
E-book: Practical Social Engineering

3.80/5 (67 ratings by Goodreads)
  • Format: EPUB+DRM
  • Publication date: 14-Jun-2022
  • Publisher: No Starch Press,US
  • Language: eng
  • ISBN-13: 9781718500990

DRM restrictions

  • Copying:

    not allowed

  • Printing:

    not allowed

  • E-book usage:

    Digital Rights Management (DRM)
    The publisher has supplied this book in encrypted form, which means that you need to install free software in order to unlock and read it. To read this e-book, you must create an Adobe ID. More information is available here. The e-book can be downloaded to 6 devices (one user with the same Adobe ID).

    Required software
    To read this e-book on a mobile device (phone or tablet), you need to install this free app: PocketBook Reader (iOS / Android)

    To read this e-book on a PC or Mac, you need Adobe Digital Editions (a free program designed specifically for e-books. It is not the same as Adobe Reader, which you probably already have on your computer.)

    You cannot read this e-book on an Amazon Kindle.

An ethical introduction to social engineering, an attack technique that leverages psychology, deception, and publicly available information to breach the defenses of a human target in order to gain access to an asset. Social engineering is key to the effectiveness of any computer security professional.

Practical Social Engineering teaches you how to leverage human psychology and publicly available information to attack a target. The book includes sections on how to evade detection, spear phish, generate reports, and protect victims to ensure their well-being. You'll learn how to collect information about a target and how to exploit that information to make your attacks more effective. You'll also learn how to defend yourself or your workplace against social engineering attacks. Case studies throughout offer poignant examples, such as how the author was able to piece together the details of a person's life simply by gathering details from an overheard restaurant conversation. Gray walks you through the sometimes difficult decision-making process that every ethical social engineer must go through when implementing a phishing engagement, including how to decide whether to do things manually or use automated tools, and even how to set up your web server and build the other technical tools necessary to succeed.

Reviews

"Gray provides a very accessible look at social engineering that should be essential reading for pentesters and ethical hackers." -Ian Barker, BetaNews

"I really liked the way that [Joe] lays out tools to use, including walking through where to download them from and install them . . . as beginner-friendly and as easy to use as possible." -Patrick Laverty, Layer 8 Podcast

