Slashdot Mirror

← Back to Stories (view on slashdot.org)

Book Review: Social Engineering In IT Security Tools, Tactics, and Techniques

Posted by samzenpus on from the read-all-about-it dept.

benrothke writes When I got a copy of Social Engineering in IT Security Tools, Tactics, and Techniques by Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic: Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the forward to the book; which he found to be a valuable resource. While there is overlap between the two books; Hadnagy's book takes a somewhat more aggressive tool-based approach, while Conheady take a somewhat more passive, purely social approach to the topic. There are many more software tools in Hadnagy; while Conheady doesn't reference software tools until nearly half-way through the book. This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes how the overall tactics and goals have stayed the same; while the tools and techniques have been modified to suit the times. Keep reading for the rest of Ben's review. Social Engineering in IT Security Tools, Tactics, and Techniques author Sharon Conheady pages 272 publisher McGraw-Hill Osborne Media rating 8/10 reviewer Ben Rothke ISBN 978-0071818469 summary Great resource on which to build a social engineering testing program Coming in at about 250 pages, the book finds a good balance between high-level details and actionable tactical things to execute on. Without getting bogged down in filler. Since the social engineering tools and techniques only get better, the advantage Conheady's book has it that it details a lot that has changed in the 4 years since Hadnagy's book came out.

In chapter 1, she writes about mumble attacks, which are telephone-based social engineering attacks that are targeted at call center agents. The social engineer will pose as a speech-impaired customer or as a person calling on behalf of the speech-impaired customer. The goal of this method is to make the victims; in this case call center agents feel awkward or embarrassed and release the desired information. Given the pressure in which most call center agents are under; this is a simple yet highly effective attack.

Like Hadnagy, this also has a detailed social engineering test methodology. Conheady details a methodology with 5 stages: planning and target identification, research and reconnaissance, scenario creation, attack execution and exit, and reporting. She notes that one does not have to be a slave to the methodology, and it can be modified depending on the project.

Social engineering can often operate on the limit of what is legal and ethical. The author goes to great lengths to write what the ethical and legal obligations are for the tester.

The book is filled with lots of practical advice as Conheady is seasoned and experienced in the topic. From advice to dealing with bathrooms as a holding location, gaining laptop connectivity and more; she writes of the many small details that can make the difference between a successful social engineering test and a failed one.

The book also details many areas where the job of the social engineer is made easy based on poor security practices at the location. Chapter 7 details how many locations have access codes on doors often don't do much to keep social engineers out. Many doors have 4-character codes, and she writes that she has seen keypads where the combination numbers have been so worn down that you can spot them straightaway.

As noted earlier, the book focuses more on the human techniques of social engineering than on software tools. She does not ignore that tools and in chapter 9 provides a list of some of the more popular tools to use, including Maltego, Cree.py and others. She also has lists of other tools to use such as recording devices, bugging devices, phone tools and more.

With all those, she still notes that the cell phone is the single most useful item you can bring with you on a social engineering test. She writes that some of the many uses a cell phone has is to discourage challengers, fake a call to look busy, use the camera and more.

While most of the book is about how to execute a social engineering test, chapter 10 details how you can defend against social engineering. She notes that it is notoriously difficult to defend against social engineering because it targets the weakest link in the security chain: the end-user. She astutely notes that a firm can't simply roll out a patch and immunize its staff against the latest social engineering attack. Even though there are vendors who make it seem like you can. The chapter also lists a number of indicators that a firm may be experiencing a social engineering attack.

Hadnagy's book is still the gold-standard on the topic. But Social Engineering in IT Security Tools, Tactics, and Techniques certainly will give it a run for the money.

Hadnagy's approach to social engineering is quite broad and aggressive. Conheady takes more of a kinder, gentler approach to the topic. For those that are looking for an effective guide on which to build their social engineering testing program on, this certainly provides all of the core areas and nearly everything they need to know about the fundamentals of the topic.

Reviewed by Ben Rothke.

45 comments

  1. The real problem by ArcadeMan · · Score: 1

    “To summarize the summary of the summary: people are a problem.” - Douglas Adams

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:The real problem by Anonymous Coward · · Score: 0

      To summarize the summary of the summary and brings in a quote from the Doors: people are strange.

