diff --git a/manuscript/markdown/main/chapter3.md b/manuscript/markdown/main/chapter3.md
index a9aed37..7851283 100644
--- a/manuscript/markdown/main/chapter3.md
+++ b/manuscript/markdown/main/chapter3.md
@@ -182,7 +182,7 @@ We used to start the Metasploit service with:
 `service metasploit start`  
 but now there is no `metasploit` service as such.
 
-##### Useful metasploit [commands](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/)
+##### Useful metasploit commands
 
 * `msf >` [help](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#help)
 * `msf >` [show](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#show)
@@ -190,7 +190,8 @@ but now there is no `metasploit` service as such.
   * Additional module specific parameters are: `missing`, `advanced`, `evasion`, `targets`, `actions`  
 * `msf > show options`
 * `msf > info <module name>` [info](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#info)
-
+Refer the following link for more insight :https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
+<!--- I have removed the link from the heading and placed it here as the font looks different when this URl was applied --->
 ##### metasploit meterpreter client commands
 
 * Meterpreter Client  
@@ -216,8 +217,7 @@ If you need Metasploit integration in BeEF (in most cases you will want this), s
 `extension: metasploit: enable: true`  
 in the `/etc/beef-xss/config.yaml` file.  
 Also make sure  
-`enable`  
-is set to `true` in `/usr/share/beef-xss/extensions/metasploit/config.yaml`
+`enable` is set to `true` in `/usr/share/beef-xss/extensions/metasploit/config.yaml`
 
 When running Metasploit for BeEF, I often provide `msfconsole` with a Metasploit resource file specifically for BeEF (I call this `beef.rc` and put it in `~/`). This resource file will have the following in it at a minimum:
 
@@ -325,16 +325,16 @@ or see the documentation for more details
 %% Errors installing. Submitted issue here: https://github.com/michenriksen/gitrob/issues/62
 %% Error running. Didn't like my password: https://github.com/michenriksen/gitrob/issues/63
 
-#### [CMSmap](https://github.com/Dionach/CMSmap)
+#### CMSmap
 
-CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular Content Management Systems (CMSs).  
+[CMSmap] (https://github.com/Dionach/CMSmap) is a python open source CMS scanner that automates the process of detecting security flaws of the most popular Content Management Systems (CMSs).  
 Currently supports: WordPress, Joomla and Drupal.
 
 `git clone https://github.com/Dionach/CMSmap.git /opt/CMSmap`
 
-#### [Veil Framework](https://www.veil-framework.com/) {#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-veil-framework}
+#### Veil Framework {#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-veil-framework}
 
-I have decided to clone the Veil-Framework, as it has a good collection of very useful tools. Veil-Evasion is specifically useful for antimalware evasion. The Veil super project also has an install script to install all Veil projects, found at the [Veil](https://github.com/Veil-Framework/Veil) repository for the Veil-Framework account on github.
+I have decided to clone the [Veil-Framework] (https://www.veil-framework.com/), as it has a good collection of very useful tools. Veil-Evasion is specifically useful for antimalware evasion. The Veil super project also has an install script to install all Veil projects, found at the [Veil](https://github.com/Veil-Framework/Veil) repository for the Veil-Framework account on github.
 
 There are install guides here:  
 [https://www.veil-framework.com/guidesvideos/](https://www.veil-framework.com/guidesvideos/)
@@ -551,10 +551,10 @@ We no longer must run everything as root, so this is no longer an issue.
   Port: `8080`  
 
 * **ScriptSafe**: I like to be in control of where my JavaScript is coming from  
-* **Cookies**
-* **EditThisCookie**
+* **Cookies**: <!---Need some content here--->.
+* **EditThisCookie**:<Need some content here>
 * **SessionBuddy**: For storage of browser sessions and easy hydration
-* **User Agent Switcher for Chrome**
+* **User Agent Switcher for Chrome**:<Need some content here>
 * **Web Developer**: I am a web developer, it has some really useful tools that provide visibility and insight
 
 #### [Iceweasel](https://wiki.debian.org/Iceweasel) (FireFox with different Licensing) add-ons {#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-iceweasel-add-ons}
@@ -563,7 +563,7 @@ A small introduction to Iceweasel: Iceweasel was forked from Firefox for the pur
 
 * **FoxyProxy Standard**: Similar to the same [Chromium](#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-chromium-extensions-foxyproxy-standard) Extension as discussed above
 * **NoScript**: I like to know where my JavaScript is coming from
-* **Tamper Data**
+* **Tamper Data**:<!---Need some content here--->
 * **Web Developer**: I'm a web developer, it has some really useful tools that provide visibility and insight
 * **HackBar**: HackBar is somewhat useful for (en/de)coding (Base64, Hex, MD5, SHA-(1/256), etc), manipulating and splitting URLs
 * **Advanced Cookie Manager**
@@ -577,6 +577,7 @@ A small introduction to Iceweasel: Iceweasel was forked from Firefox for the pur
 %% http://blog.binarymist.net/2014/03/29/up-and-running-with-kali-linux-and-friends/#openVAS   
 
 ### Additional Hardware {#tooling-setup-kali-linux-additional-hardware}
+<!---Need some content here--->
 
 #### TP-LINK TL-WN722N USB Wireless Adapter
 
@@ -588,9 +589,9 @@ As I find it flexible to run pen testing set-ups on VMs, the following addresses
 
 The following is the process I have found to set-up the pass-through on Kali 2016.1 (first Kali rolling release. Kernel 4.3, Gnome 3.18), by-passing the Linux Mint 17.3 (Rosa) Host (in my case).
 
-##### Wi-Fi Adapter:
+##### Wi-Fi Adapter
 
-TP-LINK TL-WN722N Version 1.10
+TP-LINK TL-WN722N Version 1.10:
 
 * chip-set: Atheros ar9271
 * Vendor ID: 0cf3
@@ -600,7 +601,7 @@ TP-LINK TL-WN722N Version 1.10
 ![](images/TL-WN722N.jpg)
 
 ##### Useful commands:
-
+<!---Please provide a lead-in sentence before Bullet list--->
 * `iwconfig`
 * `ifconfig`
 * `sudo lshw -C network`
@@ -644,7 +645,7 @@ First of all, you need to add the user that controls the guest to the vboxusers
 ##### Provide USB recognition to guest:
 
 Install the appropriate VirtualBox Extension Pack on to the host. These packs can be found here ([https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)) for the most recent,  
-and older builds here: ([https://www.virtualbox.org/wiki/Download_Old_Builds_5_0](https://www.virtualbox.org/wiki/Download_Old_Builds_5_0)). Do not forget to checksum the pack before you add the extension. The version of the extension pack must match that of the VirtualBox installed. Now in your guest, check to see if you have the appropriate linux-headers package installed. If you do not, run the following:
+and older builds here: ([https://www.virtualbox.org/wiki/Download_Old_Builds_5_0](https://www.virtualbox.org/wiki/Download_Old_Builds_5_0)). Do not forget to checksum the pack before you add the extension. The version of the extension pack must match that of the VirtualBox installed. Now in your guest, check to see if you have the appropriate linux-headers package installed. If you do not, run the following commands:
 
 1. `apt-get update`
 2. `apt-get upgrade`
@@ -654,21 +655,21 @@ and older builds here: ([https://www.virtualbox.org/wiki/Download_Old_Builds_5_0
 6. Apply extension to VirtualBox in the host at: File -> Preferences -> Extensions.
 
 ##### Blacklist Wi-Fi Module on Host:
-
-Unload the `ath9k_htc` module to take effect immediately, and blacklist it so that it does not load on boot. The module needs to be blacklisted on the host in order for the guest to be able to load it. Now we need to check to see if the module is currently loaded on the host with the following command:
+<!---Please provide a lead-in sentence--->
+1.Unload the `ath9k_htc` module to take effect immediately, and blacklist it so that it does not load on boot. The module needs to be blacklisted on the host in order for the guest to be able to load it. Now we need to check to see if the module is currently loaded on the host with the following command:
 
 `lsmod | grep -e ath`
 
-We are looking for `ath9k_htc`. If it is visible in the output produced from the previous command, unload it with the following command:
+2.We are looking for `ath9k_htc`. If it is visible in the output produced from the previous command, unload it with the following command:
 
 `modprobe -r ath9k_htc`
 
-Next you will need to create a blacklist file in `/etc/modprobe.d/`  
+3.Next you will need to create a blacklist file in `/etc/modprobe.d/`  
 Create `/etc/modprobe.d/blacklist-ath9k.conf` and add the following text into it and save:
 
 `blacklist ath9k_htc`
 
-I had to do the following step on Kali 1.1, but it seems it is no longer necessary in Kali 2016.1 rolling. If you are still on 1.1, go into the settings of your VM -> USB -> and add a Device Filter. I named this tl-wn722n and added the Vendor and Product IDs we discovered with `lsusb`. Make sure Enable USB 2.0 (EHCI) Controller is also enabled.
+4.I had to perform the following step on Kali 1.1, but it seems it is no longer necessary in Kali 2016.1 rolling. If you are still on 1.1, go into the settings of your VM -> USB -> and add a Device Filter. I named this tl-wn722n and added the Vendor and Product IDs we discovered with the `lsusb` command. Make sure Enable USB 2.0 (EHCI) Controller is also enabled as shown in the following screenshot:
 
 ![](images/USBDeviceFilter.png)
 
@@ -714,7 +715,7 @@ I had to do the following step on Kali 1.1, but it seems it is no longer necessa
 ##### Test: 
 
 Plug your Wi-Fi adapter into your laptop.
-
+<!---Please provide a lead-in--->
 In the Devices menu of your guest -> USB Devices, you should be able to select the ATHEROS USB2.0 WLAN adapter.
 
