It was only upon leaving my career at the Central Intelligence Agency (CIA) in 2010 and entering the private security industry that I learned there was a specific field called social engineering, also referred to as human hacking.
What is social engineering? Popular literature described it as a process by which someone manipulates humans in order to breach security, whether it be the security of the organization or the individual’s personal security, and it generally carried a very negative connotation.
Although I was just learning about the approach, I realized that I had spent much of my CIA career as an intelligence officer who, in fact, used social engineering skills quite effectively to accomplish my missions. It became a bit of a personal dilemma for me. Was the intentional manipulation of fellow human beings something inherently evil? Or was it simply a tool that could be used for evil as well as good? The more I thought about the topic, the more the passion stirred within me to analyze the methodology of social engineering and its impact upon the security of organizations as well as individuals.
In 2015, Webster University invited me to teach as an adjunct professor in their master’s degree program for cybersecurity. While addressing intelligence and counterintelligence issues as they related to cyberwarfare, I decided to incorporate my knowledge and skills as a spy in explaining how individuals are effectively targeted and manipulated by adversaries using a variety of social engineering techniques.
Not wanting to bore them with long lectures, I assigned each of my students a Fortune 100 target company for a “capture the flag” exercise. Under close supervision, they acquired key bits of information (flags) using creative online research tools as well as a variety of social engineering ploys. They prepared and presented before the class their proposal for how to breach the security of their target firm to accomplish the objective. While fortunately not allowed to execute their plan, students loved this approach and found that it transformed the way they viewed cybersecurity threats and how best to mitigate such risks.
In addition to my university platform, I began sharing this knowledge by writing articles for major trade publications as well as being an industry fraud, financial systems and security speaker for conferences. While attendees were typically intrigued and wanted to learn more about social engineering, I found a severe deficiency in publicly available resources covering the topic.
To address this need, I first established a security awareness training company called the Counterintelligence Institute in order to help client organizations learn how to protect proprietary information and personal data records against security breach attempts initiated by social engineering. However, the only individuals who benefit from my security awareness training speaker services are those employed by my clients. Since I wanted to share some of my insights with the wider public, I wrote a book titled “Confessions of a CIA Spy: The Art of Human Hacking.”
So what can you learn from a former CIA spy who spent his career artfully manipulating innocent people to steal high-value secrets? Plenty! For example:
The motivations and objectives behind security breaches conducted by criminal groups and other threat actors
The dangers of social media, including carefully crafted insights into a victim’s motivations and vulnerabilities that are leveraged during spear phishing, smishing, vishing and other advanced human hacking techniques to obtain even closely held information
The psychology behind why humans are susceptible to manipulation or social engineering, and how influence techniques are used to bypass security protocols
The elicitation techniques used by social engineers to obtain protected information from victims who often don’t know why people are using them
And much, much more...
As a former spy, I know that deception and manipulation can be very powerful forces. Denying that they exist will only increase their power over you.