Authority
Authority can mean many different things, so within the context of social engineering we break it down into distinct types.
Definition
Authority and power are separate but related concepts. Power is the possession of control or influence over others; authority is the recognized right to exercise that power.
Types of Authority
- Legal
- Organizational
- Social
Legal authority is based upon government and law; it is the authority held by law enforcement officers and other government officials.
Purporting to be law enforcement or another government official would almost certainly be illegal, and we do not condone it. Our focus is therefore on organizational and social authority.
These categories are similar to the types of authority Max Weber defines, but they have been modified to fit more closely with their use in social engineering.
Organizational
Typically this refers to a supervisory hierarchy. Someone in a position of power within an organization has more power, and access to more information, than someone at the bottom of the hierarchy. In a penetration testing scenario, a consultant may impersonate the CIO or someone else with clearly defined organizational authority. The consultant may then be able to obtain passwords or other information from the help desk, or from any other employee who perceives that the impersonated person has authority over them. The attack works because the target defers to the claimed position rather than verifying the identity behind it, which is why a callback to a known number or a ticketed request defeats it.
Jonathan J. Rusch writes, “People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present.” Rusch cites an experiment (described in Robert B. Cialdini, Influence, revised edition 1993) that showed 95 percent of nurses across 22 stations from three different hospitals were willing to administer a dangerous dose of medication to a patient based upon a phone call from a researcher purporting to be a physician the nurses had never met.
This experiment clearly shows that, given an order and the perceived presence of authority, people take actions that go against their better judgment.
Social
This refers to the “natural born leaders” of any social group. A social group could consist of co-workers, college friends, or any other gathering of people. In the book Influence, Robert B. Cialdini writes, “When reacting to authority in an automatic fashion there is a tendency to often do so in response to the mere symbols of authority rather than to its substance.” Social authority does not require an extraordinary amount of time or structure to establish an authoritative figure. In any setting, a quick flash of social proof may be enough to grant a person social authority. This is an advantage in a social engineering engagement: once the target perceives that authority, the engineer can ask for, or press the target for, information.
Conclusion
Which category to use may depend on the target’s incentives. Combining the two categories can be extremely effective as well.
Image:
https://www.vecteezy.com/