Social engineering is a vast topic which thoroughly deserves its place as a foundational element of all things security. As long as technology still allows us humans to interact with it — and while we wish to keep certain things away from public view — social engineering will have a crucial role in defeating both online and offline security.
It’s tricky to explain exactly what a ‘social engineer’ is. At one end of the spectrum we have James Bond, and at the other we have someone hitting send on a copy and pasted phishing email. Both would at times and by different audiences be classed as social engineers.
So why is this blog titled ‘Cyber Social Engineering’? Are you trying to make this a thing, James? Well, yes and no. When I get called a social engineer I always get a slight feeling I need to clarify that I only focus on email-based human coercion. I personally feel a little undeserving of the full-fat social engineer title, as outside of the cyber world there’s so much social engineering that can be done, and it’s all well beyond my capabilities.
But I am proud to be classed as a social engineer, and I don’t want to start an ‘are you a cyber or non-cyber one, mate?’ debate, because it’s often not like that: there are many amazing social engineers who punch as hard on both sides.
Really, the reason I’ve decided to use ‘cyber social engineer’ is because cyber has strong roots in online processes and visual triggers, which are only a variable in a cyber context. The psychology at work, and how the human is encouraged to act, will always have its behavioral explanation and rightly be the purist understanding of social engineering. So in some respects I’m angling towards a slightly less pure part of social engineering, one where the human traits are deliberately left in an immature state to allow more of a hacking approach to take the lead.
Ultimately, cyber social engineering is a term to keep me sane(r) and to help me, as someone who needs literalness and guidance, to explore and forage. It may only live on my website and in my notes, and who knows, it might not live there for long! But until I start properly exploring what a cyber social engineering world might look like, I won’t know if it’s worthy of being a thing.
What it would be cool to uncover
I think a successful exploration would find further ways to break down the parts which email-based identity deception leverages, knowingly and unknowingly. By defining the formula in its most modular form, it can hopefully uncover areas where tech, UX or process can reduce the risks further.
As hinted at, I am happy to come back empty-handed; I’m not just going to force things which have no pragmatic use to take up people’s attention and cloud security more than it already is. But it’s an interesting horizon for me to look towards, so my thinking is: why not indulge that?