Social engineering is effectively hacking human thought processes.
Social engineering is a major factor in the overall process but is not directly part of repurposing electronic systems.
A social engineer is usually classified as a hacker, and is sometimes described as a people hacker.
The social engineer specializes in manipulating the human subconscious into doing something unintended - or more specifically, doing something intended by the social engineer that will lead to immediate financial gain or subsequent future electronic system hacking.
Put simply, a social engineer manipulates human thought processes rather than electronic system processes and requires a different set of skills to the computer hacker.
For a better understanding of the social engineer, SecurityWeek spoke to Stephanie 'Snow' Carruthers, whose official title is Chief People Hacker at X-Force Red, IBM Security.
Her partner planned to attend DEFCON. She went with him, more for Vegas than DEFCON. But after falling asleep in a malware reverse engineering presentation, she was encouraged to go and find something of more interest.
In little over three years, she had transformed from a special effects make-up artist into a social engineer.
A member of the audience asked her to test his employees to see how they stood up to social engineering.
A demand for 'whitehat' social engineering services was evident and growing, so she branched out into freelancing, including with cybersecurity consultancies.
She had started by falling asleep at a malware reverse engineering presentation, stumbled into lock-picking and social engineering villages, and progressed into a professional, and legitimate, chief people hacker with a major global company.
Snow believes a social engineer must possess a solid understanding of psychology but doesn't need to be a psychologist.
There are three elements to social engineering: people, technology, and business risk.
The skilled human social engineer with emotional awareness can determine such psychological nuances from the target's social media posts in a way that AI cannot - at least, not yet.
The criminal element of social engineering has a similar divide: successful engineers with an understanding of human psychology are likely to engage in spear-phishing of a quality that most people cannot recognize as a phish and cannot be trained to recognize.
Both attempt to coax an unintended response from a system - a human nervous system for the social engineer, and an electronic man-made system for the computer hacker.
Spear-phishing from an elite social engineer is different.
Social engineering at the highest level is undetectable.
The difference between elite social engineering and computer hacking is the difference between an art and a science.
The attack path for computer hacking is ultimately visible; the attack path for the social engineer is only discoverable by inference.
This article was published on www.securityweek.com. Publication date: Mon, 18 Mar 2024 14:28:04 +0000