Learn Social Engineering
eBook - ePub

Dr. Erdal Ozkaya

  • 566 pages
  • English
  • ePUB (mobile friendly)
About This Book

Improve information security by learning Social Engineering.

Key Features

  • Learn to implement information security using social engineering
  • Get hands-on experience of using different tools such as Kali Linux, the Social Engineering toolkit and so on
  • A practical approach to learning social engineering for IT security

Book Description

This book will provide you with a holistic understanding of social engineering. It will help you to avoid and combat social engineering attacks by giving you a detailed insight into how a social engineer operates.

Learn Social Engineering starts by giving you a grounding in the different types of social engineering attacks and the damage they cause. It then sets up a lab environment with the different tools used to perform social engineering steps such as information gathering. The book covers topics from baiting, phishing, and spear phishing to pretexting and scareware.

By the end of the book, you will be in a position to protect yourself and your systems from social engineering threats and attacks.

All in all, the book covers social engineering from A to Z, along with excerpts from many well-known security experts from around the world.

What you will learn

  • Learn to implement information security using social engineering
  • Learn social engineering for IT security
  • Understand the role of social media in social engineering
  • Get acquainted with practical human-hacking skills
  • Learn to think like a social engineer
  • Learn to beat a social engineer

Who this book is for

This book targets security professionals, security analysts, penetration testers, or any stakeholder working with information security who wants to learn how social engineering techniques are used. Prior knowledge of Kali Linux is an added advantage.


