Last year I was invited to talk at the Brain Tank Minicon in Providence, Rhode Island. Having recently spoken at numerous other conferences on a rather narrow set of IT security-related topics, I decided to take my talk in a different direction. Now, I present a blogged version of that talk: Evolutionary Bias in Social Engineering.
While I have spent the bulk of professional career in cybersecurity, my academic background is in anthropology, the study of man. So, in a sense, my experience is a mix of Indiana Jones and Kevin Mitnick. Then again, anthropology has four main subfields – archaeology, linguistics, cultural anthropology, and biological or forensic anthropology – the latter three being where I tended to focus. And, while I was once more active on the technical side, I now mostly supervise staff or run vulnerability management, so, I suppose I’m more of a Temperance Brennan meets Michael Scott. While this isn’t the best combination for being popular in social settings, it does provide me with a unique perspective on social engineering.
Social engineering, or SE, simply put, is con-artistry. It is trickery and deception. It is the act of manipulating the human. And anthropology can provide insight into both sides of the issue: the attacker and the victim.
As stated above, anthropology is the study of man – or more accurately, the study of humans. Anthropological studies come in many forms, from researching old tomes to digging up old house wares to observing peoples in various environments to conducting surveys to affecting policy to studying non-human animals. Whatever broad subject matter the anthropologist is researching, it generally falls under one of the following umbrella items: artifacts, culture, language, or evolution.
The phrase “human nature” is often used in casual conversation. Human nature means something very different to an anthropologist than it does to the average person. When an anthropologist says it, they are talking about something that exists across cultures – all cultures – not present in one. Human nature, therefore, is best described as innate human behavior, exhibited by persons in all human societies. For example, language and language abstraction are part of human nature. Every society has at least one language and every language offers some form of conveying the abstract. While it is certainly arguable that other animals possess language, none have the observable ability to express abstract thoughts through that language. A shortlist of human universals includes: kin relationships, status determinations, materialism, fear of strangers/outsiders, facial expressions of emotion, facial recognition, sexual jealousy, use of weapons and tools, use of humor, and on the more negative side of the scale social manipulation, selfishness, greediness, impatience, ambition, and vanity, to name a few.
Social engineers rely on these human universals. They operate on the assumption that their tactics will work across people of varying backgrounds, social classes, ages, sexes, religions, and a wide variety of other differences. Why do they take advantage of these things?
It all comes down to one thing: sex.
Sexual reproduction leads to evolutionary changes in species over time. Evolution is a succinct way of saying “genetic changes, or changes in traits, in a species over successive generations.” In order for evolution to occur, the traits that must be heritable and they must be variable. Heritability refers to the passing of traits from one generation to the next through DNA. Variability is a product of a gene and the environment. In scientific terms, a genotype is the actually makeup of genes, while the phenotype is the physical representation of those genes. For example, a person with brown eyes may actually have genes for both brown and blue eyes. If so, that person’s phenotype is brown-eyed, while his genotype is Brown-blue.
We evolve traits that lead to higher reproductive success because reproductively successful parents pass down reproductively successful traits. We are all the products of reproductively successful parents. Keep in mind sexual reproduction isn’t perfect, and sometimes anomalies such as gene mutations, extra chromosomes, missing chromosomes, etc., occur that do not result in higher reproductive success.
Contrary to the popular beliefs of the 19th Century (and of some religious groups today), genes do not blend, they shuffle. This keeps variability, and thus, sexual competition, high. Think about it like this: two parents, one with blue-eyes and blond hair and the other with brown eyes and black hair, have 3 children. If genes blended, all three children would look the same with light brown eyes and brown hair. Instead, because genes shuffle, while all three children look like siblings, they are all unique.
Woman have far fewer reproductive cells (or gametes) than males. At birth, a woman has the highest number of the eggs she will ever have. In contrast, a man’s testes produce sperm throughout his entire life. Thinking about these gametes as commodities, the reproductive value for women is high, while it is quite low for males.
According to evolutionary psychologists, women exhibit a genetic preference for mates who can provide resources (food, shelter, resistance to parasites, etc.) to themselves and their children. Ideal mates for women include those with high social status, good health, and access to valuable material possessions such as money, a home, and food. Men exhibiting these characteristics tend to have more children.
