Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

What’s Your Goal?

I work with lots of people in different roles when it comes to teaching ethical influence. Over the years I’ve worked with senior leaders, middle managers, supervisors, claim reps, underwriters, field sales reps, insurance agents, business owners, financial reps and many others. I’m always amazed at how often people try to persuade without a clear goal in mind.You may think a salesperson always has a clear goal; i.e.,to make the sale. True enough, but that’s still a little vague in my book. Let me share an example to help you see what I mean.During the Principles of Persuasion Workshop© we have an activity where participants work in teams to come up with a persuasive argument to get a high school student, Jimmy, back in school after he’s been expelled for foul language and insubordination. Participants generally do a good job at applying the principles of influence to persuade the school board to let Jimmy back in but very few clearly state when they want Jimmy back in school. That leaves the final decision up to the school board, which could opt for another week or two out of school. Participants would do much better to say something like this at the conclusion, “It’s our sincere hope that you’ll let Jimmy back in school tomorrow.” Why is this so important? Because if the board says no there is a moment of power the teams can leverage.Studies show when someone says “No” to you, if you make a concession and ask for a smaller request immediately your odds of hearing “Yes” are much better. This is an application of the principle of reciprocity because when we give a little, people often feel compelled to give a little in return.Robert Cialdini had his research assistants run an experiment that shows how powerful this concept can be in real life.  These students randomly asked people around the Arizona State University campus if they would be willing to be a chaperone on a day trip to the zoo for a group of juvenile delinquents. As you might expect, very few people wanted to spend a day at the zoo with those kids so only 17% said they would be willing to help.At a later date the research assistants roamed the campus and started with a bigger initial request. They randomly asked people if they would be willing to be a big brother or sister to some juvenile delinquents. They made sure people knew this was a weekly commitment of two hours and they were looking for people to sign up for two years. No one was willing to give up that much time. As soon as people said no the research assistants would ask, “If you can’t do that, would be willing to be a chaperone on a day trip to the zoo for a group of juvenile delinquents?” So basically they were asking for the exact some thing they’d asked for earlier but this time 50% said yes – triple the initial response rate!Two things were at play during the second scenario. First, the contrast phenomenon came into play. By comparison, a day at the zoo is nothing compared to a two-year commitment so it’s much easier to say yes to the zoo after thinking about being a big brother/sister. The second thing was the principle of reciprocity was engaged by way of concessions. When the research assistants counter-offered immediately, many people felt compelled to do the same.Let’s go back to the scenario with Jimmy. By clearly stating what the team wants – to have Jimmy back in school tomorrow – they will be more effective persuaders. They might hear a “Yes” to the initial request but if they don’t they can make a counter offer that’s very likely to be accepted. This is a far better approach than leaving the timing up to the board.How does this work for you? Two ways. Clearly state what you want. Think about the times when you’ve not clearly stated what you wanted and left if to someone else to decide the outcome. Perhaps you interviewed for a job but didn’t clearly state the salary or benefits you wanted. Or maybe you were trying to make a sale but didn’t make the first offer.Don’t censure yourself. For example, you want a job and would like to earn $95,000 but inside you’re thinking they might say no so you ask for $85,000. If you hear no then you might end up at $80,000 or less. Ask for $95,000 because you might just get it but if not you can retreat to $90,000 and are more likely to get that than if you’d started at $90,000 or $85,000.Next time you go into a situation where you’re trying to persuade someone don’t just focus on building your persuasive communication. Give lots of thought to what your ultimate goal is. What would you like to have happen if everything worked out as you wanted? But don’t stop there; clearly communicate your desired outcome. Be ready in case you hear “no,” which means having multiple fallback positions ready. This allows you to leverage the moment of power after “no.” Do these few things and you’re on your way to becoming a much more effective persuader.Brian Ahearn, CMCT® Chief Influence Officer influencePEOPLE Helping You Learn to Hear “Yes”.

