Book Review: Social Engineering: The Science of Human Hacking

In his new book, “Social Engineering: The Science of Human Hacking, 2nd Edition,” Chris Hadnagy really hits the mark by providing a great overview of social engineering techniques, explaining how and why they work, and giving the reader plenty of real-world examples to back it all up. The target audience, as Chris explains, is humans. If you are human, I guarantee you’ll take something away from this book regardless of your personal experience with social engineering.

You may be new to the topic of SE, you might be a veteran, or you may be in an entirely different profession and just have an interest in the topic. Whatever your background or reasons may be for checking out this book, you’ll definitely learn something from reading it. Chris has really done a terrific job with this book, and, in my opinion, he has achieved his stated goal of motivating the reader.




Overview of “The Science of Human Hacking”

Let me share a few things about this book that are different from the first edition, although admittedly I did not read the first edition in its entirety. Although the title of both books is “Social Engineering”, the subtitle of the first edition of the book is “The Art of Human Hacking,” whereas this second edition is subtitled “The Science of Human Hacking.” So to state the obvious, the first observation is that we’ve moved from an art to a science. This is an interesting topic and discussion in and of itself. Is hacking an art? Or a science? No, really. If you haven’t thought about that before, think about that for just a moment. Mind blown? Debating with yourself? Good. A good argument could be made either way. Art is interpretive and subjective. Science is methodical and based on experimentation. As such, the book, and social engineering as a discipline within penetration testing, has moved from interpretation to knowledge based on experience.

Secondly, Chris makes a few promises to the reader, including not quoting Wikipedia, telling many stories, providing references for further study, and welcoming all suggestions and criticism. While I can’t speak for the fourth (yet?), I can confirm the first three. With the exception of maybe one image sourced from Wikipedia, there were no real references pointing there. There were, however, a whole bunch of references to additional books and websites for further learning.

Stories? Oh yeah. There are a lot of them. They are excellent real-world examples based on experiences in social engineering engagements. A few of the things I learned from these stories: 1) Sea cucumber is likely something to stay away from, 2) Don’t trust anyone named “Paul,” 3) Sometimes even Chris gets caught, and 4) There’s way more to social engineering than saying “Hi, I’m here to fix your computers.” Maybe a couple of those are just a reference to some of the humor that’s tossed into the book (although, I’m not sure if the “Paul” thing was purposefully done or not, but he always seems to use this name in his examples). I will now always be skeptical of anyone that introduces themselves as Paul.

When Chris discusses malicious social engineering, he specifically covers four different vectors: SMiShing, Vishing, Phishing, and Impersonation. Each of these topics is discussed and analyzed in sufficient detail, with enough examples to give both new social engineers and seasoned veterans some great new ideas. The concept of the social engineering pyramid is introduced, and each layer (OSINT, Pretext Development, Attack Plan, Attack Launch, and Reporting – yes, reporting) is covered throughout the book’s chapters. In regards to OSINT (Open Source Intelligence), both technical and non-technical methods are discussed. While Chris does specifically mention he doesn’t want to provide an abundance of tools, there are a few honorable mentions tossed in. These include SET (the Social Engineering Toolkit), IntelTechniques (website), FOCA (Fingerprinting Organizations with Collected Archives), and Maltego. All of these are great tools and should be included in your toolkit or arsenal. One item I was surprised not to see included or mentioned is the OSINT Framework, which is essentially a repository of sources for finding information (and does point to IntelTechniques for several categories). I highly recommend you check out each of these tools if you haven’t. They are essentials you should have experience and familiarity with.

Content Highlights

Right about now you’re thinking “this is all well and good, but are you going to tell us what’s in the book?” I’m certainly not going to tell you everything, but given the large number of cooking analogies used in the book, let me see if I can whet your appetite a little bit.

In Chapter 3, “Profiling People Through Communication,” Chris discusses four natural thoughts that typically run through your head as you spot someone approaching that you anticipate will try to communicate. These thoughts include: who are you, what do you want, are you a threat, and how long will this take. This is just the natural human thought process at work. This is similar to what I’ve explained to my kids regarding their guinea pigs, “each time you approach them, they’re thinking what are you, and are you going to eat me?” The human thought process isn’t too much different. The point is that if you, as the social engineer, can answer those four questions in your initial interaction, you can put the person at ease and direct the conversation from there.

