July 26, 2018 at 2:31 pm #168888 BillV (Participant)
In his new book, “Social Engineering: The Science of Human Hacking, 2nd Edition,” Chris Hadnagy really hits the mark by providing a great overview of
[See the full article at: Book Review: Social Engineering: The Science of Human Hacking]
August 1, 2018 at 8:48 am #168926 BillV (Participant)
Great book! Definitely enjoyed it. Thanks for the opportunity to write the review 🙂
August 1, 2018 at 11:54 am #168929 Don Donzal (Keymaster)
My pleasure. Thanks for being an active member!
As for the book itself, I agree completely that there’s something in this for everyone. Learning how to interact with people comes naturally to some. But now that this is a science, it can be learned and practiced even by those who seemingly don’t have that talent. Getting better at being a “people person” has benefits far beyond a pen test.
I’d love to hear stories from other EH-Netters of how social engineering skills helped not only in pen tests but also elsewhere.
August 28, 2018 at 10:07 am #169067 MTGreen (Participant)
Thanks for the review Bill!
My favorite part was “Tips on avoiding a black eye.” 🙂
I think that observation is a key element of social engineering. Pay attention to how people are prone to act, and give them an opportunity to act that way.
I think your comments on pretexting and building a rapport are important.
Social Engineering is a new face on the old confidence man subject. The more the person thinks they will get out of the interaction, the more likely they are to give.
I am a coach, and fakes are a part of many sports. I have found that if an athlete fakes in a way his opponent expects him to go, the opponent bites hard. A commonly used word today outside of sports is narrative. If your actions are consistent with the subject's perspective on what should happen, you are set. Another way to put it is that people see what they want to see.
That would suggest that reconnaissance is an important part of social engineering. Observe regular routines, and mimic them. Add a shift that is not so far out of scope to draw suspicion. The closer an action is to habit, the less thought will go into completing the action.
From a pen testing perspective, I think it is important to look at an organization’s purposeful routines and exploit them, and also to introduce an unaddressed but predictable issue, and see how the employees respond.
Finally, as for the art or the science. I think the most effective perspective is that social engineering is an art that borrows some techniques from science. The art is knowing which technique to use when, and being able to freestyle when necessary.