Social Engineering

the_Grinchthe_Grinch Member Posts: 4,164 ■■■■■■■■■■
I am hoping you guys can help with something. Social Engineering is one aspect of security that I do really enjoy. Now there are books on the subject, but I am also thinking about taking college courses related to social engineering. Obviously, there is pretty much no course called social engineering. My question is should I focus on psychology courses or sociology courses? I think sociology is the way to go, but wanted to get some opinions!
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • TurgonTurgon Banned Posts: 6,313
    the_Grinch wrote: »
    I am hoping you guys can help with something. Social Engineering is one aspect of security that I do really enjoy. Now there are books on the subject, but I am also thinking about taking college courses related to social engineering. Obviously, there is pretty much no course called social engineering. My question is should I focus on psychology courses or sociology courses? I think sociology is the way to go, but wanted to get some opinions!

    It's an interesting subject.

    Perhaps do some reading before engaging with the colleges about their offerings. Philosophy, Psychology and Sociology are very wide fields.

    You can find a lot of good stuff on the net looking at the thinking of writers in a modern context.

    Machiavelli, marketing, and management - Google Books
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    Do a social psychology course. Cognitive psychology is pretty interesting too if you like that sort of thing, but it might get a little far from what you're looking for.

    I'm a psychology major and social engineering is a large part of my job. It's helped a little bit, but I don't think college courses are remotely necessary. If you're just trying to fill in a college schedule, I think those would be interesting courses; you shouldn't feel obligated to do them though. You can always just get the course books and review them yourself. I haven't gotten a lot of extra value from attending the lectures because they often follow the book so closely.

    You're going to want to familiarize yourself with this website if you haven't already: Prevention of Influence, Deception, Identity Theft and Phishing Through Education. And I assume you've already gotten a copy of The Art of Deception.
  • chrisonechrisone Senior Member Member Posts: 2,013 ■■■■■■■■■□
    social engineering practice = go to your local bar, get a couple drinks, smooth talk girls.

    Then you will build up your ego and slick talk. This will get you into talking to people with confidence which is what you need to fool people.
    Certs: CISSP, OSCP, CRTP, eCPPT, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), eLearnSecurity: WAPTv3 (completed), eLearnSecurity: IHRP (completed), eLearnSecurity: PTXv2, BlackHills InfoSec: Breaching the Cloud
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (in-progress), MS-500, eLearnSecurity: eWPT, eLearnSecurity: eCIR (in-progress), eLearnSecurity: eCPTXv2
  • eMeSeMeS Member Posts: 1,875
    Sociology is more the study of group behavior, whereas psychology is the study of human and animal behavior.

    A psychology class would be more fitting here, IMO. As Dynamik mentioned, a social psychology class is appropriate.

    I would also highly recommend this book: Amazon.com: Influence: Science and Practice (5th Edition) (9780205609994): Robert B. Cialdini: Books

    Regardless of your interest in your topic, if you haven't read this book you should. Best book ever on influence and influence processes.

    As an aside, last week I delivered an ITIL Foundation class at a customer site. I was very surprised when the discussion took a security turn. Later on, after the discussion, one of the attendees told me that she doesn't understand the term "social engineering", nor its origin, and that she's personally offended by the use of that term. She was speaking about her colleagues, so I think there might have been something more to it.

    Total surprise to me...I never thought of the term "social engineering" as offensive to anyone...

    MS
  • eMeSeMeS Member Posts: 1,875
    chrisone wrote: »
    social engineering practice = go to your local bar, get a couple drinks, smooth talk girls.

    Sometimes the best teacher is a bad example. I highly recommend following dynamik to the local bars, watch him attempt to smooth talk girls, and consistently strike out.

