Social Engineering Penetration Testing

Executing Social Engineering Pen Tests, Assessments and Defense

Gavin Watson, Andrew Mason, Richard Ackroyd

  1. 390 pages
  2. English
  3. ePUB (mobile friendly)

About This Book

Social engineering attacks target the weakest link in an organization's security: human beings. Everyone knows these attacks are effective, and everyone knows they are on the rise. Now, Social Engineering Penetration Testing gives you the practical methodology and everything you need to plan and execute a social engineering penetration test and assessment. You will gain fascinating insights into how social engineering techniques including email phishing, telephone pretexting, and physical vectors can be used to elicit information or manipulate individuals into performing actions that may aid in an attack. Using the book's easy-to-understand models and examples, you will have a much better understanding of how best to defend against these attacks.

The authors of Social Engineering Penetration Testing show you hands-on techniques they have used at RandomStorm to provide clients with valuable results that make a real difference to the security of their businesses. You will learn about the differences between social engineering pen tests lasting anywhere from a few days to several months. The book shows you how to use widely available open-source tools to conduct your pen tests, then walks you through the practical steps to improve defense measures in response to test results.

  • Understand how to plan and execute an effective social engineering assessment
  • Learn how to configure and use the open-source tools available for the social engineer
  • Identify parts of an assessment that will most benefit time-critical engagements
  • Learn how to design target scenarios, create plausible attack situations, and support various attack vectors with technology
  • Create an assessment report, then improve defense measures in response to test results


Information

Publisher: Syngress
Year: 2014
ISBN: 9780124201828

Chapter 1

An Introduction to Social Engineering

Gavin Watson, Senior Security Engineer, RandomStorm Limited
This chapter will introduce the reader to the concept of social engineering.
Information in this chapter
  • Defining social engineering
  • Examples from the movies
    • Sneakers
    • Hackers
    • Matchstick Men
    • Dirty Rotten Scoundrels
    • The Imposter
  • Famous social engineers
    • Kevin Mitnick
    • Frank Abagnale
    • Badir Brothers
    • Chris Hadnagy
    • Chris Nickerson
  • Real-world attacks
    • The RSA breach
    • The Buckingham Palace breach
    • The Financial Times breach
    • The Microsoft XBox breach
    • Operation Camion

Introduction

This chapter has the sole aim of introducing the reader to the concept of social engineering. There are various definitions, some vague and others precise, and these will be discussed in order to explain what the concept of social engineering is really about. Everyday examples will be used to show the reader the various forms of social engineering used, highlighting how such techniques are not necessarily confined to the realm of criminal activity.
To further understand the social engineering concept, this chapter will then discuss some of the excellent examples from various movies. With the assistance of poetic license, writers have been able to create wonderful examples of how social engineering could potentially be used. Although these examples are of course fictitious, they are in fact based on very real techniques, providing criminal minds with inspiration as well as providing entertainment.
Certain individuals have pioneered social engineering techniques, resulting in some being made famous and others fairly notorious. The exploits of both historical and modern day social engineers, such as Kevin Mitnick and Frank Abagnale, will be covered. This will demonstrate how single individuals have used these techniques to achieve extraordinary breaches of seemingly robust security.
This chapter will conclude by focusing on the negative side of social engineering and how it has been used to commit crime. The various attacks discussed demonstrate the true reality of the situation: Social engineering attacks are routinely being used by organized criminal groups and they are a highly effective means of assault.

