Why Auditors Should Adopt Social Engineering

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 15 February 2021

Social engineering is considered a type of security attack that targets the weakest link; that is, humans. However, rather than discuss how to audit social engineering preparedness or eliminate social engineering attacks, I pose—and answer—the question, do auditors need to acquire social engineering skills?

When I was in college 45 years ago, what is perceived and christened as social engineering today was referred to as social science and regarded as an effort to influence attitudes and/or behaviors of people to convince them to understand and accept a concept. In political science, it meant influencing a group of people on a large scale to produce desired characteristics that would persuade them to accept certain decisions (note that these are definitions I have formed from my own understanding, not from any reference book or material).

Based on my experience, I believe that auditors can benefit from acquiring social engineering skills for the following reasons:

  • Necessary evil—The auditee may consider the audit to be a necessary evil because it must be carried out for legal or regulatory compliance.
  • Interference—The auditee’s primary objective is to deliver their organization’s proprietary product or services, and an audit represents an interference that disrupts smooth business operations.
  • Impact on performance—Some organizations’ human resources (HR) policies attach additional importance to audit findings by linking them to the personal performance of employees. This prompts the auditee to try to ensure that the auditor does not uncover or present their findings.
  • Lack of readiness—The audit may have been forced on the auditee by either a third party or enterprise or senior management when the auditee was not ready.

Sometimes, auditors struggle to complete the audit because the auditee is uncooperative or tries to divert the focus of the audit. However, if an auditor knows how to apply principles of social engineering, they can achieve the cooperation necessary to finish the audit. The following are some instances where I successfully applied social engineering techniques to complete an audit:

  • Instance 1—In this audit, 1 finding per observation was presented in the draft report. Based on the draft report, management stressed the importance of reducing the number of findings. Because several observations were a result of 1 control, I redrafted the report to highlight the issue with the control, thereby focusing on the control rather than the observations. This helped me win cooperation to complete the audit without compromising professional ethics.
  • Instance 2—In a different audit, I faced a total lack of cooperation from the auditee’s managers because they had decided not to cooperate to demonstrate their unhappiness with the corporate office’s decision to audit. I was provided a meeting room, but meeting requests and requests for other information were not forthcoming. The coordinator assigned to the audit was the most junior employee in the organization and, as a result, he was unable to offer adequate help. To progress the audit, I had to use the pantry room and dining hall to meet with employees and have informal chats to understand their reasoning. I had to assure them that I would comment on the impact of this decision in the audit report to get the cooperation needed to complete the audit.

Based on these experiences, the following are some suggestions for aspiring auditors:

  • Understand the background of the audit and be prepared with a strategy. Especially for an audit taking place due to compliance requirements, try to focus on controls rather than interruptions.
  • Develop communication skills so that you can build rapport with auditee employees.
  • Understand the auditee’s focus on service or product delivery and schedule meetings with the relevant stakeholders accordingly. Avoid multiple interactions unless they are required.
  • Ensure minimum interruption to the auditee. This requires appropriate planning before commencing the audit. It is a good idea to gain an understanding of the auditee’s challenges and to communicate your expectations as an auditor.
  • Be prepared for surprises.

By implementing these tips, auditors can embrace social engineering tactics and achieve the results they desire for their audit.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.