Social Engineering Penetration Testing
Authors: Gavin Watson, Andrew Mason, and Richard Ackroyd
We know that the human element is often the weakest link in the security chain, and that attackers – whether they are after money, user information, corporate or state secrets – regularly take advantage of this fact to gain a foothold in computer systems and networks.
This book aims to show you how to plan and execute an effective social engineering penetration test and assessment, and how to write a helpful report about it.
About the authors
Gavin is the Professional Services Manager at RandomStorm and is responsible for devising and delivering penetration testing and social engineering engagements.
Andrew is the co-founder and Technical Director at RandomStorm and has over 20 years' experience in IT, with recent years focused on Internet security.
Richard is a Senior Security Engineer at RandomStorm and is involved in conducting penetration testing and social engineering assessments.
Inside the book
After a foreword (and obvious stamp of approval) by Chris Hadnagy, the well-known professional social engineer and author of the Social Engineering Framework, the book begins by explaining what social engineering is and offers many great examples, both fictional (from movies) and from real-life events (famous con men, hackers, breaches). I thought this a brilliant way to introduce the notion of social engineering and to let readers get a feel for what actions and approaches can fall under that label.
Chapter 2 addresses all the things that make the human element the weakest link in the corporate security chain (and it's not always primarily the employees' fault). The next chapter explains the various manipulation techniques used by social engineers, offering realistic examples for each technique, and gives readers an idea of the talents a successful social engineer has to have. Next, short and long game attack strategies are illustrated in detail.
Chapter 5 will be extremely interesting to business managers, as it delineates the process and challenges – both for the client and for the professional doing the work – of engaging a third party to perform social engineering work (compliance, legislative considerations, types of testing, and much more). It also describes the various social engineering team members and the skill sets they usually have.
The authors teach readers how to help customers set realistic objectives for social engineering testing and how to create scenarios to meet them, and show them the open source intelligence and the tools social engineers use to prepare for attacks. The authors also go through a thorough list of hardware that can aid social engineers in their attacks: cables, dongles, dropboxes, wireless access points, keyloggers, audio recording devices, and so on.
The email attack vector gets its own chapter, which addresses phishing attacks and gives real-world examples of campaigns that have been, and continue to be, successful. The telephone and physical attack vectors get the same treatment.
Naturally, the book also addresses the topic of writing a usable, quality report about the performed social engineering assessment, and then turns to the ultimate good stuff: how an organization can use the knowledge gained to harden its policies and procedures against this type of attack, how to set up good staff awareness and training programs, and how to perform internal social engineering assessments (and why that's a good idea).
This is an exhaustive tome about a topic that has sparked widespread interest in the last few years, and it’s a good blend of theory and practice (less of the former, much more of the latter).
This was an enjoyable and informative read that has something for everyone: people looking to learn about social engineering techniques in order to protect themselves against them; budding social engineering practitioners looking to widen their knowledge; and business people who are toying with the idea of engaging social engineers to test company defenses.