
Nearly there, actually. Uh, can you guys hear me in the back without the mic? Are people virtual? Record? Should probably use the mic, in which case I won't be walking around. Right, welcome. How's everyone's day going? Good. Uh, man, first talk after lunch. If you fall asleep, I understand, I won't take it personally. Um, I'm Josh Mason, and today I want to introduce to you, uh, some of the ideas that I've been using in my life, in my sales, in my work, uh, and hopefully it brings some value to what you do in your roles. So this is How to Win Trust and Stop Hackers. One of the most difficult things for folks in cyber security is
influencing others, trying to get them to change, change their actions, trying to get budget to go through, trying to change policies, trying to sell things. It can be very, very difficult. It, for me, I think, is the hardest thing in cyber security. The technical can be learned, the getting this software, the tools in place can be done, but trying to influence other people, whether they're your colleagues, your leadership, your customers, that I think is the hardest thing that we
do. You could work for weeks and weeks and weeks trying to get something to happen, and your outcomes might be resistance or pushback or indifference, and that's hard. That, that's what leads to burnout. That's what makes people not want to keep doing this work. So what I want to do is help you with that, some of the things that I've been using that I think will help you as well. Start with a story. I used to be an Air Force pilot. I flew C-130s, and I, I'll talk about that all day long if you let me, but that's not what this is about. I stopped flying and became a cyber warfare officer after some family and
health stuff, and my first job as a cyber warfare officer was as a flight commander at Hurlburt Field, at their, at the First Special Operations Communications Squadron. My boss, the squadron commander, was essentially the CISO and CIO for 7,000 endpoints on that base, and we managed that base, several different networks there. We had seven, seven different networks, including, uh, secret and top secret for afnet socket ASO net. It was a mess. Um, we also had to manage bases that were outside of our own, because it was the headquarters for Air Force Special Operations Command, and we had people downrange who relied on us and our servers and our services as well, and it
was kind of a lot of work. I learned in that job, or I would bring things up in that job, because we would have staff meeting almost every day. I was essentially the deputy to the CISO, the CIO, and we would have things that would come down from Air Force, from the Pentagon in general, from headquarters AFSOC that was across the street, different strategies that they would want for the operation of the base that the networks relied on, that we needed to be able to support. And I, having come from a flying, a pilot in operations background, I would tend to side with the base commander, who is also a pilot, because that's what happens in
the Air Force: pilots lead everything, unfortunately for everyone else in the Air Force that's not a pilot. And I would push these ideas, or I would bring up, like, well, what about this, or what about that, because that's kind of, I'm used to that, that back and forth of what about this idea. Especially among pilots, bringing up those sorts of things was, was normal, was common, was expected, was trained into us, actually. That's how you were a good co-pilot and a good wingman, is to, at ground speed zero, ask about this and that and the other before you got in the plane and did things. In the communications squadron, it meant we butted heads a lot. I was looked
at as someone who couldn't just go along, that wouldn't do the job, that was asking all these things, and it was super frustrating. After about six months in that job, my boss was getting promoted and moved up to the Pentagon, and he gave me some six-month feedback. He's like, Josh, I don't see you having a future in cyber security. I was like, that's okay, I don't either. I had been trying to get, uh, side duties where I could go and teach, go back to the Air Force Academy and be a professor, or go to this school over here and teach a course for a year. He's like, if you want to teach, the Air Force Special Operations School is
right across the parking lot, no kidding, the next building over. They have a spot for a cyber warfare officer. That guy is about to leave, he's also going to the Pentagon, and you can go and teach there, and if you don't like it, you can come back and continue to do this, with a different boss probably. And so I got to go and teach at the Special Operations School, and there I was introduced to a few different mentors, the commandant and my department head. They both had a, a whole different mentality. They're both stoics, uh, and they introduced me to Dale Carnegie's How to Win Friends and Influence People. They were like, Josh, here you're
going to be training people and teaching them concepts that you're not strong in. This is a special operations school, and you've been at this base for six months. You haven't deployed in special operations. In order to speak to folks and be useful, you can't rely on what you thought you were doing as a pilot. As a pilot, we all trained, we all came up through the same, same path, we all worked from the same books, and if in a briefing you were like, oh no, it should be this, because we drop it 500 feet, because that's what the book says, it's knowledge that everyone has. Now I was working, working on things: how do we do strategy and operations and
special operations, where your commander is not actually truly your boss, where you're maybe an Air Force person with an Army unit working for the Navy in a place that's never going to be in the newspaper? Who is your boss, and how do you actually teach that sort of thing? So I had to learn how to speak to people in terms that they understood and imbue in them a mindset that I couldn't just rely on
