
Social Engineering
Description
Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker's repertoire--why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. The way that we make decisions as humans affects everything from our emotions to our security. Hackers, since the beginning of time, have figured out ways to exploit that decision making process and get you to take an action not in your best interest. This new Second Edition has been updated with the most current methods used by sharing stories, examples, and scientific study behind how those decisions are exploited.
Networks and systems can be hacked, but they can also be protected; when the "system" in question is a human being, there is no software to fall back on, no hardware upgrade, no code that can lock information down indefinitely. Human nature and emotion are the secret weapon of the malicious social engineer, and this book shows you how to recognize, predict, and prevent this type of manipulation by taking you inside the social engineer's bag of tricks.
* Examine the most common social engineering tricks used to gain access
* Discover which popular techniques generally don't work in the real world
* Examine how our understanding of the science behind emotions and decisions can be used by social engineers
* Learn how social engineering factors into some of the biggest recent headlines
* Learn how to use these skills as a professional social engineer and secure your company
* Adopt effective counter-measures to keep hackers at bay
By working from the social engineer's playbook, you gain the advantage of foresight that can help you protect yourself and others from even their best efforts. Social Engineering gives you the inside information you need to mount an unshakeable defense.

Person
of the popular Social Engineering Capture the Flag (SECTF). He is a sought-after
speaker and trainer and even has debriefed the Pentagon on these topics. He
can be found tweeting at @humanhacker.
Content
2 - Title Page
3 - Copyright
4 - About the Author
5 - About the Technical Editor
6 - Credits
7 - Acknowledgments
8 - Contents
9 - Foreword
10 - Preface
11 - 1 A Look into the New World of Professional Social Engineering
11.1 - What Has Changed?
11.2 - Why Should You Read This Book?
11.3 - An Overview of Social Engineering
11.4 - The SE Pyramid
11.4.1 - OSINT
11.4.2 - Pretext Development
11.4.3 - Attack Plan
11.4.4 - Attack Launch
11.4.5 - Reporting
11.5 - What's in This Book?
11.6 - Summary
12 - 2 Do You See What I See?
12.1 - A Real-World Example of Collecting OSINT
12.2 - Nontechnical OSINT
12.2.1 - Observational Skills
12.2.2 - Technical Open Source Intelligence
12.2.3 - Two Other Things
12.3 - Tools of the Trade
12.3.1 - SET
12.3.2 - IntelTechniques
12.3.3 - FOCA
12.3.4 - Maltego: The Granddaddy of Them All
12.4 - Summary
13 - 3 Profiling People Through Communication
13.1 - The Approach
13.2 - Enter the DISC
13.2.1 - What Is DISC?
13.2.2 - To Know Thyself Is the Beginning of Wisdom
13.3 - Summary
14 - 4 Becoming Anyone You Want to Be
14.1 - The Principles of Pretexting
14.1.1 - Principle One: Thinking Through Your Goals
14.1.2 - Principle Two: Understanding Reality vs. Fiction
14.1.3 - Principle Three: Knowing How Far to Go
14.1.4 - Principle Four: Avoiding Short-Term Memory Loss
14.1.5 - Principle Five: Getting Support for Pretexting
14.1.6 - Principle Six: Executing the Pretext
14.2 - Summary
15 - 5 I Know How to Make You Like Me
15.1 - The Tribe Mentality
15.2 - Building Rapport as a Social Engineer
15.2.1 - The Moral Molecule
15.2.2 - The 10 Principles of Building Rapport
15.3 - The Rapport Machine
15.3.1 - Use the Friends and Family Plan
15.3.2 - Read
15.3.3 - Take Special Note of Failures
15.4 - Summary
16 - 6 Under the Influence
16.1 - Principle One: Reciprocity
16.1.1 - Reciprocity in Action
16.1.2 - Using Reciprocity as a Social Engineer
16.2 - Principle Two: Obligation
16.2.1 - Obligation in Action
16.2.2 - Using Obligation as a Social Engineer
16.3 - Principle Three: Concession
16.3.1 - Concession in Action
16.3.2 - Using Concession as a Social Engineer
16.4 - Principle Four: Scarcity
16.4.1 - Scarcity in Action
16.4.2 - Using Scarcity as a Social Engineer
16.5 - Principle Five: Authority
16.5.1 - Authority in Action
16.5.2 - Using Authority as a Social Engineer
16.6 - Principle Six: Consistency and Commitment
16.6.1 - Consistency and Commitment in Action
16.6.2 - Using Commitment and Consistency as a Social Engineer
16.7 - Principle Seven: Liking
16.7.1 - Using Liking as a Social Engineer
16.8 - Principle Eight: Social Proof
16.8.1 - Social Proof in Action
16.8.2 - Using Social Proof as a Social Engineer
16.9 - Influence vs. Manipulation
16.9.1 - Manipulation in Action
16.9.2 - Principles of Manipulation
16.10 - Summary
17 - 7 Building Your Artwork
17.1 - The Dynamic Rules of Framing
17.1.1 - Rule 1: Everything You Say Evokes the Frame
17.1.2 - Rule 2: Words That Are Defined with the Frame Evoke the Frame
17.1.3 - Rule 3: Negating the Frame
17.1.4 - Rule 4: Causing the Target to Think About the Frame Reinforces the Frame
17.2 - Elicitation
17.2.1 - Ego Appeals
17.2.2 - Mutual Interest
17.2.3 - Deliberate False Statement
17.2.4 - Having Knowledge
17.2.5 - The Use of Questions
17.3 - Summary
18 - 8 I Can See What You Didn't Say
18.1 - Nonverbals Are Essential
18.2 - All Your Baselines Belong to Us
18.2.1 - Be Careful of Misconceptions
18.2.2 - Know the Basic Rules
18.3 - Understand the Basics of Nonverbals
18.4 - Comfort vs. Discomfort
18.4.1 - Anger
18.4.2 - Disgust
18.4.3 - Contempt
18.4.4 - Fear
18.4.5 - Surprise
18.4.6 - Sadness
18.4.7 - Happiness
18.5 - Summary
19 - 9 Hacking the Humans
19.1 - An Equal Opportunity Victimizer
19.2 - The Principles of the Pentest
19.2.1 - Document Everything
19.2.2 - Be Judicious with Pretexts
19.3 - Phishing
19.3.1 - Educational Phishing
19.3.2 - Pentest Phishing
19.3.3 - Spear Phishing
19.3.4 - Phishing Summary
19.4 - Vishing
19.4.1 - Credential Harvesting
19.4.2 - Vishing for OSINT
19.4.3 - Vishing for Full Compromise
19.4.4 - Vishing Summary
19.5 - SMiShing
19.6 - Impersonation
19.6.1 - Planning an Impersonation Pentest
19.6.2 - Considerations of Sanitization
19.6.3 - Equipment Procurement
19.6.4 - Impersonation Summary
19.7 - Reporting
19.7.1 - Professionalism
19.7.2 - Grammar and Spelling
19.7.3 - All the Details
19.7.4 - Mitigation
19.7.5 - Next Steps
19.8 - Top Questions for the SE Pentester
19.8.1 - How Can I Get a Job Being a Social Engineer?
19.8.2 - How Do I Get My Clients to Do SE Stuff?
19.8.3 - How Much Should I Charge?
19.9 - Summary
20 - 10 Do You Have a M.A.P.P.?
20.1 - Step 1: Learn to Identify Social Engineering Attacks
20.2 - Step 2: Develop Actionable and Realistic Policies
20.2.1 - Take the Thinking out of the Policy
20.2.2 - Remove the Ability for Empathy Bypasses
20.2.3 - Make Policies Realistic and Actionable
20.3 - Step 3: Perform Regular Real-World Checkups
20.4 - Step 4: Implement Applicable Security-Awareness Programs
20.5 - Tie It All Together
20.6 - Gotta Keep 'Em Updated
20.7 - Let the Mistakes of Your Peers Be Your Teacher
20.8 - Create a Security Awareness Culture
20.9 - Summary
21 - 11 Now What?
21.1 - Soft Skills for Becoming a Social Engineer
21.1.1 - Humility
21.1.2 - Motivation
21.1.3 - Extroverted
21.1.4 - Willingness to Try
21.1.5 - It Really Works!
21.2 - Technical Skills
21.3 - Education
21.4 - Job Prospects
21.4.1 - Start Your Own Company
21.4.2 - Get Hired by a Pentest Company
21.4.3 - Get Hired by a Social Engineering Company
21.5 - The Future of Social Engineering
22 - Index
23 - EULA
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.