    MS
  • the_Grinchthe_Grinch Member Posts: 4,164 ■■■■■■■■■■
    Ouch! I've read Art of Deception and most of No Tech Hacking, I'll look into the other suggested material. I've also begun looking into NLP related material as well. I was looking into college courses as a way to get a better foundation to build on. I took an intro psych course in college and enjoyed it so I figured taking some more courses wouldn't hurt. Thanks for the advice and I could see a woman getting offended by the term social engineering (no offense to women of course ;)
  • earweedearweed Member Posts: 5,192 ■■■■■■■■■□
    IMO she may have just been offended since a lot of training material which used to use the pronoun he now uses she. Prob was offended thinking that most of the victims of SE were being singled out as women. Either gender is equally susceptible to SE and needs training to avoid it.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • chrisonechrisone Senior Member Member Posts: 2,013 ■■■■■■■■■□
    eMeS wrote: »
    Sometimes the best teacher is a bad example. I highly recommend following dynamik to the local bars, watch him attempt to smooth talk girls, and consistently strike out.

    MS

    hahaha my post was intended as a small joke, but there are several books on the subject. However you will need a big ego which will give you super confidence in lying to someone. I'd figure getting a few drinks in you and practicing on local "talent" (girls), would be great practice lol
  • eMeSeMeS Member Posts: 1,875
    chrisone wrote: »
    hahaha my post was intended as a small joke, but there are several books on the subject. However you will need a big ego which will give you super confidence in lying to someone. I'd figure getting a few drinks in you and practicing on local "talent" (girls), would be great practice lol

    Oh, I got the humor....

    Good book on this one out there too: Amazon.com: The Definitive Book of Body Language: Barbara Pease, Allan Pease: Books

    In reality, women are always in control in these situations and always make the first move.

    MS
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,669 Admin
    Social engineering is about believability and making a successful "sale." Look into the Dale Carnegie books and courses on salesmanship.
  • Paul BozPaul Boz Member Posts: 2,621 ■■■■■■■■□□
    All of this is good advice, but honestly you just have to "do" it. Try to convince people to let you do things you otherwise shouldn't be allowed to. Sometimes I sweet talk the rental car counter into giving me a few class upgrades by saying I'm on my honeymoon. Other times I'll use a "death in the family" to get priority on an over-booked or cancelled flight. Sure it's lying but hey, that's what social engineering is. You have to practice it or you'll never be any good. You can't just turn it on and off - you have to be able to use your skills at all times.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,669 Admin
    Paul Boz wrote: »
    Sure it's lying but hey, that's what social engineering is. You have to practice it or you'll never be any good. You can't just turn it on and off - you have to be able to use your skills at all times.
    Look at all the success Kevin Mitnick has had following this very advice!
  • Paul BozPaul Boz Member Posts: 2,621 ■■■■■■■■□□
    JDMurray wrote: »
    Look at all the success Kevin Mitnick has had following this very advice!

    There is a big difference between lying to a ticket counter clerk and hacking the telephone system ;)

    Also - I find it humorous that I've also legitimately (through my vocation of course) hacked at least one of the organizations under the "criminal acts & suspected criminal acts" list. That's a pretty nice feeling :)
  • msteinhilbermsteinhilber Member Posts: 1,480 ■■■■■■■■□□
    JDMurray wrote: »
    Social engineering is about believability and making a successful "sale." Look into the Dale Carnegie books and courses on salesmanship.

    I've only done a handful of random calls to people within my organization to see if I could fabricate a story and get them to divulge information. But I would have to agree with JDMurray, salesmanship is the key. I spent almost the first 10 years of my career doing a mix of sales, management, and consulting. I spent so much time with people, from the casual Joe who walked in my store to pitching a solution to a group of 5 or 6 managers in some corporation's conference room, that selling became an incredibly easy thing to do.

    I imagine social engineering wouldn't be a much different process. Evaluate the type of individual you are working with based on past experiences so you will be more likely to succeed. Gain the trust of the person you are trying to exploit and the information will probably flow.
  • Chris:/*Chris:/* Member Posts: 658
    the_Grinch wrote: »
    I am hoping you guys can help with something. Social Engineering is one aspect of security that I do really enjoy. Now there are books on the subject, but I am also thinking about taking college courses related to social engineering. Obviously, there is pretty much no course called social engineering. My question is should I focus on psychology courses or sociology courses? I think sociology is the way to go, but wanted to get some opinions!

    Those courses will be fine but also look at outside education opportunities. Search amazon.com and read about operation security which is the government's way of passively combating social engineering.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology