
Hacking the human social engineering techniques and security countermeasures


DOCUMENT INFORMATION

Basic information

Format
Pages 267
Size 1.55 MB

Contents

Hacking the Human
Social Engineering Techniques and Security Countermeasures
IAN MANN

This book is dedicated to Ravinder, Alec, Oscar, and Mia.

© Ian Mann 2008. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of the publisher.

Published by Gower Publishing Limited, Gower House, Croft Road, Aldershot, Hampshire GU11 3HR, England
Gower Publishing Company, Suite 420, 101 Cherry Street, Burlington, VT 05401-4405, USA

Ian Mann has asserted his moral right under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
www.gowerpublishing.com

British Library Cataloguing in Publication Data
Mann, Ian
Hacking the human : social engineering techniques and security countermeasures
Social engineering; Social systems - Planning; Business enterprises - Security measures
I. Title
658.4'7
ISBN: 978-0-566-08773-8

Library of Congress Cataloging-in-Publication Data
Mann, Ian
Hacking the human : social engineering techniques and security countermeasures / by Ian Mann
p. cm. Includes index.
ISBN 978-0-566-08773-8
Social engineering; Social systems - Planning
I. Title
HM668.M36 2009
658.4'7 dc22 2008019977

CONTENTS

List of Figures ix
Introduction

SECTION 1: THE RISKS
Chapter 1 What is Social Engineering? 11
  Social Engineering Threats 15
  Measurement of Security Controls 20
Chapter 2 Understanding Your Risks 23
  Defining Social Engineering Risk 23
  Foundation Approach 32
  Standardized Approach 33
  Quantitative Approach 36
Chapter 3 People, Your Weakest Link 39
  Social Engineering Vulnerabilities 39
  The Risks Associated with Vulnerabilities 43
  Attacking CriticalX 46
Chapter 4 Limitations to Current Security Thinking 63
  Information Security Vendors 63
  Organizational Structure 63
  Security Professionals 64
  The Adventures of HackerZ – continued … 66

SECTION 2: UNDERSTANDING HUMAN VULNERABILITIES
Chapter 5 Trust Me 87
  Trusting the Attacker 89
  Tricks to Building Rapport 91
Chapter 6 Reading a Person 97
  Mind Reading 97
  Personality Profiling 99
Chapter 7 Subconscious Mind 115
  Neuro-Linguistic Programming (NLP) Profiling 115
  Understanding the Subconscious 117
  The Power of Commands 124
  Hypnotic Language 130
  Better Model of the Mind 131
  Enhanced Personality Profiling 132
Chapter 8 Parent, Adult, Child 137
  Roles for the Social Engineer 137
  Applying Transactional Analysis 141

SECTION 3: COUNTERMEASURES
Chapter 9 Vulnerability Mapping 155
  Comparing System Strength 157
  Mapping your Systems 160
  Personality Profiling Techniques 162
Chapter 10 Protection Systems 167
  Building Systemic Improvements 168
  Social Engineering Model of Protection 176
  Mapping Attack and Protection Combinations 177
  Access Controls 186
Chapter 11 Awareness and Training 195
  Awareness-Building Activities 195
  Targeting Awareness and Training 200
  Social Engineering Awareness Building Strategies 203
Chapter 12 Testing 211
  Levels of Progression 211
  Social Engineering Testing Methodology 213
  Get Out of Jail Free Cards 216
  Targeted Testing 221
  The Power of the Cardboard Box – A Typical Testing Assignment 222

Developing Stronger Systems 231
Final Thoughts 233
Further Reading 235
Index 247

LIST OF FIGURES

I.1 Human security: the missing link
2.1 Foundation approach to risk assessment 32
2.2 Standardized approach to risk assessment (ISO 27001 compliant) 35
2.3 Quantitative approach to risk assessment (ISO 27001 compliant) 36
6.1 Personality profiles 100
6.2 Personality profile driving forces and roles 103
6.3 Typical departments mapped to personality profiles 103
7.1 NLP eye movement reading 115
7.2 Conscious–subconscious brain relationship 120
7.3 Advanced model of the mind 132
7.4 Personality profiles' tendency to comply or challenge 133
7.5 Psychological analysis of a phishing attack 135
8.1 Transactional analysis ego states 144
8.2 Transactional analysis transaction diagram 146
8.3 Crossed transaction 148
8.4 Using TA to map hidden communication 151
9.1 Social engineering system strength mapping 157
9.2 Personality profiles' tendency to comply or challenge 162
10.1 Social engineering model of protection 177
10.2 Mapping attacks and countermeasures to the model of protection 178
10.3 Extending the social engineering model of protection 180
10.4 Hacking attack vectors for biometric systems 191

Preview excerpt (fragment from the Introduction, cut at both ends):
… current security to withstand social engineering testing;
• wanting to understand the benefits, and limitations, of social engineering testing, and where it could fit into your information security …

Posted: 05/03/2019, 08:31