Defining social engineering

Social engineering has many definitions depending on which book you read or to whom you speak. The Oxford dictionary defines it as:
The application of sociological principles to specific social problems…
Despite being partially relevant, in truth it falls far short of accurately describing what "real world" social engineering truly is.
Another possible definition of social engineering might be:
The art of intentionally manipulating behaviour using specially crafted communication techniques.
This definition reduces social engineering down to the absolute basics of leveraging communication in all its possible manifestations with the objective of exploiting the human factor. Therefore, where there is interaction there is always the capacity and potential for social engineering. The most fundamental example of this would be the act of lying. Although the historical roots of individuals committing immoral acts is beyond the scope of this book, it is important to note that social engineering is as old as communication itself.
The SANS Institute's definition [1] provides an alternative explanation, which is certainly closer to the mark with:
Social engineering is the 'art' of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.
The important part of this definition is the context within which the concept is applied. You could define social engineering as the techniques used to elicit information or manipulate behavior but that doesn't do it justice in the context of information security, which is the focus of this book. When it comes to securing your business' sensitive information, social engineering then becomes:
The art of eliciting sensitive information and/or manipulating individuals into performing actions that may result in a security breach.
You could argue that eliciting sensitive information is in itself a security breach, but what is meant in this definition are breaches of network or physical security or indeed both. This definition and the context of business information security is the basis for all information within this book.
Considering the use of the word "art" in the previous definition, is social engineering regarded as an art form? The authors of this book believe the answer to that must be yes. Social engineering is not an exact science, often involving the application of very creative thinking. This book aims to present very logical and structured models to aid in social engineering assessments; however, it does not mean that social engineering can be completely reduced to an absolute "if A set of actions then B." The models presented in this book help to ensure value for the client through accurate and thorough assessments. However, once these models have been followed the social engineer can apply all manner of creative spins on the scenarios, providing of course that they don't then contradict the advice of the models used in the first place.
The various social engineering techniques aim to exploit vulnerabilities in human nature rather than those of a computer system. The terms "human hacking" and "hacking wetware" have been used in obscure security articles and some "cyberpunk" inspired novels to describe social engineering methods. A typical social engineer may use myriad psychological techniques to manipulate their target; these can range from leveraging emotional states through to clever sentence structure and personality profiling. The techniques used vary greatly and so social engineering can be thought of as an eclectic collection of manipulation techniques. However, it is not just limited to psychological trickery. Social engineers may use props and disguises and even go to the great lengths of creating entire scenarios involving many different stages to achieve their objectives. The techniques can also be applied to other platforms such as telephone calls or e-mail, not just face-to-face encounters.
Arguably one of the finest examples of individuals that engage in social engineering techniques are successful sales persons. The average sales person has one simple objective: to sell their service or product to their client. In order to do this the sales person will not simply ask the client if they would like to buy, but rather leverage every possible available technique to influence the client's decision. A very simplistic example would be the use of open rather than closed questions. A closed question can be answered with a simple "Yes" or "No" whereas an open question requires a lengthier, often less absolute answer. For example, the sales person may say:
"So how many would you like to buy?" rather than "Would you like to buy it?", or "How can I help you?" rather than, "Can I help you?"
There are even various sales models and methodologies focused simply on overcoming client objections to successfully close a sale. However, the parallels between successful social engineers and successful salesmen go far beyond the standard sales process.
The very best salesmen will research their potential client, perhaps simply to find something they have in common to talk about. Mentioning your latest golf exploits at the end of the meeting may well gain favor with a client that has a keen interest in the sport. Some sales persons may take this even further by actually profiling their client, reading any available information associated with the subject to provide a better "sales pitch." This initial reconnaissance is mirrored in the first stages of a social engineering attack with the target company and the staff research. Social engineers will harvest as much information as they can to increase the chances of perpetrating a successful attack. Consequently, both salesmen and social engineers will take full advantage of getting to know their targets very well.
Additionally social engineers may try to impersonate individuals to elicit sensitive information from their targets. Similarly, the successful sales person may also try impersonation in an attempt to gain a foothold for the sales process. For example, impersonating staff members simply to get a direct telephone number to a particular department or specific staff member or to elicit information on competing sales companies. Social engineers will contact the target company to elicit similar information to aid in further attacks. The only difference is the ultimate objective with the salesman wanting a sale and the social engineer wanting to gain access to sensitive information or to gain information they can use to attack the company in some other way.
Therefore it can be said that salesmen make the best social engineers, with their natural confidence, positive attitude, and experience of effective influencing techniques. Their sole purpose is to sell you a concept or an idea. However, when that concept changes from buying something to giving up your password, you'd best be on your guard, buyers beware!
There are a plethora of individuals in everyday life that use social engineering techniques, not just clever sales persons. In fact you may have used the techniques many times yourself, perhaps to convince a friend to do something or prise some snippet of information out of a colleague. Indeed numerous agencies, departments, organizations or groups are known to employ such techniques as part and parcel of their standard "trade craft." For example:
  • Law enforcement agencies, in order to draw information out of alleged criminal suspects
  • Private investigators, to elicit information
  • Lawyers, when questioning the witness
  • Grifters and hustlers, when tricking their mark
  • Even children, when trying to manipulate their parents
  • Organized criminals, when attacking businesses

