Book review: Social Engineering – the Art of Human Hacking
By Derek Knights
I recently attended the Association of Certified Fraud Examiners Annual Conference in San Diego. Besides some terrific presentations and networking events, there was a bookstore. I’m a sucker for bookstores and I picked up enough books that I had to pay duty when I came back. One of those books was Social Engineering: The Art of Human Hacking, by Christopher Hadnagy. This is a worthwhile book for anyone in the security management and operations field, including investigations. And while it’s heavily IT-flavoured, it’s not just for the IT folks — in fact, it’s likely more valuable to non-IT personnel.
Hadnagy conducts penetration tests and so uses social engineering techniques in his work. He developed and operates www.social-engineer.org. This book and that website interact a great deal. I recommend you read it with your netbook or iPad handy, if only for the old “Candid Camera” clip from the ’60s. (There, that’s a social engineering technique right there!)
The book itself is laid out with a good table of contents and index, so this book can be used easily as a reference, and indeed, the author states early on that the book is intended to be a study guide, not a once-read manual.
The easy “sort-of” definition of social engineering is using persuasion and emotions to control people or get them to do what you want them to do, often (unwittingly or not) against their own interests. There’s usually a little trickery and deceit, too. Hadnagy never really defines it in the book but explains that it is a “framework,” not a mere term or simple activity. He builds on this theme through the structure of the book and the related website. The early chapters cover information-gathering, elicitation and pretexting, and then the book moves on to topics such as persuasion and mind tricks. It stumbles a bit in a chapter on neuro-linguistic programming and micro-expressions since these are controversial and complex topics that need more space than they are given. There are some (likely unintentionally) funny photos, but also a really good colour-coded example of “Human Buffer Overflow.”
There is a very interesting section on influence, which discusses, among other things, how advertising works and how those ideas can be used (or misused) by a social engineer. It’s also the chapter that sends the reader to a very funny and illuminating clip from the old “Candid Camera” TV show (www.social-engineer.org/framework/Influence_Tactics:_Consensus_or_Social_Proof). Security professionals can draw on these both to act as social engineers and to combat them, and to train people to recognize social engineering attempts.
The book ends with a convoluted and bloated chapter on tools of the social engineer, some specific case studies and ultimately a short but effective chapter on prevention. The case studies are very IT-centric, as are many in the preceding chapters. But there are a lot of examples of strictly verbal persuasion — which in my experience is the most common type your front lines face on a day-to-day basis.
Hadnagy’s writing style is easy to read, if a bit fervent-bordering-on-frantic. He is passionate about the subject and truly believes in what he writes about. With only a few spots where the tempo drags, this book is easy to read and understand, is quite enjoyable and is certainly usable for the security and investigation professional. Introducing us to the website is an unexpected bonus.
Derek Knights, CPP, CISSP, CFE, CIPP/C, PCI, is Director, Corporate Investigations with Sun Life Financial.