Social Engineering in IT Security: Tools, Tactics, and Techniques

Sharon Conheady

Published by

McGraw Hill

ISBN

9780071818469

RRP

£27.99

Reviewed by

Jim McGhie CEng MBCS CITP

Score

10 out of 10

Conheady starts by providing a comprehensive introduction to different types of social engineering and explains its evolution through the centuries.

The chapter ends by considering who are today’s social engineers and notes that whilst the overall goals and tactics of social engineering attacks have remained similar through the ages, tools and techniques have been continually adapted in line with developments in information technology.

Following a comprehensive introduction the focus then moves to the human aspects of social engineering with the majority of the remainder of the books being devoted to social engineering testing.

Chapter 2 deals with the legal and ethical obligations associated with testing. I particularly enjoyed chapter 3, which discusses in some detail why social engineering works by considering trust, responsibility and the various aspects of human nature related to social engineering.

In chapters 6 through to 8 the author proposes a social engineering test procedure. It has five distinct stages: planning, research, scenario setting, test execution, and finally writing up the report.

Chapter 9 is devoted to explaining the uses and application of testing tools, listing the more popular tools currently in use, for example, Maltego and Cree.py and Spokeo. The author also suggests other tools to use, including recording devices, bugging devices and phone tools.

In chapter 10 the author considers possible defences against social engineering attacks whilst conceding this to be difficult since they target what is recognised as the weakest link in any security chain, namely the end-user. She also lists a number of indicators that suggest an organisation is the possible victim of a social engineering attack. The final chapter considers where social engineering is heading in the future.

Throughout the main parts of the book there are hints and tips providing valuable information to anyone planning a social engineering test, as well as insights into how attacks are planned and executed for those looking at how to protect themselves and their business.

The book should appeal to anyone interested in updating their thinking and background knowledge on social engineering as well as consultants faced with performing social engineering testing. I award the book 10 out of 10 for its approach, coverage of the material and ease of reading.

Further information: McGraw Hill

December 2014