Monday, May 21, 2012

Social Engineering: Next Big Threat or Opportunity?

This topic has been pending for long...

I was quite fascinated with this topic and have been doing some research and collecting background information for the past few weeks. If you search for the term Social Engineering, you will find tons of definitions associated with IT security.

The essence of the definition is that however robust a technical infrastructure you may have to protect your IT systems/infrastructure, the weakest link in the entire security infrastructure is the human being. Social Engineering exploits the good or vulnerable aspects of human beings so that they are persuaded to reveal security information which they are not supposed to reveal. As per TechTarget, it is described as a non-technical intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. Social Engineering is also called human hacking - exploiting people's emotions, such as fear and obligation, to break into security infrastructure.

These social engineering tactics could be embedded in and designed around pop-up advertisements and email attachments, persuading you to do things that are malicious to the underlying system, often without your being truly aware of the persuasion.

For example, an intruder without an access card can ask a benevolent, kind-enough employee to open the office door for him. In this case, the intruder would know that the specific employee is kind enough, but not assertive enough to ask the reason for opening the door. Social engineering in the context of security is a big topic by itself.

As TechTarget states, social engineering will remain the biggest threat to any security system, as our cultures become more dependent on information. I was trying to explore the reach of social engineering beyond security. If it can be used for hacking and malicious purposes, why not use the same for the benevolent needs of an organization? That's the starting point.

The other extreme I was thinking about is: how can Social Engineering be used to inculcate constructive/positive new values into the system? How can we leverage the Social Engineering aspects and weave them into the workplace/social fabric to make positive changes in people's lives? By saying so, I mean - engineering changes, engineering the society (need not be at large, but a small group of people), engineering the values of the system explicitly. How can these new concepts enable people to accomplish their personal/organizational goals?

By thinking too far into this topic, I felt it need not be difficult.

All our social life is getting digitized - our friends, our interactions with friends, our interactions with brands, our aspirations, our emails/messages, comments/feedback, purchases, interests, career choices - everything is digitized.

As the old saying goes - someone can derive a person's personality/behavior if they know enough about his/her friends.

If this is true, in the digital world it's going to be a lot easier, because you don't just have information about his/her friends alone, but a whole lot of other information. There are even tools available that could derive the emotions embedded in your status updates/messages...

In fact, recent research confirms that no one can hide from social networks. Even if one prefers to stay away from Facebook, his/her profile can be predicted if any of his/her friends has activity on Facebook/social networks.

For example, if you have been following a particular blog for quite a few years, there are chances that you are being socially engineered :-) The theme could be anything - Innovation in Outsourcing, Design thinking, Technology infusion in new business models, etc. You will start to believe with a lot of conviction and agree with those blog themes.

When you are shown the 'Top news items of today', there are remote chances that you are being engineered as well. What is the guarantee that they are indeed the 'top' news items of today? The news headlines and their priorities can be ordered to tweak your thinking and value systems.

And we are going to see more and more of that in this information-intensive digital society.

We are already witnessing this - TV/traditional print media has been doing this for ages. Of late, it does so with ease because it has lots of insights on the society. If you sign up for an anti-corruption movement involuntarily, there are chances that you might have been engineered! Please note we are not discussing whether the cause is good or bad here.

All we are discussing is that social engineering tactics can be used to persuade or even inculcate new values in the society! And to be precise, it can be done in organizational context as well.

In my view, even the agile movement, with its 4-bullet Manifesto, is an engineering process. People buy those values and stories against waterfall and become the new ambassadors to sign up others. For example, Lean Manufacturing insists on culture change first. In other words, it is social engineering.

The good news is, we have tools that enable Social Engineering implementations. For example, Gamification can define new means of success, rewards and collaboration. Charlie Bess of EDS advocates that we may see new DLLs/Libraries for common scenarios of gamification across industries. Good idea!

And this morning, I was reading Peter's blog from Australia, and it highlights a very important point - culture is going to be the only competitive differentiator for the next few years. Everything else can be replicated - be it processes, assets, IP, capabilities, etc. (The challenge is how organizations create a sustainable culture when the average employee tenure is thinning dramatically.)

Social Engineering holds enormous potential in shaping an organization's successful culture.

I know it's a long post... :-) Hope it was interesting!

2 comments:

Venkataraman Ramachandran said...

Interesting thoughts. However, I think you were looking at it quite optimistically. The recent concern over the Filter Bubble arises precisely from social engineering, where increasing digitization of our lives brings our choices within the confines of the algorithm, which gradually boxes us in by our previous choices and blindfolds us from seeing the rich diversity of the Web. Serendipity could be killed by such an initiative. Definitely, social engineering has its benefits. However, we need to be prudent to ensure that it doesn't stifle the diversity of the web. Increasingly, as more and more people are participating in this digitization, their importance becomes even more pronounced.

Bala said...

Venkat,

Thanks for pointing me to 'Filter Bubbles'. Yes, the filter bubble is connected to Social Engineering, indirectly.

Whereas, in the case of Filter Bubbles, we believe it's the algorithms that will filter and choose what we will see on the Internet - in Social Engineering, there is a lot more intent to it. The algorithms or methods/techniques could be deployed intentionally by a specific set of 'people' to achieve something or create a perspective in YOU. In my view, Social Engineering has the potential to create a lot more impact on the society/workplace if applied with 'will'.

Again, the same social engineering can be applied for a not-so-good reason as well, like in the case of security scenarios.