    2. Re:The real problem by Anonymous Coward · · Score: 0

      Something is rotten in the state of Denmark!!!

      too many social engineers there!! :)_

    3. Re:The real problem by Anonymous Coward · · Score: 0

      To summarize the summary of the summary with a summer Sumner something: Sting in July.

  2. Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

    I find the name "social engineering" irritating. What they are talking about is scamming, nothing more, nothing less. Are we supposed to call scammers, fraudsters and crooks "social engineers" now?

    1. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      Very good point.

      Social engineering is far too kind of a phrase.

    2. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      I'm glad someone else feels this way. I spent years in college working my ass off to earn the right to be called an engineer.

    3. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      Can someone please explain, even if it is in the role of Devil's advocate, how it is that "social engineering" is not "lying and fraud"? It makes me want to punch someone right in the mouth every time they utter that phrase, yet I must be the idiot if it has been around for ages. What am I missing?

    4. Re:Why dignify it as "social engineering"? by Livius · · Score: 1

      It's a useful distinction to make, so there should be a term for it.

      Of course, that term should on include the word 'engineering', since it has nothing to do with the correct meaning of the word 'engineering'.

    5. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      Yes. "Social Engineering" is nothing more than Running A Con, and social engineers are con artists.

      The real problem that is not talked about is how fucked up in the head a person has to be to assume they know best how and what other people should be doing and so "social engineer" them into doing it.

      Social Engineering = pretentious fruitcakes manipulating people.

    6. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      There is hacking and then there is ‘ethical hacking’.
      There is fraud and then there is ‘social engineering’.

      Does that make sense?

    7. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      I am a computer doctorsome numskull cardiologist doesn’t like my title.

    8. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      They are security testerswhat’s the big deal what they call themselves.

      Red team, tiger team, ethical hacker, white hat, blah blah blah.

      They do a service to test the company.

      Do you see something wrong with that?

      Someone has to do it.

    9. Re:Why dignify it as "social engineering"? by Wootery · · Score: 1

      So essentially you're just saying What the parent said?

    10. Re:Why dignify it as "social engineering"? by Anonymous Coward · · Score: 0

      you must be a lawyer....u have to be to say such stuff...

    11. Re:Why dignify it as "social engineering"? by GTRacer · · Score: 1

      I must be one of the few people who actually likes the term "social engineering." I first encountered it in connection with Kevin Mitnick and Kevin Poulsen's biographies. While I completely agree at the root level SE is just a synonym for con games, fraud and the like, I accept it as a situationally-applicable variant when it pertains to security bypasses. As distinct from conning someone out of their Medicaid checks or pushing counterfeit merchandise with a smooth pitch.

      I also like to think the engineering part comes into play when you design a system for ingratiating yourself into a foreign organization's trust, especially when it leads to credentialed access to I/T systems.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  3. Re:KKTC'deki ÃNTÃHAL ÃDDÃALARI by Anonymous Coward · · Score: 0

    good news.... Recep Tayyip Erdoan is done killing innocent Kurds and Armeniansnow has time to be on Slashdot.

  4. I have Sharon's phone number if you want it by Anonymous Coward · · Score: 1

    I bet most of you Slashdorks would swoon over her.

    1. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      Who is that?

    2. Re:I have Sharon's phone number if you want it by CaptainDork · · Score: 1

      Spoiler alert ...

      It's O4U812.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      Whats the country code? :)

    4. Re:I have Sharon's phone number if you want it by Zero__Kelvin · · Score: 2

      Nice attempt to social engineer a date from me Sharon, but it's never going to happen.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      WHO IS SHARON!?

    6. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      wat? she broke up with ozzy?

    7. Re:I have Sharon's phone number if you want it by Swave+An+deBwoner · · Score: 2

      Ah, yes, you must have read her brief bio here:

      https://www.securitysummit.it/speakers/conheady-sharon/

      Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

      If you see Sharon around your office, please open the door to let her in.

      She's definitely hot.

