The Cybersecurity Canon: Unmasking the Social Engineer: The Human Element of Security

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben Rothke: Unmasking the Social Engineer: The Human Element of Security (2014) by Christopher Hadnagy

Executive Summary

It’s said you can get a lot just by asking. Social engineers know this and have used it to the extreme. While firms have spent huge amounts of their budgets on security hardware and software solutions, they often forget about dealing with social engineering. A successful social engineering attack can render all that security hardware and software worthless.

Review

In his first book, Social Engineering: The Art of Human Hacking, author Christopher Hadnagy wrote the definitive reference on social engineering. In it, he detailed the entire lifecycle of social engineering and pretty much everything you needed to know on the topic. In this follow-up, Unmasking the Social Engineer: The Human Element of Security, he takes social engineering up a few levels. While the first book was more of a practical introduction to the topic, this is an advanced title for the serious practitioner. There is a lot of interesting information and research provided in the book. But the challenge here is not just reading it; rather it is in mastering its practical use.

Unmasking the Social Engineer is meant to show the reader how to read a person’s body language and facial expressions. Understanding these makes not only social engineering easier but defending against social engineering attacks as well. If you can understand how an attacker uses non-verbal behavior, then you can better defend yourself and your organization against them.

While the first book was about a standard approach to social engineering, this new title can be seen as advanced social engineering. The premise of the book is that, in order to fully and effectively deal with and defend against social engineering threats, it is important to have an understanding of how non-verbal communication is used. The book notes that much of our everyday communication is nonverbal. And as its name implies, nonverbal communication is the process of communicating and understanding messaging via such mechanisms as touch, posture, body language, eye movement, eye contact and more. Since social engineers and scammers use these techniques, it is important to understand them in order to defend against them.

The book’s forward is written by Dr. Paul Ekman. Ekman is a renowned psychologist whose career is deeply enmeshed in nonverbal communication. Hadnagy’s approach is based significantly on methods Ekman developed, much of it starting over 35 years ago. As to Dr. Ekman, he was ranked in the 100 most cited psychologists of the 20th century.

Of the book’s four parts, half is contained in Part 2: Decoding the Language of the Body. The four chapters in the section particularize the various aspects of how movements around different body parts can be interpreted.

While an interesting read, the techniques detailed in the book are quite complex. Whereas it is often difficult to understand what people say, understanding their nonverbal communications is not a trivial endeavor. Readers should, therefore, not read this 200 page book and expect to come out experts in nonverbal communication.

For serious readers who wants to understand everything they can about the topic of social engineering, Unmasking the Social Engineer should be one of the references in their cybersecurity reading arsenal.

Conclusion

Far too many firms forget about the human element when it comes to information security. Ensuring that social engineering is part of the overall information security program is no longer an option. And in Unmasking the Social Engineer: The Human Element of Security, Hadnagy makes that eminently clear.