expertise. I learned how to influence people. I used it for training, I've used it in consulting, I use it in sales, and it's what I want to teach you, because if we can learn anything from my six months in cyber security at that base, struggling and struggling and struggling to make things happen, even when I was talking to someone who, we had same goals, we wanted to make things more secure, we wanted to meet standards, we wanted to fulfill our, our, our DISA STIGs. I, if saying DISA STIGs made anyone have some PTSD, I'm sorry, I understand. What I realized in all of that is knowledge alone isn't enough. Instead we need to, I'm going to say this word a lot,
influence people. We need to change people's mindsets. There's not something special that you need to get, there's not software, there's not even a book that you need to go read. Everything that I'm going to be covering now, you have the ability to do. The hardest part is going to be thinking about what you've been doing, how effective it is, and how you might continue to do it again in the future, and see if making little changes, even in the order of words, can change your output, change your
outcomes. I also want to include in here, I'm autistic. For me, understanding what other people are thinking doesn't come naturally. It's had to be learned. So when I found How to Win Friends and Influence People and have that mindset of, oh, this is the way to connect with people, how to listen to people and have a, a real conversation and understand where they're coming from and how to relate back to them, was hugely influential. I know there are a lot of folks in cyber security who are neurodiverse, and if you have a similar background to me, where you need a road map on how to do things, man, I love instruction books, I love guides, I love
really good documentation. If you give me software with amazing documentation, even if it only does 25% of what you sold me, but it has great documentation, like, I'm, I'm still happy. So allow this to be your documentation. One of the key principles that Dale Carnegie shared, and, and he was teaching this stuff over a hundred years ago, the first, I think first, uh, version of How to Win Friends and Influence People came out in like the 20s, the 1920s. None of this is new. But the first principle: talk in terms of the other person's interests. And it seems obvious, but in anything that we're doing, if we can find a way to speak in the
other person's language or in their interest, we will have way more impact. So to follow that, you all are in cyber security. I'm not going to speak about how I would change things in a flying squadron. While I feel like I could probably do 50 minutes on that from my past experience, that's not valuable to you. So thus we're going to speak about how can we get people to want to implement MFA, how do we convince the CFO to give us budget to buy this next software, how do we convince people to put in place the security protocols that, that we've established and make them want to utilize them in their operations.
Another big Carnegie mindset is begin with praise and honest appreciation. You all have taken your time today, a Saturday during the holiday season, to come and hear about cyber security, to talk to others about cyber security, to become better at your jobs, even just a little bit, when you could be enjoying some time with family, getting your shopping done, trying to prep for whatever travel I imagine a lot of you have coming up, or ending the year with, uh, sales or projects. There's a lot you could be doing, and you've chosen to be here, and I appreciate you taking the time, not just to be in this room or in this building, but in this room hearing
this. I truly appreciate that. When you start with honest appreciation, people are more apt to listen to the rest of whatever it is you're going to say, and it doesn't have to be false, it doesn't have to be made up. What I just said, I, I genuinely am, uh, blown away by how many folks are in this room. We've got people standing and sitting on the floor in the back. There are seats up here, feel free to make friends if, uh, if you'd like, but, uh, I am blown away by that. Once I started on this rabbit hole of understanding how to empower and influence other people, I found the book Influence by Robert Cialdini, and he takes a different approach
than Dale Carnegie. Dale Carnegie set out with researchers, and they found the best books, they interviewed a lot of people, they try to find out how do people influence, or how do people work with one another, how do they sell, how do they become good leaders, what is it that they say and do, and they took a, a rather unscientific approach to it, whereas Cialdini is a doctor of some sort, I don't know, probably a psychologist, and he took that scientific approach to how do we influence people: a lot of research, a lot of trying to find out the core methodology and what does it really all boil down to. Some of the principles that he
mentions in his books and his talks and courses are authority, reciprocity, and social proof, and we'll be talking about how a little bit of those and how to work those into how we influence people. His approach wasn't the same as Carnegie's. Carnegie, no kidding, was trying to help people be more effective as friends, as in relationships, at work, in sales, in marketing. Cialdini, on the other hand, wrote his book, and in there B on how do you avoid getting tricked by tactics that people use, and frankly it's a social engineering book. You can read through it and find out how will people socially engineer you, what should you look out for, and what should you be mindful of, and how should
you think about those things when you're, when they're brought up to you. I want to use them, because not everything in there is negative, not everything is malicious. Who, uh, anyone do system or network admin type stuff? Uh, anyone have a detection rule for Nmap? Yeah, because if Nmap's on your, like, running on your network, you assume it's malicious, right? But is Nmap a malicious software? No, it's a networking tool, right? Was developed for network admins to better understand their systems, right? In that same way, what we'll be covering, you could use maliciously or you could use it productively. It's all up to you and how you approach things.
