I remember precisely where I was when I first saw Erdal talk about social engineering: it was a jam-packed room at Microsoft’s TechEd, overflowing into the hallway if memory serves me. Software developers and IT pros alike had flooded into the room to hear about this phenomenon which sounded so intriguing – the ability to bend people to your will with what must have seemed like mind control to many people. The audience was in raptures as they learned about how the best technology controls we had at our disposal were so readily circumvented due to the fallibility of the organic matter sitting at the keyboard.
But the memory that sticks with me to this day is not the content, but rather how Erdal made people feel: scared, entertained and lusting for more. Of course, there was substance to the talk, as there was to many others that day and indeed the hundreds of others I must have seen since then. Substance alone, however, is not what makes a lesson stick, nor is it what makes a lasting impression. Passion, enthusiasm and engagement were the ingredients that made my first encounter with Erdal memorable, and indeed they're the traits I've subsequently borrowed from him in my own speaking career.
Upon reflection, I suspect that talk was, itself, a degree of social engineering: he was manipulating the emotions of the audience. We're all susceptible to it in one form or another simply because we respond to the sentiments it elicits within us. We've all experienced fear, greed, urgency, curiosity and sympathy, among the many other feelings an adept social engineer plays upon. The trick is in understanding the right buttons to push in order to bend the victim (or in this case, the audience) to your point of view.
Over time, the mechanics of social engineering have become ever more important for us to understand. Whilst we humans haven't particularly changed in terms of how we respond to those aforementioned emotions, the technology landscape we live within has changed a great deal, in ways that make this style of attack ever more effective. For example, we've never had access to more open source intelligence data than we do today, and that same statement will still hold true if you read this again a year from now. The number of channels through which social engineering attacks can be mounted is also expanding; it's no longer just phishing attacks in emails. We see malicious attacks being mounted via every conceivable communication platform by which adversaries can get their message in front of victims.
In this book, Erdal takes a very practical look at the mechanics of how these attacks take place. It’s a thorough overview yet is also readily consumable and packed with real world examples. Erdal goes beyond the theory and academics and drills down into easily accessible resources, reproducible steps and industry precedents that demonstrate just how effective social engineering attacks can be. Perhaps most importantly though, he lays a foundation that paves the way for those of us defending against these attacks to better prepare both our systems and our people.
I hope that you come away from reading this book feeling the same way Erdal's audience did when I first saw him talk: scared, entertained and lusting for more!
Founder of Have I Been Pwned
Foreword to Learn Social Engineering