Book Review: Social Engineering: The Art of Human Hacking
I was always fond of the idea of being intelligent, getting information or investigating someone to get information. I watched the British TV series “Sherlock” and “The Mentalist” and I admired the idea of observing the environment and people around you to easily get the information you need. I was also stunned by Kevin Mitnick, the Father of Social Engineering, and his achievements. I started by reading and learning about hacking, not hacking PCs and servers but hacking humans. The book, Social Engineering: The Art of Human Hacking, was just the kick-start to it.
You can get the book as a PDF online or order it from Amazon for about $20 with shipping to Egypt, or do as I did and rent it from the Blue Kaizen library.
So many thanks to the Blue Kaizen Team, I wish you the best of the best.
What is Social Engineering?
Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. It is defined as “Any act that influences a person to take an action that may or may not be in their best interest.”
We have defined it in very broad terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others.
• Social Engineering: The Art of Human Hacking is a fascinating and engrossing book on an important topic. The author takes the reader on a vast journey of the many aspects of social engineering. Since social engineering is such a people oriented topic, a large part of the book is dedicated to sociological and psychological topics. This is an important area, as far too many technology books focus on the hardware and software elements, completely ignoring the people element. The social engineer can then use that gap to their advantage.
• Chapter 1 goes through the necessary introduction to the topic, with chapter 2 detailing the various aspects of information gathering. Once I started reading, it was hard to put the book down.
• In chapter 3 on elicitation, the author details the reality of the requirements on how to carefully and cautiously elicit information from the target. Elicitation is not something for the social engineer alone; even the US Department of Homeland Security has a pamphlet (PDF) that it uses to assist agents with elicitation.
• Chapter 4 details the art of pretexting, which is when an attacker creates an invented scenario to use to extract information from the victim.
• Chapter 5 on mind tricks starts getting into the psychological element of social engineering. The author details topics such as micro expressions, modes of thinking, interrogation, neuro-linguistic programming and more.
• Chapter 6 is on influence and the power of persuasion. The author notes that people are trained from a young age in nearly every culture to listen to and respect authority. When the social engineer takes on that role, it becomes a most powerful tool; far more powerful than any script or piece of software.
• The author wisely waits until chapter 7 to discuss software tools used during a social engineering engagement. One of the author’s favorite and most powerful tools is Maltego, which is an open source intelligence and forensics application. While the author concludes that it is the human element that is the most powerful, and that a great tool in the hands of a novice is worthless, the other side is that good tools (of which the author lists many), in the hands of an experienced social engineer, are an extremely powerful and often overwhelming combination.
• Every chapter in the book is superb, but chapter 9 – Prevention and Mitigation – stands out. After spending 338 pages on how to use social engineering, chapter 9 details the steps a firm must put in place to ensure it does not become the victim of a social engineering attack.
The chapter lists the following six steps that must be executed upon:
1) Learning to identify social engineering attacks
2) Creating a personal security awareness program
3) Creating awareness of the value of the information that is being sought by social engineers
4) Keeping software updated
5) Developing scripts
6) Learning from social engineering audits
• As to awareness, if nothing else, Social Engineering: The Art of Human Hacking demonstrates the importance of ensuring that social engineering is an integral part of an information security awareness program. This can’t be overemphasized, as even the definitive book on security awareness, Managing an Information Security and Privacy Awareness and Training Program, has only about 10 pages on social engineering attacks.
• The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
• Social engineering, in my point of view, is a powerful attack which gives you access to many attacks, but only to those who can master it …
With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order are essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful – it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting-edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based?
What does Maltego do?
• Maltego is a program that can be used to determine the relationships and real world links between:
» Groups of people (social networks)
» Web sites
» Internet infrastructure such as:
  » DNS names
  » IP addresses
» Documents and files
• These entities are linked using open source intelligence.
• Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
• Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate, making it possible to see hidden connections.
• Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
• Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.
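The relationship mapping described in these bullets, and the question above about building a clear profile of your own infrastructure, comes down to a graph of entities (people, domains, DNS names, IP addresses, documents) joined by links, and then asking what sits a few hops away from a seed. The following is an added example written for this review, not Maltego’s own code: it builds such a graph from constructed sample findings for a fictional “example.org” (all names, addresses and links are assumed, not real) and answers the “three or four degrees of separation” question with a breadth-first search. A defender would feed in the footprint of the assets they are responsible for instead, to see which people and documents are linked to which external services.

```python
"""Toy entity-link graph in the spirit of Maltego's relationship mapping.

Added example for this review, not Maltego's own code. SAMPLE_LINKS holds
constructed (assumed, not real) OSINT-style findings for a fictional
organization; replace them with the footprint of your own assets.
"""
from collections import deque

# Constructed link records: (source entity, relationship, target entity).
# Entity names carry a type prefix so the graph stays readable.
SAMPLE_LINKS = [
    ("person:Jane Doe", "works_at", "org:Example Org"),
    ("person:Jane Doe", "has_email", "email:jane@example.org"),
    ("email:jane@example.org", "belongs_to_domain", "domain:example.org"),
    ("org:Example Org", "owns_domain", "domain:example.org"),
    ("domain:example.org", "has_dns_name", "dns:www.example.org"),
    ("domain:example.org", "has_dns_name", "dns:mail.example.org"),
    ("dns:www.example.org", "resolves_to", "ip:203.0.113.10"),
    ("dns:mail.example.org", "resolves_to", "ip:203.0.113.25"),
    ("ip:203.0.113.10", "in_netblock", "netblock:203.0.113.0/24"),
    ("ip:203.0.113.25", "in_netblock", "netblock:203.0.113.0/24"),
    ("dns:www.example.org", "hosts_document", "doc:staff-directory.pdf"),
    ("doc:staff-directory.pdf", "mentions", "person:John Roe"),
]


def build_graph(links):
    """Undirected adjacency map: entity -> {neighbour: relationship label}."""
    graph = {}
    for src, rel, dst in links:
        graph.setdefault(src, {})[dst] = rel
        graph.setdefault(dst, {})[src] = rel
    return graph


def degrees_of_separation(graph, start):
    """Breadth-first search from `start`.

    Returns {entity: (hops, path)} for every reachable entity, where `path`
    is the list of entities on one shortest route from `start`.
    """
    seen = {start: (0, [start])}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, path = seen[node]
        for neighbour in graph.get(node, {}):
            if neighbour not in seen:
                seen[neighbour] = (hops + 1, path + [neighbour])
                queue.append(neighbour)
    return seen


def entities_within(graph, start, max_hops):
    """Entities reachable from `start` in 1..max_hops hops, sorted by distance."""
    reach = degrees_of_separation(graph, start)
    return sorted((hops, entity) for entity, (hops, _) in reach.items()
                  if 0 < hops <= max_hops)


def describe_path(graph, path):
    """Render a path as 'A -[rel]-> B -[rel]-> C' using the stored link labels."""
    parts = [path[0]]
    for a, b in zip(path, path[1:]):
        parts.append(f"-[{graph[a][b]}]-> {b}")
    return " ".join(parts)


if __name__ == "__main__":
    g = build_graph(SAMPLE_LINKS)
    seed = "person:Jane Doe"
    print(f"Entities within 4 hops of {seed}:")
    for hops, entity in entities_within(g, seed, 4):
        print(f"  {hops} hop(s): {entity}")
    hops, path = degrees_of_separation(g, seed)["person:John Roe"]
    print(f"\n{seed} to person:John Roe is {hops} hops:")
    print("  " + describe_path(g, path))
```

Run as a script it prints every entity within four hops of the seed person and the shortest chain of links from her to the second person, which here runs through the organization’s domain, a web host and a document published on it; that chain is exactly the kind of hidden connection the awareness program in chapter 9 wants staff to recognize as information worth protecting.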
About The Author
Khaled Battah, Information Security Engineer at Raya Data Center