One of the, one of Cialdini's, uh, sorry, one of Cialdini's principles is authority. If you can start with setting a baseline for your authority, whether it's your education, your certifications, or leaning on other principles. If you get a, uh, assessment or a vulnerability scan and there's a report that comes out of that recommending this, that, and the other, and these criticalities, you can use that as authority, that a professional has said these are what we should be fixing. Or CISA or NIST comes out with recommendations of these are the things that you should protect. Should be going for full 50, right? You're good? Scaring the crap out of me. I, like, I cannot wrap up 30 minutes in
three. It doesn't have to be our authority. It can be the authority of other sources that people trust and rely on. It could be the, the company's ethos, it could be the company's strategy that you use as your authority. If you want to get across we should implement MFA, like, CISA, NIST, everyone says if you can, turn it on, right? You know it, I know it, but who has MFA implemented 100% across their organization? It's not a lot of
hands. Dig more to that. Reciprocity is another great tactic. People use this even without thinking about it. One of, uh, Cialdini, in the chapter that Cialdini covers on this, they did studies of people holding doors, just the simple act of holding a door for someone as they're entering a room, and then you getting up to the, the teller, up to the counter, and like at a store for buying something, asking, oh, I don't have enough change, do you have like an extra dollar, to the person behind them that they held the door for. There was an exponential difference in someone's willingness to say, like, yeah, here, here's a dollar, for those that they held the door for versus those that
they didn't. And that's one little example, but there was a lot more research done in that. If we do one little thing to help someone else out, their willingness to help us out is so much greater. With that, is there something that you could be doing in your organization from a security point of view that could help out marketing or sales or operations? If you could put an hour of effort to get them to be interested in helping you fulfill your requirements, would that be easier than fighting and fighting and fighting for weeks or months or quarters to get the same thing
implemented? Social proof is another one of the factors. People tend to follow what others are doing. They, obviously at lunchtime everyone wanted to go get lunch. Some of us knew what time it was, and we were hungry, and we went. Others saw people just moving in that direction and followed. There's a weird, like, small hidden line between our conscious and our subconscious, and acts like that, there's things that we do that we don't think about that fall in line with that. So often, if you see a group doing it, doing a thing, subconsciously there's a little bit of you that automatically thinks that's an okay thing to do. We, we see it in criminal groups. People use it often
for, uh, scams and crime, but we could also use it in a productive manner. If you can get, uh, proof that other organizations are implementing, uh, email filtering, especially competitors, say, our competitors are doing this and they made a blog post about it. You, you don't even have to follow up with should do it ourselves. If you were to bring that up with leadership, there's a good chance, if you just left a pause, they might be like, well, could we do that too? You didn't even plant it. You're utilizing social proof without even needing to say the second half. We'll put a lot of this into practice together. I've got a few case studies, because these are neat ideas.
