RandomStorm publishes book on human nature security risks

Social Engineering Penetration Testing - RandomStormIT security management and compliance company, RandomStorm, has published a book explaining how organisations can perform structured tests to check for security vulnerabilities that are created by human weaknesses such as gullibility, pride and fear.

The book, “Social Engineering Penetration Testing,” was published by Elsevier on 30th June 2014 and is written for information security practitioners, network and computer system administrators and IT professionals. It portrays real life scenarios to help to train employees to recognise common social engineering tactics, to stop an attack in progress. Examples are provided showing how criminals have used phishing; telephone pre-texting and physical props to manipulate employees into divulging information, or performing activities on their behalf that compromise information security, or put physical assets at risk. Furthermore, the book provides detailed frameworks that enable organisations to assess how well a social engineering penetration test has been performed by their security auditor.

RandomStorm co-founder and technical director, Andrew Mason, was commissioned to write the book following a meeting with Elsevier at Infosecurity Europe last year. His co-writers are Richard Ackroyd and Gavin Watson, Senior Security Engineer and head of the RandomStorm Social Engineering Team.

At this year’s Infosecurity Europe show, Gavin Watson presented excerpts from the book, in the Business Strategy Theatre, to a packed audience.

Andrew Mason explains, “We have shared some of the social engineering pen testing techniques that we have successfully used at client sites to access restricted areas or sensitive information. Using the book’s examples, organisations can gain a much better understanding of the many ways that criminals employ social engineering. We walk you through the practical steps to improving defences in response to pen test results.”

Gavin Watson continues, “Too many times, social engineering pen tests will simply involve an auditor donning a high vis vest, or carrying a coffee cup and trying to blag their way past reception. What our book describes is how to develop a full risk framework that assesses every social engineering avenue that could be exploited by a criminal targeting your organisation.”

“We want to get away from just putting a tick in the compliance box and help organisations to genuinely improve their security through comprehensive tests that underpin policies, processes and training.”


The Data Protection Act 1998, Section 55, “unlawful obtaining etc., of personal data.” http://www.legislation.gov.uk/ukpga/1998/29/section/55

Leave a Comment

You must be logged in to post a comment.