Examples from the movies

Poetic license has enabled writers to create some of the most entertaining and often ludicrous social engineering scenarios. Although most of the creative hustles we see in the movies are somewhat far-fetched, they are almost always based on very real techniques. In truth the movies can often demonstrate what could potentially be possible if the social engineer was daring enough and had the available resources to attempt it.

Sneakers

The 1992 film Sneakers directed by Phil Alden Robinson is full of excellent examples of social engineering techniques. The main character Martin Bishop runs a Tiger Team [2] style company who specialize in breaking security systems, with the aim of helping the client better defend against similar attacks. The team are approached by government officials and pressured into retrieving a mysterious "black box" device from the famous mathematician Dr. Gunter Janek. The box is believed to have been built for the former Soviet government and the United States are concerned that it may be a case of national security. Martin and his team retrieve the box, discovering that it is able to break any US encryption scheme. Martin hands the box over to the government officials but soon realizes that they were in fact impostors and his team then has to pull off their most difficult mission yet to get the box back and into safe hands.
The scene where Martin is approached by the "government officials" and asked to perform the task of retrieving the black box device is an excellent example of multiple social engineering techniques. The two government officials are impostors, actually working for a criminal organization. Martin is duped and drawn into their plot by a number of factors. First, the two officials present plausible facades as government officials: they have what appears to be the correct credentials, talk like government officials and even produce information that Martin presumes only a government would have. All these reaffirm their credibility and so to Martin the two men look, sound and act exactly like the people they are trying to impersonate. They both put pressure on Martin and make him focus on an ultimatum: help them or have his real identity as a computer hacker used against him. In doing so they successfully manipulate Martin into agreeing to help them, all the time keeping his attention fixed on his situation and leaving no room for doubting their actual identities. Despite performing similar impersonations countless times, Martin falls for their scam completely. The social engineering element of this scene is the combination of impersonation, choice of words and subtly guiding the victim to focus on the right elements.
For Martin to achieve his objective he needs to break into the building where the black box is initially located, by gaining access through reception. Again, this is accomplished by using more than one social engineering technique. One of the team members approaches reception claiming that they have a delivery to take inside. The receptionist refuses to allow them entry and the team member continues to try and convince the receptionist to make an exception, claiming that they may lose their job. This is already an attempt to invoke guilt in the target to try and make them comply. Simultaneously, Martin approaches the desk asking if his wife had dropped a cake off, referencing the second floor of the building. The purpose of this is to plant the seed of credibility while the receptionist is distracted. The receptionist then returns to arguing with the delivery driver. Martin leaves before returning with a cake and balloons, asking the receptionist to release the locking mechanism as he has no hands free to retrieve his card (a card he doesn't have). With the receptionist distracted by the delivery driver and an ensuing argument, Martin then shouts at the receptionist to "Push the damn buzzer will you!" Of course the receptionist immediately does so to escape the increasingly stressful situation. The two team members both impersonate different individuals and play out a scenario designed to confuse, disorientate and stress the receptionist, manipulating him into opening the door for Martin. The situation or scenario is entirely plausible and that results in the security bei...