 Run `dmesg | grep htc`, you should see something similar to the following printed:
diff --git a/manuscript/markdown/main/chapter4.md b/manuscript/markdown/main/chapter4.md
index 2cb14d5..6a4d114 100644
--- a/manuscript/markdown/main/chapter4.md
+++ b/manuscript/markdown/main/chapter4.md
@@ -21,7 +21,7 @@ This allows us to create effective attack strategies, including non-technical as
 
 #### Reconnaissance Forms {#process-and-practises-penetration-testing-reconnaissance-reconnaissance-forms}
 
-Information gathering can and should be done (initially) in such a way that the target does not know you are doing it (passive). However, reconnaissance can achieve "noise" levels so loud that the target *should* absolutely know you are doing it (active). Unfortunately, all too often target organisations do not notice more active assessment due to insufficient logging, monitoring, and alerting, as discussed in several of the following chapters. These activities also require that someone actually take notice, as discussed in the People chapter specific to engagement.
+Information gathering can and should be done (initially) in such a way that the target does not know you are doing it (passive). However, reconnaissance can achieve "noise" levels so loud that the target *should* absolutely know you are doing it (active). Unfortunately, all too often target organisations do not notice more active assessment due to insufficient logging, monitoring, and alerting, as discussed in several of the following chapters. These activities also require that someone actually take notice, as discussed in Chapter 5, _People_ specific to engagement.
 
 #### Passive
 
@@ -33,7 +33,7 @@ Passive reconnaissance is the phase when information gathering cannot be detecte
 
 The pen tester or attacker cannot directly probe the target, they must use third party information. Sometimes this may be out of date, so confirmation and validation are desirable, even required. This is usually not too difficult, but it takes more time than if the passive constraint was lifted, and the pen tester could probe directly.
 
-If you refer back to the diagram in the 30,000' view chapter under [Identify Risks](#starting-with-the-30000-foot-view-identify-risks-likelihood-and-impact), you will note "Your Organisation" and  indirect relationships to the "Competitor". You will see that your competitor, or attacker, has what is known as a passive or third party relationship with you via your bank, accountants, domain and/or technical consultants, professional services, telcos, ISP and any other number of intermediaries. These include social media, whois, DNS (and reverse) lookups and endless amounts of information floating available via the Internet and even our physical cities. Once you have acquired the names of the technology workers at the target organisation, you can search technology specific forums to see what sort of questions they are asking or possibly blogging about.
+If you refer back to the diagram in section, *2. SSM Identify Risks* of Chapter 1, *Starting with the 30,000' View*, you will note "Your Organisation" and  indirect relationships to the "Competitor". You will see that your competitor, or attacker, has what is known as a passive or third party relationship with you via your bank, accountants, domain and/or technical consultants, professional services, telcos, ISP and any other number of intermediaries. These include social media, whois, DNS (and reverse) lookups and endless amounts of information floating available via the Internet and even our physical cities. Once you have acquired the names of the technology workers at the target organisation, you can search technology specific forums to see what sort of questions they are asking or possibly blogging about.
 
 #### Semi-Active
 
@@ -46,7 +46,7 @@ Active reconnaissance involves interacting with the target directly, engaging in
 * Snooping physical premises.
 * Port scanning the entire range `nmap -p- <target>` and some of the aggressive nmap scanning modes shown below.
 * Spidering public facing resources. Directories and files, often public without the administrators realising it. If they ran a spidering tool against their servers they would see all the publicly accessible resources.
-* Banner grabbing and probing, which we address below under the [Service Fingerprinting](#process-and-practises-penetration-testing-reconnaissance-service-fingerprinting) section.
+* Banner grabbing and probing, which we address under the section, *Service fingerprinting* of Chapter 4, *Process and Practises*.
 
 ##### Netcat
 
@@ -78,15 +78,16 @@ Consider these uses.
 &nbsp;
 
 **Hardened Web Server**
-
 Following is an example using Nmap against a hardened target, with an SSH daemon and web server running...
 
 Using the aggressive option, `-A`, the pen tester makes a lot of noise, and any logs under even the most casual inspection by a system administrator, should clearly identify Nmap probes.
 
+Following is the `nmap` command:
 {title="nmap command", linenos=off, lang=Bash}
     # Attempt to detect hardened target OS and services running on it.
     nmap -A <target>
 
+Following is the result for the `nmap` command:
 {title="nmap result", linenos=off, lang=Bash}
     Nmap scan report for <target> (<target ip>)
     Host is up (0.0014s latency).
@@ -113,6 +114,7 @@ Using the aggressive option, `-A`, the pen tester makes a lot of noise, and any
     Please report any incorrect results at http://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 35.18 seconds
 
+Following is the target system logs:
 {title="target system logs", linenos=off}
     <time> <target> sshd:  refused connect from <kali ip> (<kali ip>)
        <time> <target> <logger instance>:  [info] ::ffff:<kali ip> - - 
@@ -182,9 +184,11 @@ Using the aggressive option, `-A`, the pen tester makes a lot of noise, and any
 
 Using the service detection option, `-sV`, the results provide almost as much information. Even with the intensity set to maximum, the pen tester makes very little noise, and if the logs are under review, the chance of missing these probes is likely. The only indicator that really stands out at all is the `sshd` auth request failure. As there are only two such references, it's likely that a system administrator wouldn't think that much of it. Without the `sshd` entries, this would fall under the Semi-Active phase mentioned above.
 
+Following is the `nmap` command:
 {title="nmap command", linenos=off, lang=Bash}
     nmap -sV --version-intensity 9 <target>
 
+Following is the result for the `nmap` command:
 {title="nmap result", linenos=off}
     Nmap scan report for <target> (<target ip>)
     Host is up (0.0061s latency).
@@ -198,6 +202,7 @@ Using the service detection option, `-sV`, the results provide almost as much in
     Service detection performed. Please report any incorrect results at http://nmap.org/submit/
     Nmap done: 1 IP address (1 host up) scanned in 17.63 seconds
 
+Following is the target system logs:
 {title="target system logs", linenos=off}
     <time> <target> sshd:  refused connect from <kali ip> (<kali ip>)
     <time> <target> <logger instance>:  [info] ::ffff:<kali ip> - - 
@@ -208,10 +213,12 @@ Using the service detection option, `-sV`, the results provide almost as much in
 
 An example of using Nmap against an un-hardened target follows. In later chapters I will discuss how to go about the hardening process. I have also provided quite a bit of information specific to hardening servers on my [blog](http://blog.binarymist.net/).
 
+Following is the `nmap` command:
 {title="nmap command", linenos=off, lang=Bash}
     # Attempt to detect un-hardened target OS and services running on it.
     nmap -A <target>
 
+Following is the result for the `nmap` command:
 {title="nmap result", linenos=off, lang=Bash}
     Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-12 20:17 NZDT
     Nmap scan report for <target>
@@ -333,9 +340,11 @@ An example of using Nmap against an un-hardened target follows. In later chapter
 
 Using the service detection option, `-sV`, on the un-hardened metasploitable 2, we don't observe as much verbosity as with the `-A` flag set, but we still note quite a bit.
 
+Following is the `nmap` command:
 {title="nmap command", linenos=off}
     nmap -sV --version-intensity 9 <target>
 
+Following is the result for the `nmap` command:
 {title="nmap result", linenos=off, lang=Bash}
     Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-12 19:38 NZDT
     Nmap scan report for <target>
@@ -409,7 +418,7 @@ Too many decoys will slow your scan down and often lead to less accurate results
 
 &nbsp;
 
-There are a few things to know in order to use the idle scan properly and understand resulting behaviours and consequences. An idle scan is a side-channel attack which exploits predictable IP fragmentation ID sequence generation on the decoy host to glean information about open ports on the target. This is a clever yet simple technique. Intrusion Detection Systems (IDSs) will display the scan as coming from the decoy machine you specify (which must be active within certain criteria). Check the [Additional Resources](#additional-resources-process) chapter for further details.
+There are a few things to know in order to use the idle scan properly and understand resulting behaviours and consequences. An idle scan is a side-channel attack which exploits predictable IP fragmentation ID sequence generation on the decoy host to glean information about open ports on the target. This is a clever yet simple technique. Intrusion Detection Systems (IDSs) will display the scan as coming from the decoy machine you specify (which must be active within certain criteria).Check the Appendix, Additional Resources for further details.
 
 {linenos=off, lang=Bash}
     # 1.1.1.1:1234 is the IP address and port of the decoy machine.
@@ -422,9 +431,7 @@ Adding to what we have learnt above, the simplest way to deduce the details of t
 Feel free to try the same requests against the likes of the Metasploitable 2 VM. Its legitimate HTTP protocol is 1.0
 
 ##### Depending on the Server field
-
-&nbsp;
-
+**Request**:
 {title="Request", linenos=off, lang=Bash}
     # Run netcat against your targets web server
     nc <target> 80
@@ -433,7 +440,7 @@ Feel free to try the same requests against the likes of the Metasploitable 2 VM.
     # You will probably need to hit the enter key twice.
 
