who to call and when, among other details. In particular, the scope statement is beneficial for these three reasons:

  • Scope benefits the client. With a clearly defined scope, the client can express what their specific goals are for the project.
  • Scope defines the boundaries of the project.
  • The scope statement guarantees a common and clear understanding of the project between the interested parties.

More Than a Simple Agreement

For a professional (and ethical) social engineer, scope is more than a simple agreement. Adhering to scope is part of our code of ethics. Our clients place great trust in us as professionals, and by operating within the boundaries of scope, we can honor our clients' wishes.

Scope, along with our code of ethics, serves as a compass in the work that we do. This is done by accepting responsibility and ownership over our actions and their effects on the welfare of those involved with the engagement. This is why, before engaging in any social engineering engagement, we must be fully aware of the scope and effects on others and their well-being. By doing so, we avoid any unethical, unlawful, or illegal acts that could negatively affect our professional reputation.

Honoring scope and our code of ethics extends well beyond the duration of the project. After performing a social engineering engagement, the security of obtained information is a priority. As ethical social engineers we never misuse any information or privileges that were obtained during the engagement.

Social engineering engagements involve human vulnerability. We are not working with machines, but humans. We avoid publicizing vulnerabilities on social media or other mediums that would have a negative effect on others. At the end of the day, our goal is to educate and protect while leaving them better for having met us.

Written by: Rosa Rowles
