There are those who loved school and those who, like Ferris Bueller, loved getting out of school. You really can’t get much more classic SE than Ferris Bueller’s Day Off, but where the movie focused on the power of manipulation and rapport to escape, SEORG is getting more and more reports of students focused on the study of SE in the classroom. What exciting news that InfoSec programs are taking SE so seriously! Our own Chris Hadnagy is even helping further this type of study as an adjunct instructor for Carnegie Mellon University.
“Incredible! One of the worst performances of my career, and they never doubted it for a second!”
We have had a fair number of people contact us over the last year or so regarding papers or research. As many of these people were students and unfortunately their work isn’t going to trend on Twitter like some of the big name company reports, we wanted to share a couple recent examples with the folks who would appreciate a bit of human hacking:
- Dnfalk’s study “Security Awareness in K-12 School Districts” used a test-retest research design to look at security awareness training using surveys, physical security assessments, and phishing tests. A great write-up can be found at his blog.
Interesting tidbits: 55% of the respondents did not know what a phishing attack was yet 82% felt their computer was secure; almost 8% had passwords hidden under keyboards though this dropped to 4% after the first assessment.
One of the great things about Dan’s study is that he is helping to establish baseline measurements of security awareness for his target population, K-12 staff, that can be applied to further research. He also laid out a research design that could be replicated by others in order to further validate the findings that “security through education” works (yeah, we liked that bit).
- Another student, Jeremy Miller, chose to examine social engineering techniques through the lense of cognitive biases for his Digital Forensics class.
Interesting tidbits: [paraphrased] Cognitive biases are used in a number of ways by various actors (e.g. pentesters) to take advantage of human nature and common stereotypes. Pretexts are a common example.
Not sure what a cognitive bias is or what it has to do with SE? Miller’s example of the Halo Effect might be helpful. “One does not need to be the most attractive, well dressed or beautiful person to take advantage of this cognitive effect. Yudkowsky shows that in light of the research done by Cialdini and others, any group of positive traits witnessed in the same person may be perceived due to bias. For example if someone seems kind and generous, perhaps one might believe that they are also intelligent and honest. Thus, social engineers can leverage this “affect heuristic” just by making themselves seem positively endowed in multiple desirable traits.”
Social-Engineer.org is proud to be a resource for those who are trying to understand how to hack the human. We’d love to hear from others in the classroom (that includes the school of hard-knocks) and what you are learning. So reach out. That’s what we’re here for.
Keep learning!
Sources:
[1] Yudkowsky, Eliezer. Rationality: From AI to Zombies. Machine Intelligence Research Institute. 2015.
https://www.social-engineer.org/general-blog/creating-connections-to-persuade-your-targets/
https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
https://dnfalk.com/security-awareness-in-k-12-school-districts/
https://www.social-engineer.org/general-blog/change-education-working/
https://www.social-engineer.org/podcast/ep-067-getting-physical-with-deviant-ollam/
https://www.social-engineer.org/framework/general-discussion/real-world-examples/phishing/
https://www.social-engineer.org/podcast/episode-028-getting-physical-with-social-engineering/
https://www.social-engineer.org/podcast/special-edition-march-2013-employee-security-educate-ignore/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-volume-4-issue-55/
https://www.social-engineer.org/framework/influencing-others/pretexting/successful-pretexting/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-volume-4-issue-54/
Excellent post, thanks for giving SE and those who study it some pub. Particularly like the Ferris reference!
Most importantly, you will be given the chance to practice these skills with individualized feedback from successful professional pentesters and social engineers with over twenty years of experience. Students will also leave the training with several of the most important digital tools necessary for the job in the form of software and individual licenses including visual study aids from Dr. Paul Ekman as well as a copy of Maltego and some other choice tools.
This course* qualifies for 40 Continuing Professional Education (CPE) credits; certificate available upon successful completion of the course. In addition to our public offerings, Social-Engineer Inc. offers closed (private) and hosted classes upon request.