It has been joked that only drug dealers and software developers refer to their customers as ‘users’. Jesting aside, one of the points behind this quote is that humans have often been an afterthought in the design of some systems (most of us can probably think of an infuriating user interface we’ve had to deal with).
This point also applies equally to wider cyber security, where it’s all too easy to get caught up in technical defences and lose sight of the human dimension.
In security circles, ‘social engineering’ is a term used to describe psychological attempts to manipulate people into divulging information or providing access to something they shouldn’t. Techniques vary in sophistication but can include pretexting (invented scenarios or narratives used by an attacker to fool a victim), diversion, phishing and tailgating.
These attacks on our ‘wetware’ (brains) are arguably far more common than many technical attacks: scammers have been using a variety of cunning password recovery scams to compromise accounts in recent years and most of us have probably received an email from a benevolent stranger keen to share his extensive wealth if only we would furnish our account details.
In Social Engineer, fictional IT contractor and white hat hacker extraordinaire Brody Taylor provides a stark reminder of the innate trusting nature and gullibility humans can display, which can put us at risk from a range of scams.
The story centres around one of Brody’s assignments to conduct a penetration test on a pharmaceutical company fearful for the security of its intellectual property, whilst simultaneously managing a blossoming relationship with an animal rights activist. As each of these intertwined stories unfolds the author, Ian Sutherland, serves up time-lapsed slices of Brody’s encounters, which range from tense to downright hilarious.
Particularly entertaining sections of the book involve Brody revealing his audacious escapades and the findings of his assignment to members of the company board, whose reactions oscillate between shock and almost comical fury. But the story also considers the emotional toll and dilemmas Brody’s skills can create when he ends up deceiving more than just his clients.
Amongst the twists and turns the book provides some very real lessons on how unprepared organisations could end up with seemingly harmless intruders wandering their halls – perhaps in the most unlikely of guises.
The message to both the reader and certain apoplectic board members is clear: workforce education is key and complacency means defeat in any business trying to avoid a breach.
As a fast-paced little novella that most people could read within a couple of hours, Social Engineer makes for an exciting way of educating family, friends or employees on the human side of security. We look forward to reading the next installment of the Brody Taylor Series.