Social Engineering in IT Security: Tools, Tactics, and Techniques

Social Engineering in IT Security: Tools, Tactics, and Techniques

by Sharon Conheady
Released August 2014
Publisher(s): McGraw-Hill
ISBN: 9780071818476

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Cutting-edge social engineering testing techniques

"Provides all of the core areas and nearly everything [you] need to know about the fundamentals of the topic."--Slashdot Conduct ethical social engineering tests to identify an organization's susceptibility to attack. Written by a global expert on the topic, Social Engineering in IT Security discusses the roots and rise of social engineering and presents a proven methodology for planning a test, performing reconnaissance, developing scenarios, implementing the test, and accurately reporting the results. Specific measures you can take to defend against weaknesses a social engineer may exploit are discussed in detail. This practical guide also addresses the impact of new and emerging technologies on future trends in social engineering.
  • Explore the evolution of social engineering, from the classic con artist to the modern social engineer
  • Understand the legal and ethical aspects of performing a social engineering test
  • Find out why social engineering works from a victim's point of view
  • Plan a social engineering test--perform a threat assessment, scope the test, set goals, implement project planning, and define the rules of engagement
  • Gather information through research and reconnaissance
  • Create a credible social engineering scenario
  • Execute both on-site and remote social engineering tests
  • Write an effective social engineering report
  • Learn about various tools, including software, hardware, and on-site tools
  • Defend your organization against social engineering attacks