To do this successfully, you need to have an understanding of several different types of communication styles presented in the book using the DISC acronym: Direct, Influencer, Supporter, Conscientious. First, you need to know yourself and your own communication style. These are not “one size fits all,” and, while there are many websites out there where you can do a self-assessment, Chris provides some suggestions on how to determine your communication style and why the assessment websites aren’t necessarily accurate. The chapter ends with a terrific example of two conflicting communication styles experienced at one of his book signings. Having an understanding of these communication styles is not only useful for social engineering but there are plenty of other uses, such as company psychology for managing people, as well.

Pretexting is largely emphasized throughout the book as an important and integral part of social engineering. This is essentially the story, and all of its associated details, that you’re trying to play out. Will you be a delivery driver? A safety inspector? Perhaps a pest control specialist? Whatever scenario you choose, which should be derived from your information gathering and open source intelligence collected on the target, you need to ensure that you have the details to go with it. If your target doesn’t normally allow delivery drivers to walk around the office, how do you intend to explain that you need to do so? In a lot of the examples of social engineering engagements presented in the book, there are plenty of times where Chris and/or his team just barely seem to squeak by (e.g., about to walk right into a security guard that already kicked them out just as an elevator door opens allowing for a quick escape). Those close encounters aside, by not having a thorough pretext, he does get caught once or twice and explains the how and the why. In discussing pretexting Chris breaks it down into six different principles, some of which include thinking through your goals, determining how far to go (with the details), and avoiding short-term memory loss.

As the book moves from pretexting into the actual interaction with people, there is some specific focus on building rapport with your target, principles of influencing others, and the difference between influence and manipulation. In discussing the ten principles of building rapport, Chris mentions using a slower rate of speech to avoid “word whiskers,” or words such as “um,” “like”, and “uh.” I want to reinforce this recommendation, because not only is it highly important for social engineering but it’s important any time you are speaking with someone. You can quickly lose credibility if you’re pausing with an “um” in every sentence. The recommendation in the book is to focus on your RSVP – rhythm, speed, volume, and pitch. Paying attention to these items can help you speak more clearly while presenting yourself in a professional manner. “Perfect practice makes perfect.” These skills take practice, lots of practice, to perfect. You can practice with friends and family or look into finding a local improvisation class offered in your area. The more you practice your communication skills, the more comfortable you’ll be during social engineering engagements.

Once you’ve started engaging with your target and building rapport, you can begin influencing the direction of the conversation or the person. Chris breaks influence down to eight separate principles. Reciprocity can be used to elicit an individual to do something for you after you’ve done something for them (e.g., I hold the first door open for you, you’ll likely open the second door for me). Authority is used to express some level of power over the target. Another principle is obligation – such as when you feel obligated to answer a question. When this principle is presented, Chris suggests a challenge to the reader. He suggests that the next time you are in a conversation and the other person asks you a question, don’t answer or acknowledge it. Instead, just stare at them. If they ask whether you’re okay or not, respond “yep” and nothing further. Generally, you’d feel obligated to answer the question so this makes it an awkward situation. As he recommends this, he then goes on to suggest that most readers are likely letting out a nervous weird laugh or smile while picturing that scenario. Yep! That was me. I couldn’t help but chuckle about this as I read it.

This reminded me of an experiment we once conducted in an interpersonal communication class. One person was to think of a topic that they are very excited about – maybe a sport, hobby, or any other interest. They were told they’d have some amount of time to explain this to the second person. The second person was to, at some time shortly into the conversation, hang their head down and seem genuinely uninterested. As you can imagine, the person talking about the topic they’re excited about could get a little upset or downright angry.

The idea presented behind influence is getting someone to want to do something you need for them to do. This is the whole “make them think it was their idea” thing. That’s the power of influence. Chris goes on to explain how this is different from manipulation, and how he prefers to stay away from manipulating targets. He explains that manipulation is just getting them to do something you want them to do. Do you see the difference? Manipulation generally leads to people feeling angry, or otherwise bad, once they find out they’ve been tricked. This is not the goal. As social engineers, we want to teach people how to identify these attacks. Manipulation doesn’t often lend itself well to being teachable.

