Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant” I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it, and I asked myself what relevance this book had to digital forensics. I have to say that having reviewed the book my mindset has changed.
The book contains 12 chapters, divided into three sections. The first section contains four chapters. It explains social engineering and describes the risks to an organization of social engineering attacks. It then goes on to explain why people are the weakest link in an organization. Finally it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities. It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and the different roles a social engineering attacker could take. The final section concentrates on countermeasures to social engineering. It does this by describing techniques to assess an organization’s vulnerabilities and explaining security controls to counter the identified vulnerabilities, including awareness and training. Finally the section explains how the countermeasures can be tested.
The book comprises 254 pages and given the retail price it is not the best value book I have come across.
So given all of the above, why did I get some value out of reviewing it? The answer lies in the number of examples and incidents of social engineering attacks it describes. There are over a dozen. Whilst a few of them have only a human element to them, most involve IT or phone technology to some degree. So I started thinking! If one of these attacks occurred, what evidence would I need to find to prove such an attack had occurred, or how would it be possible to establish that an innocent victim wasn’t actually the perpetrator? It was quite thought provoking.
This is not a book on IT security or digital forensics. Given the number of pages and the selling price it is not particularly good value. However, if you would like to understand social engineering attacks and consider their relevance to digital forensics, this is a reasonable addition to your library.
Book Title: Hacking the Human
Book Subtitle: Social Engineering Techniques & Security Countermeasures
Author(s): Ian Mann
Publisher: Gower Publishing Ltd.
Date of Publishing: November 2008
Price: $104.95 / £60.00