Get the Skills You Need to Be a Successful Social Engineer

by SEORG on March 4, 2020

2019 was amazing for us at Social-Engineer.org (SEORG). We reached exciting milestones and had fun and insightful experiences at DEF CON and DerbyCon. One thing these events clearly showed us is that interest in social engineering (SE) is exploding. In fact, the SEVillage Social Engineering Capture the Flag (SECTF) competition at DEF CON created so much excitement last year that our 11,000-square-foot room was not only packed, but there was a long line at the door to get in! Why does this event generate so much energy? Well, for many, the SECTF serves as a springboard leading to a career in cybersecurity as a professional social engineer, so anticipation for it is keen. This enthusiasm for social engineering raises the question, “What skills do you need to be a successful social engineer?”

The March newsletter answers that question by narrowing the focus to two specific skill groups: interpersonal and technical skills. We’ll also discuss how to use social engineering in the best possible way by employing ethics.

 

Interpersonal Skills—A Necessary Foundation to Success as a Social Engineer

A solid foundation in interpersonal skills is necessary for success as a social engineer. As Christopher Hadnagy, CEO of Social-Engineer, LLC (SECOM), notes, “…understanding the way in which humans interact or react to situations can go a long way in helping you become a social engineer.” So, develop, practice and sharpen your people skills. A key element of this is emotional intelligence. In other words, learn to determine, understand, and respond to your own emotional state and that of others. Doing so involves behaviors such as active listening, flexibility, patience, and knowing how and when to show empathy. Practice these skills with the goal of building rapport.

What’s the link between rapport and success as a social engineer? Rapport leads to liking and trust. The following example highlights how rapport can help you in a security audit.

Example

For example, let’s say you have an onsite engagement and your objective is to access a printer in an office building. To achieve that objective, you decide to build rapport with the receptionist. In order to do this, you enter the building with a coffee-stained shirt. First, you introduce yourself to the receptionist and explain that you’ve spilled coffee all over your shirt and resume while driving to your interview. You say, “I brought an extra shirt with me just in case something like this happened. Can I use the restroom to change?” The receptionist sympathizes with your plight and says, “Sure, let me show you where the restroom is.” Now, as you’re walking to the restroom, you notice several pictures of a cat on the receptionist’s desk.

Next, you’re in your clean shirt and walking back to the receptionist. You want the rapport you’ve built to progress from sympathy to liking and trust. So, you sincerely thank the receptionist and say how fortunate the company is to have such a helpful and caring employee. In reply, the receptionist smiles and says, “It’s nice to be appreciated.” Additionally, you comment on the adorable cat pictures and share a story about your childhood pet cat. The receptionist loves your cat story and shares one of her own. Finally, you ask if you can print a new copy of your resume. The receptionist likes and trusts you, and so says, “Sure, the printer’s over there.” Success!!

Did you notice? In this example, negative tactics such as intimidation, anger, or fear were not used. I’ll talk more about this later, under the subheading about ethics in social engineering.

Resources to Help You Develop, Practice, and Sharpen your Interpersonal Skills

To develop and strengthen interpersonal skills, take courses and attend conferences that focus on communications, psychology and human interactions. For instance, the new Human Hacking Conference (HHC) teaches the latest techniques in human deception, body language analysis, cognitive agility, intelligence research, and security best practices. Additionally, many leading experts in these fields have written books in which they share their knowledge and experience. Here are a few authors and their books that SEORG podcast guests recommend.

Robin Dreeke

Chris Kirsch, SECTF winner and podcast guest, recommends It’s Not All About ME by Robin Dreeke. Dreeke has studied interpersonal relationships and behavior for 30+ years and is recognized as a leading expert in rapport building. His books are a must-read for anyone who’s truly serious about developing, practicing and sharpening their people skills. We also highly recommend his books The Code of Trust and Sizing People Up. Dreeke is also a trainer and speaker at the Human Hacking Conference. If you want to learn straight from Dreeke about the “Code of Trust” and “Sizing People Up,” sign up for next year’s HHC. In the meantime, listen to Dreeke explain how to use trust after building rapport in this amazing podcast, “In Robin Dreeke We Trust”.

Dr. Robert Cialdini

Rachel Tobac, SECTF participant and podcast guest, recommends Influence by Dr. Robert Cialdini. Dr. Cialdini has spent his entire career researching the science of influence. As a result, he is internationally recognized as an expert in the fields of persuasion, compliance, and negotiation. Dr. Cialdini shares his view on the difference between influence and manipulation, as well as 5 words that can change your message, in this perceptive podcast, “But Wait, there’s more! — with Dr. Cialdini”.

Joe Navarro

Social psychologist and podcast guest Amy Cuddy recommends What Every Body is Saying by Joe Navarro. Navarro is acknowledged as one of the world’s leading experts on nonverbal communication. His experience as a former FBI agent and spy catcher gives him unique insights. He lectures and consults with major corporations worldwide. His book is also a SEORG favorite and a definite must-read! Navarro discusses his background and what led to his study of nonverbal communication in this insightful podcast, “Help us Impress Joe’s Mother with Joe Navarro”. Navarro is also a trainer and speaker at the HHC. He teaches an amazing workshop on nonverbal communications. So, if you want to learn right from a master, make sure to register for next year’s HHC.

In addition to these amazing books and authors, we have another 100+ referrals. Please visit the Book List page of our website to see these recommendations and more! We update it regularly with referrals from The Social-Engineer Podcast.

Interpersonal Skills and Social Engineering—Is This Only for Extroverts?

Does all this emphasis on interpersonal skills mean that professional social engineering is for extroverts only? Not at all! Social engineering is for introverts, too. It all comes down to accepting new risks and challenges. For instance, self-acknowledged introvert and social engineering expert, Ryan MacDougall, offers this insight, “I kept taking risks that would challenge me directly to step out of my comfort zone.” Ryan discussed his personal experience, “From Introvert to SE, the Journey,” at DEF CON 26. You can watch it here. If you’re an introvert looking to enter this field, Ryan’s journey will inspire you.

Technical Skills—Continue to Build Your Social Engineering Skills

Now that you have your foundation, what technical skills should you acquire to continue building success as a social engineer? Ask any professional social engineer and they’ll tell you that information is their lifeblood. So, for starters, open source intelligence (OSINT) collection and analysis skills are a must. We recommend the Practical Open Source Intelligence for Everyday Social Engineers. In this course, you’ll learn and develop the following skills:

    • Search strategies
    • Techniques on how to categorize and organize information
    • How to craft and launch realistic social engineering attacks

Additionally, beginner security-related courses and certificates, such as those offered by Security+ and CEH, will provide training in these skills:

    • Risk mitigation
    • Threat management
    • Intrusion detection
    • Systems Administrator
    • Network Administrator
    • Security Administrator

Are you ready to expand your technical skills? Then the hands-on OSCP offers mid-level courses and certification for these skills:

    • Penetration testing
    • Advanced web attacks and exploitation
    • Advanced Windows exploitation
    • Wireless attacks

Practice Your Interpersonal and Technical Skills at the SECTF

The SECTF provides the perfect space to practice your interpersonal and technical skills. Many of last year’s contestants spent 100+ hours honing their OSINT skills prior to their live calls at DEF CON. A valuable takeaway is this: more OSINT leads to more captured flags during the live call portion. Why is that? Because conducting thorough OSINT produces confidence. And confidence is exactly what you need to effectively build rapport during the vishing call. The SECTF is also a great place to see how social engineering can be done ethically. In fact, a core requirement in this competition is that no one is victimized during the contest.

For Rachel Tobac and Whitney Maxwell, the SECTF was life changing. They share their inspirational journey from the SECTF competition to professional social engineering in this podcast.

Ethics—Using Social Engineering in the Best Possible Way

The explosive interest in social engineering is fantastic, but it also raises concerns. To explain why, I’m borrowing a quote from a professional painter and good friend of mine. “Everyone thinks they can paint, but not everyone can paint well.” The same is true with social engineering. Everyone thinks they can ‘social engineer.’ However, not everyone does it well. What do I mean? As a professional social engineer, you have a choice: will you use positive or negative tactics?

Chris Hadnagy weighed the results and implications of positive versus negative interactions. His professional experiences convinced him that using negative tactics, like anger and fear, was counterproductive and harmful. So, he adopted a new mindset. To that end, he forged the motto, ‘leave others feeling better for having met you’. Now, he uses social engineering in the best possible way. He creates positive learning environments and interactions for his clients. So, genuine teachable moments are created. As a result, everyone involved can walk away feeling good.

He also saw the need for a code of ethics to provide guidance as well as to promote professionalism in the industry. With that in mind, he created the Social Engineering Code of Ethics. Leaders in the field quickly saw the value of it. In fact, a small country in Europe uses Hadnagy’s Social Engineering Code of Ethics in their internal documentation for social engineering and penetration testing courses.

For Hadnagy, using social engineering in the best way possible has brought him success and satisfaction. In fact, he credits his motto, ‘leave others feeling better for having met you’, as a reason he’s able to keep his clients. So, learn from an expert. Take the social engineering high road. You’ll be better for it…and so will others!

Bonus! 😃

Recently, Hadnagy visited the Hacker Valley Studio and talked with hosts Ron and Chris. You’ll benefit from their insightful discussion on how Hadnagy became a social engineer. He also shares experiences and insights that led to his developing the Social Engineering Code of Ethics. Look for episode 38 on the Hacker Valley Studio. But wait…there’s more! The SEVillage at DerbyCon8 hosted a panel with social engineering experts Chris Hadnagy, Chris Silvers, Rachel Tobac, Grifter and Jamison Scheeres. Listen to their thoughtful discussion of staying ethical while being a professional social engineer here.

What Else Can You Expect in March from SEORG?

What else can you look forward to in March from SEORG? We have an amazing blog in the works. Here’s a hint… it’ll be about an all-new and never seen before conference that happened in February. 😉

Psst… It’s the Human Hacking Conference!!

Stay tuned…

Written by: Social-Engineer

Sources:
https://www.social-engineer.org/social-engineering/the-sevillage-wrap-up-from-def-con-27/
https://www.ethicalhacker.net/columns/hadnagy/top-5-tips-to-make-social-engineering-your-career/
https://www.social-engineer.com/about/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-volume-4-issue-53/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-09-issue-115/
https://www.social-engineer.org/resources/sevillage-at-defcon-26-from-introvert-to-se-the-journey/
https://www.social-engineer.com/advanced-osi/
https://www.comptia.org/certifications/security
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
https://www.offensive-security.com/courses-and-certifications/
https://www.social-engineer.org/wp-content/uploads/2019/11/SECTF-DEFCON27-SECOM-2019.pdf
https://www.social-engineer.org/podcast/ep-110-from-sectf-to-pro-se-with-whitney-and-rachel/
https://www.social-engineer.com/it-is-important-to-have-ethics-in-social-engineering/
https://www.social-engineer.org/framework/general-discussion/code-of-ethics//
https://www.social-engineer.org/resources/ethics-in-social-engineering-sepanel-at-derbycon-viii/

Image:
https://www.business2community.com/infographics/10-important-work-skills-2020-infographic-0930249

The post Get the Skills You Need to Be a Successful Social Engineer appeared first on Security Through Education.


*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by SEORG. Read the original post at: https://www.social-engineer.org/newsletter/get-the-skills-you-need-to-be-a-successful-social-engineer/
