The Art of Deception: Controlling the Human Element of Security
Authors: Kevin D. Mitnick and William L. Simon
Pages: 368
Publisher: Wiley
ISBN: 0-471-23712-4
Introduction
Kevin Mitnick is one of the best-known figures in the world of computer security. There’s a lot of controversy surrounding Mitnick – some regard him as a hacker, others as a cracker. The legendary Steve Wozniak wrote in the foreword of the book: “Kevin Mitnick is one of the finest people I know.” When the book came out, it was frequently described as a kind of redemption for Mitnick. I want you to read this review without thinking about anything you know about Kevin Mitnick, and to concentrate instead on the knowledge packed into the book.
About the authors
Kevin Mitnick is a security consultant to corporations worldwide and a co-founder of Defensive Thinking, a Los Angeles-based consulting firm. He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government’s information systems. He has also been a keynote speaker at numerous industry events and has hosted a weekly radio show on KFI AM 640 Los Angeles.
William Simon is a bestselling author of more than a dozen books and an award-winning film and television writer.
Inside the book
Mitnick gets the book going by identifying the human factor as security’s weakest link. A first-rate intrusion detection system, a properly configured firewall and strong encryption make little difference if you haven’t made sure that your employees learn sound security practices. You have to be aware of the fact that no technology by itself can prevent a social engineering attack: the attacker doesn’t defeat the control, he persuades a person to bypass it for him.
In the spotlight we find naivety, stupidity and gullibility, and plenty of it. As you study the innumerable case studies you begin to comprehend how misleading our sense of security can be. The author draws a clear distinction between the amateur computer intruder, who goes for quantity, and the professional intruder, who targets specific, high-quality information. The latter is, obviously, the one you should worry about the most.
As the book progresses you basically get into the mind of the social engineer, as Mitnick skilfully analyzes his behaviour. A good social engineer never underestimates his adversary and is usually very articulate.
What you learn is how important the protection of information is. Sometimes documents that you deem to contain only innocuous data can be of great value to a social engineer. A single piece of information may be worthless on its own, but combined with several others just like it (an employee’s name, an internal extension, the name of a project or a system, a bit of company jargon) it forms something of real value to an attacker, because it lets him sound like an insider.
The stories throughout the book are depicted in great detail with accompanying telephone conversations and in-depth clarifications of what happened. That’s not all though. Mitnick doesn’t just demonstrate how your security can be broken; he gives you guidance on how to harden your defenses.
It is of the utmost importance that your employees understand how serious a mistake the mishandling of non-public information can be. Equally important are things everyone takes for granted, such as passwords, including the verbal kind: the security codes and passphrases used to authenticate a caller over the phone. Using proper passwords and never disclosing them to anyone, whatever the caller claims to be, is one of the crucial steps to security.
Mitnick makes a fundamental point when it comes to the training of users: the training itself matters, but it’s just as crucial to use techniques that constantly remind people of what they’ve learned, so that it doesn’t fade away with time. If the training is successful, users learn how to think and observe more carefully.
The author also explains what a corporate information security policy is and provides insight on how you should develop a comprehensive information security program. This material can definitely be used as a sort of reference guide. It’s also important to realize that most social engineering attacks can be prevented, but unless everyone in the organization is fully security-conscious, there will always be risks.
At the end of the book you find lists and charts that provide a quick-reference version of the social engineering methods discussed throughout the book, as well as the verification procedures from chapter 16. It’s good to keep those handy so you can remind yourself about the threats from time to time.
My 2 cents
Some may think that this book is all about intimidation, that some of the scenarios depicted here couldn’t happen. I don’t. I believe this book to be an eye-opener to how vulnerable we are. There’s no doubt you’ll become a bit paranoid after you get through “The Art of Deception”, and I think that’s exactly what you need.
You need to shape up and, in case you still don’t get it, start treating security as a process and not as a product. Security doesn’t stop in the server room or at the fingerprint reader on your employees’ desktop computers. It goes beyond all those things. It’s not enough to teach your employees to stop writing their passwords on post-it notes or disclosing them to anyone. Education is needed to make both you and your employees question situations that look routine. You need a good security policy. You definitely need this book.