Customer Reviews

The Art of Deception: Controlling the Human Element of Security

5 star:		(80)
4 star:		(29)
3 star:		(20)
2 star:		(7)
1 star:		(8)

 

 

Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." It's suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering - that most subtle of information security threats.

Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.

Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.

Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

In order for an organization to develop a successful training program against the threats of social engineering, they must understand why people are vulnerable to attack in the first place. Chapter 15 explains of how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity), can companies ensure employees understand why social engineers can manipulate us all.

After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood's seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick's security advice is revolutionary - it's information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier's Secrets and Lies being another) to deal with the human aspect of security; a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature.

Mitnick has his own reputation to live up to with this book, which sets a pretty high bar for the audience who knows him as the "World's Most Notorious Hacker." Unfortunately, while he knows the material cold, his skills as an author are less stellar.

The vignettes describing various cons are, in the large, very entertaining. They're fictionalized, and sometimes the dialogue feels artificial. This book is supposed to convince us how easily people are victimized by social engineers. When the victim's dialogue plays too obviously into the con man's hands (for the purpose of illustrating the point relevant to the enclosing chapter/section), this goal is to some extent defeated. It's too easy to read unnatural dialogue and use that as an excuse to tell oneself, "I don't have to worry about that sort of attack -- I'm not that dumb!" More effort could have been expended in fictionalizing these scenarios without making them so difficult to relate to. Seeing how a con is performed is kind of like learning how a magic trick works -- it holds a similar fascination. Imagine seeing an amazing magic trick performed on television, wondering how it was possibly accomplished, and then learning that the trick was all in the video editing. That really sucks the fun out of the magic -- analogously, when the "trick" in one of these cons is just that the victim does something obviously stupid at just the right moment, the believability and enjoyment are damaged.

Despite what I've said, the cons are definitely enjoyable to read and do offer some genuine insights. Not all suffer from believability problems. However, the supporting material discussing these scenarios is pretty weak. There's a rigid format ("Analyzing the con," "Preventing the con," etc.) which leads the author to repeat the same points over and over again with very little variation, at times seemingly just to fit the format. The purpose of all this material is to give useful security recommendations and proper motivation for following them. The recommendations are on-target, but repeated ad nauseum.

The descriptions of social engineers also suffer from a tendency to stroke the author's own ego -- the bigger the con, the thicker the language about how smart, handsome, and clever the con man is. I'd like to be convinced by facts, not hyperbole.

I think this would really have worked better as two books, for two different audiences. One for entertainment, to read about all the cons and how they work, to get a little history of social engineering. And one for serious security discussion. The blend of the two leads to a schizoid work that's simply mediocre.

I went into this book thinking I knew a fair amount about security in general. You know, don't leave your network password on a post-it on your bulletin board, be aware of strangers in your office, that kind of thing. Then, I finished reading the book, and realized that it challenged all the assumptions that I had about the way I react in these situations. Mitnick's right - we as human beings are conditioned to be polite and trusting, and as horrible as it seems, that's not always right. But you don't have to become nasty and distrustful, just aware. That's what this book is talking about. The examples are wonderful - they really do read like a mystery thriller. And the advice is really sound. It doesn't mention it here, but there is a great flowchart in the back of the book that I've copied for everyone in my office. It details what to do if someone calls you for information that you are not sure they need or should be getting. All in all, The Art of Deception is a must read for many of us.

Now that Kevin Mitnick is out of prison he has written "The Art of Deception". I rate this book as four stars. Has good insight regarding how Kevin was able to gain large company employee's trust by using social engineering methods. He gives great examples of how he would simply use a telephone to gain user id's and passwords, even from high tech security departments.

Most employee's don't think they are allowed to say 'no' to giving out information over the phone or email in the name of great customer service. There may be company policies but they 'still try to do the right thing' to help a co-worker regain access to the system, when in fact the person is a hacker.

