So Neal, let’s start with a question that a lot of people have asked, I get this all the time: what books, are there any recommended books that you would have before getting started in cyber security? So let’s start with that. Do you have like a top three, top five books that you would recommend someone look at getting if they want to get started in cyber security?

Absolutely, and actually, I went to my bookshelf and pulled some books together so I could do like a little show and

Well, the only book that I don’t have here that you may have to include a link for is a book called The Pentester Blueprint: Starting a Career as an Ethical Hacker by Phillip Wylie. And I’ll send you the link that you can get on Amazon. I don’t have a physical copy of that book. That would be like book number one. So we had Phillip on our stream a couple of weeks ago and he was talking about that book, and talked about his desire and passion and some of the mentorship things that he does to try to get people into a career in ethical hacking. He does a project called Pwn School with a university in Texas, where he actually teaches ethical hacking to universities for free and brings that free, I think I can train you. So he took all of that knowledge on starting a career in ethical hacking and brought it into a book called The Pentester Blueprint. So that’s book number one that I would 100% recommend.

You know, everybody gets on board with it as well. And I did bring a, you know, it’s hard because I’ve got a bookshelf full of books and you read a whole lot of them and there’s a lot of good knowledge that’s out there. And so when I looked across some kind of a series of books, one of the first ones that I would definitely recommend is this one right here: Social Engineering by Christopher Hadnagy. This guy is a literal genius when it comes to social engineering. And I think that this is an awesome book. When you look at just how prevalent social engineering is as an attack tactic, it is literally used in 90% of the attacks that are out there. When you talk about phishing, whether you’re talking about phishing with a voice call, whether you’re talking about, you know, trying to social engineer your way into a building when it comes to physical penetration testing. And so, this will cover a lot of the psychological, mental and, you know, kind of the tactics that kind of come with doing social

And so, 10 of 10, would definitely recommend the social engineering book by Chris Hadnagy, which is called The Art of Human Hacking.

Okay, well, we were discussing this offline. I mean, sorry to interrupt again. Can you give us like the 30-second: what is social engineering, and give us some examples? We were talking previously about, you know, do you have any cool examples of something? So let’s just bring that in right here. So this book gives us an example, if you can, of someone who did something using social engineering to circumvent, like, really high security or something.

So, you say high security, and it’s hard to define where that bar for high security is in some of these pentest engagements. Exactly. I was pentesting a hospital here in the US several years ago, and hospitals are notoriously bad at security, and there’s no one reason why that’s the case. It’s just, hospitals are open. There’s not a lot of physical security, as you would imagine, because doctors have to move from floor to floor, from room to room. Nurses have to move pretty frequently. You’ve got families that are coming and going out of the floors. It’s hard to secure hospitals. Part of one of the pentests that I did one time was social engineering and physical access to the hospital. And I think one of the more glaring ones that I had done was I had put on a polo, an IT polo. I was walking around the hospital with my backpack on and I had my MacBook in my hand. Now, on my MacBook, I’m like any other pentester, I’ve got stickers everywhere all over my MacBook. So I mean, it’s pretty clear that that’s not your standard IT guy, or maybe it is. I guess it depends on what your perspective is. And I walked up to this receptionist in this hospital and I said, hey, you know, we’ve got some reports of some network issues coming from this side of the building, do you care if I sit down right here at this desk, right next to you, and see if I can troubleshoot some of this networking stuff? She said, yeah, absolutely. So, I literally took my hacker laptop, sat down next to her, opened it up, and pulled up, you know, Metasploit and some terminals and things like this, and just started to hack, literally right next to her. And after about 10 or 15 minutes, you know, I started up Cain and Abel and I was intercepting traffic and whatnot on the LAN port. I got to thinking to myself, like, well, I wonder if I can take this a little bit further. And so I turned to her and I said, hey, there appears to be some really weird activity going on with your account that I can see because I’m sitting right here, you know, next to you. I said, hey, can you give me your password so that I can check and make sure that your account looks in order in the system? And she said, yeah, absolutely. So she took out a Post-it note, wrote her username and password on a Post-it note, and handed it to me right there on the spot, sitting next to her. I mean, when you talk about it like I did, that’s why I laugh at the high-security part, because there’s not really a high security or low security in some of these places, you know, when it comes to doing things like social engineering. And that’s not an edge case. That’s not, you know, it’s fun to laugh at, but I could tell you numerous places where I’ve tried that similar tactic and technique and it works. You know, you just seem like a smart guy. You seem like you’re in IT. You have all these really cool things that I have no idea what it is that you’re doing. So obviously you look like you’re IT, and I couldn’t even imagine that a hacker would be sitting right next to me in my own place of business. So, yeah, here’s my password, have at it.

So, I mean, let me push you, but now, seriously: social engineering versus technical skills. Yeah, are there whole domains where someone can become a specialist in social engineering? The reason I ask this is that I saw a video on YouTube where a lady’s supposed to be a social engineering expert, and she pretends she’s got a crying baby, and she has this phone call, and she just seems so polite and seems so trustworthy that she gets past all the gatekeepers.

Yes. I mean, I think so; the short answer is yes. And actually, social engineering is one of those areas where it’s not for everybody. As a matter of fact, I’ve had pentesters work for me. I had a brilliant pentester work for me one year when I was working for a Big Four consulting company, and he could do wireless and network-based exploitation with the best of them. But we tried to get him to do a social engineering engagement, and he actually got physically anxious about the prospect of lying to another human being. And I’ll tell this story because, since we talked about social engineering stories, this is a fun story. Stories are always fun. So real-world stories are always the best, go for it. I got stories for days. I got stories for days. So this particular engagement that we were doing was against a university in the Northeast part of the United States of America. And this was before we were ever going on site. We were doing most of this social engineering, you know, remotely. And so we had scraped their website and had come to find, universities, again, like hospitals, are terribly bad at security on a whole lot of fronts. And so, you know, universities naturally just want to be open for all their students and all their faculty and things like that. And so they had posted on an IT page on the web some, you know, some noticeable downtime that they were going to be having because of some IT work that they were going to be doing. And so we stood up, you know, there’s a dot-it domain. It’s supposed to be for Italy, but you can pay like $75 for a domain and get a dot-it domain. And so we paid for this university’s domain in dot it, and so it read like, and I can’t say that university, but it read like that-university dot it, as though it looked like it was an IT domain, and we scraped the webpage. We made it look just like the university, and we took their online directory and just started calling administrative assistants. We started calling executive assistants. We started calling the people who would typically be at their desk and handling affairs for large divisions. And our script was very much like, hey, you may have seen on the website that we’ve got this planned upgrade of this system; we need you to, while we’re on the phone with you, go to this university domain dot it, let’s download this update together, and let’s make sure that we get you updated. And they did it, and they did it on the phone with us. And we tried to get, because we wanted this individual to have his chance to practice his social engineering skills, and he got physically anxious. And so, kind of a roundabout way to your original question: yeah, I mean, it takes a certain mentality, and this is going to sound terrible from an ethics perspective, but it takes a certain mentality to sit on the phone with somebody, or to look them in the eye, and only lie to them and trick them into doing something that, you know, could be detrimental to them.

Yes, I can understand that some people wouldn’t want to do that. So, yeah, the idea with social engineering is that you’re talking to humans. So, rather than machines, you’re getting humans to do something that they shouldn’t really do, literally. You’re tricking them, basically, to do something.

Yeah. Yeah, I mean, you’re eliciting a human response in the digital world.