The Art of Deception: Controlling the Human Element of Security

After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.

Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.

Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk

Product Description
The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

What we in the IT world call 'social engineering' is nothing more than a con that exploits human trust. Mitnick was highly effective at social engineering and this book provides a wealth of information regarding his views of 'social engineering' vulnerabilities and how he exploited them. He exposes the details of some of the most effective techniques used by those who use social engineering to accomplish their goals - whether those goals are as sinister as corporate espionage or fraud, or merely to prove that they can gain access to systems and information. While some of the recommended countermeasures in this book may seem Draconian there is middle ground to implement effective controls that do not hamper business processes or impose overly restrictive policies.

The bottom line, though, is to learn from this book and distill the key lessons into knowledge throughout your organization. Awareness is one of the most powerful security tools, and this book promotes that. Also, while this book is ostensibly about IT security, the lessons imparted are as applicable to any other aspect of a business as they are to IT - in many ways there are even more applicable because the exploits are based on effective con games that were in existence long before computers came on the scene.


Interesting & timely about the dangers of social engineering   October 15, 2002
Ben Rothke (USA)
49 out of 51 found this review helpful

Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." It's suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering - that most subtle of information security threats.

Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.

Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.

Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

In order for an organization to develop a successful training program against the threats of social engineering, they must understand why people are vulnerable to attack in the first place. Chapter 15 explains of how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity), can companies ensure employees understand why social engineers can manipulate us all.

After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood's seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick's security advice is revolutionary - it's information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier's Secrets and Lies being another) to deal with the human aspect of security; a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature.


Puts the Others to Shame   October 15, 2002
Keith Kimmel (OK USA)
8 out of 8 found this review helpful

There are plenty of other so-called 'hackers' who are 'coming out' to help the world and writing books about it, and I have read most if not all them.

When I ordered 24 copies from Wiley & Sons [the publisher] for resale at my eBookstore, I thought it would be just another hacker book that would sell well, but would leave it's reader not knowing a whole lot more about the subject of information security (InfoSec) than they did before they picked up the book and parted with their funds. I was wrong.

Mitnick's book is full of useful information that can [and should] be put to use in any organization. The advice provided is not only practical but detailed and logical. The stupidity or carelessness of one user on the corporate LAN can render millions of dollars in gee-wiz security gadgets useless, allowing hackers into sensitive severs housing customer contact lists, proprietary trade secrets and internal memorandums containing confidential and personal information.

For those of you who don't know, Mitnick breached the security of the largest corporations in America, including Motorola. After one of the most exhaustive manhunts in FBI history, and Mitnick's subsequent release from federal prison, he has been the most sought-after security consultant in the world.

Mitnick, who is probably the world's foremost expert in trickery to gain access to sensitive information (known as 'social engineering'), reveals exactly how vulnerable you and your companies' personal information is to someone posing as an IRS Agent or as a AT&T Customer Service Representative. You could say that Mitnick either had god's unlisted telephone number, or he could trick someone into giving it to him.

Full of information that any company can use to implement effective security practices and make sure they are followed, The Art of Deception is a book that every corporate security manager, investigator and hacker alike should have on his or her desk.


Much-needed complement to books on network security   January 2, 2003
James J. Lippard (Phoenix, AZ USA)
6 out of 7 found this review helpful

Kevin Mitnick has put together an excellent book, that fills a major gap in the computer and network security literature. The examples are realistic (I suspect more than one is a thinly-veiled example from real life) and clear depictions of the principles they illustrate. The book is well-organized, and most importantly, it gives sound advice on how to defeat the social engineer. The suggested information security policies at the end of the book are worth the price of the book all by themselves. This is a must-read for information security professionals and corporate executives. It is nice to see that Kevin Mitnick has returned something of value to the world.


An Expert That Knows   December 19, 2002
Randy Given (Manchester, CT USA)
5 out of 6 found this review helpful

If you are used to going to books by experts available to the public (e.g., Bruce Schneier on cryptography), then this is the new classic book from an expert on "social engineering".

There are questions around the author's circumstances and deeds, how his rights were tread upon, etc. Disregard that and learn from a master. When hearing testimony from some criminals, serial killers for example, it is much harder to separate psychological problems from physiological problems from societal problems and so on. With crackers (bad hackers), it is a little easier. When one of them lays out all this material in an informational organized manner, we need to take note. This book is such a case.

Many crackers will brag about their technical prowess and escapades. Very few will brag about their social equilance. By far, the latter is more dangerous, as any (good) computer security expert knows.

The book starts out with many good examples of vulnerabilities in an easy-to-read manner. I learned several new areas where I need to tighten my OWN security. Kaching!

Where it really starts getting good is in the applications. Sections 2 and 3 are good, but especially good are chapters 11 ("Combining Technology and Social Engineering"), 15 ("Information Security Awareness and Training") and 16 ("Recommended Corporate Information Security Policies"). Chapter 16 is well worth the price of the book, all by itself.

If you are serious about REAL computer security that is effective, you must read this book.