Table of contents

  1. Cover 
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. Contents at a Glance
  6. Contents 
  7. Foreword
  8. Acknowledgments
  9. Introduction
  10. Chapter 1: Introduction to Social Engineering
    1. Different Types of Social Engineering
      1. Physical Social Engineering
      2. Remote Social Engineering
      3. Combination Attacks
    2. The History and Evolution of Social Engineering
      1. The Golden Age of Con Artistry
      2. Social Engineering in the 1920s: Charles Ponzi
      3. Social Engineering in the 1940s: The War Magician
      4. Social Engineering in the 1950s: Frank Abagnale
      5. Social Engineering in the 1970s–1990s: Kevin Mitnick
      6. Social Engineering Since 2000
    3. Who Are the Social Engineers Today?
      1. Opportunists with Little Preparation
      2. Organized External Attackers
      3. Internal Attackers
    4. Introduction to Social Engineering Testing
      1. The Social Engineering Test Methodology
    5. Final Thoughts
  11. Chapter 2: The Legal and Ethical Aspects of Social Engineering Tests
    1. Malicious Social Engineers vs. Ethical Social Engineers
      1. Radio DJs and Kate Middleton Prank Call
      2. The Epic Hacking of Mat Honan
      3. Condé Nast Transfers $8 Million to Spear Phisher
    2. Is It Legal? Is It Ethical? The Legal and Ethical Aspects of Social Engineering
      1. The Social Engineering Contract
      2. The Get Out of Jail Free Card
      3. Laws You May Break
      4. Legal and Ethical Options
      5. Legal Do’s and Don’ts
    3. Free Pizza and Social Engineering in Your Personal Life
    4. Final Thoughts
  12. Chapter 3: Why Social Engineering Works
    1. Misplaced Trust in the Social Engineer
      1. Detecting Deception
      2. Why Do We Trust?
      3. Appearing Trustworthy
    2. Respect for Authority
      1. Factors that Increase Our Tendency to Obey
      2. Indicators of Authority
    3. Helpfulness
    4. Motivators to Aid the Social Engineer
      1. Positive Motivations: Reciprocity
      2. Negative Motivations: Pressuring the Victim
    5. Lack of Personal Responsibility
      1. Bystander Effect
    6. Lack of Awareness
      1. People Don’t Realize Social Engineering Is a Threat
      2. People Don’t Think They Will Be Targeted by Social Engineers
      3. People Think They Would Never Fall for a Social Engineering Scam
      4. People Don’t Know What to Do When They Face a Social Engineering Attack
    7. Final Thoughts
  13. Chapter 4: Planning Your Social Engineering Test
    1. Assessing the Threat
      1. Types of Attackers
      2. Current Awareness Levels
    2. Scoping the Social Engineering Test
      1. Type of Test
      2. Time to Allocate to Test
      3. Goals and Deliverables
    3. Planning the Project
      1. Test Plan
      2. Team Plan
      3. Communications Plan
      4. Risk Management Plan
    4. Defining the Rules of Engagement
      1. Restrictions on Testing
      2. Calling Off the Test
      3. Permission to Test
      4. Who Should Be Informed About the Test
    5. Case Study: Social Engineering a Banking Call Center
    6. Final Thoughts
  14. Chapter 5: Research and Reconnaissance
    1. What Types of Information to Look for in the Reconnaissance Phase
    2. Where to Look for Information
      1. Company Websites
      2. Recruitment Websites
      3. Newspapers and the Press
      4. WHOIS
      5. Conferences and Public Events
      6. Official Filings
      7. Commercial Sources
      8. Gray Literature
    3. Information Gathering on Social Networks
      1. Specific Social Networking Sites
    4. Physical Reconnaissance
    5. Dumpster Diving
    6. Telephone Reconnaissance
      1. Reconnaissance for Call Centers
    7. Challenges During the Research and Reconnaissance Phase
    8. Final Thoughts
  15. Chapter 6: Creating the Scenario
    1. Brainstorming Potential Scenarios
    2. Validating Scenarios
    3. Adding Credibility
      1. Character Development
      2. Costumes
      3. Props
    4. Identifying Possible Pitfalls
    5. Assigning Roles
    6. Practicing Again and Again
    7. Final Thoughts
  16. Chapter 7: Executing the Social Engineering Test
    1. Executing a Phishing Test
      1. A Non–Social Engineering Phishing Test
    2. Executing a Telephone Social Engineering Test
    3. Executing an Onsite Social Engineering Test
      1. The Basic Routine
      2. Common Actions once Inside
      3. Recording the Test
      4. Trophy Gathering
      5. Creating a Good Road Apple/Physical Bait
      6. Walking Through Doors: Access Codes and Tailgating
      7. Coffee/Smoking Break Analysis
    4. Building Rapport
      1. How to Make Small Talk
    5. What to Do If You Are Challenged
    6. What Else Can Go Wrong
    7. Final Thoughts
  17. Chapter 8: Writing the Social Engineering Report
    1. Continuous Feedback and Reporting
    2. Recording Events During the Test
    3. How Much Time Should You Allow for Report Writing?
    4. Planning the Report
      1. Establish Who Your Target Readers Are
      2. Specific Client Requests
      3. Risk Ratings for Social Engineering Findings
    5. Standard Report Contents
      1. Executive Summary
      2. Technical Details
      3. Example Report
      4. Appendixes
    6. The Quality Assurance Process
    7. Distributing the Report
    8. Final Thoughts
  18. Chapter 9: Tools of the Trade
    1. Research and Reconnaissance Tools
      1. Maltego
      2. Cree.py
      3. Spokeo
      4. The Wayback Machine
      5. Metadata Collectors: FOCA and Metagoofil
    2. Scenario Creation Tools
    3. Test Execution Tools
      1. What to Bring on Your Social Engineering Test
      2. Recording Devices
      3. Bugging Devices
      4. Keystroke Loggers
      5. Disguised Storage Devices
      6. The Cell Phone
      7. Phone Tools and Caller ID Spoofing
      8. The Social-Engineer Toolkit
    4. Final Thoughts
  19. Chapter 10: Defense Against the Dark Arts
    1. Indicators That You May Be Experiencing a Social Engineering Attack
      1. The Person’s Attitude
      2. Establishing a Connection
      3. The Nature of the Request
      4. Pressure/Urgency
      5. Small Mistakes
      6. Difficulty of Independent Validation
      7. Have You Been Social Engineered?
      8. Social Engineering Checklist: Have You Been Social Engineered?
    2. Responding to Social Engineering Attacks
    3. Security Policies and Procedures
      1. Data Classification Policy
      2. Physical Security Policy: Visitors
    4. Social Engineering Education and Awareness
    5. Physical and Technical Controls
    6. Social Engineering Tests as Defense
    7. Final Thoughts
  20. Chapter 11: Social Engineering: Past, Present, and Future
    1. Same Tricks, New Technology
      1. The Spanish Prisoner, 16th Century
      2. The Letter from Jerusalem, 19th Century
      3. Advance Fee Fraud Revival, Early 20th Century
      4. Advance Fee Fraud Scams Since the 1970s
    2. New Technology, New Targets, New Delivery
      1. Seeing Around Corners
      2. Remote Controllable Cockroaches
      3. Biometrics
      4. The Internet of Things
    3. Easier Profiling, More Believable Attacks
      1. Social Networks
      2. The Cloud
      3. Wearable Tech
      4. Countering Surveillance
      5. Implanted Tech
    4. Final Thoughts
  21. Index

Product information

  • Title: Social Engineering in IT Security: Tools, Tactics, and Techniques
  • Author(s): Sharon Conheady
  • Release date: August 2014
  • Publisher(s): McGraw-Hill
  • ISBN: 9780071818476