 If the target is running Apache 2.2.3, you may see something resembling the following:
-
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 400 Bad Request
     Date: Thu, 29 Oct 2015 04:44:09 GMT
@@ -443,6 +450,7 @@ If the target is running Apache 2.2.3, you may see something resembling the foll
 
 You can not rely on the Server field though as it could be obfuscated:
 
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     403 HTTP/1.1 Forbidden
     Date: Thu, 29 Oct 2015 04:44:09 GMT
@@ -451,7 +459,7 @@ You can not rely on the Server field though as it could be obfuscated:
     Content-Type: text/html; charset=iso-8859-1
 
 If your target is running an Express server, you will probably see something like:
-
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 200 OK
     X-Powered-By: Express
@@ -463,21 +471,18 @@ If your target is running an Express server, you will probably see something lik
 
 ##### Ordering of Header Fields
 
-&nbsp;
-
 Every web server has its own specific ordering of header fields. This is usually more reliable for deducing the server type.
 
 ##### Malformed Requests
 
-&nbsp;
-
 If we try malformed requests or requests of non existent resources:
-
+**Request (not malformed)**:
 {title="Request (not malformed)", linenos=off}
     # Express is using HTTP 1.1
     nc <experss 4.0 server> 80
     GET / HTTP/1.1
 
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 200 OK
     X-Powered-By: Express
@@ -487,14 +492,15 @@ If we try malformed requests or requests of non existent resources:
     Date: Thu, 29 Oct 2015 05:03:46 GMT
     Connection: keep-alive
     
-    # We get the page markup here.
+**Request (malformed)**:
+  # We get the page markup here.
 
 {title="Request (malformed)", linenos=off}
     nc <experss 4.0 server> 80
     GET / HTTP/3.0
 
 We receive a closed connection, but we still get the resource if there is one.
-
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 200 OK
     X-Powered-By: Express
@@ -506,14 +512,16 @@ We receive a closed connection, but we still get the resource if there is one.
     
     # We get the page markup here.
 
-&nbsp;
+
 
 When we try an Apache server, we note that different versions exhibit different behaviour.
 
+**Request (not malformed)**
 {title="Request (not malformed)", linenos=off}
     nc <apache 2.2.3 server> 80
     GET / HTTP/1.0
 
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 200 OK
     Date: Thu, 29 Oct 2015 05:02:03 GMT
@@ -524,10 +532,11 @@ When we try an Apache server, we note that different versions exhibit different
     
     No Host: header seen.
 
+**Request (malformed)**:
 {title="Request (malformed)", linenos=off}
     nc <apache 2.2.3 server> 80
     GET / HTTP/1.1
-
+**Response**:
 {title="Response", linenos=off, lang=HTTP}
     HTTP/1.1 400 Bad Request
     Date: Thu, 29 Oct 2015 05:01:51 GMT
@@ -549,22 +558,20 @@ Interesting, isn't it? Every server type answers in a different manner.
 
 ##### Non-existent protocol
 
-&nbsp;
-
 If we use a non-existent protocol:
-
+**Request**:
 {title="Request", linenos=off}
     nc <express 4.0 server> 80
     GET / CATSFORDINNER/1.1
     # Express ignores cats for dinner. No response
 
-
+**Request**:
 {title="Request", linenos=off}
     nc <apache 2.2.3 server> 80
     GET / CATSFORDINNER/1.0
 
 We see Apache is `200 OK` happy to have cats for dinner.
-
+**Response**:
 {title="Response", linenos=off}
     HTTP/1.1 200 OK
     Date: Thu, 29 Oct 2015 05:12:51 GMT
@@ -585,7 +592,7 @@ Using Nmap's service detection option, `-sV`, is ideal because Nmap uses service
 
 {linenos=off}
     nmap -sV -p 22 <target>
-
+**Results**:
 {title="Results", linenos=off}
     Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-29 19:46 NZDT
     Nmap scan report for <target> (<target ip>)
@@ -599,7 +606,7 @@ Typically, identifying banners are part of the released binary for a given servi
 
 {linenos=off}
     nc -v <target> 22
-
+**Results**:
 {title="Results", linenos=off}
     Connection to <target> 22 port [tcp/*] succeeded!
     SSH-2.0-OpenSSH_6.7p1 Debian-3
@@ -622,15 +629,14 @@ To view all of the currently available local Nmap scripts:
 will give you the full listing. To narrow down the listing to specifics for the scenario:
 
 {linenos=off}
-    nmap --script-help "http-waf*"
+    nmap --script-help "h   ttp-waf*"
 
 yields the following two scripts, which are very useful:
 
-1. `http-waf-detect.nse`  
-attempts to determine whether the web server is protected by an IDS, IPS or WAF
-2. `http-waf-fingerprint.nse`  
-attempts to discover the presence of a WAF, its type, and version.
+1. `http-waf-detect.nse`: This attempts to determine whether the web server is protected by an IDS, IPS or WAF
+2. `http-waf-fingerprint.nse`: This attempts to discover the presence of a WAF, its type, and version.
 
+**Run both scripts**:
 {title="Run both scripts", linenos=off}
     nmap -p80 --script "http-waf-*" <target>
 
@@ -641,6 +647,8 @@ is also an excellent tool included in Kali Linux. WAFW00F, or `wafw00f`, tests f
 "_Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions_  
 _If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is_  
 _If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks_"
+–EnableSecurity
+
 
 #### DNS
 
@@ -781,7 +789,7 @@ is an excellent Open Source Intelligence (OSINT) tool.
 
 Discover is a collection of shell scripts to aggregate Kali Linux tools & automate various penetration testing tasks. Both passive and active options are available, allowing you to dig up a lot of information about your target long before you start trying to penetrate them. I have found both Domain and Person to be very useful.
 
-To run within Kali Linux you need to run the `/opt/discover/discover.sh` script. This is one of the additional tools we [added](#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-discover-scripts) to Kali.
+To run within Kali Linux you need to run the `/opt/discover/discover.sh` script. This is one of the additional tools we added (refer to the *Discover scripts* section in Chapter 3, *Tooling Setup*) to Kali.
 
 For example,  
 Recon -> Domain -> Passive combines:
@@ -851,9 +859,9 @@ Then type:
 
 {linenos=off}
     show modules
+You will be presented with a listing of all the modules in `/usr/share/recon-ng/modules/`:
 
-and you will be presented with a listing of all the modules in `/usr/share/recon-ng/modules/`:
-
+**recon-ng modules**:
 {title="recon-ng modules", linenos=off}
     Discovery
     ---------
@@ -1079,7 +1087,7 @@ The commands may feel a bit heavy to start with, but they are very intuitive. Sp
 
 An attacker will start to collate information, and will often feed it into a tool, or specific set of tools. If they have lots of time, which is rare, perform the same process manually. I find that the tools which have well thought out algorithms are the quickest and best way to create a short list of probable passwords to later attempt to access accounts via brute force attack.
 
-I discuss this further in the [People](#people-identify-risks-weak-password-strategies) chapter.
+I discuss this further in sub-section, *Weak Password Strategies* of section, *Identify Risks* of Chapter 6, *People*.
 
 ### Vulnerability Scanning / Discovery
 
@@ -1087,7 +1095,7 @@ In this phase an attacker directs their attention to obtaining (scanning for) we
 
 Much of the work the attacker accomplishes in the reconnaissance stage will also reveal vulnerabilities, in addition to all sorts of useful information.
 
-I am not going to spend much time in this section looking for vulnerabilities, as we do this throughout the book, especially in the Identify Risks sections of most chapters. I will list a handful of tools though that I find very useful in this stage.
+I am not going to spend much time in this section looking for vulnerabilities, as we do this throughout the book, especially in the *Identify Risks* sections of most chapters. I will list a handful of tools though that I find very useful in this stage.
 
 #### Nmap
 
@@ -1132,7 +1140,7 @@ Keep in mind that most of this scanning is quite noisy and has the potential to
 
 ### Vulnerability Searching {#process-and-practises-penetration-testing-vulnerability-searching}
 
-The vulnerability advisories that were mentioned in the [30,000 View](#vulnerability-advisories) chapter will be covered here in a little more detail.
+The vulnerability advisories that were mentioned in Chapter 1, *Starting with the 30,000' View* will be covered here in a little more detail.
 
 By now, we should have a good idea of some of the target's weaknesses; it is time to find some exploits.
 
@@ -1171,7 +1179,7 @@ During this stage, contemplating and capturing countermeasures for vulnerabiliti
 
 Hammer your own systems and watch logs. Become familiar with the signatures and indicators of different tools and attacks, you will then know when you are actually under attack. You can take the same steps with active and semi-active reconnaissance. In this manner, you will be able to pre-empt your attacker's attempts at exploitation.
 
-We will go through actual exploitation that would be carried out by an attacker or penetration tester in each of the following chapter's Identify Risks sections.
+We will go through actual exploitation that would be carried out by an attacker or penetration tester in each of the following chapters *Identify Risks* sections.
 
 #### Isolating, Testing Potential Malware
 
@@ -1291,7 +1299,7 @@ There are many tools that can help us capture, organise, and provide physical re
 
 Software engineers often use wikis for storing and collaborating on information that is meant for the team's benefit; Dradis is a similar type of web application that stores all the information specific to what work has been completed, and what is left to be accomplished on an engagement for info-sec teams. It is self contained, and can be run from the likes of a laptop wherever you are working from.
 
-Like good wikis, Dradis provides the ability to add attachments and create reports. Dradis is included in Kali Linux, and the source code can be accessed from the dradisframework [repository](https://github.com/dradis/dradisframework) of dradis, which can be found on GitHub. There is a collection of security tools that Dradis [integrates with](https://github.com/dradis/dradisframework#some-of-the-features), and creating connectors to additional tools is stated to be easy.
+Like good wikis, Dradis provides the ability to add attachments and create reports. Dradis is included in Kali Linux, and the source code can be accessed from the 'dradisframework' [repository](https://github.com/dradis/dradisframework) of dradis, which can be found on GitHub. There is a collection of security tools that Dradis [integrates with](https://github.com/dradis/dradisframework#some-of-the-features), and creating connectors to additional tools is stated to be easy.
 
 #### CaseFile
 
@@ -1339,7 +1347,7 @@ The following table shows the average cost of fixing defects based on when they
 
 ![](images/AverageCostOfFixingDefects.png)
 
-> This material is used with the author's permission from Code Complete, by Steve McConnell � 2004. All Rights Reserved.
+> This material is used with the author's permission from Code Complete, by Steve McConnell © 2004. All Rights Reserved.
 
 Steve McConnel goes on to say: The data in the above table "_shows that, for example, an architecture defect that costs $1000 to fix when the architecture is being created can cost $15,000 to fix during system test._" The below figure illustrates this same phenomenon.
 
@@ -1347,7 +1355,7 @@ Steve McConnel goes on to say: The data in the above table "_shows that, for exa
 
 "_The cost to fix a defect rises dramatically as the time from when it's introduced to when it's detected increases. This remains true whether the project is highly sequential (doing 100 percent of requirements and design up front) or highly iterative (doing 5 percent of requirements and design up front)._"
 
-> This material is used with the author's permission from Code Complete, by Steve McConnell � 2004. All Rights Reserved.
+> This material is used with the author's permission from Code Complete, by Steve McConnell © 2004. All Rights Reserved.
 
 ### Evil Test Conditions {#process-and-practises-agile-development-and-practices-evil-test-conditions}
 
@@ -1355,7 +1363,7 @@ Many developers will be familiar with the test condition workshop that is often
 
 ![](images/TestCondition.png)
 
-Also consider creating evil test conditions. Often, developers do not have the mind set for this. That is why we need that "person(s) with security specialisations" within the team, as discussed right at the beginning of the 30,000' View chapter.
+Also consider creating evil test conditions. Often, developers do not have the mind set for this. That is why we need that "person(s) with security specialisations" within the team, as discussed right at the beginning of Chapter 1, Starting with the 30,000' View.
 
 ![](images/TestConditionEvil.png)
 
@@ -1382,7 +1390,7 @@ BSIMM also has some good [guidance on security testing](https://www.bsimm.com/on
 
 ### Security Regression Testing {#process-agile-development-and-practices-security-regression-testing}
 
-If you are using NodeJS, and have not already gotten your tests running as part of a CI build or pre-commit hook, check out the Consuming Free and Open Source Tooling section in [Fascicle 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications) for some information on how to set this up.
+If you are using NodeJS, and have not already gotten your tests running as part of a CI build or pre-commit hook, check out the *Consuming Free* and *Open Source Tooling* section in *Holistic InfoSec For Web Developers, Part 1: VPS, Network, Cloud and Web Applications, Kim Carter, Leanpub* for some information on how to set this up.
 
 As I see it, this is one of the biggest wins you can take, with minimum expenditure. You can simply continue to use your existing automated test suites and frameworks. All you have to do is add a **security focused test API** into the mix. You can continue to use your chosen (language specific) TDD/BDD framework of choice, just proxy your existing tests through the security API. Then, simply tell the API to attack your application, targeting all known vulnerabilities that the API is aware of. The API will learn your application's external facing structure given that it has proxied all your requests and responses. The security API should already exist, all you have to do is use it.
 
@@ -1415,7 +1423,7 @@ Details on running Zap in a Docker container can be found on the [Zap wiki](http
 
 ##### NodeGoat Set-up on your local machine {#process-agile-development-and-practices-security-regression-testing-nodegoat-set-up-on-your-local-machine}
 
-The following is also addressed in the [Kali Linux Install](#tooling-setup-kali-linux-kali-linux-install) section of the Tooling Setup chapter.
+The following is also addressed in the *Kali Linux Install* section of Chapter 3, *Tooling Setup*..
 
 In VirtualBox you will need to add a Host-only Network. By default, this will be called `vboxnet0` in your VirtualBox settings. Running an `ifconfig` on the host will reveal a new network interface called `vboxnet0`. This allows guests and host to communicate with each other without anyone outside of the host network interface being able to see the communications. In this example, we set the Adapter IP address to `192.168.56.1`, an address then assigned to the host as an additional network interface.
 
@@ -1563,7 +1571,7 @@ Some developers have an inquisitiveness about how their work can be exploited, s
 1. Take the lead on the security front.
 2. Mentor; infect with their passion, and pass on their knowledge to their co-workers.
 
-I mention in the People chapter, specifically the ["Top Developer Motivators in Order"](#people-countermeasures-morale-productivity-and-engagement-killers-top-developer-motivators-in-order) section, how developers love being the champion of something. The role of the security champion or any champion for that matter, needs to be applied to the developer as a vacuum. People do not respond well to being pushed into anything. The best developers will just pick up the role, but many will not be as proactive. For less proactive developers, it pays to create the role and, as the Product Owner or manager, approach them and ask them if they would like to take on the responsibility as security champion. Once a developer has taken up this responsibility, they will usually do a pretty good job of infusing the rest of their team with their passion and knowledge.
+I mention in Chapter 6, *People*, specifically the *Top Developer Motivators in Order* section, how developers love being the champion of something. The role of the security champion or any champion for that matter, needs to be applied to the developer as a vacuum. People do not respond well to being pushed into anything. The best developers will just pick up the role, but many will not be as proactive. For less proactive developers, it pays to create the role and, as the Product Owner or manager, approach them and ask them if they would like to take on the responsibility as security champion. Once a developer has taken up this responsibility, they will usually do a pretty good job of infusing the rest of their team with their passion and knowledge.
 
 ### Pair Programming {#process-agile-development-and-practices-pair-programming}
 
@@ -1583,7 +1591,7 @@ The [BSIMM Code Review](https://www.bsimm.com/online/ssdl/cr/) resource has some
 
 #### Why? {#process-agile-development-and-practices-code-review-why}
 
-When humans are in a creative mode, we often struggle to see the defects in our own creation. That is why tightly knit teams with high morale (as discussed in the people chapter under the "Morale, Productivity and Engagement Killers" sections) are a force to be reckoned with. We are all watching each other's backs and we are good at seeing faults in others and their creations. That is why we really do need each other. Never underestimate this creative blindness that shows in us all and that we have a very powerful mitigation tool in the team. Use it.
+When humans are in a creative mode, we often struggle to see the defects in our own creation. That is why tightly knit teams with high morale (as discussed in Chapter 6, *People* under the *Morale, Productivity and Engagement Killers sections*) are a force to be reckoned with. We are all watching each other's backs and we are good at seeing faults in others and their creations. That is why we really do need each other. Never underestimate this creative blindness that shows in us all and that we have a very powerful mitigation tool in the team. Use it.
 
 #### Linting, Static Analysis
 
@@ -1628,18 +1636,19 @@ Here is an example from the Flow website.
     }
     foo('Hello, world!');
 
+**Run flow**:
 {title="Run flow", linenos=off, lang=bash}
     $> flow
     hello.js:5:5,19: string
     This type is incompatible with
       hello.js:3:10,15: number
-    
+**Refactoring to DbC**: 
 {title="Refactoring to DbC", linenos=off, lang=JavaScript}
     function foo(x: string, y: number): string {
       return x.length * y;
     }
     foo('Hello', 42);
-
+**Run flow**:
 {title="Run flow", linenos=off, lang=bash}
     $> flow
     hello.js:3:10,21: number
@@ -1674,7 +1683,7 @@ Code Monkey finishes his task much faster than Professional Developer.
 
