Social Engineering Penetration Testing
eBook - ePub


Executing Social Engineering Pen Tests, Assessments and Defense

Gavin Watson, Andrew Mason, Richard Ackroyd

  • 390 pages
  • English
  • ePUB (mobile-friendly)
  • Available on iOS and Android


About this book

Social engineering attacks target the weakest link in an organization's security: human beings. Everyone knows these attacks are effective, and everyone knows they are on the rise. Now, Social Engineering Penetration Testing gives you the practical methodology and everything you need to plan and execute a social engineering penetration test and assessment. You will gain fascinating insights into how social engineering techniques, including email phishing, telephone pretexting, and physical vectors, can be used to elicit information or manipulate individuals into performing actions that may aid in an attack. Using the book's easy-to-understand models and examples, you will have a much better understanding of how best to defend against these attacks.

The authors of Social Engineering Penetration Testing show you hands-on techniques they have used at RandomStorm to provide clients with valuable results that make a real difference to the security of their businesses. You will learn about the differences between social engineering pen tests lasting anywhere from a few days to several months. The book shows you how to use widely available open-source tools to conduct your pen tests, then walks you through the practical steps to improve defense measures in response to test results.

  • Understand how to plan and execute an effective social engineering assessment
  • Learn how to configure and use the open-source tools available for the social engineer
  • Identify parts of an assessment that will most benefit time-critical engagements
  • Learn how to design target scenarios, create plausible attack situations, and support various attack vectors with technology
  • Create an assessment report, then improve defense measures in response to test results

Is Social Engineering Penetration Testing available as an online PDF/ePub?
Yes, you have access to Social Engineering Penetration Testing by Gavin Watson, Andrew Mason, Richard Ackroyd in PDF and/or ePub format, as well as to other popular books in Computer Science & Systems Architecture. Over 1 million books are available from our catalogue.

Information

Publisher
Syngress
Year
2014
ISBN
9780124201828
Chapter 1

An Introduction to Social Engineering

Gavin Watson, Senior Security Engineer, RandomStorm Limited
This chapter will introduce the reader to the concept of social engineering.
Information in this chapter
• Defining social engineering
• Examples from the movies
  • Sneakers
  • Hackers
  • Matchstick Men
  • Dirty Rotten Scoundrels
  • The Imposter
• Famous social engineers
  • Kevin Mitnick
  • Frank Abagnale
  • Badir Brothers
  • Chris Hadnagy
  • Chris Nickerson
• Real-world attacks
  • The RSA breach
  • The Buckingham Palace breach
  • The Financial Times breach
  • The Microsoft XBox breach
  • Operation Camion

Introduction

This chapter has the sole aim of introducing the reader to the concept of social engineering. There are various definitions, some vague and others precise, and these will be discussed in order to explain what the concept of social engineering is really about. Everyday examples will be used to show the reader the various forms of social engineering used, highlighting how such techniques are not necessarily confined to the realm of criminal activity.
To further understand the social engineering concept, this chapter will then discuss some of the excellent examples from various movies. With the assistance of poetic license, writers have been able to create wonderful examples of how social engineering could potentially be used. Although these examples are of course fictitious, they are in fact based on very real techniques, providing criminal minds with inspiration as well as providing entertainment.
Certain individuals have pioneered social engineering techniques, resulting in some being made famous and others fairly notorious. The exploits of both historical and modern-day social engineers, such as Kevin Mitnick and Frank Abagnale, will be covered. This will demonstrate how single individuals have used these techniques to achieve extraordinary breaches of seemingly robust security.
This chapter will conclude by focusing on the negative side of social engineering and how it has been used to commit crime. The various attacks discussed demonstrate the true reality of the situation: Social engineering attacks are routinely being used by organized criminal groups and they are a highly effective means of assault.

