Book Review: Social Engineering In IT Security Tools, Tactics, and Techniques

samzenpus posted about 3 months ago | from the read-all-about-it dept.

benrothke writes: When I got a copy of Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic, Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the foreword to the book, which he found to be a valuable resource. While there is overlap between the two books, Hadnagy's takes a somewhat more aggressive, tool-based approach, while Conheady takes a more passive, purely social approach to the topic. There are many more software tools in Hadnagy; Conheady doesn't reference software tools until nearly halfway through the book. This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes that the overall tactics and goals have stayed the same, while the tools and techniques have been modified to suit the times. Keep reading for the rest of Ben's review.

Coming in at about 250 pages, the book finds a good balance between high-level details and actionable tactical things to execute on, without getting bogged down in filler. Since social engineering tools and techniques only get better, the advantage Conheady's book has is that it details a lot that has changed in the four years since Hadnagy's book came out.

In chapter 1, she writes about mumble attacks, which are telephone-based social engineering attacks targeted at call center agents. The social engineer poses as a speech-impaired customer, or as a person calling on behalf of a speech-impaired customer. The goal is to make the victims, in this case the call center agents, feel awkward or embarrassed enough to release the desired information. Given the pressure most call center agents are under, this is a simple yet highly effective attack.

Like Hadnagy's book, this one has a detailed social engineering test methodology. Conheady details a methodology with five stages: planning and target identification, research and reconnaissance, scenario creation, attack execution and exit, and reporting. She notes that one does not have to be a slave to the methodology, and that it can be modified depending on the project.

Social engineering often operates at the limit of what is legal and ethical. The author goes to great lengths to spell out the tester's ethical and legal obligations.

The book is filled with practical advice, as Conheady is seasoned and experienced in the topic. From advice on using bathrooms as a holding location to gaining laptop connectivity and more, she writes of the many small details that can make the difference between a successful social engineering test and a failed one.

The book also details many areas where the job of the social engineer is made easy by poor security practices at the location. Chapter 7 describes how the access codes on many doors do little to keep social engineers out: many doors have 4-character codes, and she writes that she has seen keypads where the keys used in the combination are so worn down that you can spot them straightaway.
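As an added illustration of why the worn-keypad observation in chapter 7 matters (this is example code written for this page, not code from Conheady's book or from any tool it mentions), the script below enumerates the candidate codes once the worn keys are known and computes how far the keyspace shrinks. It assumes a standard 10-digit keypad, a fixed code length, and that the worn keys are exactly the digits of the code (each worn digit appears at least once, no other digit appears); a worn "#" or "enter" key would have to be excluded from the worn set first. The scenario values ("1379" and friends) are constructed for the example.

```python
"""Keyspace reduction from worn keypad buttons (illustrative example).

Assumptions (not from the book): a standard 10-digit keypad, a fixed
code length, and that the worn keys are exactly the set of digits in
the code (each worn digit appears at least once, no other digit does).
"""
from itertools import product
from math import comb


def candidate_codes(worn_keys, length):
    """Enumerate every code of `length` digits that uses each worn key
    at least once and uses no other key. With fewer worn keys than
    digits in the code, some key must repeat."""
    worn = set(worn_keys)
    if not worn or len(worn) > length:
        return []
    return sorted(
        "".join(seq)
        for seq in product(sorted(worn), repeat=length)
        if set(seq) == worn
    )


def count_candidates(n_worn, length):
    """Closed form for len(candidate_codes(...)): the number of surjections
    from `length` positions onto `n_worn` keys, by inclusion-exclusion."""
    if n_worn == 0 or n_worn > length:
        return 0
    return sum((-1) ** k * comb(n_worn, k) * (n_worn - k) ** length
               for k in range(n_worn + 1))


def keyspace_reduction(worn_keys, length, alphabet=10):
    """Return (full keyspace, remaining candidates, reduction factor)."""
    full = alphabet ** length
    remaining = count_candidates(len(set(worn_keys)), length)
    factor = full / remaining if remaining else float("inf")
    return full, remaining, factor


if __name__ == "__main__":
    # Constructed scenario: a 4-digit code; the listed keys are visibly worn.
    for worn in ("1379", "137", "13"):
        full, remaining, factor = keyspace_reduction(worn, 4)
        print(f"worn keys {worn!r}: {full} -> {remaining} candidates "
              f"({factor:.0f}x smaller)")
    print(candidate_codes("13", 4))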

As noted earlier, the book focuses more on the human techniques of social engineering than on software tools. She does not ignore tools, though, and in chapter 9 provides a list of some of the more popular ones, including Maltego, Cree.py and others. She also lists other tools to use, such as recording devices, bugging devices, phone tools and more.

With all of those, she still notes that the cell phone is the single most useful item you can bring with you on a social engineering test. Among its many uses: discouraging challengers, faking a call to look busy, using the camera, and more.

While most of the book is about how to execute a social engineering test, chapter 10 details how to defend against social engineering. She notes that it is notoriously difficult to defend against because it targets the weakest link in the security chain: the end user. She astutely notes that a firm can't simply roll out a patch and immunize its staff against the latest social engineering attack, even though there are vendors who make it seem like you can. The chapter also lists a number of indicators that a firm may be experiencing a social engineering attack.

Hadnagy's book is still the gold standard on the topic, but Social Engineering in IT Security: Tools, Tactics, and Techniques certainly gives it a run for its money.

Hadnagy's approach to social engineering is quite broad and aggressive; Conheady takes a kinder, gentler approach to the topic. For those looking for an effective guide on which to build a social engineering testing program, this book covers all of the core areas and nearly everything they need to know about the fundamentals of the topic.

Reviewed by Ben Rothke.

The real problem (1)

ArcadeMan (2766669) | about 3 months ago | (#47722927)

“To summarize the summary of the summary: people are a problem.” - Douglas Adams

Re:The real problem (0)

Anonymous Coward | about 3 months ago | (#47723027)

To summarize the summary of the summary and bring in a quote from the Doors: people are strange.

Re:The real problem (0)

Anonymous Coward | about 3 months ago | (#47726173)

To summarize the summary of the summary with a summer Sumner something: Sting in July.

Re:The real problem (0)

Anonymous Coward | about 3 months ago | (#47725197)

Something is rotten in the state of Denmark!!!

too many social engineers there!! :)

Plagiarism allegations in the KKTC (-1)

Anonymous Coward | about 3 months ago | (#47723009)

PLAGIARISM ALLEGATIONS IN THE KKTC TURNED OUT TO BE BASELESS
Two female academics who were dismissed from Lefke European University in the KKTC and whose employment was terminated, through a publication they made on the internet in the autumn of 2012 and a report they sent to a local newspaper, ... the KKTC's leading academic...

http://www.dijiforum.com/detail.aspx?customEntry=460

Re:Plagiarism allegations in the KKTC (0)

Anonymous Coward | about 3 months ago | (#47723181)

good news.... Recep Tayyip Erdoğan is done killing innocent Kurds and Armenians, now has time to be on Slashdot.

Re:Plagiarism allegations in the KKTC (0)

Anonymous Coward | about 3 months ago | (#47725219)

Erdoğan!!! A rotten man... an evil man... a mad man... a killer of Armenians man!

Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47723129)

I find the name "social engineering" irritating. What they are talking about is scamming, nothing more, nothing less. Are we supposed to call scammers, fraudsters and crooks "social engineers" now?

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47723225)

Very good point.

Social engineering is far too kind of a phrase.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47723439)

I'm glad someone else feels this way. I spent years in college working my ass off to earn the right to be called an engineer.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47724097)

I am a computer doctor; some numskull cardiologist doesn't like my title.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47723711)

Can someone please explain, even if it is in the role of Devil's advocate, how it is that "social engineering" is not "lying and fraud"? It makes me want to punch someone right in the mouth every time they utter that phrase, yet I must be the idiot if it has been around for ages. What am I missing?

Re:Why dignify it as "social engineering"? (1)

Wootery (1087023) | about 3 months ago | (#47727427)

So essentially you're just saying what the parent said?

Re:Why dignify it as "social engineering"? (1)

GTRacer (234395) | about 3 months ago | (#47727959)

I must be one of the few people who actually likes the term "social engineering." I first encountered it in connection with Kevin Mitnick and Kevin Poulsen's biographies. While I completely agree at the root level SE is just a synonym for con games, fraud and the like, I accept it as a situationally-applicable variant when it pertains to security bypasses. As distinct from conning someone out of their Medicaid checks or pushing counterfeit merchandise with a smooth pitch.

I also like to think the engineering part comes into play when you design a system for ingratiating yourself into a foreign organization's trust, especially when it leads to credentialed access to I/T systems.

Re:Why dignify it as "social engineering"? (1)

Livius (318358) | about 3 months ago | (#47723995)

It's a useful distinction to make, so there should be a term for it.

Of course, that term should not include the word 'engineering', since it has nothing to do with the correct meaning of the word 'engineering'.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47724037)

Yes. "Social Engineering" is nothing more than Running A Con, and social engineers are con artists.

The real problem that is not talked about is how fucked up in the head a person has to be to assume they know best how and what other people should be doing and so "social engineer" them into doing it.

Social Engineering = pretentious fruitcakes manipulating people.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47724141)

They are security testers; what's the big deal what they call themselves?

Red team, tiger team, ethical hacker, white hat, blah blah blah.

They do a service to test the company.

Do you see something wrong with that?

Someone has to do it.

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47724073)

There is hacking and then there is ‘ethical hacking’.
There is fraud and then there is ‘social engineering’.

Does that make sense?

Re:Why dignify it as "social engineering"? (0)

Anonymous Coward | about 3 months ago | (#47727731)

you must be a lawyer....u have to be to say such stuff...

I have Sharon's phone number if you want it (1)

Anonymous Coward | about 3 months ago | (#47723381)

I bet most of you Slashdorks would swoon over her.

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47723433)

Who is that?

Re:I have Sharon's phone number if you want it (1)

CaptainDork (3678879) | about 3 months ago | (#47723469)

Spoiler alert ...

It's O4U812.

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47723505)

What's the country code? :)

Re:I have Sharon's phone number if you want it (2)

Zero__Kelvin (151819) | about 3 months ago | (#47723561)

Nice attempt to social engineer a date from me Sharon, but it's never going to happen.

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47723627)

WHO IS SHARON!?

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47727747)

Is it a city in Massachusetts in the US of A?

Re:I have Sharon's phone number if you want it (1)

Zero__Kelvin (151819) | about 3 months ago | (#47728333)

A woman who knows where the CAPS LOCK key is located and what it does,

Sex: a social engineering tool (2)

Rob Riggs (6418) | about 3 months ago | (#47723753)

Please help me with research on my new IT Security book...

Re:Sex: a social engineering tool (0)

Anonymous Coward | about 3 months ago | (#47723795)

someone already wrote it:

https://www.cia.gov/library/publications/the-world-factbook/geos/vm.html

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47724203)

wat? she broke up with ozzy?

Re:I have Sharon's phone number if you want it (2)

Swave An deBwoner (907414) | about 3 months ago | (#47725127)

Ah, yes, you must have read her brief bio here:

https://www.securitysummit.it/speakers/conheady-sharon/ [securitysummit.it]

Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

If you see Sharon around your office, please open the door to let her in.

She's definitely hot.

Re:I have Sharon's phone number if you want it (0)

Anonymous Coward | about 3 months ago | (#47727733)

u r tooooooooooooo tuff for the rest of us...

have yer fun...

go size the day!

Edit check (1)

parodigm_shifter (2756449) | about 3 months ago | (#47723811)

It's "foreword" when you write the piece that goes before the book contents. Forward is a direction you go.

Re:Edit check (0)

Anonymous Coward | about 3 months ago | (#47723957)

So what's the diff between a foreword and a preface?

Re:Edit check (1)

benrothke (2577567) | about 3 months ago | (#47725597)

I stand corrected.

Thanks.

Don't criticize the notion of 'social engineering' (0)

Anonymous Coward | about 3 months ago | (#47724239)

Don't criticize the notion of 'social engineering' if you are going to do it as an anonymous coward.

So many critical comments. But you can't be honest and critical if you do it as an anonymous coward.

That is just exactly precisely the type you rail against when you do that, and it is very hypocritical.

foreword!!! (0)

Anonymous Coward | about 3 months ago | (#47724933)

It's "foreword," not "forward"! You're not allowed to do a book review if you can't spell the word you just looked at in the book you're reviewing!

Re:foreword!!! (0)

Anonymous Coward | about 3 months ago | (#47725241)

OMG!!! the wurld is going to end!!!

He passed the ALS challenge...but..but but...he mispelled a wurd.

omy!!!!! :::You're not allowed to do a book review

dats da law!!!

he broke de law!!!!!

stop presses!! O lordie!

I thank you for freaking about about this major issue...

Freak to freak!! this is bad...very bad...

HE forgot to add the letter 'e'. oh no!!!!

stop wurld!
evil!

speling is fundamental!

Re:foreword!!! (0)

Anonymous Coward | about 3 months ago | (#47725307)

There is another minor misspelling.

But I am not going to tell you what it is...

I want you to suffer! :)

Re:foreword!!! (0)

Anonymous Coward | about 3 months ago | (#47726047)

the world just ended...

is misspelling worse than ISIS in Iraq?

Re:foreword!!! (0)

Anonymous Coward | about 3 months ago | (#47727709)

what r your thoughts on the oxford comma mr expert?

30 comments...and nothing about the book content.. (0)

Anonymous Coward | about 3 months ago | (#47725287)

Why has no one talked about the book?
About the subject?
About what it means?

Just a bunch of gibberish comments.

I think every company should have a social engineering pen test.

We did. The results were frightening.

This needs to be made front and centre in every company.

This is a big deal. Don't ignore it.

Re:30 comments...and nothing about the book conten (0)

Anonymous Coward | about 3 months ago | (#47726023)

this is slashdot!

I am in berlin.

it's almost morning...

Hamas Executes 30 Innocent Palestinians In Gaza!!! (0)

Anonymous Coward | about 3 months ago | (#47726063)

Hamas Executes 30 Innocent Palestinians In Gaza, Western Media Scared To Report Massacre

please slashdot report this!

http://www.inquisitr.com/1393376/hamas-executes-30-innocent-palestinians-in-gaza-western-media-scared-to-report-massacre-update

Egyptian Imam Issues Ladies Room Invasion Fatwa (0)

Anonymous Coward | about 3 months ago | (#47726073)

Egyptian Imam Issues Ladies Room Invasion Fatwa

http://www.frontpagemag.com/2014/dgreenfield/egyptian-imam-issues-ladies-room-invasion-fatwa/

I went and issued a Fatwa but noone listened!
