Social Engineering - Christopher Hadnagy [16]
The purpose of the framework is to give enough information for anyone to build on these skills. The framework is not designed to be an all-inclusive resource for all information in each chapter. For example, the portion of Chapter 5 that covers microexpressions is based on the research of some of the greatest minds in this field and my experience in using that information. By no means is it meant to replace the 50 years of research by such great minds as Dr. Paul Ekman.
As you read through the framework you will see that by utilizing the many skills within it, you can not only enhance your security practice, but also your mindset about how to remain secure, how to communicate more fully, and how to understand how people think.
Refer to the table of contents for a clear picture of the framework or view it online at www.social-engineer.org/framework. At first glance the framework may appear daunting, but inside this book you will find an analysis of each topic that will enable you to apply, enhance, and build these skills.
Knowledge is power—it is true. In this sense, education is the best defense against most social engineering attacks. Even for the attacks that knowledge can't protect you 100 percent against, knowing the details of how they work keeps you alert. Education can help you enhance your own skills, as well as stay alert.
Along with education, though, you need practice. This book was not designed to be a once-read manual; instead it was designed to be a study guide. You can practice and customize each section for your needs. The framework is progressive in the sense that it is the way a social engineering attack is laid out. Each section of the framework discusses the next topic in the order that a social engineer might utilize that skill in their engagement or planning phases.
The framework shows how an attack might be outlined. After the attack is planned out, the skills that are needed can be studied, enhanced, and practiced before delivery.
Suppose, for example, that you are planning a social engineering audit against a company that wants to see whether you could gain access to its server room and steal data.
Maybe your plan of attack would be to pretend to be a tech support person who needs access to the server room. You would want to gather information, maybe even perform a dumpster dive.
Then under the pretext of being the tech guy, you could utilize some covert camera tools as well as practice the proper language and facial/vocal cues for how to act, sound, and look like a tech guy.
If you locate which company your client uses for tech support, you may need to do information gathering on it as well. Who does your client normally get to service them? What are the names of the employees with whom they interact? The attack needs to be planned out properly.
This book is not just for those who perform audits, though. Many readers are curious about what the attacks are, not because they are protecting a company, but because they need to protect themselves. Not being aware of the way a malicious social engineer thinks can lead someone down the path toward being hacked.
College students in the field of security have also used the framework. The information in the framework outlines a realistic path for these vectors, or methods of attack, and enables the reader to study them in depth.
Generally, this information can also help enhance your ability to communicate in everyday life. Knowing how to read facial expressions or how to use questions to put people at ease and elicit positive responses can enhance your ability to communicate with your family and friends. It can assist you in becoming a good listener and more aware of people’s feelings.
Being able to read people’s body language, facial expressions, and vocal tones can also enhance your ability to be an effective communicator. Understanding how to protect yourself and your loved ones will only make you more valuable and more aware of the world around you.
Summary