    8. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      u r tooooooooooooo tuff for the rest of us...

      have yer fun...

      go size the day!

    9. Re:I have Sharon's phone number if you want it by Anonymous Coward · · Score: 0

      is it a city in massachusets in the US of A

    10. Re:I have Sharon's phone number if you want it by Zero__Kelvin · · Score: 1

      A woman who knows where the CAPS LOCK key is located and what it does,

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. Sex: a social engineering tool by Rob+Riggs · · Score: 2

    Please help me with research on my new IT Security book...

    --
    the growth in cynicism and rebellion has not been without cause
    1. Re:Sex: a social engineering tool by Anonymous Coward · · Score: 0

      someone already wrote it:

      https://www.cia.gov/library/publications/the-world-factbook/geos/vm.html

  6. Edit check by parodigm_shifter · · Score: 1

    It's "foreword" when you write the piece that goes before the book contents. Forward is a direction you go.

    1. Re:Edit check by Anonymous Coward · · Score: 0

      So whats the diff between a foreword and a preface?

    2. Re:Edit check by benrothke · · Score: 1

      I stand corrected.

      Thanks.

  7. dont critizise the notion of 'social engineering' by Anonymous Coward · · Score: 0

    dont critizise the notion of 'social engineering' if you are going to do it as an anonymous coward.

    so many critical comments. but you can be honest and criticial if u do it as an anonymous coward.

    that is just exactly precislly the tpye u rail against when you do that and it is very hypacritical.

  8. foreword!!! by Anonymous Coward · · Score: 0

    It's"foreword," not "forward!" You're not allowed to do a book review if you can't spell the word you just looked at in the book you're reviewing!

    1. Re:foreword!!! by Anonymous Coward · · Score: 0

      OMG!!! the wurld is going to end!!!

      He passed the ALS challenge...but..but but...he mispelled a wurd.

      omy!!!!! :::You're not allowed to do a book review

      dats da law!!!

      he broke de law!!!!!

      stop presses!! O lordie!

      I thank you for freaking about about this major issue...

      Freak to freak!! this is bad...very bad...

      HE forgot to add the letter 'e'. oh no!!!!

      stop wurld!
      evil!

      speling is fundamental!

    2. Re:foreword!!! by Anonymous Coward · · Score: 0

      There is another minor misspelling.

      But I am not going to tell you what it is...

      I want you to suffer! :)

    3. Re:foreword!!! by Anonymous Coward · · Score: 0

      the world just ended...

      is misspelling worst than ISIS in Iraq?

    4. Re:foreword!!! by Anonymous Coward · · Score: 0

      what r your thoughts on the oxford comma mr expert?

  9. Re:KKTC'deki ÃNTÃHAL ÃDDÃALARI by Anonymous Coward · · Score: 0

    Erdogan!!! A rotten man...an evil man. a mad man...a killer or armenians man!

  10. 30 comments...and nothing about the book content.. by Anonymous Coward · · Score: 0

    Why has no one talked about the book?
    About the subject?
    About what's it means?

    Just a bunch of gibberish comments.

    I think every company should have a social engineering pen test.

    We did. The results were frightening.

    This needs to be made from and centre in every company.

    This is a big deal. Don't ignore it.

  11. Re:30 comments...and nothing about the book conten by Anonymous Coward · · Score: 0

    this is slashdot!

    I am in berlin.

    it's almost morning...

  12. Hamas Executes 30 Innocent Palestinians In Gaza!!! by Anonymous Coward · · Score: 0

    Hamas Executes 30 Innocent Palestinians In Gaza, Western Media Scared To Report Massacre

    please slashdot report this!

    http://www.inquisitr.com/1393376/hamas-executes-30-innocent-palestinians-in-gaza-western-media-scared-to-report-massacre-update

  13. Egyptian Imam Issues Ladies Room Invasion Fatwa by Anonymous Coward · · Score: 0

    Egyptian Imam Issues Ladies Room Invasion Fatwa

    http://www.frontpagemag.com/2014/dgreenfield/egyptian-imam-issues-ladies-room-invasion-fatwa/

    I went and issued a Fatwa but noone listened!