Many solutions are offered to help small and large companies balance the choice of customer service over security and trust. One funny chapter was how Mr. Mitnick's used the same social engineering methods in prison to get additional phone calls, better food, and increase family visits. Classic... He didn't stop even in prison.

I recommend this book.

This book cuts to the chase, and exposes what was, currently is, and will continue to be the weakest link in computer security... the human element. Historically, people seem to take the path of least resistance. Give them a reason to believe you are who you say you are, and they will accept it. Give them a reason to think you're helping them (even with a problem they never knew they had until you pointed it out to them), and they will put at your disposal all their tools and information. We won't be able to make much inroads into security (of any kind) until we being to change the essence of human nature... and that, my friend, is unlikely to change. Kevin Mitnick tells it like it is -- from the voice of experience. As obvious as some of the pretexts are, they worked for him... and will likely continue to work for the next generation's social engineer. Remember, the difference between truth and fiction is but a state of mind. Persuasion is still the key element... one that Mitnick has mastered. Read, learn, and avoid the simple mistakes of others. Thanks for the book, Kevin.

I waited for the book of the famous hacker Kevin Mitnick for a long
time, checking my mailbox every day after my pre-order was
completed. The book was almost worth the wait!

Its a fun book with lots of entertaining and education stories on what
is possible by means of social engineering attacks. The characters
clearly push the limits of this "human technology".

One of the articles I have read on the book called it "Kevin Mitnick's
Latest Deception" due to his downplaying of technology security
controls and emphasizing people skills and weaknesses. However, the
human weaknesses do nullify the strengths of technology defenses and
humans are much harder to "harden" than UNIX machines.

The attack side is stronger in the book than the defense side,
naturally following from the author's background. However, there are
some great defense resource on policy design, awareness and needed
vigilance. However, there is this "minor" issues with defense against

social engineering: one of the definitions called it a "hacker's
clever manipulation of the natural human tendency to trust". The word
"natural" is key; if we are to believe the definition, all defenses
against social engineering will be going against _nature_ and, as a
result, will be ineffective for most environments. Author also
advocates social engineering penetration testing, which appears to be
the best way to prepare for such attacks. Security awareness, while
needed, will get you so far.

The book's stories show examples of hackers defeating firewalls,
passwords, token and two-factor authentication systems, multi-layer
defense, financial institutions security, armed guards and many other
commonly believed to be effective security controls. While some of the
stories first seem to defy common sense, upon more detailed
investigation there are clearly believable. Dialogs, stories,
situations are described with terrifying reality behind them: "So what is the money transfer code for today? - Its this-and-that..." Social
engineers bravely attack and conquer on the pages of this great book!

The book will give lots of ideas to those involved in penetration
testing. Using the book, it is possible to extract a structure of a
successful attack, gather some target selection criteria, learn how to
combine social and technical attacks and then use it for the
pentesting.

The biggest shortcoming of the book is that it has no "attack HOWTO"
part. It has zero content on developing, improving and polishing the
social engineering skills. While it might seem that natural ability is
all it takes, the author _knows_ that there are methods to develop
social engineering skills, but chose not to disclose them and I regret
his decision to withhold such information.

Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major
information security company. In his spare time he maintains his
security portal info-secure.org

While it's a temptation to impose value judgement about the author who is a convicted felon, I strongly urge anyone who is involved in security (IT and corporate), internal auditors and fraud prevention specialists to suspend any opinions of the author and to carefully read this book.

What we in the IT world call 'social engineering' is nothing more than a con that exploits human trust. Mitnick was highly effective at social engineering and this book provides a wealth of information regarding his views of 'social engineering' vulnerabilities and how he exploited them. He exposes the details of some of the most effective techniques used by those who use social engineering to accomplish their goals - whether those goals are as sinister as corporate espionage or fraud, or merely to prove that they can gain access to systems and information. While some of the recommended countermeasures in this book may seem Draconian there is middle ground to implement effective controls that do not hamper business processes or impose overly restrictive policies.

