Social Engineering Penetration Testing
Executing Social Engineering Pen Tests, Assessments and Defense
Gavin Watson
Andrew Mason
Richard Ackroyd
Foreword by Chris Hadnagy
Copyright
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Malathi Samayan
Designer: Mark Rogers
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
Copyright © 2014 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Watson, Gavin, 1982
Social engineering penetration testing: executing social engineering pen tests, assessments and defense/Gavin Watson, Andrew Mason, Richard Ackroyd.
pages cm.
Includes bibliographical references and index.
ISBN 978-0-12-420124-8 (alk. paper)
1. Social engineering. I. Title.
HM668.W38 2014
303.372--dc23
2014003510
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-420124-8
For information on all Syngress publications visit our website at http://store.elsevier.com/Syngress
Printed and bound in USA
14 15 16 17 10 9 8 7 6 5 4 3 2 1
Foreword
I can still remember clearly when I sat down and started writing the framework at social-engineer.org. I searched the Internet for helpful hints on topics I wanted to cover. Nevertheless, Social Engineering was not a hot topic at that time.
I could find videos on getting free food from drive-thrus or picking up girls, but nothing to do with security. Around the same time I was writing the framework, I worked hard to try and include social engineering in any security work I was doing. Most of the time companies would say things like, "Why try? We know we will fail." or "There is no way anything like that would work on me!"
I even resorted to giving away the services at times, just to prove how dangerous social engineering was. Fast forward now, years into the future, people are emailing and calling for quotes on social engineering work every day. With the increase in interest comes the increase in providers of these services.
Unfortunately, for you, the readers of this book, there are so many providers it must be mind-numbing to try and choose the right one. You may have asked yourself questions like "How do I know I am working with a good provider of SE services?", "What is a social engineering pentest really?" and many more questions.
When I was approached about writing the foreword for this book, I was pretty strict about slapping a foreword inside these pages, until I read the book and understood what message these guys were trying to send. I had a few phone meetings to discuss their thoughts on topics and then I received the early editions of their writing.
As I read through each chapter, I felt like I found a group of guys who got it. They made it clear what a social engineering pentest is, what questions you should ask, and how you can make the best of the budget you have to include this very important aspect into your yearly checkups.
Years later, here I am still offering social engineering services. I used to be one of the few, now one of the many but a book like this will help you find those of us that really know, understand, and ARE social engineering professionals.
I know you will enjoy this book. For your business folks out there, you will especially enjoy . It will help you understand then relate why it is important to engage a social engineer for your security needs.
The section in about pretext development is an excellent coverage of a very difficult topic that I know any ardent student of social engineering will want to study.
will surely help you if you are seeking information on how to set up an effective awareness program.
These are just a sampling of the chapters. Each one has benefit for you.
I truly appreciate the chance I have had to read the work of Gavin, Andrew, and Richard. They have been open to my advice, more than patient with my busy schedule, but most importantly they care about security. They don't preach "stupid users" but they preach "uneducated users"; that is a message I hold close to my heart. My motto from day 1 has been "Security through education." It is nice to find a group, like the authors of this book, that think the same way.
Sincerely,
Christopher J. Hadnagy
Chief Human Hacker, Social-Engineer, Inc.
Author, Security Advocate, and Professional Social Engineer
Acknowledgements
The authors would like to thank the team at RandomStorm for their ongoing support, ensuring that we all stay busy with a wide range of exciting social engineering and other professional service engagements. Special mention to Jim Seaman, Katie Bruce and Charlotte Howarth for providing invaluable help throughout the entire process.
About the Authors
Gavin Watson
Senior Security Engineer, CISSP, CHECK Team Leader, CCNA