The Art of Deception: Controlling the Human Element of Security

When I picked this book up, I thought it was going to be an apologia from Mitnick for his prior life's work: cracking into supposedly secure phone and computer systems and networks. I read the book just before Hallowe'en, and that was appropriate, because the stories Mitnick recounts are really scary. Instead of wasting words explaining his own actions, Mitnick gives scores of fascinating examples of how most "security" proved to be simply non-existent. In the end, all security systems depend on humans, and therein lies the weakest link. The books shows how easy it is to gain people's trust- over the phone- and by getting them to reveal little bits of seemingly harmless information, gaining complete control over any data the con man (or woman) wants to get.The book sets out security policies, and there's also a whole chapter on security training. One of Mitnick's recommendations is for companies to supply each employee with a copy of the book. Normally I'd dismiss this as blatant self-promotion. But believe me, in this case, the more people share the book's stories with each other at the water cooler, the closer the company will come to being a secure environment. Mitnick makes it clear that everyone in the company has to be aware of security issues, and of the many types of attacks he describes so well, and know how to react to any demand for information, even from someone who appears to be an insider. By the time you finished the book, you'll be a believer, and you'll think two or three times before giving out information. And company security officers may want to stop simply sending e-mails about security, and get all employees (including the receptionists!) into classroom training.The only problem I had with this book was Mitnick's use of the term "social engineering" to describe the manipulation of employees and security systems. Social engineering is what the conservatives accuse the liberals on the U.S. Supreme Court of doing. But that's a minor item in an otherwise overwhelming and totally convincing book.

This book cuts to the chase, and exposes what was, currently is, and will continue to be the weakest link in computer security... the human element. Historically, people seem to take the path of least resistance. Give them a reason to believe you are who you say you are, and they will accept it. Give them a reason to think you're helping them (even with a problem they never knew they had until you pointed it out to them), and they will put at your disposal all their tools and information. We won't be able to make much inroads into security (of any kind) until we being to change the essence of human nature... and that, my friend, is unlikely to change. Kevin Mitnick tells it like it is -- from the voice of experience. As obvious as some of the pretexts are, they worked for him... and will likely continue to work for the next generation's social engineer. Remember, the difference between truth and fiction is but a state of mind. Persuasion is still the key element... one that Mitnick has mastered. Read, learn, and avoid the simple mistakes of others. Thanks for the book, Kevin.

Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." It's suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering - that most subtle of information security threats.Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.In order for an organization to dev

While it's a temptation to impose value judgement about the author who is a convicted felon, I strongly urge anyone who is involved in security (IT and corporate), internal auditors and fraud prevention specialists to suspend any opinions of the author and to carefully read this book.What we in the IT world call 'social engineering' is nothing more than a con that exploits human trust. Mitnick was highly effective at social engineering and this book provides a wealth of information regarding his views of 'social engineering' vulnerabilities and how he exploited them. He exposes the details of some of the most effective techniques used by those who use social engineering to accomplish their goals - whether those goals are as sinister as corporate espionage or fraud, or merely to prove that they can gain access to systems and information. While some of the recommended countermeasures in this book may seem Draconian there is middle ground to implement effective controls that do not hamper business processes or impose overly restrictive policies.The bottom line, though, is to learn from this book and distill the key lessons into knowledge throughout your organization. Awareness is one of the most powerful security tools, and this book promotes that. Also, while this book is ostensibly about IT security, the lessons imparted are as applicable to any other aspect of a business as they are to IT - in many ways there are even more applicable because the exploits are based on effective con games that were in existence long before computers came on the scene.

I went into this book thinking I knew a fair amount about security in general. You know, don't leave your network password on a post-it on your bulletin board, be aware of strangers in your office, that kind of thing. Then, I finished reading the book, and realized that it challenged all the assumptions that I had about the way I react in these situations. Mitnick's right - we as human beings are conditioned to be polite and trusting, and as horrible as it seems, that's not always right. But you don't have to become nasty and distrustful, just aware. That's what this book is talking about. The examples are wonderful - they really do read like a mystery thriller. And the advice is really sound. It doesn't mention it here, but there is a great flowchart in the back of the book that I've copied for everyone in my office. It details what to do if someone calls you for information that you are not sure they need or should be getting. All in all, The Art of Deception is a must read for many of us.