Chapter 3: The Human Threat — Social Engineering

The first two chapters protected the machine — passwords, logins, sessions. This chapter looks at the gap none of that closes: the person sitting in front of the machine. Most real attacks don't beat the technology at all. They talk a person into opening the door, and that turns out to be the cheapest, most reliable way in.

You can build a wall ten feet thick, and it won't help if someone inside opens the door. That is the whole idea of this chapter. The technology can be doing its job perfectly — the locks all hold — and the attacker still gets in, because they never went after the lock. They went after the person holding the key.

The name for this is social engineering: manipulating a person into doing something that hands the attacker access, instead of breaking the system directly. Four topics build the picture — why the person is the easiest way in, the most common form of it (phishing), the other shapes the con takes, and the part that surprises people most: why being smart is no protection at all.

Faced with two ways in, an attacker takes the cheaper one:

Break the technology (a tall, patched, encrypted wall): slow, expensive, often fails.
Talk to the person (an open door marked "the human"): cheap, fast, usually works.

Topics in This Chapter