 The Code Monkey is solely focused on completing the task as fast as possible. They cut some code and declare that the task is done. The Professional Developer thinks the problem through, does a little research to satisfy them self that their proposed approach is in fact the most appropriate approach for the problem. They organise a [test condition workshop](http://blog.binarymist.net/2012/03/24/how-to-optimise-your-testing-effort/#testConditionWorkshop), which solidifies requirements and drives out design defects via active stake holder participation. They drive there low level design with TDD, and make sure they follow [coding standards](http://blog.binarymist.net/2013/03/02/how-to-increase-software-developer-productivity/#codingStandardsAndGuidelines), thus ensuring that future maintenance to their code is easier, and much [easier to read](http://blog.binarymist.net/2009/12/24/keeping-encapsulation-on-ones-mind/).
 They ask for a pair to [review](http://blog.binarymist.net/2012/03/24/how-to-optimise-your-testing-effort/#pairReview) their code or perhaps requests a fellow team member to sit with them and [pair program](#process-agile-development-and-practices-pair-programming) for a bit on some complex areas of the code base.
-This makes sure their code is being run in the [continuous integration](http://blog.binarymist.net/2012/03/24/how-to-optimise-your-testing-effort/#continuousIntegration) suite, that their [acceptance tests](http://www.slideshare.net/kimcarter75098/moving-to-tdd-bdd) (which has been driving their feature) are passing, and that [security regression tests](#process-agile-development-and-practices-security-regression-testing) are not regressing.
+This makes sure their code is being run in the [continuous integration](http://blog.binarymist.net/2012/03/24/how-to-optimise-your-testing-effort/#continuousIntegration) suite, that their [acceptance tests](http://www.slideshare.net/kimcarter75098/moving-to-tdd-bdd) (which has been driving their feature) are passing, and that (refer to sub-section, Agile Development  of section, Security regression testing of this chapter) are not regressing.
 They check that their work complies with the [Definition of Done](http://blog.binarymist.net/2013/03/02/how-to-increase-software-developer-productivity/#definitionOfDone). You do have a Definition of Done, right?
 
 What the Product Owner or software development manager often fails to understand is that it is the slower (professional) developer that is creating code that can be maintained and extended at a sustainable pace. The Professional Developer is investing time and effort into creating a better quality of code than the Code Monkey, who appears to be producing code faster. The Product Owner and/or manager do not necessarily see this, in which case the Code Monkey clearly looks to be the superior developer. What also often occurs is that the Code Monkey rides on the Professional Developer's quality and adds their lower quality code on top, thus making the Code Monkey appear god-like.
diff --git a/manuscript/markdown/main/chapter5.md b/manuscript/markdown/main/chapter5.md
index 6a41c5a..b595761 100644
--- a/manuscript/markdown/main/chapter5.md
+++ b/manuscript/markdown/main/chapter5.md
@@ -76,14 +76,11 @@ You can even build your own with the likes of the Tessel and its [RFID module](h
 
 ![](images/tesselRFID.jpg)
 
-%% https://github.com/tessel/rfid-pn532/issues/24 Used with permission.
+ Used with permission : Refer the following link: %% https://github.com/tessel/rfid-pn532/issues/24.
 
-&nbsp;
-
-Of course, there are many more that I may explore in a later book or blog post.
 
-%% https://www.google.co.nz/search?q=rfid+tags&oq=rfid+tags&aqs=chrome..69i57j0l5.13744j0j7&client=ubuntu&sourceid=chrome&es_sm=93&ie=UTF-8#q=rfid+tag+exploitation
-%% http://www.rfidvirus.org/
+Of course, there are many more that I may explore in a later book or blog [post] (https://www.google.co.nz/search?q=rfid+tags&oq=rfid+tags&aqs=chrome..69i57j0l5.13744j0j7&client=ubuntu&sourceid=chrome&es_sm=93&ie=UTF-8#q=rfid+tag+exploitation
+%% http://www.rfidvirus.org/)
 
 ### Computers Logged in and Unlocked {#physical-identify-risks-computers-logged-in-unlocked}
 
@@ -152,7 +149,7 @@ The tools you use to provide visibility will determine what an attacker needs to
 
 ## 3. SSM Countermeasures
 
-There is a common theme throughout this section: prevent, detect and respond. It is discussed in a little more depth in the [RFID Tags](#physical-countermeasures-rfid) section.
+There is a common theme throughout this section: prevent, detect and respond.It is discussed in a little more depth in sub-section, *RFID Tags* of section, *3. SSM Countermeasures* of Chapter 5, *Physical*.
 
 ### Fortress Mentality {#physical-countermeasures-fortress-mentality}
 
@@ -168,13 +165,13 @@ I have [blogged](http://blog.binarymist.net/2012/11/04/sanitising-user-input-fro
 
 ![](images/ThreatTags/PreventionEASY.png)
 
-Provide education, then monitor and test that the education is taking effect; repeat if not, have someone with a devious, creative mindset test these areas. There are also quite a few ideas in the [People](#people) chapter on increasing staff engagement.
+Provide education, then monitor and test that the education is taking effect; repeat if not, have someone with a devious, creative mindset test these areas. There are also quite a few ideas in the Chapter 6, *People* on increasing staff engagement.
 
 ### Insecure Doors and/or Windows {#physical-countermeasures-insecure-doors-windows}
 
 ![](images/ThreatTags/PreventionVERYEASY.png)
 
-Much of ensuring that staff do secure the premises when they leave, comes down to the level of engagement. See the [People](#people) chapter for ideas on how to increase staff engagement and motivation to take care of the organisation they work for, while being alert. Do not underestimate how much of the staff member's attitude affects this.  
+Much of ensuring that staff do secure the premises when they leave, comes down to the level of engagement. See Chapter 6, _People_ for ideas for ideas on how to increase staff engagement and motivation to take care of the organisation they work for, while being alert. Do not underestimate how much of the staff member's attitude affects this.  
 Do not overwork your staff to the point that they are too tired when they leave the premises to think about doing a full rounds check, or if they do, then miss something.  
 It is an age old law. What goes around comes around. Treat your staff as you would like to be treated, and they will be more likely to make sure that the premises openings are locked properly when they leave.
 
@@ -243,7 +240,7 @@ You can then use your ranking as input to the Countermeasures step, thus helping
 
 ![](images/ThreatTags/PreventionEASY.png)
 
-Most of what you can do here comes down to the people problem described in the chapter on [People](#people).
+Most of what you can do here comes down to the people problem described in in Chapter 6, *People*.
 
 1. Educate your workers.
 2. Create a [culture](http://blog.binarymist.net/2014/04/26/culture-in-the-work-place/) that inspires people to think about security and includes it as part of who they are.
@@ -276,7 +273,7 @@ The “outside” vulnerability can be mitigated by the implementation of Li-Fi
 
 I usually use a pass-phrase of about 40 characters long, made up of random characters including a mix of alphanumeric, upper case, lower case and symbols. For some people this can be a little awkward. For those abiding by the best practises of using password vaults, it should actually be easier than typing a short pass-phrase, because they will be copied and pasted from the safe. In this case, there is no convenience lost. If such long pass-phrases feel inconvenient for users, it should compel them to use a password vault (which they should already be doing).
 
-The [Transient Devices](#physical-countermeasures-transient-devices) section may also be of interest.
+The sub-section _Transient Devices_ in section _3. SSM countermeasures_ in this chapter may also be of interest.
 
 #### Hiding the SSID
 
@@ -328,7 +325,7 @@ Again, company policy and culture may require some work as well.
 
 #### Cameras, Sensors and Alarms
 
-Detection is an important part of the overall security of your premises. When your prevention fails, you are going to want to know about it so that you can react appropriately. Ideally, surveillance systems should also be configured to send alerts to someone who is going to take notice of them. I have addressed some of the concerns about alerts that fail to trigger human reaction specifically in the "Morale, Productivity and Engagement Killers" section of the [People](#people) chapter. I have found ZoneMinder, an open source video surveillance solution, to be excellent at recording, detecting motion, and providing events. You can then do what ever you like with the events, including email, SMS, push notifications, etc. Be prepared to get your hands dirty here though as this is an open and extensible platform. I have also noticed NodeMinder, which was of interest to me, but at the time of this writing, was not being maintained, like so many NPM packages.
+Detection is an important part of the overall security of your premises. When your prevention fails, you are going to want to know about it so that you can react appropriately. Ideally, surveillance systems should also be configured to send alerts to someone who is going to take notice of them. I have addressed some of the concerns about alerts that fail to trigger human reaction specifically  section _Morale, Productivity and Engagement Killers_ of the Chapter 6, _People_. I have found ZoneMinder. I have found ZoneMinder, an open source video surveillance solution, to be excellent at recording, detecting motion, and providing events. You can then do what ever you like with the events, including email, SMS, push notifications, etc. Be prepared to get your hands dirty here though as this is an open and extensible platform. I have also noticed NodeMinder, which was of interest to me, but at the time of this writing, was not being maintained, like so many NPM packages.
 
 ## 4. SSM Risks that Solution Causes
 
@@ -354,7 +351,7 @@ With labels removed you run the risk that someone will forget who services the a
 
 ### Sensitive Printed Matter
 
-People may rebel against policy if they are not treated the right way. Sometimes it is hard to see this, people are good at hiding their true feelings. I discuss strategies of getting the most out of your people in the [People](#people) chapter so as to avoid a lack of buy-in and engagement.
+People may rebel against policy if they are not treated the right way. Sometimes it is hard to see this, people are good at hiding their true feelings. I discuss strategies of getting the most out of your people in Chapter 6, *People* so as to avoid a lack of buy-in and engagement.
 As with security in all other areas, increasing it is likely to cost a little more and decrease some convenience. Although, with thought and planning, this can become part of your company culture. People can be your strongest, or your weakest defence. This is your choice. Cultural change can be implemented from any level. The most successfully being from the shop floor.  
 High quality shredders are not much more expensive than their lesser counter-parts.
 
