Cyber Matters: Executives Must Understand Social Engineering

Cybersecurity isn’t just a technical problem. Even web users armed with the latest and greatest malicious software prevention techniques are exposed to risk from outsiders aiming to exploit a victim’s trust.

That lesson is the focus of a book titled “Unmasking the Social Engineer: The Human Element of Security,” by Christopher Hadnagy, which this week won the People’s Choice award in the Cybersecurity Canon. In early October we wrote about the Cybersecurity Canon, a collection of the best works of cybersecurity writing.

The book focuses on an important part of a hacker’s toolkit: social engineering. The method plays on human weaknesses to manipulate individuals and get them to do things they ordinarily might not do. Social engineering is most often seen in phishing attacks where attackers try to direct targets to visit fake websites and enter personal information, but some hackers use phone calls and even visit targets in person as part of an attempt to reveal passwords or other information that might be exploited.

Mr. Hadnagy, chief executive of Social-Engineer LLC, combined his experience of teaching and practicing social engineering in the real world with 60 years of research by Dr. Paul Ekman, a psychologist and professor at the University of California. The book serves not only as a guide for those wishing to learn the skills to deploy as penetration testers, but also for network defenders seeking to identify the tactics being used against them.

“Social engineering is 100% learnable,” said Mr. Hadnagy. “They’re not mystical powers.”

Mr. Hadnagy said penetration testing, the process of professional hackers identifying unpatched software vulnerabilities, has largely become “a checkbox” exercise by removing the human element. It is for this reason that the attackers are being so successful–they are able to exploit people by playing on their emotions to get them to take actions that are not in their best interests.

There Is No Patch for Human Emotions

“No one is 100% guaranteed to never fall for a social engineering event,” said Mr. Hadnagy, who admitted to recently clicking on a phishing email despite his familiarity with deploying phishing tests for clients. “I send 3 million phishing emails a year, I actively research and write about it every day and I clicked on a phish–I refuse to believe it’s because I’m a stupid human. It’s because that phish happened to be the right emotional trigger at the exact right time and I ended up taking an action I would never take on a normal basis.”

Everyone is susceptible. Executives must recognize they and their staff are generally ill-prepared to deal with the threat.

Mr. Hadnagy used the analogy of learning to box. After 15 minutes of computer-based training, no one would feel confident to go into the ring against a professional boxer. Users need ongoing training and development to increase their ability to detect and counter social engineering attempts, whether phishing emails, phone calls or face-to-face. “If the first time you get punched is by the guy that wants to kill you, you’re probably going to get knocked out,” he said.

Executives are prime targets for scammers due to the information they have access to. Oftentimes it is the executive themselves that unwittingly provides information attackers need to socially engineer them.

“Whenever we go after executives we’re using social media,” said Mr. Hadnagy. “We can find out about their likes and dislikes, their family, kids, hobbies and we’re using that to emotionally trigger them. Knowledge is power. You need to know what information is out there about you on the internet otherwise you can’t possibly defend against it.”

Global organizations are often more vulnerable to attacks because employees do not always know their colleagues in other departments. This provides scammers with the opportunity to impersonate, for example, human resources staff and then trick users into sharing personal information.

Rick Howard, chief security officer at the security vendor Palo Alto Networks and founder of the Cybersecurity Canon said “Unmasking the Social Engineer” deserved its place as winner of the People’s Choice award: “The book was well-received by the canon committee members and specifically by me as I try to defend my organization.”

From his own experience, Mr. Howard said improving awareness of social engineering requires a top-down approach: “From the bottom up, [training] tends to die on the vine because it involves a once a year course and that’s about as far as it goes.”

Mr. Howard said the chief executive and chief technology officer of Palo Alto Networks play an active role in educating the workforce, but acknowledged the difficulties in getting some executives to change their habits with regards to social media: “Easy to say, but harder to do.”

The above article first appeared in the “WSJ Pro Cybersecurity” newsletter. Used by permission. Please visit for more information.