Book Description
Cutting-edge social engineering testing techniques
"Provides all of the core areas and nearly everything [you] need to know about the fundamentals of the topic."--Slashdot

Conduct ethical social engineering tests to identify an organization's susceptibility to attack. Written by a global expert on the topic, Social Engineering in IT Security discusses the roots and rise of social engineering and presents a proven methodology for planning a test, performing reconnaissance, developing scenarios, implementing the test, and accurately reporting the results. Specific measures you can take to defend against weaknesses a social engineer may exploit are discussed in detail. This practical guide also addresses the impact of new and emerging technologies on future trends in social engineering.

- Explore the evolution of social engineering, from the classic con artist to the modern social engineer
- Understand the legal and ethical aspects of performing a social engineering test
- Find out why social engineering works from a victim's point of view
- Plan a social engineering test--perform a threat assessment, scope the test, set goals, implement project planning, and define the rules of engagement
- Gather information through research and reconnaissance
- Create a credible social engineering scenario
- Execute both on-site and remote social engineering tests
- Write an effective social engineering report
- Learn about various tools, including software, hardware, and on-site tools
- Defend your organization against social engineering attacks
Table of Contents
- Cover
- Title Page
- Copyright Page
- About the Author
- Contents at a Glance
- Contents
- Foreword
- Acknowledgments
- Introduction
- Chapter 1: Introduction to Social Engineering
- Different Types of Social Engineering
- Physical Social Engineering
- Remote Social Engineering
- Combination Attacks
- The History and Evolution of Social Engineering
- The Golden Age of Con Artistry
- Social Engineering in the 1920s: Charles Ponzi
- Social Engineering in the 1940s: The War Magician
- Social Engineering in the 1950s: Frank Abagnale
- Social Engineering in the 1970s–1990s: Kevin Mitnick
- Social Engineering Since 2000
- Who Are the Social Engineers Today?
- Opportunists with Little Preparation
- Organized External Attackers
- Internal Attackers
- Introduction to Social Engineering Testing
- The Social Engineering Test Methodology
- Final Thoughts
- Chapter 2: The Legal and Ethical Aspects of Social Engineering Tests
- Malicious Social Engineers vs. Ethical Social Engineers
- Radio DJs and Kate Middleton Prank Call
- The Epic Hacking of Mat Honan
- Condé Nast Transfers $8 Million to Spear Phisher
- Is It Legal? Is It Ethical? The Legal and Ethical Aspects of Social Engineering
- The Social Engineering Contract
- The Get Out of Jail Free Card
- Laws You May Break
- Legal and Ethical Options
- Legal Do’s and Don’ts
- Free Pizza and Social Engineering in Your Personal Life
- Final Thoughts
- Chapter 3: Why Social Engineering Works
- Misplaced Trust in the Social Engineer
- Detecting Deception
- Why Do We Trust?
