Social Engineering Penetration Testing

Executing Social Engineering Pen Tests, Assessments and Defense


  • Gavin Watson, Professional Services Manager at RandomStorm
  • Andrew Mason, Co-founder and Technical Director at RandomStorm
  • Richard Ackroyd, Senior Security Engineer for RandomStorm

Social engineering attacks target the weakest link in an organization's security: human beings. Everyone knows these attacks are effective, and everyone knows they are on the rise. Now, Social Engineering Penetration Testing gives you the practical methodology and everything you need to plan and execute a social engineering penetration test and assessment. You will gain fascinating insights into how social engineering techniques (including email phishing, telephone pretexting, and physical vectors) can be used to elicit information or manipulate individuals into performing actions that may aid in an attack. Using the book's easy-to-understand models and examples, you will have a much better understanding of how best to defend against these attacks.

The authors of Social Engineering Penetration Testing show you hands-on techniques they have used at RandomStorm to provide clients with valuable results that make a real difference to the security of their businesses. You will learn about the differences between social engineering pen tests lasting anywhere from a few days to several months. The book shows you how to use widely available open-source tools to conduct your pen tests, then walks you through the practical steps to improve defense measures in response to test results.



Information security practitioners, information technology leaders, network administrators, computer system administrators, information security engineers, IT professionals, information security managers, security analysts, and an academic audience among information security majors.


Book information

  • Published: April 2014
  • Imprint: SYNGRESS
  • ISBN: 978-0-12-420124-8


"...will help you understand the many tricks and approaches to this most powerful of hacking processes. will enable you to integrate social engineering within the overall framework of your penetration testing services." -Network Security, Nov 2014

Table of Contents

Introduction to Social Engineering
Why People are the Weakest Link in your Security
Basic Techniques, Deception, and Manipulation
Assessment Prerequisites
Reconnaissance: Building the Foundation of an Assessment
Ensuring Value Through Effective Threat Modeling
Designed Targeted Scenarios
A Model for Creating Plausible Situations
The Email Attack Vector - Spear Phishing
The Telephone Attack Vector
The Physical Attack Vector
Supporting an Attack with Technology
Difference between "Long Game" and "Short Game" Attack Strategies
Writing the Report
Creating Hardened Policies and Procedures
Reclassifying Information
Improving Physical Security Controls
Designing and Conducting Effective Staff Awareness Training
Internal Social Engineering Assessments