More information

Acknowledgments xvii
Introduction xix
Who This Book Is For xx
What You'll Find in This Book xx
Summary xxi
PART I THE BASICS 1
1 What Is Social Engineering? 3
Important Concepts in Social Engineering 4
Pretexting 4
Open Source Intelligence 4
Phishing 5
Spear Phishing 5
Whaling 6
Vishing 6
Baiting 7
Dumpster Diving 7
Psychological Concepts in Social Engineering 8
Influence 8
Manipulation 8
Rapport 8
Dr. Cialdini's Six Principles of Persuasion 9
Sympathy vs. Empathy 11
Conclusion 12
2 Ethical Considerations in Social Engineering 13
Ethical Social Engineering 14
Establishing Boundaries 14
Understanding Legal Considerations 14
Understanding Service Considerations 15
Debriefing After the Engagement 16
Case Study: Social Engineering Taken Too Far 17
Ethical OSINT Collection 17
Protecting Data 17
Following Laws and Regulations 18
Case Study: Ethical Limits of Social Engineering 20
Conclusion 22
PART II OFFENSIVE SOCIAL ENGINEERING 23
3 Preparing for an Attack 25
Coordinating with the Client 26
Scoping 26
Defining Objectives 27
Defining Methods 27
Building Successful Pretexts 27
Using Specialized Operating Systems for Social Engineering 28
Following the Attack Phases 29
Case Study: Why Scoping Matters 33
Conclusion 33
4 Gathering Business OSINT 35
Case Study: Why OSINT Matters 36
Understanding Types of OSINT 36
Business OSINT 37
Getting Basic Business Information from Crunchbase 37
Identifying Website Owners with WHOIS 40
Collecting OSINT from the Command Line with Recon-ng 42
Using Other Tools: theHarvester and OSINT Framework 48
Finding Email Addresses with Hunter 49
Exploiting Mapping and Geolocation Tools 50
Conclusion 51
5 Social Media and Public Documents 53
Analyzing Social Media for OSINT 53
LinkedIn 54
Job Boards and Career Sites 56
Facebook 57
Instagram 60
Leveraging Shodan for OSINT 63
Using Shodan Search Parameters 63
Searching IP Addresses 64
Searching Domain Names 65
Searching Hostnames and Subdomains 65
Taking Automatic Screenshots with Hunchly 66
Pilfering SEC Forms 68
Conclusion 69
6 Gathering OSINT About People 71
Using OSINT Tools for Analyzing Email Addresses 72
Finding Out If a User Has Been Breached with Have I Been Pwned 72
Enumerating Social Media Accounts with Sherlock 73
Enumerating Website Accounts with WhatsMyName 73
Analyzing Passwords with Pwdlogy 74
Analyzing a Target's Images 75
Manually Analyzing EXIF Data 76
Analyzing Images by Using ExifTool 76
Analyzing Social Media Without Tools 80
LinkedIn 80
Instagram 80
Facebook 80
Twitter 80
Case Study: The Dinner That Gave All the Gold Away 81
Conclusion 82
7 Phishing 83
Setting Up a Phishing Attack 84
Setting Up a Secure VPS Instance for Phishing Landing Pages 84
Choosing an Email Platform 92
Purchasing Sending and Landing Page Domains 94
Setting Up the Phishing and Infrastructure Web Server 94
Additional Steps for Phishing 95
Using Tracking Pixels to Measure How Often Your Email Is Opened 96
Automating Phishing with Gophish 96
Adding HTTPS Support for Phishing Landing Pages 101
Using URL Shorteners in Phishing 101
Using SpoofCard for Call Spoofing 102
Timing and Delivery Considerations 102
Case Study: The $25 Advanced Persistent Phish 102
Conclusion 105
8 Cloning a Landing Page 107
An Example of a Cloned Website 108
The Login Page 108
The Sensitive Questions Page 110
The Error Page 111
Harvesting the Information 112
Cloning a Website 113
Finding the Login and User Pages 114
Cloning the Pages by Using HTTrack 114
Altering the Login Field Code 116
Adding the Web Pages to the Apache Server 119
Conclusion 119
9 Detection, Measurement, and Reporting 121
Detection 122
Measurement 122
Selection of Metrics 123
Ratios, Medians, Means, and Standard Deviations 123
The Number of Times an Email Is Opened 124
The Number of Clicks 125
Information Input into Forms 126
Actions Taken by the Victim 127
Detection Time 128
The Timeliness of Corrective Actions 128
The Success of Corrective Actions 128
Risk Ratings 129
Reporting 130
Knowing When to Make a Phone Call 130
Writing the Report 130
Conclusion 133
PART III DEFENDING AGAINST SOCIAL ENGINEERING 135
10 Proactive Defense Techniques 137
Awareness Programs 138
How and When to Train 138
Nonpunitive Policies 139
Incentives for Good Behavior 139
Running Phishing Campaigns 140
Reputation and OSINT Monitoring 140
Implementing a Monitoring Program 141
Outsourcing 141
Incident Response 142
The SANS Incident Response Process 142
Responding to Phishing 144
Responding to Vishing 144
Responding to OSINT Collection 145
Handling Media Attention 145
How Users Should Report Incidents 146
Technical Controls and Containment 146
Conclusion 147
11 Technical Email Controls 149
Standards 149
"From" Fields 150
DomainKeys Identified Mail 150
Sender Policy Framework 155
Domain-Based Message Authentication, Reporting, and Conformance 158
Opportunistic TLS 161
MTA-STS 162
TLS-RPT 162
Email Filtering Technologies 162
Other Protections 163
Conclusion 164
12 Producing Threat Intelligence 165
Using Alien Labs OTX 166
Analyzing a Phishing Email in OTX 166
Creating a Pulse 167
Analyzing the Email Source 168
Inputting Indicators 169
Testing a Potentially Malicious Domain in Burp 172
Analyzing Downloadable Files 176
Conducting OSINT for Threat Intelligence 177
Searching VirusTotal 177
Identifying Malicious Sites on WHOIS 177
Discovering Phishes with PhishTank 179
Browsing Threat Crowd 180
Consolidating Information in ThreatMiner 181
Conclusion 182
A SCOPING WORKSHEET 183
B REPORTING TEMPLATE 187
Introduction 187
Executive Summary 188
Statement of Work 188
Scope 188
Completion Date 188
Location of Work 188
About <Company Name> 189
Tools and Methodologies 189
Metrics 189
Phishing 189
Vishing 190
Findings 191
Severity Key 191
Discussion 191
Problem 191
Validation 191
Potential Outcomes 192
Mitigation or Remediation 192
Recommendations 192
Conclusion 192
Phone Numbers Discovered 192
Websites Discovered 192
Emails Discovered 192
High-Value Assets Discovered 192
Pretexts Used 192
C INFORMATION-GATHERING WORKSHEET 193
D PRETEXTING SAMPLE 197
Confused Employee 197
IT Inventory 198
Transparency Survey 199
E EXERCISES TO IMPROVE YOUR SOCIAL ENGINEERING 201
Help a Random Stranger and Then Prompt for "Flags" 201
Improv 202
Standup Comedy 202
Public Speaking/Toastmasters 202
Do OSINT Operations on Family and Friends 202
Compete in Social Engineering and OSINT CTFs 203
Index 205
Joe Gray is a veteran of the U.S. Navy. He is the Founder/Principal Instructor of The OSINTion, the Founder/Principal Investigator of Transparent Intelligence Services, and the inaugural winner of the DerbyCon Social Engineering CTF. A member of the Password Inspection Agency, he also won the TraceLabs OSINT Search Party at DEFCON 28, and recently authored the OSINT and OPSEC tools - DECEPTICON Bot and WikiLeaker.