Thursday, July 21, 2011

The Social Engineering Framework and How to Use It

Posted by OurTech Team | Thursday, July 21, 2011

Through experience and research I have tried to outline the elements that make up a social engineer.
Each of these elements defines a part of the equation that equals a whole social engineer. These aspects
are not set in stone; as a matter of fact, from its original state until now the framework has grown.
The purpose of the framework is to give enough information for anyone to build on these skills. The
framework is not designed to be an all-inclusive resource for all information in each chapter. For
example, the portion of Chapter 5 that covers microexpressions is based on the research of some of the
greatest minds in this field and my experience in using that information. By no means is it meant to replace
the 50 years of research by such great minds as Dr. Paul Ekman.
As you read through the framework you will see that by utilizing the many skills within it, you can not
only enhance your security practice, but also your mindset about how to remain secure, how to
communicate more fully, and how to understand how people think.
Refer to the table of contents for a clear picture of the framework or view it online at At first glance the framework may appear daunting, but inside this
book you will find an analysis of each topic that will enable you to apply, enhance, and build these skills.
Knowledge is power—it is true. In this sense, education is the best defense against most social
engineering attacks. Even for the attacks that knowledge can’t protect against 100 percent, having details of
these attacks keeps you alert. Education can help you enhance your own skills, as well as stay alert.
Along with education, though, you need practice. This book was not designed to be a once-read
manual; instead it was designed to be a study guide. You can practice and customize each section for
your needs. The framework is progressive in the sense that it is the way a social engineering attack is laid
out. Each section of the framework discusses the next topic in the order that a social engineer might utilize
that skill in their engagement or planning phases.
The framework shows how an attack might be outlined. After the attack is planned out, the skills that
are needed can be studied, enhanced, and practiced before delivery.
Suppose, for example, that you are planning a social engineering audit against a company that wanted
to see whether you could gain access to its server room and steal data.
Maybe your plan of attack would be to pretend to be a tech support person who needs access to the
server room. You would want to gather information, maybe even perform a dumpster dive.
Then under the pretext of being the tech guy, you could utilize some covert camera tools as well as
practice the proper language and facial/vocal cues for how to act, sound, and look like a tech guy.
If you locate what company your client uses for tech support you may need to do info gathering on it.
Who does your client normally get to service them? What are the names of the employees with whom
they interact? The attack needs to be planned out properly.
This book is not just for those who perform audits, though. Many readers are curious about what the
attacks are, not because they are protecting a company, but because they need to protect themselves.
Not being aware of the way a malicious social engineer thinks can lead someone down the path toward
being hacked.
College students in the field of security have also used the framework. The information in the
framework outlines a realistic path for these vectors, or methods of attack, and enables the reader to
study them in depth.
Generally, this information can also help enhance your ability to communicate in everyday life.
Knowing how to read facial expressions or how to use questions to put people at ease and elicit positive
responses can enhance your ability to communicate with your family and friends. It can assist you in becoming a good listener and more aware of people’s feelings.
Being able to read people’s body language, facial expressions, and vocal tones can also enhance your
ability to be an effective communicator. Understanding how to protect yourself and your loved ones will
only make you more valuable and more aware of the world around you.
