John Orlando continues his two-part series on the ethics of social engineering for penetration testing. What follows in this column and the next is entirely Orlando’s work with minor edits.

* * *

Analysis

The cases described in the previous column have been deliberately ordered from least to most ethically troubling. I would argue that there are morally relevant differences between the shoulder-surfing and piggybacking cases on one hand, and the computer technicians and bribery cases on the other. For one, the latter two penetration-testing cases expose the employee being tested to significant psychological stress. The employee in the computer technician example is worried about losing his job, while the one is the bribery example is faced with an offer to do something illegal.

Moreover, the deception in the latter two cases is established by verbal manipulation. Why is this relevant? After all, all cases involve some level of misrepresentation, and we can just as easily misrepresent ourselves with our appearance and actions as we can with our words.

The difference is that when the deception is established verbally, the deceiver is plugging into deep-seated psychological triggers humans use to establish trust with others. Con men are good at playing on these triggers, and while people can be expected to follow procedures, they cannot be expected to resist the kind of psychological manipulation employed by skilled manipulator. We would say the same thing of an attractive consultant soliciting an executive to see if he would exchange sex for secrets. The enticement is unfair. Moreover, the episode will undermine the employee’s trust in the company.

There is also the question of the professionalism on the part of the consultant when he moves from providing security advice to acting. Once the deceiver starts the charade, he will not know how much acting will be needed to get the employee’s cooperation. At some point the question becomes whether the consultant is measuring the strength of the company’s security policies, or his own acting skills. The consultant has put himself or herself into a compromising situation that could undermine faith in the profession as a whole.

Finally, what is the employer going to do with the employee in the bribery case if he agrees? The employer cannot trust the employee anymore, yet if he fires the employee, he can be accused of entrapment.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.