@@ -458,7 +455,7 @@ This technically does not provide any increased security, but reduces convenienc
 
 #### Wi-Fi Protected Set-up (WPS)
 
-This leads to a little increase in effort to establish a wireless connection. Those who are provided with access should also be recorded as having access, discussed below in the [Transient Devices](#physical-costs-and-trade-offs-transient-devices) section.
+This leads to a little increase in effort to establish a wireless connection. Those who are provided with access should also be recorded as having access, discussed below in the section *ransient Devices* of Chapter 5, *Physical*.
 
 #### WPA2 and WPA
 
diff --git a/manuscript/markdown/main/chapter6.md b/manuscript/markdown/main/chapter6.md
index ed62161..19b2bd9 100644
--- a/manuscript/markdown/main/chapter6.md
+++ b/manuscript/markdown/main/chapter6.md
@@ -2,7 +2,7 @@
 
 ![10,000' view of People Security](images/10000People.png)
 
-As in the chapter on [Physical](#physical) security, the people problem is often over-looked, not only by technical personnel, but by everyone. For a proficient social engineer (SE), it is easy to craft and execute attacks, although not quite as easy and simple as walking through the front door that has been left open. With a little patience, practise, and the right frame of mind, the majority of people can be played successfully, even those who are very aware.
+As in the Chapter 5, *Physical* on Physical security, the people problem is often over-looked, not only by technical personnel, but by everyone. For a proficient social engineer (SE), it is easy to craft and execute attacks, although not quite as easy and simple as walking through the front door that has been left open. With a little patience, practise, and the right frame of mind, the majority of people can be played successfully, even those who are very aware.
 
 Why is "people security" often over-looked? A couple of reasons I can think of include:
 
@@ -11,10 +11,11 @@ Why is "people security" often over-looked? A couple of reasons I can think of i
 
 As with many other attacks, this is often one that is a key component of a larger more sophisticated attack.
 
-If you think back to the Penetration Testing [process](#process-and-practises-penetration-testing) we walked through in the Process and Practises chapter, a SE generally carries out their attack sequences in a similar manner. The following steps offer the high level approach often taken:
+If you think back to the Penetration Testing process we walked through in the section, Penetration Testing in Chapter 4, Process and Practises, a SE generally carries out their attack sequences in a similar manner. The following steps offer the high level approach often taken:
 
 1. **Reconnaissance** (or Information Gathering)  
-This is one of the most important steps in a SE engagement. Similar to the [forms](#process-and-practises-penetration-testing-reconnaissance-reconnaissance-forms) discussed in the Process and Practises chapter, a huge amount of freely available information can be gathered without anyone suspecting what it is going to be used for, if it is used at all (semi-active), or that its even being gathered (passive). This information is used to feed the creation of the following attack steps, as well as technical attacks. We have already looked at some forms of information that an attacker can use to build their target's profile in the Process and Practises and Physical chapters. I would also like to draw your attention to the content Michael Bazzell has [collated](https://inteltechniques.com/links.html) and his excellent books on the gathering of Open Source Intelligence.
+This is one of the most important steps in a SE engagement. Similar to the forms discussed in sub-section, *Reconnaissance Forms* of section, *Penetration Testing* of Chapter 4, *Process and Practises*, a huge amount of freely available information can be gathered without anyone suspecting what it is going to be used for, if it is used at all (semi-active), or that its even being gathered (passive). This information is used to feed the creation of the following attack steps, as well as technical attacks.  We have already
+looked at some forms of information that an attacker can use to build their target's profile in the Chapter 4, Process and Practises and Chapter 5, Physical. I would also like to draw your attention to the content Michael Bazzell has [collated](https://inteltechniques.com/links.html) and his excellent books on the gathering of Open Source Intelligence.
 2. **Connecting with Target**  
 Humans are complicated units; we have a body, spirit, soul, feelings, emotions, and usually need to feel like we can trust someone before we hand over the proverbial jewels. An attacker can not approach a human as they would a machine although there are similarities. There are areas that we know we have to work around, for example. A skilled SE will build relationship with a target while they are gently probing for weaknesses. This is often carried out over weeks, or even months of communication and interaction. It is typically a gradual process, but sometimes trust can be built quickly. There are also many ways to fast track this process, such as:
   * Pretexting (becoming someone else): Here you learn someone else's behaviour, what they do, how they do it, their routines, what they know, who they know, how they talk, what they like, their family members, and their details. Most of these details are often freely available on the Internet in many forms. Equipped with these details, pretexting is simply acting as if you are that person. The closer you come to believing you are that person, the more successful the pretext will be.
@@ -27,7 +28,8 @@ At this stage an attacker has discovered human vulnerabilities in their target a
 This is where the attacker hits the jackpot and acquires what they were after from the onset of the assignment or operation, and leaves the target unsuspecting that they have been played at all, often leaving them thinking and feeling that they have helped someone legitimately. Similar to a successful technology based attack, the target should not have a clue that they have been exploited.
 
 ## 1. SSM Asset Identification
-Take results from [higher level Asset Identification](#starting-with-the-30000-foot-view-asset-identification). Remove any that are not applicable. Add any newly discovered. Here are some to get you started:
+Take results from the section, *1. SSM Asset Identification* of Chapter 1, *Starting with the
+30,000' View*. Remove any that are not applicable. Add any newly discovered. Here are some to get you started:
 
 * People carry huge amounts of confidential information on them, not only in their bags and devices, but also, most importantly, their brains. People are like sponges, we soak up information everywhere. We also leak a lot and are capable of leaking without even knowing it when targeted by a skilled SE. I will cover more of this in the Identify Risks section.
 * State of mind: An engaged, devoted, and loyal worker is truly an asset. I can not emphasise this enough.
@@ -38,8 +40,8 @@ Many of the assets are the same as those in other chapters, it is more that peop
 
 Risks based on the failures of people represent a very different set of attack vectors than any others mentioned in this material. People are both complex and complicated; our personalities are full of faults just waiting to be exploited, thus the approach at finding vulnerabilities is quite different.  
 You can still use some of the processes from the top level [2. SSM Identify Risks](#starting-with-the-30000-foot-view-identify-risks), but outcomes can look quite different.  
-I find the [Threat agents cloud](#starting-with-the-30000-foot-view-identify-risks-threat-agents) and [Likelihood and impact](#starting-with-the-30000-foot-view-identify-risks-likelihood-and-impact) diagrams still quite useful, as well as [MS 5. Document the Threats](#ms-5-document-the-threats), [OWASP Risk Rating Methodology](#ms-5-document-the-threats) and the [intel-threat-agent-library](#intel-threat-agent-library), as they are technology agnostic.  
-Additionally, [OWASP Ranking of Threats](#ms-6-rate-the-threats), [MS 6. Rate the Threats](#ms-6-rate-the-threats), and DREAD can be useful.
+I find the Threat agents cloud  diagrams still quite useful refer to the following sub-sections, *Threat Agents* and *Likelihood and impact*, of section *2. SSM Identify Risks* in Chapter 1, *Starting with the 30,000' View*, as well as the following sections, *OWASP Risk Rating Methodology* and the *Intel Threat Agent Library* in *MS 5. Document the Threats* as they are technology agnostic.
+Additionally refer to *OWASP Ranking of Threats* in the section *MS 5. Document the Threats*, *MS 6. Rate the Threats* mentioned in section *Rating of Threats*, and DREAD can be useful. People are the strongest point in a security process, they are often also the weakest.
 
 People are the strongest point in a security process, they are often also the weakest.
 
@@ -107,17 +109,15 @@ A very profitable tactic for an adversary is to acquire a staff member from a ta
 
 #### Password Profiling {#people-identify-risks-weak-password-strategies-password-profiling}
 
-There are a plethora of large password word-lists available. I discussed a handful of these in the [Tooling Set-up](#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-password-lists) chapter. An attacker will use password profiling to create short lists of words based on information gathered in the reconnaissance stage. These word-lists are typically much shorter than the "off the shelf" word-lists sometimes used for brute forcing targets accounts.
+There are a plethora of large password word-lists available. I discussed a handful of these in the sub-section, *Password Lists* , section *Tools I Use That Need Adding to Kali Linux* of Chapter 3, *Tooling Setup*. An attacker will use password profiling to create short lists of words based on information gathered in the reconnaissance stage. These word-lists are typically much shorter than the "off the shelf" word-lists sometimes used for brute forcing targets accounts.
 
-If running any of the following tools produces a list with your password in it, I strongly suggest you review the [Countermeasures](#people-countermeasures-weak-password-strategies) section to learn about strong passwords.
+If running any of the following tools produces a list with your password in it, I strongly suggest you review the section, *Countermeasures* in Chapter 4, *People to learn about strong passwords*.
 
 A> Word-list generators are used to create short more precise and targeted word-lists. It is important here to understand organisational password policies and constrain the tool that you use to produce a word-list that honours any password policies in place in the target organisation. Otherwise the tool will end up producing passwords not relevant to the target.
 
-##### [Crunch](http://tools.kali.org/password-attacks/crunch) {#people-identify-risks-weak-password-strategies-password-profiling-crunch}
+##### Crunch {#people-identify-risks-weak-password-strategies-password-profiling-crunch}
 
-&nbsp;
-
-Crunch seems a little lower level or granular, perhaps less personalised than the likes of cupp which we discuss soon. Crunch often creates larger word-lists. Of course, this depends on how you specify your arguments for crunch. The likes of wild-cards can help with granularity. Crunch would probably be a good choice if you know more about organisational password policies and less about the individual people/person.
+[Crunch](http://tools.kali.org/password-attacks/crunch) seems a little lower level or granular, perhaps less personalised than the likes of cupp which we discuss soon. Crunch often creates larger word-lists. Of course, this depends on how you specify your arguments for crunch. The likes of wild-cards can help with granularity. Crunch would probably be a good choice if you know more about organisational password policies and less about the individual people/person.
 
