Many people assume that, as professional social engineers (SEs), we use every method possible to achieve our objective. I have been asked, “If you’re acting like the bad guys, why do you need to have rules?” and “How will it be realistic if you apply ethics in your training?” This raises an important question: are ethics and social engineering compatible? To answer it, let’s explore two scenarios: first, an engagement with no code of ethics in place; second, an engagement that implements a code of ethics. Comparing them will show which produces the better results. In each scenario we will also see how the person being tested and the person doing the testing are affected.


No Code of Ethics

In our first scenario, let’s pretend a client just hired us to do phishing and vishing to test their corporation’s employees. They have asked us to come up with real life pretexts. They want the testing to be as realistic as possible. We get into our attacker perspective. What would the bad guys do? They would exploit a person’s fear to get them to act in a way they usually would not. We then come up with an extreme fear-based pretext: An email from the boss asking the employee to enter their credentials in a “new HR portal” or else they won’t get paid that month.

Many people live paycheck to paycheck and face financial hardship. Consider a single parent depending on that paycheck to pay the rent. They click the link and enter their credentials. What will they remember from this exercise? How will they feel afterwards? More importantly, what was the lesson learned? It is very likely that, upon finding out they failed the test, employees will feel resentment towards their company and distrust towards the IT security department. The behavior we actually want to teach, pausing to verify an unexpected request through a known channel, gets lost behind the feeling of having been tricked.

Exploiting someone’s visceral fear of not being able to provide for their family is not an effective way to create a lasting learning experience.

Applying the Code of Ethics

In our second scenario, the idea behind the testing is the same: to execute a realistic simulated phishing and vishing attack and improve the security posture of the corporation. Again, we step into attacker mode. The idea of using a fear-based pretext is the first thing that comes to mind. We then stop and think: how would this make the intended target feel? What would the repercussions be if we threatened a person with losing their job? And would we have provided a lasting learning experience? As we consider these questions, we conclude that we need to think a little harder to come up with pretexts that are realistic but ethical.

Are Ethics and Social Engineering Compatible?

Applying ethics enables us to be empathetic. Being empathetic allows us to put ourselves in the shoes of the employees being tested and ask ourselves: how would I feel if I were promised a much-needed bonus, only to find out it was just a phishing test? More than likely, we would not think of the lesson to be learned but of how we had been deceived.

Using pretexts that don’t take an emotional toll on the person enables us to provide a teachable moment that’s focused on the education we’re providing.

The Social Engineering Code of Ethics Accomplishes Important Goals

The Social Engineering Code of Ethics accomplishes these three important goals:

  • Promotes professionalism in the industry.
  • Establishes ethics and policies that dictate how to be a professional SE.
  • Provides guidance on how to conduct a social engineering business.

Clients Benefit from the Code of Ethics

Having a code of ethics as our guide benefits our clients and their employees. They have peace of mind knowing that we will not subject their employees to tests that involve emotionally damaging or demoralizing pretexts. The target (employee) also benefits as we provide a realistic and safe learning experience.

Social Engineers Benefit from the Code of Ethics

The SE doing the work also benefits from applying ethics. Shelby Dacko, one of the most experienced members of our vishing team, had this to say:

“I’ve applied ethics in various ways on my vishing calls. For example, sometimes we get people on the line who are having a really bad day. On those occasions, I like to focus on just making them feel better. While they’re still my target, the flags become secondary. We are here to make people more secure and feel better for having met us, not tear them down while they’re already down. It makes them feel better and gives them some relief to have someone to talk to. It also benefits me because although my job is to test them, and I must follow through with that, I’m not doing it in a way that is going to affect the person in a negative way. That helps me feel good about the work that I do.”

Ethics Make Us Better Professionals

Are ethics and social engineering compatible? We unreservedly say yes! Being ethical makes us better professionals. It is easier to get a compromise or a “click” by using the scariest pretexts. But it takes ingenuity and the use of techniques such as elicitation and rapport building (among others) to extract information and influence people in a way that leaves them feeling better for having met us.

Some may say that the bad actors don’t display empathy, so why should we? The answer is simple: we are not the bad guys. As exhilarating as it may be to have the ability to influence and/or manipulate others, our goal is to train and educate our clients so that they can be safer in their workplace, as well as in their personal lives. An ethical social engineer would never show off their skills at the expense of someone else’s dignity. When we have empathy, we study and impersonate the bad guys, but never become them.

A Code of Ethics Anchored in Empathy

Our code of ethics is anchored in empathy. When we imagine how our target would feel, we can create a true learning experience. If we leave our target extremely upset or disappointed, they will focus on how terrible they feel instead of the lesson we want them to learn. On the other hand, using empathy when planning and executing an adversarial simulation attack ensures that we leave the target with a positive mindset. This results in a more effective testing method and training.

Do you want to make your business more secure? Our managed services identify risk and assess vulnerability within your organization’s human network. For more information on the services we offer, visit our website Social-Engineer.com.

At Social Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:

https://www.Social-Engineer.com/Managed-Services/

Written by Rosa Rowles
