Ben's Book of the Month: Review of "Practical Social Engineering: A Primer for the Ethical Hacker"

Posted by Ben Rothke

The Advanced Encryption Standard (AES) was selected in 2001 to replace the aging Data Encryption Standard (DES). AES is a symmetric-key algorithm, and with enough computing power, any key can in principle be brute-forced. While it can be broken in theory, even if you used all the computing power on the planet, the universe would likely collapse back on itself before you succeeded. And that is just for one key.


For those who don’t want to wait billions of years, rather than use all the world’s computing power to hack into a system, they will use social engineering to break it. In Practical Social Engineering: A Primer for the Ethical Hacker (No Starch Press), author Joe Gray has written an excellent introduction to the topic. 


I have reviewed other books on social engineering in the past, including Social Engineering in IT Security: Tools, Tactics, and Techniques, and two by Hadnagy: Unmasking the Social Engineer: The Human Element of Security and Social Engineering: The Art of Human Hacking.


Gray has written a reference that can be used by those who want to get their feet wet in social engineering. While breaking encryption requires massive amounts of computing power and people with PhDs in math, social engineering attacks something much more accessible—the human element. The perfect example of that is phishing, which, with a few clicks, can bypass millions of dollars' worth of information security hardware and software controls.


At 200 pages, the book is a great introductory text for those who want to master the fundamentals of social engineering. The focus of the book is on using specific tools to do that.


The primary audience for the book is social engineers and those who want to be, but it should also be read by those who can be victims of social engineering, which is pretty much everyone.


For example, Chapter 4 on gathering business OSINT is something everyone should be aware of. Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources to produce actionable intelligence. The book makes significant use of Crunchbase for that.


Crunchbase is a platform for gaining awareness about business information about private and public companies. Its content includes investment and funding information, founding members and individuals in leadership positions, mergers and acquisitions, news, and industry trends.


By being aware of what can be gathered from sources like Crunchbase, potential social engineering victims can reduce their attack surface: when someone calls or messages with seemingly insider information, they will recognize that the information is in fact public, and that the caller should not be granted access or further information on the strength of it.


The book is primarily written for pentesters who will find this a helpful guide to assist them in their social engineering tasks. As noted, it also has a lot of value for those who don’t want to be victims of a social engineering attack. And the best offense is a good defense, as detailed in this valuable guide.

Ben Rothke

Senior Information Security Manager, Tapad
