Social engineering – the non-technical kind of intrusion that relies heavily on human interaction – is presumed to require a mastery of the social graces, a certain finesse, and a highly polished public persona. After all, social engineering is a form of trickery. It requires the mental seduction of a perfect stranger to coax a victim into divulging information he would never reveal otherwise.
You would think that such a role would be ideally suited to the extrovert and a perpetually awkward fit for the average introvert. You would think so, but you would be wrong.
“While it is true that extroverts will have an easier time approaching a crowd, or approaching a stranger, there is one significant challenge that extroverts have: active listening,” explains Chris Hadnagy, who runs social-engineer.org and social-engineer.com and is also the author of Social Engineering: The Art of Human Hacking.
“An extrovert enjoys talking to others and enjoys being the center of attention, and therefore may have a problem listening,” he adds.
Extroverts are far more prone to thinking ahead of the conversation in order to form the next question, spin the next tale, or deliver a witty line with perfect timing. They also have more trouble with remembering details they did hear – those annoying facts that can be so critical to convincing a mark that a request for information is legitimate. The extrovert is more attuned to body language and social cues than to the details within the conversation.
Introverts, on the other hand, rarely miss the tiniest tick of information. They seldom fail to finish a thought to a logical end or to accept a statement as true without ample evidence. The very things, in other words, that make introverts so awesome at coding and all things Internet also makes them incredibly good at stealth work.
There is, however, one thing that extroverts trump introverts at – being the victim.
"While victims could be either [introverts or extroverts], the more valuable victims are the extroverts,” says Avi Turiel, Director of Product Marketing, at Commtouch, a provider of Internet security technology for integration in the solutions provided by more than 150 security companies and service providers including 1&1, Check Point, F-Secure, Google, Microsoft, Panda Security, Rackspace, US Internet, WatchGuard and Webroot.
“They are more likely to forward messages on Facebook and other social media, inadvertently spreading the attack," says Turiel.
Extroverts are also more likely to serve as personal escorts for thieves.
“Our consultant identified an employee who was always chatty, talked to everyone in the elevators and such,” explains Gary Bahadur, CEO of KRAA Security, a security software and consultancy firm. “By striking up a conversation with this person, our consultant continued talking and being friendly as they exited the elevator and the target walked our guy right through the card key access door without question. That easy rapport was easy to take advantage of in this situation to bypass security measures.”
Innies, Outies and In-Betweenies
It would be nice, wouldn’t it, if humans came so neatly packaged? The extroverts would all have that little white pasty on the shirt that cheerfully proclaims “Hi! I’m Mr. Extrovert” to everyone everywhere and the introvert would wear a wallflower in her lapel. But humans are messy and confused beings who often wear more than one personality trait and rarely bother to clue us in as to which they are modeling today.
“In answer to your question, the best social engineers are both introvert and extrovert,” says Matt Malone, founder of Assero Security Services, a security consultancy that services small businesses.
“I am working on a case currently with the FBI where one social engineer was both,” he says. “At first he was even helping our investigation as an introverted and awkward, clumsy database admin, only to find out he was none of those.”
This blend of traits is learned, however. The perfect social engineer need not be born in the gray areas between extrovert and introvert.
“This is not a natural personality blend, but rather a learned blend,” says Angel Tucker, an expert Personality Profiler and author. “They have learned to either be the ‘I’ or the ‘C.’”
Tucker is referring to the Extrovert/Introvert blend identified in the DiSC system as an I/C - "I" represents the "inspiring" type, a.k.a. extroverts, and "C" which represents the "cautious" type, or introverts.
There are other names assigned to extroverts and introverts in the ongoing attempt to account for all the shades of gregariousness and internal reflection. But by whatever name, most experts point to the introvert as “Most Likely to Succeed” at social engineering.
“The temperament type that would most likely become a social engineer would be a melancholy (introvert). Melancholies are task orientated and perfectionists,” says Dr. Loosenort who holds a PhD in Christian Psychology, Clinical Counseling,
Marriage and Family Therapy, is privately licensed, and a member of the National Christian Counseling Association. Dr. Loosenort is also ordained by the National Conservative Christian Church.
“Melancholies are very deep thinkers, which can add to their success at social engineering,” he adds. “If they have to interact with others to accomplish their task. this is doable for the melancholy (introvert).”
However, Dr. Loosenort says the introvert is trumped by many of the blended personality varieties which are not all that hard to find since “pure temperaments” are rare.
“If a person were Melancholy blended with Choleric this would even increase the ability to succeed at social engineering,” he says. “A Choleric is organized, disciplined, loves to control others, and is a ‘chameleon.’ The Choleric will adapt to any type of people, places or events to accomplish the goals they have set, to control the situation they are in, and make it benefit them.”
But even Dr. Loosenort says the extrovert is a sweet mark for social engineers.
“Sanguines (extroverts) tend to be very impulsive and make quick decisions. The Sanguine temperament is very upbeat optimistic person who lives for today,” he says. “So even if they make a mistake or are taken advantage they are able shake it off realizing tomorrow is a new day.”
His description of extroverts makes them sound a bit like mindless parrots, attractive to most people but a far cry from the smooth intellect needed to pull off a data heist. “Sanguines love to shop and spend money and are attracted to colorful things,” he says.
The Victim Labels the Thief
But there are those who say that innie, outie or in-betweenie, the thief’s personality matters not at all since it is the victim that labels one a thief.
“Introversion or extroversion doesn’t really matter,” says Rob Rachwald, director of security strategy at Imperva, a business security company. “Social engineering is about catching someone off guard during what seems like a regular moment. For example, hacker forum tutorials teach social engineering using an example of getting free food at a drive in. Does it matter if the cashier is an extro/introvert?”
“Kevin Mitnick, in his book on hacking, described how he’d call a company to see what anti-virus they had. He claimed he was with Symantec and was checking to see if the company had upgraded to the latest version,” Rachwald added. “If they said, ‘Yes,’ he knew they used Symantec. If they say, ‘No, we use another vendor,’ he’d call another person back and find out what vendor it was. Again, intro/extroversion are not factors.”
Another way to look at which personality type is “best” for social engineering (and presumably worst for those of us who must protect our companies against security breaches) is to look at which personalities security firms and ethical hacking companies look to hire.
“So which is better for social engineering? I personally feel that the teachable person is the best for social engineering,” says Hadnagy. “Whether introverted or extroverted, the person who can practice active listening, has observation skills and proper elicitation is the one that will succeed at social engineering.”
“With all that being said there are some strengths that the extroverted person will have,” he adds. “They usually require less motivation to try something new, to take a risk, and to change or alter forms of communication. That can be a huge strength in social engineering. If I was growing my professional social engineering team, I would look for a person who was a humble, teachable extrovert to be an in-person SE Pentesting lead.”
Well, that’s one for the parrots but the winnings aren’t as good. It looks like the extroverts get the glad-handing job at the security firms while the introverts will get rich on the spoils from the dark side.