***** Hacking the Human: Social Engineering Techniques and Security Countermeasures.
In this essential reference on human factors security, author and IT security consultant Ian Mann explains how organizations can counter social engineering threats through a combination of systemic protective measures and by training personnel to recognize sophisticated behavior- manipulation tactics.
Mann defines social engineering as manipulation of people “by deception, into giving out information, or performing an action.” He examines the psychological models for our decision-making processes and discusses the powerful techniques that can be used to manipulate people with ease. Human security, he argues, is the missing link between IT and physical security.
Mann examines various concepts throughout the book, including the relationship between the conscious and subconscious mind and how people often respond not on the conscious but on the subconscious level. He explains how perpetrators can combine subtle but sophisticated measures, like suggestion and distraction. For example, an individual seeking admission to a ticketed event might reach for a phony slip of paper and make a false-positive statement like “this is the right ticket” followed by a distracting question at the moment it is quickly shown and taken away. If done with good timing, believable tone of voice, and the right body language, the individual can fool the victim and gain entry.
The subject matter of Hacking the Human is varied and at times dense, ranging from magic and mind-reading tricks to neurolinguistic programming, transactional analysis, and personality profiling. The book, however, is engaging and readable.
Overall, this text is a detailed primer as well as a solid reference source and a starting point for further research. In a fundamental way, this book is analogous to a lock-picking manual for the human brain. It is an indispensible resource for security professionals regardless of specialty.
Reviewer: William Stepka, CPP, CISSP (Certified Information Systems Security Professional), is principal of Stepka & Associates in San Francisco, providing security consulting, training, and investigative services. He is the historian of ASIS’s San Francisco Bay Area Chapter and has contributed articles to its newsletter on topics including social engineering and plainclothes security.