Truthfully be told, I've been reading this stuff, and I, I relisten to the audiobook for How to Win Friends and Influence People almost monthly, because I find new ways that it applies to my situation. For me, it's, not to be sacrilegious, but it's almost more helpful than, like, reading through the Bible. Just find I can play it faster. But let's talk about the situation of MFA. We all know it's not a silver bullet. It doesn't stop everything, right? Talking about that at lunch. However, it does stop a lot. If you follow the news regularly, you might be like me and be like, well, if you guys had MFA on, that would not have happened, right? I'm
getting nods, so you feeling what I'm. How do we get our organizations to want to implement MFA everywhere? We could share what, what I just said: here's all these examples of organizations that have, uh, been breached because they didn't have MFA on, this business email compromise occurred because they had password reuse and account reuse, right? Could we have stopped that? If that was an effective means of changing things, we would have MFA on, right? Instead, what else could we point to? We could point to CISA and NIST making those recommendations. We could lean on company: you sent me to this, uh, SANS training, or you paid for me to take this course at, for my master's, or you paid for
me to take this CISSP course, and that course validated what I know about the value of MFA. I think that we should implement it. Leaning on that authority, especially authority that you convinced them was already valuable, they have already bought in a little bit. If they paid for the training, and that training taught you a thing that now you're bringing back to them, that's why they sent you to the training, right? Without making that connection for them, they're already going to be thinking it, like who i s of them there we should use what they learned. Sometimes it's the, uh, technical jargon that gets us lost. I said MFA. Pretty sure everyone, is there anyone who
doesn't know what I'm talking about, multi-factor authentication, in this room? That works fine, 'cause those of you who didn't know what it is, I'm, or raise your hands, I'm pretty sure just messing with me. It's using two different methods for authenticating. Your marketing people, your operations people, your CEO might not know what MFA actually stands for or what it really means, or why you would want a, a token or an app on their phone or to get SMS messages, and so you might need to explain that as well. Is there a way to speak in their language to get them to understand the value of what it is that you're trying to implement? It's right back to that: talk in
terms of the other person's interest. OPI, abbreviation I made up. If you're a bank and your leadership are finan-, bank operations people, there's a chance in 2024 that they understand some technical things. You know what they really understand? Bank stuff: vaults and credit and securing loans. And if you can start finding analogies to terms that they care about, terms that they use regularly, to relate back to what you're trying to do on the technical, on the cyber, on the IT side, you can usually get them to buy in a lot quicker. We might say, oh, we need to move from, mature from NIST, uh, level two to level three, or we're working our way through CIS 18 and we're at 8 and we're
moving to nine and our implementation is segmentation, which I think is a lot lower than that, but you get, get the idea. I think your goals of maturing the organization are good, they're righteous, proud of you. Do they care? What is it that they care about? What, what's the mission of the bank? Mission of the bank is to secure and provide financial services for customers. If it's a credit union, it might be certain kinds of customers, might be farmers, it might be, you get it. In that, can you, instead of we need to make this change, we need to make this maturity, we need to implement MFA in order to mature in our cyber security, say, in order to
provide and better fulfill our obligations to our customers and our creditors, we need to improve our cyber security maturity, and the next step in that would be implementing MFA. Are we at a point where we can start to provide a higher level of service to our customers? That, taking that question to them, rather than saying, are you now ready to have a budget discussion about MFA, say, are you ready to have a discussion about how we can better secure our customers' data and finances? Because that's what they care about. That's the other person's interest. And it's just a few words, it's just a small change in your terminology, but it has great effects. I'll lean on Cialdini and Carnegie
for their examples. I would go into depth, but it's going to take longer than what we have, but that's an idea of how you can start to implement that. Commitment and consistency: people are more willing to continue doing the thing than they are to start doing a new thing. So if you've been able to plant a seed, to start some inertia, that can feed into further movement. How that can relate and how you can use that: if you want to implement MFA everywhere, talk about things that you've already accomplished and the organization has already done. We have already purchased E5 licenses for everyone in the organization, we have invested this money and this time, and we've moved our
infrastructure over. In that, one of the best next things that we can do is click a few buttons that automatically turn on MFA and require people to, to register and download the app and turn all that on. It's like, well, if their mind is already at the we've already paid for this, we've already committed to going down this road, as opposed to, oh hey, we want to turn on MFA because it also happens to come with our E5 licenses. Just starting with that, their interest before, and the commitment that they've already made, in consistency, we want to keep moving on this path that we've built on. You're not going to see as much resistance going down that
methodology. Let's take another look: a phishing filter. This might be contentious. Anyone had an issue, uh, trying to implement something like this, trying to implement a phishing filter? What sort of pushback have you gotten? Gonna miss my POS. What are
