Social Engineering - Christopher Hadnagy [7]
In 2003 the Computer Security Institute did a survey along with the FBI and found that 77% of the companies interviewed cited a disgruntled employee as the source of a major security breach. Vontu, the data loss prevention section of Symantec (http://go.symantec.com/vontu/), says that 1 out of every 500 emails contains confidential data. Some of the highlights of that report, quoted from http://financialservices.house.gov/media/pdf/062403ja.pdf, are as follows:
62% reported incidents at work that could put customer data at risk for identity theft.
66% say their co-workers, not hackers, pose the greatest risk to consumer privacy. Only 10% said hackers were the greatest threat.
46% say it would be “easy” to “extremely easy” for workers to remove sensitive data from the corporate database.
32%, about one in three, are unaware of internal company policies to protect customer data.
These are staggering and stomach-wrenching statistics.
Later chapters discuss these numbers in more detail. The numbers show a serious flaw in the way security itself is handled. When education happens, ideally before a breach, people can make changes that prevent unwanted loss, pain, and monetary damage.
Sun Tzu said, “If you know the enemy and know yourself you need not fear the results of a hundred battles.” How true those words are, but knowing is just half the battle. Action on knowledge is what defines wisdom, not just knowledge alone.
This book is most effective when used as a handbook or guide through the world of social attacks, social manipulation, and social engineering.
What’s Coming Up
This book is designed to cover all aspects, tools, and skills used by professional and malicious social engineers. Each chapter delves deep into the science and art of a specific social engineering skill to show you how it can be used, enhanced, and perfected.
The next section of this chapter, “Overview of Social Engineering,” defines social engineering and what roles it plays in society today, as well as the different types of social engineering attacks, including other areas of life where social engineering is used in a non-malicious way. I will also discuss how a social engineer can use the social engineering framework in planning an audit or enhancing his own skills.
Chapter 2 is where the real meat of the lessons begins. Information gathering is the foundation of every social engineering audit. The social engineer’s mantra is, “I am only as good as the information I gather.” A social engineer can possess all the skills in the world, but if he or she doesn’t know about the target, if the social engineer hasn’t outlined every intimate detail, then failure is far more likely. Information gathering is the crux of every social engineering engagement, although people skills and the ability to think on your feet can help you get out of a sticky situation. More often than not, the more information you gather, the better your chances of success.
The questions that I will answer in that chapter include the following:
What sources can a social engineer use?
What information is useful?
How can a social engineer collect, gather, and organize this information?
How technical should a social engineer get?
How much information is enough?
After the analysis of information gathering, the next topic addressed in Chapter 2 is communication modeling. This topic closely ties in with information gathering. First I will discuss what communication modeling is and how it began as a practice. Then the chapter walks through the steps needed to develop and then use a proper communication model. It outlines how a social engineer uses this model against a target and the benefits of outlining it for every engagement.
Chapter 3 covers elicitation, the next logical step in the framework. It offers a very in-depth look into how questions are used to gain information,