Social Engineering: The Art of Human Hacking
by Christopher Hadnagy

Wiley 2010.
ISBN ISBN 978-0470639535 USD 22.74; Table of Contents:

Reviewed by  Richard Austin   May 31, 2011 

Social engineering, "the act of manipulating a person to take an action that may or may not be in the "target's" best interest"(pg. 10), has played a major role in several significant breaches of late, which makes this a most timely book for security professionals. Hadnagy asserts that there are two reasons we're seeing more instances of social engineering attacks. First, there's the simple principle of return-on-investment: "no self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less" (p.2). Secondly, better products and defenses are making many classic technical attack vectors more difficult to employ with a high probability of success (p. 17).

The book presents an excellent introduction to the techniques used by social engineers, whether an authorized penetration tester or a malicious attacker, to induce otherwise knowledgeable and careful people into revealing intimate details of their personal and professional lives. Hadnagy begins with information gathering and elicitation which together provide the basis for establishing the pretext actually used in interacting with the target. He makes extensive use of examples, anecdotes and links to additional material on his website (

His presentation on "Mind Tricks" (Chapter 5) is likely the most controversial part of the book as it introduces "microexpressions" and "neuro linguistic programming". To put it mildly, the professional jury is still very much out on the validity of these models for understanding and influencing human behavior. As a reader, if those models are useful to you in organizing and understanding the material, then by all means use them. However, if they seem like meaningless buzz-words used to create a pretext of understanding a very complex subject, then ignore them and be reassured that many professionals in the psychological fields would agree with you.

Once the social engineer has invested the time in information gathering and elicitation and used that information to create a viable pretext, the time has come for the end game of persuading the target to take the desired action. Hadnagy presents influence and persuasion as a well-organized process with definite intermediate steps on the way to realizing the final goal.

Any skilled craftsperson has the appropriate set of tools and a social engineer is no exception. Beyond the obvious examples of lock picks and Internet search engines, Hadnagy covers other useful items such as SET (the Social Engineering Toolkit). There's even advice on appropriate dress for dumpster-diving.

Six case studies illustrate the practice of social engineering in real-world situations. Each case study is followed by a review that reinforces the salient points from the case.

Hadnagy finishes his presentation with advice on how to defend yourself and your organization against social engineering attacks. Though there are no "silver bullets", he provides solid advice on tactics such as enhanced awareness training that realistically covers social engineering attacks, anticipating attack methods in scripts developed for help desk personnel (e.g., what they should really say when the CEO calls for a password reset), etc, that will strengthen organizational resistance to social engineering attempts.

In all honesty, you probably will feel rather "dirty" after reading this book. You will encounter examples reminiscent of car salesmen, the worst sort of politician, and many other social denizens that have complicated your life in one way or another. However, the same techniques that may have been used to "get-one-up" on you in those social interactions are being employed by your adversaries in attempting to achieve unauthorized access to the assets you are charged with defending. By studying and applying the practical advice in this book, you will be much better prepared to help your organization become more resistant to exploit attempts against human elements, which bitter experience has shown to be the weakest links in any security system.

Before beginning life as a university instructor and independent sybersecurity consultant, Richard Austin ( spent 30+ years in the IT industry in positions ranging from software developer to security architect. He welcomes your thoughts and comments at raustin2 at spsu dot edu