Defining social engineering

Social engineering has many definitions depending on which book you read or to whom you speak. The Oxford dictionary defines it as:
The application of sociological principles to specific social problems

Despite being partially relevant, in truth it falls far short of accurately describing what “real world” social engineering truly is.
Another possible definition of social engineering might be:
The art of intentionally manipulating behaviour using specially crafted communication techniques.
This definition reduces social engineering down to the absolute basics of leveraging communication in all its possible manifestations with the objective of exploiting the human factor. Therefore, where there is interaction there is always the capacity and potential for social engineering. The most fundamental example of this would be the act of lying. Although the historical roots of individuals committing immoral acts are beyond the scope of this book, it is important to note that social engineering is as old as communication itself.
The SANS Institute’s definition1 provides an alternative explanation, which is certainly closer to the mark with:
Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.
The important part of this definition is the context within which the concept is applied. You could define social engineering as the techniques used to elicit information or manipulate behavior, but that doesn’t do it justice in the context of information security, which is the focus of this book. When it comes to securing your business’ sensitive information, social engineering then becomes:
The art of eliciting sensitive information and/or manipulating individuals into performing actions that may result in a security breach.
You could argue that eliciting sensitive information is in itself a security breach, but what is meant in this definition are breaches of network or physical security or indeed both. This definition and the context of business information security is the basis for all information within this book.
Considering the use of the word “art” in the previous definition, is social engineering regarded as an art form? The authors of this book believe the answer to that must be yes. Social engineering is not an exact science, often involving the application of very creative thinking. This book aims to present very logical and structured models to aid in social engineering assessments; however, that does not mean that social engineering can be completely reduced to an absolute “if A set of actions then B.” The models presented in this book help to ensure value for the client through accurate and thorough assessments. However, once these models have been followed, the social engineer can apply all manner of creative spins on the scenarios, providing of course that they don’t then contradict the advice of the models used in the first place.
The various social engineering techniques aim to exploit vulnerabilities in human nature rather than those of a computer system. The terms “human hacking” and “hacking wetware” have been used in obscure security articles and some “cyberpunk” inspired novels to describe social engineering methods. A typical social engineer may use myriad psychological techniques to manipulate their target; these can range from leveraging emotional states through to clever sentence structure and personality profiling. The techniques used vary greatly, and so social engineering can be thought of as an eclectic collection of manipulation techniques. However, it is not just limited to psychological trickery. Social engineers may use props and disguises and even go to the great lengths of creating entire scenarios involving many different stages to achieve their objectives. The techniques can also be applied to other platforms such as telephone calls or e-mail, not just face-to-face encounters.
Arguably one of the finest examples of individuals that engage in social engineering techniques are successful sales persons. The average sales person has one simple objective: to sell their service or product to their client. In order to do this the sales person will not simply ask the client if they would like to buy, but rather leverage every possible available technique to influence the client’s decision. A very simplistic example would be the use of open rather than closed questions. A closed question can be answered with a simple “Yes” or “No” whereas an open question requires a lengthier, often less absolute answer. For example, the sales person may say:
“So how many would you like to buy?” rather than “Would you like to buy it?”, or “How can I help you?” rather than, “Can I help you?”
There are even various sales models and methodologies focused simply on overcoming client objections to successfully close a sale. However, the parallels between successful social engineers and successful salesmen go far beyond the standard sales process.
The very best salesmen will research their potential client, perhaps simply to find something they have in common to talk about. Mentioning your latest golf exploits at the end of the meeting may well gain favor with a client that has a keen interest in the sport. Some sales persons may take this even further by actually profiling their client, reading any available information associated with the subject to provide a better “sales pitch.” This initial reconnaissance is mirrored in the first stages of a social engineering attack with the target company and the staff research. Social engineers will harvest as much information as they can to increase the chances of perpetrating a successful attack. Consequently, both salesmen and social engineers will take full advantage of getting to know their targets very well.
Additionally, social engineers may try to impersonate individuals to elicit sensitive information from their targets. Similarly, the successful sales person may also try impersonation in an attempt to gain a foothold for the sales process, for example by impersonating staff members simply to get a direct telephone number to a particular department or specific staff member, or to elicit information on competing sales companies. Social engineers will contact the target company to elicit similar information to aid in further attacks. The only difference is the ultimate objective, with the salesman wanting a sale and the social engineer wanting to gain access to sensitive information or to gain information they can use to attack the company in some other way.
Therefore it can be said that salesmen make the best social engineers, with their natural confidence, positive attitude, and experience of effective influencing techniques. Their sole purpose is to sell you a concept or an idea. However, when that concept changes from buying something to giving up your password, you’d best be on your guard, buyers beware!
There are a plethora of individuals in everyday life that use social engineering techniques, not just clever sales persons. In fact you may have used the techniques many times yourself, perhaps to convince a friend to do something or prise some snippet of information out of a colleague. Indeed numerous agencies, departments, organizations or groups are known to employ such techniques as part and parcel of their standard “trade craft.” For example:
• Law enforcement agencies, in order to draw information out of alleged criminal suspects
• Private investigators, to elicit information
• Lawyers, when questioning the witness
• Grifters and hustlers, when tricking their mark
• Even children, when trying to manipulate their parents
• Organized criminals, when attacking businesses.

