Social Engineering - Christopher Hadnagy [194]
This whole book boils down to “security through education.” Human hacking is an art form. Social engineering is a blend of science, art, and skill; when these are combined in the right amounts, the result is “shikata ga nai.”
Companies lose millions of dollars per year to breaches, with a large majority of those breaches stemming from social engineering attacks. Yet, more often than not, when we offer clients the chance to add social engineering auditing to their pentesting services they decline.
Why?
Companies tend to fear change. Countless times in my professional practice I have heard intelligent and successful business owners say things like, “We don’t need a social engineering audit. Our people won’t fall for those tricks.” Then, during the pentest, we will make a few authorized phone calls to get information, and when we present that information in the report they are amazed at how easy it was to obtain.
At all levels of various companies, security awareness doesn’t tend to change much. When we spoke to companies after a pentest about a security awareness training program we had launched, many told us they do not perform formal, intensive training for call center or tech support departments. Yet those are the same departments that most often fall for social engineering attacks.
This points to the core of the problem that I am speaking about here. Security through education cannot be a simple catch phrase; it has to become a mission statement. Until companies and the people who make up those companies take security personally and seriously, this problem won’t be fixed completely. In the meantime, those who were serious enough to read this book and to have a desire to peer into the dark corners of society can enhance their skills enough to keep their families, selves, and companies a little more secure.
When the “lion roars,” be the one who is at the front of the pack leading the exodus out of the way. Be an example of what to do and how to defend against these attacks.
With enough time and enough effort anyone can be social engineered. Those words are true, as scary as they are. That doesn’t mean there is no hope; it means your job is to make malicious social engineering so difficult and time consuming that most hackers will give up and go after “low-hanging fruit” or the prey that is left behind. I know; it sounds cold. I would love it if everyone would read this book and make some massive changes—then companies would be truly secure. But that is just not the world we live in.
That statement, then, raises a very serious question. If there truly is no hope, how can companies, people, families, and everyone protect against this massive vulnerability? Until companies begin to realize their vulnerability to social engineering attacks, individuals will have to educate themselves about attack methods and stay vigilant, as well as spread the word to others. Only then do we have hope of staying if not one step ahead of an attack, then not too far behind.
Summary
As I conclude this book, I hope it has opened your eyes to the world of social engineering. I hope that it will continue to help you take note of the potential for malicious attacks. I hope it has helped you build or maintain a healthy fear of the potential for disaster.
I also hope this book helps you to protect your businesses, your families, your children, your investments, and your life. I hope that the information within has shown you that staying completely secure and protected is not impossible.
Mati Aharoni, my mentor, says in one of his classes that the reason the bad guys usually win is because they have dedication, time, and motivation on their side. Don’t let life get in the way of security. Conversely, don’t let too much fear of the bad guys keep you from enjoying life.
I hope that applying the principles in this book enhances your ability to read and communicate more effectively with people around you. Using them in many aspects of your life, not just security, can prove to be a life-altering exercise.