Social Engineering: The Art of Human Hacking02 Dec 2012 in Security
I just got done reading Christopher Hadnagy's Social Engineering: The Art of Human Hacking. If you are interested in the social aspects of information security, this provides an in-depth view of the actual techniques and science behind social engineering. While books like Kevin Mitnick's The Art of Deception and The Art of Intrusion tell amusing and noteworthy stories of social engineering hacking, Hadnagy's book tells you why and how it works. Hadnagy's exposure all reveals the most important lesson -- how to defend against the attacks.
Hadnagy takes you through all the steps of a social engineering exploit -- from information gathering to the exploit. He discusses techniques like elicitation (extracting information from a target), influence (getting them to do what you want), pretexting (developing the back story that makes the attack believable), micro-expressions (control the subtle muscle movements that can give you away), and neuro-linguistic programming (the exact way you say things can make a big difference).
It doesn't matter if you're blue team, trying to protect your valuable assets against attack, or red team, trying to get in there, but it's critical you know how to exploit the human element of security. After all, the devil you know is better than the devil you don't.