Tag Archives: Security

Social Engineering The Art of Human Hacking – Review

So I have just completed Chris Hadnagy’s book and now I am a social engineering master. Well, perhaps a master of this art is an exaggeration on my part, but I certainly believe I have learned a great deal from reading what is, in my view, an essential guide to the inner workings of social engineering, be it used for good or evil.

The book does not claim to turn anyone into a master. It does, though, give you a broad and deep understanding, and it will point you to many other areas of research if becoming a master is your end goal. Considering the years of research that have gone into the various disciplines discussed and the skills you would need to cover, I wish you happy researching if this is your end game. I certainly plan to return to many of these areas out of interest myself.

As the web has developed into the social monster we see today, its teachings, I believe, may become even more important to many of us in the years to come. It should certainly convince people that a good security awareness programme must be adopted everywhere and continually tested and updated.

Just observing my students and others I know online day to day, and seeing the kind of information they share without a thought for the impact this may have on their own personal security, never mind the organisations they may work for, really makes me think it could become open season for crime in many different ways.

Hopefully they are all lucky and don’t fall victim, or perhaps they listen to my constant warnings to take more care.

Thinking back to my own perception of social engineering before I read the book, I had a good idea of what I considered relatively simple types of attack; unfortunately, though, many people still seem to fall for these sweeping attacks.

Many of us experienced web users tend to spot these, or our spam filters sweep them away so we don’t have to endure yet another press of the delete button. But what about a targeted attack? How many of us would fall victim then?

I imagine a very high proportion of people would. In fact, given enough information about the target and the right set of circumstances, we all could quite easily, and if you think “no way, not I” then you are probably the most likely to fall for one.

The book outlines the lengths individuals or groups will go to in order to tailor an attack customised especially for you.

Essentially, they gather your information from just about any resource they can, come into contact with you in person or with others around you, read your face, emotions and behaviours like a book, and then use all of this minute detail to manipulate you into giving further information away, or perhaps into fully compromising your systems in a variety of ways: sending you malicious files, dropping CD/DVD or USB devices loaded with more nasty stuff at your office, convincing you to browse to nasty websites, or stealing your systems from right under your nose!

In actual fact, it could be quite scary reading for many.

The book also offers good advice, from what you can do about it all to what to look for in an auditor, if you have already started to think about how these attacks may affect your business and would like to test and improve your performance.

The book promotes something which I truly think is important: “be aware, educated and prepared”.

I have heard recently that there is “no patch for human stupidity”; well, there is no immediate fix, but we can certainly receive constant updates: through education.


eCPPT – Review and Passed

I am pleased to be able to report I am now a proud holder of eCPPT.

From my own background and perspective, the course and exam were a very enjoyable experience. I would recommend this to anyone interested in security, and perhaps on a limited budget.

I had done CEH prior to this course and personally found CEH useful in giving me a good foundation from which to approach this course. My day-to-day working life is not, at the moment, centred on security.

From my initial contact with eLearnSecurity, I was impressed by the way I was handled as a potential customer and supported in believing that I could achieve this.

I did ponder long and hard before I parted with my own hard-earned cash.

After making my decision to join the course, I initially did feel a bit unsure of what I had bought into, mainly due to my concerns that perhaps I could not do this on my own in a distance-learning fashion.

My fears were quickly put to rest once I saw the responses to my questions, and once I had read every post in the forums to make sure I was not adding posts that had already been answered and just creating a general nuisance of myself.

The responses I received gave me matters to think about and pointers as to where to head next, which is useful when you’re learning. Building on my understanding was a combination of taking in the good advice and information in the slides and videos and asking appropriate questions.

I never felt at any time that, if I had tried on my own and had to request more info, I would not be given some sort of support, be it from someone experienced on the course or from Armando, the creator himself.

I would also say that experience from Network+ and CCNA came in useful, as did some of my previous studies in relation to web technology, including HTML and CSS (and limited PHP and SQL); a basic understanding of Linux is also helpful.

The challenge of the exam really does focus on expecting you to apply what you learn; I believe this to be an excellent approach. No exam cram sessions on this one, I am afraid, if you’re really only looking for another CV filler.

I had good fun, and I believe that Armando is building on the course’s success and looking to provide new and interesting experiences for current and potential new students. I look forward to this and hope to continue on as a student and contributor as I learn and have more fun.

If, like me, you wondered whether you had what it took to perform a manual web application penetration test, then this is the one for you!

Details of the course content can be found at http://www.elearnsecurity.com/.
