“I can’t” is a cybersecurity superpower! Why, you say?
Social engineer and pen tester Chris Silvers, CISSP, shared the power of “I can’t” with me in this clip:
To expand on this, imagine the following scenario:
A social engineer calls the helpdesk. She wants to convince them to reset a user’s password so she can compromise the account.
She tells the helpdesk 1st tier representative a convincing story about how hard her day was and seems to be on the verge of tears… The helpdesk rep feels bad for her and really wants to help.
BUT the organization’s policy forbids the helpdesk from resetting passwords in response to requests made over the phone. Additionally, 1st tier helpdesk reps do not have the permission to change passwords at all, so this request would need to be escalated.
Even though the helpdesk rep feels guilty for not being able to help, he tells her “I’m so sorry, but I can’t help you because I don’t have the permissions to change passwords,” and asks her to submit her request through the proper channels.
Social engineers try to manipulate us by preying on our emotions. When a person is acting on emotion, logic can go out the window; a hard technical limit does not have that weakness.
There is power in “I can’t.” Or said another way, “least privilege.”
We all know the concept of least privilege, but looking at it from the outcome-based perspective of “I can’t” in a social engineering context really reveals its effectiveness.
When organizations perform risk assessments, they should also evaluate the likelihood and impact of social engineering attacks on high-risk job functions, and apply mitigations through least privilege, separation of duties, and training.
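Here is what “I can’t” looks like when it is enforced by the system rather than by the rep’s willpower. This is an added example, not code from the post or from GRC Academy: a deny-by-default authorization check for the helpdesk password-reset workflow described above. The role names, permission names and channel names are assumptions chosen for illustration; map them onto your own identity system. The check combines the three mitigations named in the paragraph: least privilege (tier 1 simply does not hold the reset permission), an approved-channel rule (a phone call is never a valid reset request), and separation of duties (the analyst who verified the requester’s identity cannot also perform the reset).

```python
"""Deny-by-default authorization for a helpdesk password-reset workflow.

Added example; not code from the original post or from GRC Academy.
Role, permission and channel names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each role is granted only the actions its job needs.
# Assumed role names; tier 1 never receives reset_password.
ROLE_PERMISSIONS = {
    "helpdesk_t1": {"open_ticket", "lookup_user"},
    "helpdesk_t2": {"open_ticket", "lookup_user", "verify_identity",
                    "reset_password"},
    "idm_admin": {"open_ticket", "lookup_user", "verify_identity",
                  "reset_password", "grant_role"},
}

# Channels through which a reset may be requested. "phone" is deliberately
# absent: a caller's story, however convincing, cannot satisfy this check.
APPROVED_RESET_CHANNELS = {"ticket", "in_person"}


@dataclass
class ResetRequest:
    target_user: str
    channel: str                      # how the request arrived
    requested_by: str                 # claimed identity of the requester
    verified_by: Optional[str] = None  # analyst who verified identity, if any


@dataclass
class Decision:
    allowed: bool
    reason: str
    next_step: Optional[str] = None   # what the rep should say or do instead


def authorize_reset(actor: str, actor_role: str, req: ResetRequest) -> Decision:
    """Decide whether `actor` (holding `actor_role`) may reset the password.

    Every path that is not explicitly allowed ends in a denial, so an
    unknown role, a new channel, or a missing verification all fail closed.
    """
    perms = ROLE_PERMISSIONS.get(actor_role, set())  # unknown role -> nothing

    # 1. Channel check: the request itself must have come through an
    #    approved channel before anyone's permissions are even consulted.
    if req.channel not in APPROVED_RESET_CHANNELS:
        return Decision(
            False,
            f"reset requests are not accepted over '{req.channel}'",
            next_step="ask the requester to submit a ticket through the "
                      "approved channel",
        )

    # 2. Least privilege: the actor's role must hold the reset permission.
    #    This is the technical form of "I can't".
    if "reset_password" not in perms:
        return Decision(
            False,
            f"role '{actor_role}' lacks the reset_password permission",
            next_step="escalate the ticket to a role that holds reset_password",
        )

    # 3. Identity verification must have been completed and recorded.
    if req.verified_by is None:
        return Decision(
            False,
            "identity has not been verified",
            next_step="complete and record identity verification first",
        )

    # 4. Separation of duties: the verifier may not also perform the reset,
    #    so one manipulated analyst cannot complete the attack alone.
    if req.verified_by == actor:
        return Decision(
            False,
            "separation of duties: the verifier cannot also perform the reset",
            next_step="hand the ticket to a second analyst",
        )

    return Decision(True, "all controls satisfied")


if __name__ == "__main__":
    # Constructed sample requests, mirroring the scenario in the post.
    phone_call = ResetRequest("alice", "phone", "alice")
    ticket = ResetRequest("alice", "ticket", "alice", verified_by="carol")
    print(authorize_reset("bob", "helpdesk_t1", phone_call))   # denied: channel
    print(authorize_reset("bob", "helpdesk_t1", ticket))       # denied: privilege
    print(authorize_reset("dave", "helpdesk_t2", ticket))      # allowed
    print(authorize_reset("carol", "helpdesk_t2", ticket))     # denied: SoD
```

Note the order of the checks: the channel rule is evaluated first, so even a fully privileged administrator gets a denial and a redirect when the only thing in front of them is a phone call. The `next_step` field gives the rep the scripted, non-negotiable answer (“submit a ticket”, “escalate”) so the conversation ends without a judgment call.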
Here are a few security controls that address least privilege:
- NIST 800-53 r5: AC-6 (Least Privilege)
- CMMC: AC.L2-3.1.5 (Least Privilege)
The clip above with Chris is from GRC Academy podcast episode 24, “How To Stop Social Engineering in Its Tracks with Chris Silvers.” I’d highly recommend checking out the full episode!