Marketing and Public Relations: Social Engineering on an Industrial Scale

I stumbled across this article this morning in my Twitter feed: Richard Berman Energy Industry Talk Secretly Taped (Hat tip to Phil Plait AKA @BadAstronomer)

The ethics of the actions described are certainly up for debate.  That’s not what I want to ponder with you this morning.  What I do want to ponder is how the Venn diagram looks for Social Engineering, Marketing, and Public Relations.  I think it looks kinda like this when you look at everything at the same scale:

[Figure: Venn diagram of Social Engineering, Marketing, and Public Relations]
This is my initial estimate at the overlap between the practices

You can see I think that there is a ton of overlap among these skill sets when you adjust for scale.  Social engineering is generally a targeted activity, e.g. spear phishing or a pretexting phone call. However, regardless of scale, the objective of all three areas is the same: influence someone to do or believe something that benefits another.

So what does that mean for information security professionals?  I think it means that as we draft our strategies to defend against social engineering attacks we need to make sure that the Marketing and PR Departments have a seat at the table.  Make friends with those folks.  Understand how they go about influencing the masses to purchase the goods and services your organization offers.  Then consider how you would use those techniques to sell malware or elicit information from a single target rather than a larger population.

Let me know what you think in the comments.

  1. Great suggestion, engage the minds of people in your org who wake up every morning thinking about how to gain access and influence. “I get up every morning and I try to figure out how to screw with the labor unions — that’s my offenses”. Whether for noble purposes or not, the creative, clever and devious mind goes to work in the same way.

