So I have just completed Chris Hadnagy’s book and now I am a social engineering master. Well perhaps a master of this art is an exaggeration on my part, but I certainly believe I have learned a great deal from reading what is in my view, an essential guide to the inner workings of social engineering, be it used for good or evil.
The book does not claim to turn anyone into a master. It does though give you a broad and deep understanding and will point you to many other areas of research if becoming a master is your end goal. Considering the years of research gone into various disciplines discussed and skills you would need to cover, I wish you happy researching if this is your end game. I certainly plan to return to many of the areas out of interest myself.
As the web has recently started to develop into the social monster we see today, its teachings I believe may become even more important to many of us in the years to come. It should certainly convince people that a good security awareness program must be adopted everywhere and continually tested/updated.
Just observing my students and others I know online; day to day and seeing the kind of information they share without a thought of the impact this may have for their own personal security, never mind the organisations they may work for, really makes me think it could become open season for crime, in many different ways.
Hopefully they are all lucky and don’t fall victims or perhaps they listen to my constant warnings to take more care.
Thinking back to my own perception of social engineering before I read the book, I had a good idea of what I considered relatively simple types of attack, unfortunately though many people still seem to fall for these sweeping attacks.
For many of us experienced web users we tend to spot these or our spam filters sweep them away so we don’t have to endure yet another delete button press. But what about a targeted attack? How many of us would fall victim then?
I imagine a very high proportion of people would. In fact given enough information about the target and the right set of circumstances we all could quite easily and if you think “no way, not I” then you are probably the most likely to fall for one.
The book outlines the lengths that individuals or groups resort to, in order to tailor an attack customised especially just for you.
Essentially gathering your information from just about any resource they can, coming into contact with you in person or others around you, reading your face, emotions and behaviours like a book and then using all of this minute detail to manipulate you into giving further information away or perhaps fully compromising your systems in a variety of different ways including sending malicious files, dropping off at your office CD/DVD or USB devices with more nasty stuff, convincing you to browse to nasty websites or stealing your systems from right under your nose!
In actual fact it could be quite scary reading for many.
The book also offers good advice in terms of what you can do about it all to what to look for in an auditor if you have already started to think how these attacks my affect your business and would like to test/improve your performance.
The book promotes something which I truly think is important “be aware, educated and prepared”
I have heard recently there is “no patch for human stupidity”, well there is no immediate fix but we can certainly receive constant updates: Through Education.