If you want an effective security awareness program you have to understand how employees will be attacked, and to understand that you need to know the fundamentals of social engineering. I just finished reading the book Social Engineering by Chris Hadnagy and wanted to share with you my thoughts. First, there are surprisingly few good books dedicated to hacking the human. While there are literally hundreds on hacking technology, you may find five such books on Amazon that focus on human issues. So I'm always excited to see when we get a new resource such as this. If you are not aware, Chris and his team also maintain a website dedicated to social engineering at http://www.social-engineer.org. Overall, I like the book, I would rate it an Amazon 4 out of 5. The book does an outstanding job of laying the foundation of social engineering and all the different concepts that come into play. Chris identifies, defines and references all the different ways you can monitor, understand and influence people. What impressed me the most was how extensive the material was on all the different concepts and theories. In some ways I would almost consider this an academic reference, it describes all the different possible tools you can use in hacking the human. What I think would be great is to take this to the next level, something like "Hacking Exposed". How can we take these different tools and put them together in a planned attack? Chapter 8 does this to some effect describing Case Studies, but I think you could dedicate an entire book to this. One thing that would have also helped is if Chris identified which techniques he felt were the most effective based on his experience, at times I was simply overwhelmed with all the different options. Finally, what I would like to see is a book that focuses less on physical social engineering and one that focuses more on network based. Some of the topics covered require you to be in person (micro expressions, lock picking, etc) and most of the examples were based on physical penetration tests (though I absolutely loved the example of attacking the stamp collecting CEO over the Internet). All in all a great book, a definite read if you want to develop your skills in social engineering.