Examples from the movies

Poetic license has enabled writers to create some of the most entertaining and often ludicrous social engineering scenarios. Although most of the creative hustles we see in the movies are somewhat far-fetched, they are almost always based on very real techniques. In truth the movies can often demonstrate what could potentially be possible if the social engineer was daring enough and had the available resources to attempt it.

Sneakers

The 1992 film Sneakers directed by Phil Alden Robinson is full of excellent examples of social engineering techniques. The main character Martin Bishop runs a Tiger Team2 style company who specialize in breaking security systems, with the aim of helping the client better defend against similar attacks. The team are approached by government officials and pressured into retrieving a mysterious “black box” device from the famous mathematician Dr. Gunter Janek. The box is believed to have been built for the former Soviet government and the United States are concerned that it may be a case of national security. Martin and his team retrieve the box, discovering that it is able to break any US encryption scheme. Martin hands the box over to the government officials but soon realizes that they were in fact impostors and his team then has to pull off their most difficult mission yet to get the box back and into safe hands.
The scene where Martin is approached by the “government officials” and asked to perform the task of retrieving the black box device is an excellent example of multiple social engineering techniques. The two government officials are impostors, actually working for a criminal organization. Martin is duped and drawn into their plot by a number of factors. First, the two officials present plausible facades as government officials: they have what appears to be the correct credentials, talk like government officials and even produce information that Martin presumes only a government would have. All these reaffirm their credibility and so to Martin the two men look, sound and act exactly like the people they are trying to impersonate. They both put pressure on Martin and make him focus on an ultimatum: help them or have his real identity as a computer hacker used against him. In doing so they successfully manipulate Martin into agreeing to help them, all the time keeping his attention fixed on his situation and leaving no room for doubting their actual identities. Despite performing similar impersonations countless times, Martin falls for their scam completely. The social engineering element of this scene is the combination of impersonation, choice of words and subtly guiding the victim to focus on the right elements.
For Martin to achieve his objective he needs to break into the building where the black box is initially located, by gaining access through reception. Again, this is accomplished by using more than one social engineering technique. One of the team members approaches reception claiming that they have a delivery to take inside. The receptionist refuses to allow them entry and the team member continues to try and convince the receptionist to make an exception, claiming that they may lose their job. This is already an attempt to invoke guilt in the target to try and make them comply. Simultaneously, Martin approaches the desk asking if his wife had dropped a cake off, referencing the second floor of the building. The purpose of this is to plant the seed of credibility while the receptionist is distracted. The receptionist then returns to arguing with the delivery driver. Martin leaves before returning with a cake and balloons, asking the receptionist to release the locking mechanism as he has no hands free to retrieve his card (a card he doesn’t have). With the receptionist distracted by the delivery driver and an ensuing argument, Martin then shouts at the receptionist to “Push the damn buzzer will you!” Of course the receptionist immediately does so to escape the increasingly stressful situation. The two team members both impersonate different individuals and play out a scenario designed to confuse, disorientate and stress the receptionist, manipulating him into opening the door for Martin. The situation or scenario is entirely plausible and that results in the security bei...