 Crunch generates every possible combination of characters you tell it to and provides control over the character sets you want used. There is a collection of character sets in Kali Linux in `/usr/share/rainbowcrack/charset.txt` you can use. The best one is in the crunch directory though: `/usr/share/crunch/charset.lst` You can also specify a literal set of characters as an argument.
 
@@ -144,9 +144,7 @@ or from the terminal:
 
 ##### Common User Passwords Profiler (CUPP) {#people-identify-risks-weak-password-strategies-password-profiling-cupp}
 
-&nbsp;
-
-Created by Muris Kurgas AKA j0rgan, this tool is easy to use and can be used in an interactive style. With the `-i` parameter, it interviews the person running it before it goes ahead and creates the word-list output. We installed this in the [Tooling Setup](#tooling-setup-kali-linux-tools-i-use-that-need-adding-to-kali-linux-cupp) chapter.
+Created by Muris Kurgas AKA jorgan, this tool is easy to use and can be used in an interactive style. With the `-i` parameter, it interviews the person running it before it goes ahead and creates the word-list output. We installed this in the sub-section *Common User Passwords Profiler (cupp)* of section, Tools I Use That Need Adding to Kali Linux in  Chapter 3, *Tooling Setup*.
 
 Once you have git cloned it, check the source to confirm what you are about to run, then run it. I like to use interactive mode with `-i`. Run it with no arguments to see the help screen and `cd` into `/opt/cupp/` to explore.
 
@@ -225,16 +223,16 @@ General usage is from the terminal as follows:
     cewl -d 2 -m 3 -w ~/cewl-bob-wordlist.txt www.bobthebuilder.com/en-us/
     # If you go deep, it can take a very long time.
 
-You can use the word-list produced and augment it with the likes of [crunch](#people-identify-risks-weak-password-strategies-password-profiling-crunch) to add some common extra characters, or even [cupp](#people-identify-risks-weak-password-strategies-password-profiling-cupp) to make the passwords a bit more personal.
+You can use the word-list produced and augment it with the likes of crunch (refer to section Crunch) to add some common extra characters, or even cupp (refer to sub-section Common User Passwords Profiler in (CUPP)), of section Weak Password Strategies in this chapter) to make the passwords a bit more personal.
 
-##### [Wordhound](https://bitbucket.org/mattinfosec/wordhound.git)
-
-&nbsp;
+##### Wordhound
 
 Wordhound is a Python application that creates word-lists based on generic websites, plain text (emails for example), Twitter, PDFs and Reddit sub-reddits.
 
 I discovered this tool in the Hacker Playbook 2. It looks like Kim had some trouble with it in Kali Linux but it does look like it has potential. I did not have the time to try it.
 
+https://bitbucket.org/mattinfosec/wordhound.git
+
 #### Brute Forcing
 
 The following brute force attempts were against the Damn Vulnerable Web App (DVWA) in the OWASPBWA suite running at IP `192.168.56.22`.
@@ -253,7 +251,7 @@ Often with HTTP brute forcing you will have to slow the requests down. Most tool
 Hydra appears to be the most [mature](https://www.thc.org/thc-hydra/network_password_cracker_comparison.html) of the brute force specific tools.
 
 To run hydra, simply run it from the menu in Kali Linux:  
-Password Attacks -> Online Attacks -> hydra  
+**Password Attacks -> Online Attacks -> hydra**  
 or from the terminal.
 
 {title="SSH", linenos=off, lang=bash}
@@ -271,7 +269,7 @@ or from the terminal.
 
 You can find the video of how the following attack is played out at [http://youtu.be/zevpMvQwWOU](http://youtu.be/zevpMvQwWOU).
 
-I> ## Web Forms
+I> **Web Forms**
 I>
 I> When it comes to using hydra against web forms, if you can, once you have the command set and ready to run, it is usually best to test it against the web site with a known good login to make sure hydra handles the success correctly and the failures correctly.
 I>
@@ -284,9 +282,9 @@ I> * The name of the field that takes the password
 I> * Failure message for a failed attempt. The only place you need to look is the response of the first request. It seems that any string in the response can be used, even if it is a redirect back to `login.php`, any header value, body value, or even header name. Alternatively You could use a success message for a successful attempt, cookie or what ever the web site uses to inform of a successful login.
 
 {icon=bomb}
-G> ## The Play
+G> **The Play**
 G>
-G> For this example, we need to add Bob the Builder, as profiled in the CUPP example above, to the DVWA database. I knew that the passwords in the DVWA database were stored as `MD5`s from the exercise I did in the SQLi section from the Web Applications chapter in [Fascicle 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications). If DVWA had assumed that the data-store would at some stage be compromised as discussed in the Data-store Compromise section, and provided the correct countermeasures as discussed in the countermeasures section of the Web Applications chapter in [Fascicle 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications), we would not be able to reverse engineer the crypto strategy as easily. The time it takes to brute force the passwords would also be significantly increased due to the key stretching of the Key Derivation Functions (KDFs). With that in mind though, if you profile effectively you will end up with a small word-list to use in your chosen brute force tool, which may only take a few hours or days for the average user's password.
+G> For this example, we need to add Bob the Builder, as profiled in the CUPP example above, to the DVWA database. I knew that the passwords in the DVWA database were stored as `MD5`s from the exercise I did in the SQLi section from the Web Applications chapter in [Part 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications). If DVWA had assumed that the data-store would at some stage be compromised as discussed in the Data-store Compromise section, and provided the correct countermeasures as discussed in the countermeasures section of the Web Applications chapter in [Part 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications), we would not be able to reverse engineer the crypto strategy as easily. The time it takes to brute force the passwords would also be significantly increased due to the key stretching of the Key Derivation Functions (KDFs). With that in mind though, if you profile effectively you will end up with a small word-list to use in your chosen brute force tool, which may only take a few hours or days for the average user's password.
 G>
 G> For the sake of demonstration, I chose a password from the middle of the word-list that CUPP produced: `Y35w3c4n!$@`. Bob thought he was being clever changing the characters of "yes we can" to look like numbers and adding some special characters to the end. Hackers know all the tricks though.  
 G> Browse to `/phpmyadmin` of the OWASPBWA, -u `root` -p `owaspbwa` and find the dvwa database and add `Bob` as a `user` and his hashed password that we produced from:  
@@ -299,13 +297,13 @@ G> to the `password` field.
 {icon=bomb}
 G> Using an HTTP intercepting proxy as mentioned above, let's use Burpsuite and FoxyProxy. Once you have DVWA running, or another website you want to attempt to brute force, browse to the login page. Then turn the "Burp 8080" proxy on. Start burpsuite and make sure it is listening on port `8080` (or what ever your browsers proxy is going to send to). I added a correct `username` ("user" in this case) but false `password` values to the `username` and `password` fields and submitted. Note that you can add any values.
 G>
-G> Now in Burpsuites Proxy tab -> HTTP history tab, right click on the (`POST`) request and select Send to Intruder. Go to the Intruder tab and in the Positions tab, keep the Attack type: "[Sniper](https://portswigger.net/burp/help/intruder_positions.html)" because we are only using one wordlist. If we were using a wordlist for usernames and a different one for passwords, we would probably want to use "Cluster bomb".
+G> Now in Burpsuites **Proxy** tab -> **HTTP history** tab, right click on the (`POST`) request and select **Send to Intruder**. Go to the Intruder tab and in the **Positions** tab, keep the Attack type: "[Sniper](https://portswigger.net/burp/help/intruder_positions.html)" because we are only using one wordlist. If we were using a wordlist for usernames and a different one for passwords, we would probably want to use "Cluster bomb".
 G>
 Now clear all the highlighted fields apart from the `password` value, then go to the Payloads tab. Keep the Payload set to 1 and Payload type set to [Simple list](https://portswigger.net/burp/help/intruder_payloads_types.html).
 G>
 G> I just added `user1`, `user2`, `user3` and `user`, the last being the correct password. It can pay to have a valid account to test with, especially with `HTTP`. You do not need FoxyProxy on any more either.  
-G> Go into the Intruder menu up the top -> Start attack. You will now get a pop up window with the results of the passwords you added.  
-G> With the Response tab and Raw tab selected, start at the top of the requests and just arrow down through them, inspecting the differences as you go. You should see that the last one, the `user` password, has one changed value from the other responses. It will have a `Location` header with value of `index.php` rather than `login.php` that all the failed responses contain.
+G> Go into the Intruder menu up the top -> **Start attack**. You will now get a pop up window with the results of the passwords you added.  
+G> With the **Response** tab and **Raw** tab selected, start at the top of the requests and just arrow down through them, inspecting the differences as you go. You should see that the last one, the `user` password, has one changed value from the other responses. It will have a `Location` header with value of `index.php` rather than `login.php` that all the failed responses contain.
 G>
 G> That is our difference that we use to feed to our brute forcing tool so that it knows when we have a successful login, even though, in theory, the login process is not yet complete as we have not issued the follow up `GET` request. This does not matter, as we know we would not have been given an `index.php` if we were not authorised.
 G>
@@ -466,7 +464,7 @@ I think the following may also have suffered from Medusa's redirect problem. I h
     passvar=admin, \
     uservar=admin' -vvv -d
 
-I address the compromise of password hashes in the Web Applications chapter of [Fascicle 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications) under the section "Management of Application Secrets".
+I address the compromise of password hashes in the Web Applications chapter of [Part 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications) under the section "Management of Application Secrets".
 