The book then goes further into emotions and non-verbals used during communication. This was one area of particular interest to me, because I remember being taught when I was very young that folding your arms usually represented some sort of disgust, disinterest, or otherwise standoffish behavior. I disagree. Why? I am usually comfortable folding my arms while standing. It doesn’t mean that I’m not interested, or mean anything at all. Chris points this fact out and advises the reader not to use preconceived ideas as it relates to body language like this. Instead, he recommends that you create a baseline of the person as you begin communicating with them. For example, the person may twitch their leg frequently. This may be normal behavior and doesn’t necessarily indicate nervousness. However, if you ask an interesting question and the person stops twitching their leg, this is now different from the established baseline and something you should pay attention to during the conversation. The same goes for folded arms, face scratching, and other items. Don’t think about these things upon initial interaction but look for changes and deviations. As Chris puts it, “focus on the what, not the why.”

Body language and emotions, such as anger, fear, sadness, and happiness, must have your attention. You, as the social engineer, may need to adjust your approach or the conversation based on the emotion being shown by the target. It’s around this area of the book where I have a slight disagreement. Chris suggests several specific statements that may be used to elicit certain emotions or soften a person’s body language. One statement, in reference to speaking to your wife, goes like this: “Hey, honey, you look super tired. Was your day okay?” Whoa. I’ve been married a few years, and one of the phrases you should never (ever) say to your wife is “you look tired.” I definitely do not recommend it. Either Chris has a very forgiving wife, or he just wants to see how many readers will try this out and report back to him after they’ve received a black eye.

The last few chapters focus on professional social engineering in penetration testing (pentesting) and recommendations on career advancement within the social engineering field. These chapters provide some excellent example scenarios and some very important topics related to social engineering. This includes everyone’s favorite thing to do – create reports. Just as with any other type of pentesting engagement, the report from a social engineering engagement is one of the, if not the most, important parts of the engagement. Chris indicates that your report needs to be professional, and it should be checked and proofread for spelling and grammar mistakes. Most importantly, the report needs to tell the client how they can fix the issues observed. If you can’t explain to your client how to address the problem, you should anticipate that they won’t be your client much longer.

Chris draws from past personal experience here about writing a report and explaining all of the cool things he was able to do. What did he forget? The client doesn’t particularly care about that. They want to know how to mitigate their risk. What can they do to improve? How can they adjust their security awareness program so that attacks from real attackers aren’t successful? This would be the difference between reporting your kewl h@cking adventures to your friends at the bar as opposed to the ROI of a paying customer.

To address this, Chris says you need a MAPP – Mitigation and Prevention Plan. Your MAPP should explain how to actually prevent the attacks and uses a four-step process: identification, actionable policies, checkups, and awareness programs. This also includes some specific advice for organizations on selecting vendors and for social engineers on working with clients. One important piece of this advice I think is worth mentioning is for the social engineer. If the customer is too difficult to work with, doesn’t have the interest in improving, or their general values, beliefs, or ideals do not align with yours, as the tester, then you need to know when to cut ties. There will, undoubtedly, be times when the best decision is to just walk away. This is often easier said than done, but it is nonetheless poignant advice.

The book concludes with recommendations on how to gain entry to a social engineering position, the types of companies worth looking at, how and where to gain further experience, and additional suggestions on becoming a professional social engineer. This is a welcome addition, as it is a natural extension of the focus of the book.

Closing Thoughts

Chris Hadnagy in his book, “Social Engineering: The Science of Human Hacking,” makes it abundantly clear that he’s not looking to arm the bad guys with ideas, but properly prepare the next generation of practitioners. There’s enough involved in the field of SE now that you can most certainly specialize in just being an awesome social engineer. As he quips, there’s just too much work for him to take on by himself and wants to help train as many other people as possible to be successful social engineers, so that we, as a collective whole, can help our clients and businesses secure their organizations. To quote Chris directly, “you cannot really defend against social engineering until you know all sides of its use.”

Having been in the information security field for a while, and having conducted social engineering tests before, I always knew there was a lot more to it than what you see at the surface level. After reading this book… “Wow!” Not only do I have a bajillion (no, Word didn’t even autocorrect that) new ideas running through my head, but Chris has definitely motivated me to take a closer look at all of the science involved in social engineering.

I also want to recognize some of the other work Chris is doing in this space with his Innocent Lives Foundation, which is dedicated to saving children from predators trying to hide on the Internet. Working often with law enforcement, Chris and other volunteers use their social engineering skills to assist in fighting the bad guys directly. There are a few mentions about the organization throughout the book, but I think this is a very commendable endeavor worthy of your attention.