you, ah, they worried about missing something because it goes into spam filter. Okay, that makes sense. Yeah, they're worried about false positives messing up business. Those are legitimate worries, and obviously people have run into that exact thing. But it's valuable, right? Yeah. So how do we fix this problem? People are worried. We know that it's valuable. How do we make them feel that it's more valuable? We can use a lot of these same principles. Rather than focusing on it's going to improve our maturity, it's going to protect our organization, it's what we should do because it's a better thing to do, those all sound like, they might sound like fighting words, they might sound like, well, that's just your opinion, dude,
right? However, if we use some of the principles that we've talked about, like honest appreciation, let's start with, find something, find something that we do honestly appreciate about them, like, you guys have been, uh, speaking to the organization, you all have been very helpful in accomplishing your cyber security, uh, awareness training, or you all participated really well in the training that we had a couple months ago back in October, if that fits, if that's the case, if you do have honest appreciation for them. Or some companies actually point out when someone does turn in, like, hit the report spam or report phishing. Let's bring that up, like, we've seen a lot of great true positives come back when
people hit that report phishing, and we really appreciate it. You are helping the organization be more secure and helping us to provide better quality and consistency for our customers and our colleagues. One of the next things that we could do is implement a phishing filter so you don't have to do that as much. By starting with honest praise, they're like, well, okay, that doesn't sound so bad, maybe it will be worth it. You could also lean into scarcity. We talk about scarcity in social engineering, right? Oh, this needs to be done now, like, you've only got, the sale ends in one hour. We could utilize scarcity in, this is the fourth quarter of the year, we need to
make sales. I know marketing and sales and probably operations and finance are all interested in those things. Are there deals that we're leaving on the table because our SOC 2 doesn't say that we've got MFA across the enterprise? Are there people who, are there deals that we're missing out on because our competitors have implemented this? By not having phishing filters, that's not something we can attest to being complete, and our auditors can't show, yes, they are doing this thing that they say they're doing. Are we losing out on deals because of that? Because we know these guys are doing it and they just closed the $5 million deal. Other person's interest, scarcity, and if you can start with honest
appreciation, you might not even need to say anything else. They might be like, well, how do we get that implemented? They might come to you requesting
it. There's also social proof. If you could get one department to buy in, maybe marketing is really where it'd be, or sales, because they have a lot of inbound and outbound email, right? I've done sales. You can't miss customer or, uh, potential customer, uh, emails. That, that doesn't work well. You don't close opportunities that way. But internally, if you could get IT to turn it on, because you could probably convince the IT department to turn it on, you're like, how is that working for them? If you can go to marketing and say, hey, we turned this on in IT, it's working really well, we haven't seen any issues, and it's been working great for them,
they've actually, we've had less people clicking on links, we've had less spam just showing up in inboxes, is it something that we could turn on for you to make life easier? If you can use those other principles as well, now that you've shown it works over here, you might have better input getting it to work over
there. Executives: easy and difficult to trick. Difficult to trick because if you don't think like them, don't put things in their terms, they might not be interested. However, if you can speak in their terms, which is why I got myself an MBA, so I can use that jargon, you can move things, you can make things happen. So, an EDR investment. Maybe we want to implement CrowdStrike Falcon, or maybe you don't want to implement CrowdStrike Falcon. If anyone here's from CrowdStrike, we'll all feel for you. I, another sponsor that they got a booth out there, but Falcon works pretty damn well. But it's expensive. That's a lot of money. How many salespeople could you
hire, or implement Falcon across the enterprise? Salespeople bring things in. Falcon, we know it's valuable. How do we prove to them that it's valuable? You go in with specs, you go in with proof, you go in with white papers. If you need to convince the CFO and the CEO and the COO to budget six figures, seven figures, depending on the size of your organization, for this tool that will be implemented over six months and might, you know, cause some turmoil until it's in place, and once every couple years might blue screen everything, um, how do you make that pitch? Well, we could lean on authority: NIST, CIS, CISA, all of them. In either NIST CSF 2.0
or CIS 18, endpoint detection and, uh, response is a low tier thing to implement. It is one of those where, like, I'd want to implement it as soon as possible, right, as a security person, even if it's just Defender on the Windows machines that they have, like, turning that on and making sure that it's configured. Like, who would want to have that off versus on? Yeah, so we know. How do we get them to know? So the authority we lean on: my training, my education, my years in the business, these organizations, PCI that we have to comply with, or HIPAA that we have to comply with, or as a bank, the things that we have to comply with, say that we need to
have this as a minimum. Lean on that. Then you can get into social proof. Other organizations implement these things and they don't show up in the news. The banks that do show up in the news as that being breached, the healthcare organizations that do show up, are they implementing these? Do we know that our competitors have just implemented, uh, SentinelOne or Google Cloud Mandiant recently? Is there something that you could use competitors for social proof? That also leads into that scarcity. If our competitors are doing it and we're not, that's something C-suites care about. They don't want to be left out.
