Social Engineering: The Art of Human Hacking by Chris Hadnagy

Social Engineering is not a technical book, at least not in the traditional sense. You will not see extensive discussion about ports, firewalls or encryption. If you were hoping for any of those topics, then you are in for a disappointment. This book is about human hacking, again not in the traditional sense. At the end of the day, security boils down to humans. Humans are vulnerable and no technology is secure if it is protected by people who can be deceived.

Chris Hadnagy, who is also the founder of Social-engineer.org, is undoubtedly one of the experts in the field of Social Engineering. If you have visited the website he maintains, you will get a good sense of his ability to educate readers and to provide them with relevant information in the field of social engineering. If you haven’t visited his website, I highly recommend reading more about the Social Engineering Framework and perhaps even subscribing to the newsletter. The podcasts can be an additional source of knowledge. He makes regular appearances at BlackHat and several other security conferences.

Chapter 1 emphasizes the importance of practicing some of the social engineering skills without getting into any legal trouble. For some, it may seem like a daunting challenge, while for others it may be an adventurous endeavor. The author makes it quite clear that this book is not a manual but should be used as a guide to walk you through various aspects of social engineering.
Just like the various phases of penetration testing, social engineering begins with the important phase of information gathering. With the help of a few tools, the author discusses the criticality of communication models.

I was a little surprised to find that Chapter 2 was missing a summary section. Chapter 3 drives home a powerful point: asking the right questions creates new opportunities that will help you to be a good social engineer as well as a good communicator. In this chapter, he discusses methods on how to be a good elicitor and how to go about asking intelligent questions.

Chapter 4 deals with the topic of pretexting and what value it serves in achieving the goal of seeing through the victim. It’s about research, simplicity and spontaneity. The author ends this chapter with a couple of real-life examples.

Chapter 5 has a psychological bent more than any other material in the book. The author underlines various human emotions without sounding like a psychologist and provides numerous illustrations to prove his point. The most fascinating part of the whole book is the Human Buffer Overflow. The exercise mentioned to describe that concept is even more fun. I recommend that readers try out the exercise.

Chapter 6 deals with the power of influence and manipulation. It’s about how one can influence someone else to such an extent that they follow your lead. It’s about gaining temporary control over someone else in order to achieve your goal. What I thought was particularly interesting was the author’s attempt at explaining manipulation using consumer behavior. It seemed a little far-fetched for the discussion at hand. The reason why I was not totally convinced about using consumer behaviorism is that the illustrations are specific to Western culture and may not easily translate to other parts of the world.

Chapter 7, in my opinion, should be dedicated to Inspector Gadget (an animated character with various bionic gadgets built into his body, source: Wikipedia). It is quite eye-opening to see how many tools are out there that could make someone so vulnerable. By the time you end up at Chapter 8, if you are still skeptical about how all this works in the grand scheme of things, then you cannot afford to skip the case studies. Some of them read like movie scripts, while others will urge you to think like a hacker.

Chapter 9 is for the security professional who realizes the threat of social engineering and is interested in either mitigating or perhaps preventing such attacks. Since humans have weak spots, prevention may not be trivial, especially in large organizations; due diligence may call for awareness training or conducting audits at regular intervals. One of the strengths of this book is that it speaks to the audience without getting too technical. This book could have easily been a difficult read, but the author carefully steers the readers through the subject with the help of case studies, tools and, most importantly, the fundamental principles behind social engineering. This book deviates from traditional security books and offers a good blend of security concepts and mind tricks.

by A Rao (CISSP, CISA, ITIL)