Chris welcomes your feedback about the book, good or bad, and you can reach him via his website at social-engineer.org or Twitter @humanhacker. I recommend going out and grabbing a copy of the book for yourself. You won’t be disappointed. I’m pretty excited about doing some further reading and study to improve my skills. I hope this review has been helpful, has piqued your interest, and answered any questions you may have about the book. I also welcome any feedback and will be watching for comments or posts in the EthicalHacker.net forums.

See for Yourself at SE Villages

Chris Hadnagy also runs Social Engineering Villages at both DEF CON and DerbyCon which each feature a Capture the Flag (CTF) Contest. Participating is a great way to get real experience without getting into any trouble. Watching the competitors as well as the speakers is also an education. So either compete with the best or learn from the best. Here’s a little extra info on each.

DEF CON SE Village

Established at DEF CON 18, the SE Village has been the one-stop shop for all things social engineering at DEF CON. From our humble beginnings with a small room and our soundproof booth to now running 4 events and the “Human Track” where all the social engineering talks are given, the SE Village is the place for not only our flagship event, the Social-Engineer Capture The Flag (The SECTF), but also Mission SE Impossible, the SECTF4Kids and the SECTF4Teens!

DerbyCon SE Village

DerbyCon is one of our favorite places. In the past 4 years we have been the place to go for all things social engineering at DerbyCon. And for the third year in a row we will again be holding an entire SE Village at DerbyCon! This will include not only the old favorite “Can you beat the polygraph?” but we will be bringing back Mission SE Impossible AND the ever popular SECTF!


Author Bio

Bill Varhol has been an IT professional for 15 years, with most of them in information security. He is currently a VP with AlixPartners, a management consulting firm, where he leads the security assessments team. He holds certifications from ISC2, ISACA, Offensive Security, EC-Council, GIAC, Microsoft, CompTIA, LPI, and IACRB and has a BSc in IT, MSc in Cybersecurity and Information Assurance, and is finishing an MBA in IT Management (08/18).


Comments
    • #168926
      BillV
      Participant

      Great book! Definitely enjoyed it. Thanks for the opportunity to write the review 🙂

    • #168929
      Don Donzal
      Keymaster

      My pleasure. Thanks for being an active member!

      As for the book itself, I agree completely that there’s something in this for everyone. Learning how to interact with people comes naturally to some. But now that this is a science, it can be learned and practiced even by those who seemingly don’t have that talent. Getting better at being a “people person” has benefits far beyond a pen test.

      I’d love to hear stories from other EH-Netters of how social engineering skills helped not only in pen tests but also elsewhere.

      Don

    • #169067
      MTGreen
      Participant

      Thanks for the review Bill!

      My favorite part was “Tips on avoiding a black eye.” 🙂

      I think that observation is a key element of social engineering. Pay attention to how people are prone to act, and give them an opportunity to act that way.

      I think your comments on pretexting and building a rapport are important.

      Social Engineering is a new face on the old confidence man subject. The more a person thinks they will get out of the interaction, the more likely they are to give.

      I am a coach, and fakes are a part of many sports. I have found that if an athlete fakes in a way his opponent expects him to go, the opponent bites hard. A commonly used word today outside of sports is narrative. If your actions are consistent with the subject’s perspective on what should happen, you are set. Another way to put it is that people see what they want to see.

      That would suggest that reconnaissance is an important part of social engineering. Observe regular routines, and mimic them. Add a shift that is not so far out of scope to draw suspicion. The closer an action is to habit, the less thought will go into completing the action.

      From a pen testing perspective, I think it is important to look at an organization’s purposeful routines and exploit them, and also to introduce an unaddressed but predictable issue, and see how the employees respond.

      Finally, as for the art or the science. I think the most effective perspective is that social engineering is an art that borrows some techniques from science. The art is knowing which technique to use when, and being able to freestyle when necessary.

      Mike

    • #182442
      Madmardigan
      Participant

      Great book! This is awesome ever!

    • #183419
      janeeewd
      Participant

      Oh! Now I know what I’ll read next)


    • #183779
      clinton
      Participant

      perfect

    • #184560
      rex-harvey
      Participant

      nice article. i mean great. it look like a team work.
