I’ve been performing social engineering tests for over a decade. I have social engineered my way into organisations from company offices to government facilities, hedge funds to sports stadiums, both in the UK and abroad. I’ve done social engineering tests in person, over the phone and via email. The more social engineering tests I do, the more ethical quandaries I come up against.
I’ve learned that while malicious social engineering can be easy, ethical social engineering is hard. There are quite a few limitations that quickly become apparent once you start your ethical social engineering test and even your social engineering career. As social engineers, we have so many more restrictions when it comes to performing our social engineering assignments.
All security testing involves ethical questions at some level; social engineering testing even more so. In social engineering testing, as opposed to most other security testing, you are targeting people rather than machines, people whom you may feel bad about misleading and who may be angry that they have been duped.
Everyone has different boundaries when it comes to social engineering, both in terms of what they feel comfortable doing themselves as a tester and in what they feel comfortable doing to other individuals as their targets. For example, some social engineers have no qualms about using crutches or a wheelchair to deceive someone into holding a door open for them; for others, this is a step too far. Some testers find it easy to lie to their targets, others find themselves unable to do so. Sometimes it can be easier for testers to perform remote social engineering, such as phishing attacks, where they do not have to speak directly with or even see their targets, potentially leading us to forget that there are real people at the end of our tests.
When the Ashley Madison information was leaked, it would have been easy to turn it into a social engineering scenario (and I am sure many malicious social engineers did just that). I considered sending an organisation I was testing some emails along the lines of “Find out who in your company uses Ashley Madison” – a ruse not everyone would be able to resist and an easy click-through for some office gossip. Although I am sure this test would have been successful, to my mind, it would not have been ethical.
Examples of other ethical questions I have come up against include:
- What kind of bribes, if any, are acceptable as part of a social engineering test?
- Is it ok to go after people’s personal information?
- To what extent can you use social media as part of your test?
- Should you name individuals in reports?
The ethics of social engineering testing is highly personal, and different people may have different answers to these questions. Whatever your answer is, it is important for both you as a social engineering tester and your client to consider the ethical impact of performing a test. Before you embark on a social engineering test, you must consider the ethical implications of any pretexts, scenarios, or ruses you are planning to use. If you want to err on the side of caution, discuss the ethical (as well as the legal) side of your plans with your client and potentially even a representative from their HR department.
Social engineering testing has an important role to play in any good security programme. It’s a great way of testing and improving security awareness among employees, especially if done on a regular basis. But make sure it is done lawfully and ethically.