Practical Social Engineering: A Primer for the Ethical Hacker

An ethical introduction to social engineering, an attack technique that leverages psychology, deception, and publicly available information to breach the defenses of a human target in order to gain access to an asset. Social engineering is key to the effectiveness of any computer security professional.

Social engineering is the art of capitalizing on human psychology to compromise systems, not technical vulnerabilities. It’s an effective method of attack because even the most advanced security detection teams can do little to defend against an employee clicking a malicious link or opening a file in an email and even less to what an employee may say on a phone call. This book will show you how to take advantage of these ethically sinister techniques so you can better understand what goes into these attacks as well as thwart attempts to gain access by cyber criminals and malicious actors who take advantage of human nature.

Author Joe Gray, an award-winning expert on the subject, shares his Social Engineering case studies, best practices, OSINT tools, and templates for both orchestrating (ethical) attacks and reporting them to companies so they can better protect themselves. His methods maximize influence and persuasion with creative techniques, like leveraging Python scripts, editing HTML files, and cloning a legitimate website to trick users out of their credentials. Once you’ve succeeded in harvesting information on your targets with advanced OSINT methods, Gray guides you through the process of using this information to perform real Social Engineering, then teaches you how to apply this knowledge to defend your own organization from these types of attacks.

You’ll learn:

- How to use Open Source Intelligence (OSINT) tools like Recon-ng and whois
- Strategies for capturing a target’s info from social media, and using it to guess their password
- Phishing techniques like spoofing, squatting, and standing up your own webserver to avoid detection
- How to collect metrics about the success of your attack and report them to clients
- Technical controls and awareness programs to help defend against social engineering

Fast-paced, hands-on and ethically focused, Practical Social Engineering is a book every pentester can put to use immediately.

210 pages, Kindle Edition

Published June 14, 2022


About the author

Joe Gray


Community Reviews

5 stars: 7 (18%)
4 stars: 17 (44%)
3 stars: 13 (34%)
2 stars: 1 (2%)
1 star: 0 (0%)
Review by Ben Rothke, October 14, 2022
The Advanced Encryption Standard (AES) was selected in 2001 to replace the aging Data Encryption Standard (DES). AES is a symmetric-key algorithm, and with enough computing power, it can be broken. While it can be broken in theory, even if you used all of the computing power on the planet, the universe would likely collapse back on itself before you succeeded. And that is just for one key.

For those who don't want to wait billions of years, rather than use all the world's computing power to hack into a system, they will use social engineering to break it. In Practical Social Engineering: A Primer for the Ethical Hacker (No Starch Press), author Joe Gray has written an excellent introduction to the topic.

I have reviewed here other books on social engineering in the past, including Social Engineering in IT Security Tools, Tactics, and Techniques, and two by Hadnagy in Unmasking the Social Engineer: The Human Element of Security and Social Engineering: The Art of Human Hacking.

Gray has written a reference that can be used by those who want to get their feet wet in social engineering. While an introductory text on the topic, he doesn't waste much space on introductory topics. While breaking encryption requires massive amounts of computing power and people with PhDs in math, social engineering looks to attack something much more accessible, the human element. The perfect example of that is phishing, which, with a few clicks, can obviate millions of dollars of information security hardware and software controls.

At 200 pages, the book is a great introductory text for those that want to master the fundamentals of social engineering. The focus of the book is on using specific tools to do that.

While the primary audience for the book is social engineers and those that want to be, it should also be read by those who can be victims of social engineering, which is pretty much everyone.

For example, chapter 4 on gathering business OSINT is something everyone should be aware of.
Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources to produce actionable intelligence. The book makes significant use of Crunchbase for that.

Crunchbase is a platform for gaining awareness about business information about private and public companies. Its content includes investment and funding information, founding members and individuals in leadership positions, mergers and acquisitions, news, and industry trends.

By being aware of information gathered from sources like Crunchbase, potential social engineering victims can minimize their attack surface by knowing that when someone calls or messages with seemingly insider information, it is, in fact, public, and the parties should not be given access or information.

The book is primarily written for pen testers who will find this a helpful guide to assist them in their social engineering tasks. As noted, it also has a lot of value for those that don't want to be victims of a social engineering attack. And the best offense is a good defense, as detailed in this valuable guide.

Review by Woflmao, August 6, 2022
Finally a decent book on Social Engineering (SE)! So far, any book on SE I got into my hands was just a collection of con-man anecdotes. This book focuses on open source intelligence and the technical aspects; it introduces many tools and explains the procedures for both offensive and defensive techniques of SE. Many additional resources are listed throughout the text, though unfortunately not in a bibliography at the end of the book.