 ### Vishing (Phone Calls) {#people-identify-risks-phone-calls}
 ![](images/ThreatTags/average-widespread-average-severe.png)
@@ -497,7 +495,7 @@ Some services are free, some are paid for. SMS providers offering spoofing capab
 
 You can [DIY](http://www.social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingWithAsterisk.html) with the likes of [Asterisk](http://www.asterisk.org/get-started), an open source framework that provides all the tools anyone would need to spoof Caller IDs and much more. You will need a VoIP service provider, but you control everything else, and all of the information about your target is in your hands alone.
 
-If you are planning a phone call, you are going to have to have a pretty solid idea of who your pretext is and know as much as possible about them in order to make your pretext believable. This is where you really draw from the reconnaissance phase as seen in the [Processes and Practises](#process-and-practises-penetration-testing-reconnaissance) chapter. It is a good idea to script out the points you (SE) want to cover in your phone call. Rehearse the points many times so that they sound natural. The more you practise, the easier it will be when you have to deviate (the target will often throw curve balls at you) from your points and come back to them. There is no substitute for having as much information as possible on the target and have rehearsed the call many times.
+If you are planning a phone call, you are going to have to have a pretty solid idea of who your pretext is and know as much as possible about them in order to make your pretext believable.This is where you really draw from the reconnaissance phase as seen in the sub-section *Reconnaissance* of section *Penetration Testing* in Chapter 4, *Processes and Practises*. It is a good idea to script out the points you (SE) want to cover in your phone call. Rehearse the points many times so that they sound natural. The more you practise, the easier it will be when you have to deviate (the target will often throw curve balls at you) from your points and come back to them. There is no substitute for having as much information as possible on the target and have rehearsed the call many times.
 
 SMS spoofing can also be very useful. Some services cannot handle return messages though, unless the attacker has physical access to a phone that would legitimately contact the target's phone (as with [flexispy](http://blog.flexispy.com/spoof-sms-powerful-secret-weapon-shouldve-using/)) and can install software on the initiating phone which the attacker controls.
 
@@ -730,9 +728,9 @@ Quite a few file formats are supported to cloak the payload, such as PDF, Word d
 
 The Teensy USB device as a [penetration testing device](http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle) overcomes running payloads on the target machine the same way a keyboard or Rubber Ducky would. Because it is a Human Interface Device (HID) it is trusted by most OSs. It can be concealed in any type of USB hardware. That alone creates a huge vector for exploitation. The Teensy has similar specifications to the Rubber Ducky but is about half the price. It is just a development board though, and has to be programmed via an Arduino. SET provides the reverse shells, listeners, and a good selection of exploits out of the box. Metasploit is at your disposal as usual with SET and attack vectors such as PowerShell, wscript, and others are available.
 
-#### [USB Rubber Ducky](http://usbrubberducky.com/)
+#### USB Rubber Ducky
 
-The USB standard has a HID specification, which means that any USB device masquerading as a keyboard will be automatically accepted by most OSs. 
+The [USB](http://usbrubberducky.com/) standard has a HID specification, which means that any USB device masquerading as a keyboard will be automatically accepted by most OSs. 
 
 The main Duckyscript Encoder is a Java application that converts the ducky script files into hex code. You can load them on your micro SD card, insert the card into the ducky and SE your ducky into your target's computer. The encoder can be downloaded from the hak5darren github accounts USB-Rubber-Ducky repository [Downloads page](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Downloads) on the wiki.
 
@@ -855,7 +853,7 @@ It was also noted in the Arxan report that 80% of consumers would change provide
 
 ### [Morale, Productivity and Engagement Killers](https://speakerdeck.com/binarymist/how-to-increase-software-developer-productivity) {#people-countermeasures-morale-productivity-and-engagement-killers}
 
-Staff are often thought of as resources. If you want the best out of your people, treat them like valuable assets. Go out of your way to build meaningful relationships with them and create empathy. People base their decisions on emotions, later justifying them with facts. With this in mind, keep them on strong emotional ground. Staff that feel appreciated work much harder and will be more likely to:
+Staff are often thought of as resources. If you want the best out of your people, treat them like valuable assets. Go out of your way to build meaningful relationships with them and create empathy. People base their decisions on emotions, later justifying them with facts. With this in mind, keep them on strong emotional ground. Staff that feel appreciated work much harder and will be more likely to. Go to the following [link] (https://speakerdeck.com/binarymist/how-to-increase-software-developer-productivity):
 
   * be conscientious about everything, including following organisational policy
   * remain engaged and alert
@@ -932,7 +930,7 @@ Set more than that and developers lose their focus. Developers do not respond we
 ### Employee Snatching
 ![](images/ThreatTags/PreventionDIFFICULT.png)
 
-Combative staff snatching can be attributed to the countermeasures of [Morale, Productivity and Engagement Killers](#people-countermeasures-morale-productivity-and-engagement-killers).
+Combative staff snatching can be attributed to sub-section *Morale Productivity* and Engagement Killers of *3. SSM Countermeasures* in this chapter.
 
 #### Exit Interviews
 
@@ -955,7 +953,7 @@ Defeating compromise is actually very simple, but few follow the guidelines. Tho
 
 * Good passwords should be long and complex enough that you are unable to remember them.
 * Use a mix of random, or at worst pseudorandom, alphanumeric, upper/lower case, and special characters. Get yourself a [OneRNG](http://onerng.info/) for generating true randomness.
-* Swapping characters with numbers and special characters does not really make compromise that much more difficult as we have already seen in the Identify Risks section [above](#people-identify-risks-weak-password-strategies).
+* Swapping characters with numbers and special characters does not really make compromise that much more difficult as we have already seen in the sub-section *Weak Password Strategies* of section *1.SSM Identify Risks*.
 * Use a unique password for every account.
 * Use a password database (ideally with multi-factor authentication) that generates passwords for you based on the criteria you set. This way, the profiling attacks we have mentioned are going to have a tough time brute forcing your accounts. This is such simpler and easy to implement advice, but still so many are failing to take heed.
 
@@ -989,7 +987,7 @@ Creating policy that ensures call recipients request and obtain the caller's nam
 
 Do not rely on Caller ID. It isn't trustworthy. I am not aware of any way to successfully [detect](http://www.cse.sc.edu/~mustafah/download/cid_USC_CSE_TR-2013-001.pdf) Caller ID spoofing before the call is answered.
 
-With SMS, the first line of detection is to respond to the number that was spoofed confirming any information in the initial message. This will rule out many services. Failing that, confirmation by calling the sender and recognising their voice, will go a long way. The next line of defence would be to contact them via some other means such as email, but face to face is always going to be the best. Work you way through the list of communication techniques from the [Email](#people-countermeasures-morale-productivity-and-engagement-killers-email) section above.
+With SMS, the first line of detection is to respond to the number that was spoofed confirming any information in the initial message. This will rule out many services. Failing that, confirmation by calling the sender and recognising their voice, will go a long way. The next line of defence would be to contact them via some other means such as email, but face to face is always going to be the best.Work your way through the list of communication techniques from the sub-section, *Email* of section, *SSM Countermeasures*.
 
 ### SMiShing {#people-countermeasures-smishing}
 ![](images/ThreatTags/PreventionAVERAGE.png)
@@ -1129,7 +1127,7 @@ By providing developers with the tools needed to maximise their motivation, thes
 
 ### Employee Snatching
 
-As per above, your people assets need to be guarded. This all comes back to the same thing: what comes around goes around. Treat your knowledge workers how they expect to be treated. Check the [Top Developer Motivators in Order](#people-countermeasures-morale-productivity-and-engagement-killers-top-developer-motivators-in-order) above if unsure what this means.
+As per above, your people assets need to be guarded. This all comes back to the same thing: what comes around goes around. Treat your knowledge workers how they expect to be treated. Check Top Developer Motivators in Order in sub-section, Morale, Productivity and Engagement Killers of section, SSM Countermeasures in this chapter if unsure what this means.
 
 #### Exit Interviews
 
@@ -1262,7 +1260,7 @@ There is just training and testing required here.
 
 ### SMiShing
 
-Training and testing are required here too, plus the cost of engaging the brain, always being suspicious and thinking of ways you could be outsmarted. Verify that the source number is the legitimate number you're led to believe it is. Not a big deal using the services discussed in the [Vishing Countermeasures](#people-countermeasures-phone-calls) section.
+Training and testing are required here too, plus the cost of engaging the brain, always being suspicious and thinking of ways you could be outsmarted. Verify that the source number is the legitimate number you're led to believe it is. Not a big deal using the services discussed in the sub-section  Vishing (Phone Calls) of section 3. SSM Countermeasures in this chapter.
 
 ### Favour for a Favour