Confessions of a Spy
Updated: Jan 16, 2020
It was only upon leaving the Central Intelligence Agency (CIA) in 2010 and directly entering the private security industry that I learned there was a specific field called Social Engineering. Popular literature described it as a process by which someone manipulates humans in order to breach security, whether it be the security of the organization and/or the individual’s personal security. It generally carried a very negative connotation. Ironically, I then realized that I had spent the better part of my CIA career as a Senior Intelligence Officer who very effectively utilized social engineering skills to accomplish “the mission.” This became a dilemma for me. Was it something inherently evil? Or was it a mere tool which could be utilized for evil as well as for good? The more I thought about the topic, the more the passion stirred within me.
In 2015, Webster University invited me to teach as an adjunct professor in their Master of Cyber Security degree program. While addressing Intelligence and Counterintelligence issues as they related to Cyberwarfare, I decided to incorporate my knowledge and skills as a spy in showing how individuals are effectively targeted and manipulated by adversaries utilizing a variety of social engineering techniques.
What made my course truly impactful for my students was an assigned capture-the-flag social engineering project. Modeled somewhat after the annual SECTF competition held in Las Vegas, I individually assigned each of my students a U.S. corporate entity as their social engineering target. The purpose of the exercise was to collect as many flags as possible and develop a proposal for breaching the target entity’s security. The flags were specific pieces of information, which addressed potential exploitable vulnerabilities in a target’s security system. As a first step, each student conducted Phase I open source intelligence (OSINT) collection on their respective target by scouring a multitude of sites available on the World Wide Web. Once they demonstrated proficiency in OSINT collection and exhausted most of the available resources, I allowed them to move on to Phase II. During this stage, and under careful supervision, my students utilized information collected to formulate a variety of social engineering techniques utilized against their target to gather additional flags. They concluded their project by detailing their Phase I and II process as well as information uncovered. Without exception, students overwhelmingly completed the project with a much greater awareness regarding the threats posed by social engineering and how to help protect themselves as well as their respective organizations from such attacks.
In addition to my university platform, I began sharing this knowledge by writing articles for major trade publications as well as speaking at industry conferences focused on security, fraud and financial systems. While attendees were typically intrigued by the topic and wanted to learn more, I found a severe deficiency in publicly available resources covering this topic. As a result, it is not surprising that the general public continues to remain very uninformed and completely susceptible to social engineering attacks whether delivered by phishing (email), smishing (SMS), vishing (telephonic) or face-to-face interaction. However, what is of more serious concern is the general apathy of those who believe that they will never fall victim to such security breach attempts. As long as they keep their head in the sand just like the ostrich, they will feel safe. However, this lack of understanding as well as apathy play perfectly into the hands of cyber criminals when we consider that according to Verizon’s 2018 Data Breach Digest, over 90 percent of successful breaches actually begin with social engineering.
It was for this reason that I decided to establish the Counterintelligence Institute. My mission is to assist corporations, government offices, academic institutes and non-profit organizations in the protection of their proprietary information and personal data records against security breach attempts initiated by social engineering. I focus on transforming the human factor from being the weakest link in security to becoming the most effective defensive tool against such threats.
See for yourself: