Book Reviews

Social Engineering book review

One can sum up all of Social Engineering: The Art of Human Hacking in two sentences from page 297, where author Christopher Hadnagy writes “tools are an important aspect of social engineering, but they do not make the social engineer. A tool alone is useless; but the knowledge of how to leverage and utilize that tool is invaluable”. Far too many people think that information security and data protection is simply about running tools, without understanding how to use them. In this tremendous book, Hadnagy shows how crucial the human element is within information security.

With that, Social Engineering: The Art of Human Hacking is a fascinating and engrossing book on an important topic. The author takes the reader on a vast journey of the many aspects of social engineering. Since social engineering is such a people-oriented topic, a large part of the book is dedicated to sociological and psychological topics. This is an important area, as far too many technology books focus on the hardware and software elements, completely ignoring the people element. The social engineer can then use that gap to their advantage.

By the time that you start chapter 2 on page 23, it is abundantly clear that the author knows what he is talking about. This is in stark contrast with How To Become The Worlds No. 1 Hacker, where that author uses plagiarism to try to weave a tale of being the world’s greatest security expert. Here, Hadnagy uses his real knowledge and experience to take the reader on a long and engaging ride on the subject. Coming in at 9 chapters and 360 pages, the author brings an encyclopedic knowledge and dishes it out in every chapter.

Two of the most popular books to date on social engineering have been Kevin Mitnick’s The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. The difference between those books and Hadnagy’s is that Mitnick for the most part details the events and stories around the attacks, while Hadnagy details the myriad specifics on how to carry out the social engineering attack.

The book digs deep and details how the social engineer needs to use a formal context for the attack, and breaks down the specific details and line-items on how to execute on that. That approach is much more suited to performing social engineering than simply reading about social engineering.

Chapter 1 goes through the necessary introduction to the topic, with chapter 2 detailing the various aspects of information gathering. Once I started reading, it was hard to put the book down.

Social engineering is often misportrayed as the art of asking a question or two and then gaining root access. In chapter 3 on elicitation, the author details the reality of the requirements on how to carefully and cautiously elicit information from the target. Elicitation is not something for the social engineer alone; even the US Department of Homeland Security has a pamphlet that it uses to assist agents with elicitation.

After elicitation, chapter 4 details the art of pretexting, which is when an attacker creates an invented scenario to use to extract information from the victim.

Chapter 5 on mind tricks starts getting into the psychological element of social engineering. The author details topics such as microexpressions, modes of thinking, interrogation, neuro-linguistic programming and more.

Chapter 6 is on influence and the power of persuasion. The author notes that people are trained from a young age in nearly every culture to listen to and respect authority. When the social engineer takes on that role, it becomes a most powerful tool; far more powerful than any script or piece of software.

The author wisely waits until chapter 7 to discuss software tools used during a social engineering engagement. One of the author’s favorite and most powerful tools is Maltego, which is an open source intelligence and forensics application. While the author concludes that it is the human element that is the most powerful, and that a great tool in the hand of a novice is worthless, the other side is that good tools (of which the author lists many), in the hands of an experienced social engineer, are an extremely powerful and often overwhelming combination.

Every chapter in the book is superb, but chapter 9 – Prevention and Mitigation stands out. After spending 338 pages about how to use social engineering, chapter 9 details the steps a firm must put in place to ensure they do not become a victim of a social engineering attack. The chapter lists the following six steps that must be executed upon:

Learning to identify social engineering attacks

Creating a personal security awareness program

Creating awareness of the value of the information that is being sought by social engineers

Keeping software updated

Developing scripts

Learning from social engineering audits

The author astutely notes that security awareness is not about 45- or 90-minute programs that only occur annually; rather it is about creating a culture and set of information security standards that each person in the organization is committed to using their entire life. This is definitely not a small undertaking. Firms must create awareness and security engineering programs to deal with the above six items. If they do not, they are then placing themselves at significant risk of being unable to effectively deal with social network attacks.

As to awareness, if nothing else, Social Engineering: The Art of Human Hacking demonstrates the importance of ensuring that social engineering is an integral part of an information security awareness program. This can’t be underemphasized, as even the definitive book on security awareness, Managing an Information Security and Privacy Awareness and Training Program, only has about 10 pages on social engineering attacks.

There are plenty of security books on hardware, software, certification and more. Those were perhaps the easy ones to write. Until now, very few have dealt with the human element, and the costs associated with ignoring that have been devastating. Social Engineering: The Art of Human Hacking is a book that is a long time in coming, but worth every page.

While seemingly geared to the information security staff, this is a book that should be read by everyone, whether they are in technology or not. Social engineering is not something that just occurs behind a keyboard. Social attackers know that. It is about time everyone else did also.