- Appearing Trustworthy
- Respect for Authority
- Factors that Increase Our Tendency to Obey
- Indicators of Authority
- Helpfulness
- Motivators to Aid the Social Engineer
- Positive Motivations: Reciprocity
- Negative Motivations: Pressuring the Victim
- Lack of Personal Responsibility
- Bystander Effect
- Lack of Awareness
- People Don’t Realize Social Engineering Is a Threat
- People Don’t Think They Will Be Targeted by Social Engineers
- People Think They Would Never Fall for a Social Engineering Scam
- People Don’t Know What to Do When They Face a Social Engineering Attack
- Final Thoughts
- Chapter 4: Planning Your Social Engineering Test
- Assessing the Threat
- Types of Attackers
- Current Awareness Levels
- Scoping the Social Engineering Test
- Type of Test
- Time to Allocate to Test
- Goals and Deliverables
- Planning the Project
- Test Plan
- Team Plan
- Communications Plan
- Risk Management Plan
- Defining the Rules of Engagement
- Restrictions on Testing
- Calling Off the Test
- Permission to Test
- Who Should Be Informed About the Test
- Case Study: Social Engineering a Banking Call Center
- Final Thoughts
- Chapter 5: Research and Reconnaissance
- What Types of Information to Look for in the Reconnaissance Phase
- Where to Look for Information
- Company Websites
- Recruitment Websites
- Newspapers and the Press
- WHOIS
- Conferences and Public Events
- Official Filings
- Commercial Sources
- Gray Literature
- Information Gathering on Social Networks
- Specific Social Networking Sites
- Physical Reconnaissance
- Dumpster Diving
- Telephone Reconnaissance
- Reconnaissance for Call Centers
- Challenges During the Research and Reconnaissance Phase
- Final Thoughts
- Chapter 6: Creating the Scenario
- Brainstorming Potential Scenarios
- Validating Scenarios
- Adding Credibility
- Character Development
- Costumes
- Props
- Identifying Possible Pitfalls
- Assigning Roles
- Practicing Again and Again
- Final Thoughts
- Chapter 7: Executing the Social Engineering Test
- Executing a Phishing Test
- A Non–Social Engineering Phishing Test
- Executing a Telephone Social Engineering Test
- Executing an Onsite Social Engineering Test
- The Basic Routine
- Common Actions once Inside
- Recording the Test
- Trophy Gathering
- Creating a Good Road Apple/Physical Bait
- Walking Through Doors: Access Codes and Tailgating
- Coffee/Smoking Break Analysis
- Building Rapport
- How to Make Small Talk
- What to Do If You Are Challenged
- What Else Can Go Wrong
- Final Thoughts
- Chapter 8: Writing the Social Engineering Report
- Continuous Feedback and Reporting
- Recording Events During the Test
- How Much Time Should You Allow for Report Writing?
- Planning the Report
- Establish Who Your Target Readers Are
- Specific Client Requests
- Risk Ratings for Social Engineering Findings
- Standard Report Contents
- Executive Summary
- Technical Details
- Example Report
- Appendixes
- The Quality Assurance Process
- Distributing the Report
- Final Thoughts
- Chapter 9: Tools of the Trade
- Research and Reconnaissance Tools
- Maltego
- Cree.py
- Spokeo
- The Wayback Machine
- Metadata Collectors: FOCA and Metagoofil
- Scenario Creation Tools
- Test Execution Tools
- What to Bring on Your Social Engineering Test
- Recording Devices
- Bugging Devices
- Keystroke Loggers
- Disguised Storage Devices
- The Cell Phone
- Phone Tools and Caller ID Spoofing
- The Social-Engineer Toolkit
- Final Thoughts
- Chapter 10: Defense Against the Dark Arts
- Indicators That You May Be Experiencing a Social Engineering Attack
- The Person’s Attitude
- Establishing a Connection
- The Nature of the Request
- Pressure/Urgency
- Small Mistakes
- Difficulty of Independent Validation
- Have You Been Social Engineered?
- Social Engineering Checklist: Have You Been Social Engineered?
- Responding to Social Engineering Attacks
- Security Policies and Procedures
- Data Classification Policy
- Physical Security Policy: Visitors
- Social Engineering Education and Awareness
- Physical and Technical Controls
- Social Engineering Tests as Defense
- Final Thoughts
- Chapter 11: Social Engineering: Past, Present, and Future
- Same Tricks, New Technology
- The Spanish Prisoner, 16th Century
- The Letter from Jerusalem, 19th Century
- Advance Fee Fraud Revival, Early 20th Century
- Advance Fee Fraud Scams Since the 1970s
- New Technology, New Targets, New Delivery
- Seeing Around Corners
- Remote Controllable Cockroaches
- Biometrics
- The Internet of Things
- Easier Profiling, More Believable Attacks
- Social Networks
- The Cloud
- Wearable Tech
- Countering Surveillance
- Implanted Tech
- Final Thoughts
- Index