Physical Security: What You Aren’t Thinking About

security issuesOften it’s the little security issues we overlook that hurt us the most.    By: Brand BarneySecurity cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such assecurity issuesUnlocked office doors during the dayWindow blindsReception desksLack of screensavers and privacy monitorsTheft of devices/hardwareMalware in left-behind devicesPeople may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Oceans 11, anyone?) However, most data thieves use simpler plans.The majority of physical data thefts take less than only minutes in planning and execution.Tweet: The majority of physical data thefts take only minutes to plan and execute. #HIPAA http://bit.ly/1NhmmCB TweetMalicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations.  Here are some issues that your organization may not have considered.Taking devicesThe main problem offices have with devices is a nurse and a client use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes. Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few potential minutes, that hacker has access to the network and whatever data or PHI is on that iPad. This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way home from work. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.See also: Balancing Mobile Convenience and PHI SecurityLeaving devicesYou don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware. Here’s an example: A receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware and now the hospital’s system is infected and likely losing data.Be suspicious of any unfamiliar hardware or device that randomly appears.Windows and peeping eyesOften a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.Follow for more data security articles like thisReception desks reveal more than you thinkReceptions desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed. It’s critical to the safety of your patient’s data that your receptionists are properly trained to handle social engineers and aware of everything that’s going on.See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromisephysical security, data theftCheck-in and check-outKeeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.Having check-ins helps your staff to acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.Unlocked doors: a social engineer’s paradiseSocial engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down on an unlocked computer, steal phi, and then leave all within ten minutes.But if the office door is locked, then the social engineer usually won’t bother.Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is this very basic concept translates to all areas of security).Fighting back: it’s surprisingly easyMost of these risks can be prevented with little effort. Here are some suggestions:In risk analysis, look for physical security risksLock all office doors when not in use day and nightRequire passwords to access computers and mobile devices (encrypt your data or don’t have data on devices)Use screensavers and privacy monitors on computersInstall and use blinds in all office windowsKeep logs of who goes in and outKeep track of devices that go in and outHave policies in place for stolen equipment (Make sure to have a good Incident Response Plan and know your Breach Notification Policy front and back.)Train staff against social engineeringLimit access to PHI through role-based access.Have staff report suspicious people and devicesMake sure all reception desks protect PHI from prying eyesSee also: Common HIPAA Violations: HIPAA Quiz/HIPAA TestMost social engineering and data thefts can be prevented by following these simple practices. If your organization is taking into account the smaller issues, a social engineer, or a thief will be less likely to bother you because it’s not worth the effort.It’s the greatest benefit from the littlest effort.Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.Read the SecurityMetrics HIPAA Security Rule Report

Ironing out the Buying Thought Process

I’ve been on the road a lot lately. In a recent stretch I was gone Monday through Thursday or Friday four weeks in row. When I returned from a recent trip, my wife, Jane, had gone to Myrtle Beach to spend time with her family. I was left with a daunting task: two-dozen shirts to iron!But there was a problem; our iron was ruined not long ago when I dropped it on the floor. Before I could start ironing I needed to buy a new iron, something I knew nothing about. I’d like to let you in on my thought process as I made the purchase. I don’t think I’m much different than any of you reading this so perhaps it will help you understand why you do what you do when it comes to certain purchasing decisions.Let’s start with this fact – the vast majority of our decision-making takes place at the subconscious level. Martin Lindstrom, author of Buyology (yes, I spelled it correctly) contends non-conscious forces drive upwards of 85% of our decision-making. People who’ve been in sales for any length of time understand this and that’s why it’s often said, “People buy based on emotion then justify with logic.”My first decision was where to go to get the iron. I ended up at Target. I guess I could have stopped by Sears, Wal-Mart or some lesser-known stores but I didn’t even consider them because prior experiences at Target have been good, their prices are reasonable and Target is burned into my subconscious more than the other stores because of their advertising. After asking a clerk where I could find irons I ended up in front of shelving full of irons ranging in price from $12.99 to $89.99. Immediately I knew I would not spend anywhere close to $12.99 because having some cheap irons in the past and using them at hotels is frustrating. I also knew there was no way I’d pay anywhere near $89.99 for an iron because ironing as little as I do doesn’t necessitate one that would be used in a laundry mat.As I looked at all the different the models I saw several options from Shark. I’d heard of Shark and seen some commercials and remembered their products seemed unique although I couldn’t recall specifics. Other than glancing at some other brands I really gave all my attention to the Shark models.As I looked at the Shark irons they did look different than all the others and the price range was reasonable with the low-end model for $29.99 (Lightweight Professional) and the top of the line model for $49.99 (Ultimate Professional). There was one other model for $39.99 (Professional Steam Power).At this point I did what most discriminating shoppers do – I compared. Did I need 1800 watts, 1600 or 1500? Was the 9.5 inch base, 9.0 or 8.5 best for me? Does it matter that one is 3.6 lbs., 3.3 lbs. or 2.0 lbs.? Decisions, decisions, decision, all of which I knew nothing about. That led me to one more decision criteria; what do people say about each model? That was easy enough to look up on my phone as I stood in the aisle. Each iron had 4.5 stars, some with more than 100 reviews. I felt comfortable because people just like me (principle of consensus) thought highly of each model so I felt better and better about my potential Shark decision.With all that going on in my head which model did I buy? I bought the $39.99 model, which is what most people would do. I remember thinking, “Do I really need the top of the line and will those subtle feature differences be worth it?” I also thought, “If I buy the low-end model will I regret it because maybe it turns out a be a little cheap?” The middle seemed to be a safe alternative. Most companies offer three product models (cars, shoes, bread makers, etc.) exactly because of the thinking I outlined above. Some people will want the top of the line, some will default the cheapest but most people will buy in the middle. If a company removes its high priced model the average sale will drop because some people buy the top of the line but also because more people will shift from the mid-range product down to the lowest priced model. Pay attention next time you’re in a store and see if you begin to notice the three choice offerings.Although I’m in tune with buying, selling and psychology, I must admit, it was an interesting exercise to really pay attention to what was driving my purchasing decision. I got home and used that iron for three hours as I knocked out all the shirts at once. I must say, I was pleased with my purchase – at least that’s what my mind told me.Brian Ahearn, CMCT® Chief Influence OfficerinfluencePEOPLE Helping You Learn to Hear “Yes”.