What does this have to do with SE? The sexual selection pressures place on males pushes them to compete for access to resources and more power to increase the likelihood that they will be able to reproduce. SE, like many other competitive (often criminal) activities, allows men to eliminate potential rivals by taking away from the rivals and gaining for themselves. In other words, sexual reproduction leads to male competition. Men compete for access to women and to resources. As a result, a significantly disproportionate number of males are criminals, especially violent offenders.
Genetic traits associated with aggressive behavior, SE, violence, and other criminal behavior likely evolved before the ape-hominid split approximately 5 to 8 million years ago and possibly even before the ape-monkey split 15 to 20 million years ago. While aggressive behavior is observed in males of many animal species, apes have been observed engaging in decidedly tricky behavior. Regardless of when these traits initially evolved, the human brain has changed little in the last 10,000 years. We exhibit the same basic traits our distant ancestors exhibited. We essentially have “caveman brains.”
This may leave you wondering why, if males are genetically “programmed” to be competitive, are men susceptible to SE? The answer lies in another aspect of anthropological study: culture.
Our culture makes us vulnerable to aggressive actions through a number of factors including our reliance on social bonds, our tendency to trust, aversion to loss, fear of or respect for authority, and a seemingly natural desire to be helpful, among others. Looking at that shortlist, it may be easy to dismiss some of those items as cultural. Keep in mind that culture remains one of the hardest things to define and describe accurately in the English language. From the anthropological perspective alone it can mean many things. For the purposes of this article, culture is probably best described as generically as “a way of life.” Culture can also be thought of as a method of human progression.
Humans lack the protective mechanisms that other creatures have. Humans don’t have claws, thick fur, sharp teeth, or camouflage. Our culture is our defense mechanism. While we may not run all that fast and may not be very good at climbing trees, we have the ability to create weapons. We may not have thick fur or layers of blubber to protect us from the cold weather, but we have tools that can make fire and we can fashion clothing out of animal skins. Our sense of smell is not as heightened as it is in many animals, but we can warn others through the use of spoken and written languages where our enemies are located, which berries are safe to eat, and which part of the forest has the easiest prey. For those things we cannot fashion, grow, or hunt ourselves, we have developed bartering systems. The development of advanced technology has allowed us to rise to the top of the food chain and spread our kind over the entire globe. This is all because of our culture. We have survived where other creatures cannot because of our culture.
Culture creates mechanisms for the development of trust, learning, sharing, likability, and, thus, survival. As a result, culture has guided us to create trade, economics, business, government, religion, art, and music among many other things. It should be no surprise that anyone can take advantage of the cultural mechanisms for greater influence. For example, people tend to do favors for those who are generous to them. This is the basic rule of reciprocity. Giving gifts, material or otherwise, to people without reason will most likely result in a feeling that they owe you. The gift receiver will feel external and internal pressure to reciprocate with a “gift” of equal value, such as a favor or an item of monetary or other value. Similarly, we tend to assign value to items that are of limited supply. Businesses take advantage of this all the time, socially engineering their customers to the bank. Apple, Microsoft, and other technology manufacturers limit their early supply of technology to keep demand high and maximize early profits. Retailers like Target, Amazon, and QVC are always quick to point out when they have a “Limited Supply! Act Now!” EBay has made an entire enterprise from the idea that people will pay more when they know others want the same item. As one person bids, countless others stand by trying to decide if they should bid now or hold out to the final seconds.
And back to sex. We developed culture because we had no other defense mechanism. As we gained other evolutionary advantages – walking upright, bigger brains, language, etc. – we lost our tree swinging abilities, our huge fangs, and all of our fur. And while humans are the sexiest apes, and I mean that literally – we have the some of the largest penises and breasts relative to our bodies – we are just that: sexy apes. We maintain our aggressive sex-fueled competitiveness. And while men tend to be the more cutthroat sex, we are also more easily fooled by sex. Women could be particularly good social engineers by simply being sexy. Just visit your local gentlemen’s club for evidence.
If you are interested in reading more on the subject, I highly suggest the following resources:
• http://www.aaanet.org/resources/
• http://www.anthropologie.net/
• The Evolution of Desire, David M. Buss
• The Selfish Gene, Richard Dawkins
• Evolution and Human Behavior (journal)
No comments:
Post a Comment