Information

  • Year: 2018
  • ISBN: 9781788838009
  • Edition: 1

Ask the Experts – Part 1

Troy Hunt

Troy Hunt is a Microsoft regional director and MVP for Developer Security, an ASPInsider, and an author for Pluralsight. Troy has been building software for browsers since the very early days of the web and possesses an exceptional ability to distill complex subjects into relatable explanations. This has led Troy to become a thought leader in the security industry and produce more than twenty top-rated courses for Pluralsight. Currently, Troy is heavily involved in Have I Been Pwned? (HIBP), a free service that aggregates data breaches and helps people establish the potential impact of malicious web activity. Troy blogs regularly about web security, and is a frequent speaker at industry conferences across the globe and throughout the media, discussing a wide range of technologies. Troy has been featured in a number of articles in publications including Forbes, TIME magazine, Mashable, PCWorld, ZDNet, and Yahoo! Tech. Aside from technology and security, Troy is an avid snowboarder, windsurfer, and tennis player.
We're all born as adept social engineers. I can't recall precisely how effective I was when I was only a few years old, but I've watched my young children in action and they seem to be rather good at it. We learn from a very young age about how to appeal to human emotions so that we can bend them to our will; we make people anxious, fearful, sympathetic, greedy, and eager by pushing just the right buttons. Most amazingly of all, we do it from such a young age without even needing to think about it.
But there are those who think about it a great deal, and indeed, the adept social engineer can turn it into something of an art form. We're all subject to being the victim; it happens every time we see an advertisement. The advertising industry is full of social engineering: buy this product if you want to stay healthy/get rich/have a better bedroom life with your partner. The information-security industry is another that leans heavily on manipulating the feelings of those it targets with promotions—in reality, those hooded bandits in dimly-lit rooms hacking websites are often teenage kids in their bedrooms, but that doesn't create quite the same sense of fear now, does it?
One of the drivers I personally see accelerating the growth of social engineering is the prevalence of data breaches. Here, we have a situation where billions of our personal data records are being taken from systems every year by unauthorized parties. Data on our names, our addresses, our phone numbers, our dates of birth, and, in some cases, even deeply personal attributes such as our sexual preferences. Now think about what that means for social engineering.
Remember what we're dealing with here—social engineering is about the manipulation of humans such that they perform an action or divulge information that they wouldn't normally do had they not been duped into it. Considering those data breaches for a moment, think about what it means for an attacker if they can convince the victim they are indeed that person's bank because they know certain information about them. If someone calls up and says "Hi Mr Jones, this is your bank, do you still live at 27 Smith Street?", that immediately gives the victim a much higher degree of confidence in the authenticity of the social engineer. This is increasingly possible because those personal-information attributes are being leaked all over the place.
It's not just data breaches either; there's the whole Open Source Intelligence (OSINT) space, which relies heavily on information that we ourselves provide publicly. Social media is a great example of that; we leak enough information deliberately to make it significantly easier for those attempting to impersonate us, and, consequently, socially engineer banks, Telcos, and other institutions that rely on this information for identity verification. We're doing it more too—a growing proportion of the population are digital natives; that is, they've never known a time when we didn't willingly share information of this nature socially. It's the new normal.
I was recently invited over to Washington, DC to testify in front of US Congress on precisely this—the impact of data breaches on knowledge-based authentication. During my testimony, I relayed a recent story of how my father attempted to change his broadband plan, which involved calling up the Telco and verifying his identity. They did this by asking him his name, phone number, and date of birth. You know, the same thing that people put on their social media profiles, or, for the cautious folks who don't, have disclosed anyway courtesy of friends who share photos of all the fun they had at a birthday party. It's a genuinely serious issue as it calls into question the very premise of being able to prove one's identity based purely on things they know.
Part of the problem is that the organizations we deal with simply aren't conditioning customers to look for the signs of social engineering. I had an incident recently where I received a call from an individual claiming to be from a bank I have an account with. The phone rang and there was a long period of silence followed by what was clearly a VOIP connection and a foreign accent. The caller claimed to be from my bank and said they just needed to verify my identity first, could I please provide my date of birth:
"Sure, but I need to verify your identity before I provide you with that information."
"But, sir, we're your bank, you can trust us!"
"Well, you say you're my bank but how do I know you are? Can I call you on the phone number on the website?"
"No, that's not the best number, let us give you the number to call."
Yes, that's really how it went down! I told them I believed it was a scam and hung up. I also told the next two people who called over the following days the same thing until I got so frustrated about it that I called the bank themselves (through the number on their website), to report a concerted social-engineering attack. And my account was overdrawn. The calls were real. I was so frustrated by the experience that I lodged a complaint with the bank after which they reduced my home loan rate as a sign of good will! True story.
So, companies themselves are setting people up with behavioral patterns that condition them to be socially engineered. Mind you, the fix can also be quite easy, and it was around about the same time as the aforementioned bank situation that American Express called me due to allegedly fraudulent activity on my card. We did the same dance with them asking me to verify myself and me asking them to do the same, to which they responded, "Sure, turn over your card and call us back on the number you see there." What a gloriously simple mechanism that showed, not only had they given this thought in advance but that the operators at Amex were actually trained to handle this situation.
Another very common social-engineering attack I tracked for a time was the Windows tech-support scam. Every day, we had people all over the world receiving calls from overseas, allegedly from Windows Support. They'd claim the victim's PC had viruses, but not to worry, Microsoft was there to help them! The scammer would then take the victim through a series of steps that usually began by opening the Windows Event Viewer and asking the victim to look for errors. Of course, there are always errors in the Event Viewer, but it would cause the scammer to excitedly exclaim, "See - they're viruses!" They'd then have the victim grant them remote control of the machine through freely available remote desktop software, perform some fixes, and then demand money. Many people paid.
As much as I hated witnessing these scams, I always marveled at how well they demonstrated so many fundamental social-engineering techniques:
  1. A sense of urgency was created when the victim was led to believe their PC was infected
  2. Salvation was promised by the scammer—they were there to help!
  3. Trust was established by showing the victim the errors on their own machine
  4. A false sense of value was created when the fix was implemented
  5. Relief was felt by the victim once Microsoft confirmed the machine was now fixed
Finally, of course, it all culminated in monetization. Consider the rollercoaster of emotions this process took the victims through—it genuinely scared people to the point where they behaved in a way they never would have had they not been manipulated. And, the thing is, we can all easily picture people we know falling precisely for this scam because a technical concept such as "your PC has viruses" is beyond their comprehension.
These are just a few examples of the basic mechanics of social engineering, and, as we create more data, leak more information into the public domain, and get more people using more connected systems, attacking the human becomes more and more prevalent. And the scariest thing of all is that anybody can do it—after all, we've been practicing since birth!

Jonathan C. Trull

As the Senior Director for the Microsoft Enterprise Cybersecurity Group, Jonathan leads Microsoft's team of worldwide Chief Security Advisors to provide thought leadership, strategic direction on the development of Microsoft security products and services, and deep customer and partner engagement around the globe.
In cooperation with Qualys, the SANS Institute, the Council on Cyber Security, and the State of Colorado, he spearheaded the development of the Qualys Top 4 Controls tool, which allows anyone to assess the security of their Windows computer for free. He also worked in cooperation with federal, state, and private-sector partners to form the Colorado Joint Cyber Crime Task Force. This is one of the first cybercrime information-sharing centers in the US, with a primary focus on increasing cyber resiliency within Colorado.
Trull has established himself as an innovative security leader and was recently named by the SANS Institute as one of the People Who Made a Difference in Cybersecurity. He serves as an advisor to several security startups and venture capital firms, and has spoken at major security events such as RSA, Black Hat, Gartner, CSO50, and SANS. Trull is a Certified Information Systems Auditor (CISA) and an Offensive Security Certified Professional (OSCP). He earned a master's degree from the University of North Texas and a bachelor's degree from Metropolitan State University of...