What it really comes down to is empathy: understanding what matters to that other person, and rather than trying to get your value across, trying to get their value across. You know your stuff. They hired you to know cyber security. Your value is in that you know these things. Where you can really IDE is now that you understand those, how can you make it valuable to
them? There's a bit of this that might feel like you're, uh, you're using people with influence, with things that could be social engineering. We don't want to take advantage of people, so where is that line? Is, is using these principles, is using these ideas right? I have a minor in philosophy. Uh, I'm, thanks. I've been, my first university course was in ethics. This matters to me a lot, and I'll lean on Immanuel Kant: what is right is to treat people as an ends in themselves and not as a means to an end. And I've written papers, and I could go on for hours on what that means, but it's, are you treating people as human beings and helping to provide for
them based off of that, or are you using them and trying to influence them for your own means, for your benefit alone and not theirs? A lot of this stuff, what we do in cyber security, the reason I love still being in cyber security, is that we help people, we help society, we help companies. There is a, there are criminals out there, there's organizations that want to steal your data, want to take advantage of all the things that we put out there. If we do our jobs right, we make that less. We protect people, we protect companies, and know, I don't know, you might not be in cyber security because you want to help people, but I got a good feeling that you
do. Similar to cops, firefighters, and military, there are those who do it for self-righteous reasons, but from what I've seen, most are doing it in order to help, in order to make society or their communities better. If your goal is collaboration, improving the organization, helping the company meet its goals and remain secure and safe, if you're acting in that capacity and you're not treating people as a means to an ends, then you're doing things right. Having that alignment with goals, because what you want and what they want, you haven't tried to convince them away from something they want. Instead, you're using what they want to also, to accomplish it together. They want to make better sales,
so saying that being more secure, competing or matching your competitors, getting things out so you can be, have a, a better quarter, isn't wrong. Instead, it's helping them reach their goals in a way that they didn't even know was an option. So we started kind of late, going to run through this real fast. The first thing that you can do, if you do nothing else: begin to build rapport. Work with other organizations, uh, inside your company, inside your client base, uh, inside your community. If you have the goal of mutual support, of helping other people accomplish their goals through what you know and through what you can do, it's going to go a long ways. If you
just start with that mindset of collaboration, instead of my cyber security goals, but our organizational goals, that'll move the needle forward. And offer value. Um, I'll probably close with this. I'm a huge fan of the book, uh, The Phoenix Project. Anyone read it? It's about IT and cyber security and DevSec, or DevOps. There's a turning point in that book, in that organization, in that mindset, of stopping to look for what I'm trying to accomplish and more what is the business trying to accomplish, and ironically they're not, it's not a battle. In, instead, if I can get behind what the organization is trying to do, if I can turn my expertise behind what marketing or sales
or ops or even IT, if there's a battle between cyber and IT, if we can help them accomplish their goals, even if it doesn't necessarily make ours move forward, but if it's something that you can add value to, that overall will move everything forward. So start with offering value. Patch Tuesday comes out. You're, you're not in charge of patches, but you know it's going to be a pain in butt to, uh, update everything across the enterprise. Do you have the time? Do you have the time to get over there and be like, hey, could I help out? Could I bring donuts? Could I bring coffee? It's going to be a crappy Wednesday through Friday for the IT team that is in charge of
that. How could you add value to them, so that when you need to make things move, reciprocity, collaboration, they want to help you out, right? Uh, and yeah, establish credibility and authority. Don't come in with I know all the right things. Instead, if you are able to build that up, you will create a wave behind you. You start with collaboration, you start with getting people to trust you, you'll be surprised, months, weeks, or weeks, months, years down the line, people will turn to you and ask for your opinion on what needs to happen, as opposed to fighting you in those meetings. All right, so I've learned a lot. I hope you have all learned a little bit from this
and have an idea of where you can go, what you can do in your organization. Um, if, uh, you've got any questions, we'll speak in the hall or in the other room, um, that way they can start with the next group. And yeah, sorry, racing through the end of this. Uh, if you need to get a hold of me, I'm on LinkedIn, Joshua C Mason. And yeah, thank you all. [Applause]