The bottom line, though, is to learn from this book and distill the key lessons into knowledge throughout your organization. Awareness is one of the most powerful security tools, and this book promotes that. Also, while this book is ostensibly about IT security, the lessons imparted are as applicable to any other aspect of a business as they are to IT - in many ways there are even more applicable because the exploits are based on effective con games that were in existence long before computers came on the scene.

If you have any interest in IT Security, you need to study Social Engineering, and this book is a great resource. It's truly amazing how effective Social Engineering can be against security systems of any kind.

I was a former victim of Kevin's exploits. He gained access to our network through an elaborate pretext; gaining access to systems that were secured by firewalls, dial back modems, extensive security policies and (unfortunately) many humans like myself. Everything but the humans worked flawlessly.

The art of the con is as old as anything. Con artists know that any system, yes ANY system, can be compromised as long as humans are involved. All the technology in the world (alone) isn't going to stop a creative and motivated social engineer.

Sadly, the focus of IT security today is on technology and technology alone. Very little attention is paid to the topic of social engineering and how to mitigate this threat. `Human nature' is, once again the culprit here, as people view controls that reduce social engineering threats (strict process controls, seemingly redundant and repetitive procedures) as unnecessary or overly paranoid.

This book goes a long way to illustrate the wide applicability of this type of threat, even describing social engineering attacks against the traffic court systems and the Social Security Administration.

This book is a `must read' for any serious security professional, and a very interesting read for anybody wanting a look at the way a real hacker's brain works.

After all the media hype and disinformation surrounding his past "hacker" exploits, it would have been easy for Kevin Mitnick to just sell out and pen a cheesy "How To Be a Hacker" book, or even a simple autobiography setting an objective balance to sensationalist Mitnick-centered books such as John Markoff's "Cyberpunk" and "Takedown". Thankfully, Mitnick has instead seized a brilliant opportunity to fill a gigantic hole in the vast library of thoroughly redundant "information security" books currently flooding the market.

"The Art of Deception" is, by default, the definitive and authoritative reference work on the subject of "social engineering". No author has ever tackled this tremendously important--and consistently ignored--aspect of information security with the same amount of depth, specificity and firsthand knowledge that Mitnick documents in this book.

Despite the book jacket's description of Mitnick as a "legendary hacker" and "cyber-desperado", this book is decidedly NOT about "hacking" in the purest form in the word. In fact, it's rather ironic that for most people, the name "Kevin Mitnick" is synonymous with the profile of a stereotypical "master hacker", because he is much less regarded in the underground hacker scene for his technical skills than for his adept social engineering skills. Some would even say that without his social engineering chops, Mitnick would have been nothing more than an average geek with knowledge of common computer intrusion techniques.

Even if you accept that opinion as true, it truly underscores the very real threat social engineering poses to ANY organization, and also proves one of the underlying themes of this book, which is that an attacker doesn't need to possess exotic and hyper-advanced "hacking" skills (or in many cases, even a computer!) to get at your company's sensitive data. All it takes is a phone call and gullible employees who aren't aware that answering a caller's seemingly innocuous questions can ultimately compromise the security of the entire company. Like the blurb on the book jacket says, "the gravest security risk of all is human nature."

The renowned cryptographer Bruce Schneier once wrote, "security is not a product, it's a process". "The Art of Deception" bolsters that notion, and completely shatters the myth that technological measures can ensure information (or even physical) security. If anything, a company's security technology can be artfully used against itself in ways that completely negate its effectiveness. There is a very enlightening section on Caller-ID spoofing which will definitely open the eyes of anyone who thinks that a Caller-ID display is positive proof of a caller's identity and location. Mitnick claims a 100% success rate in getting information out of people using a spoofed internal company Caller-ID name and number. Because of this, he continually reminds the reader of the absolute worthlessness of Caller-ID as a security mechanism. I'm glad he does this, because almost no one outside of the hacking and phreaking scene even realizes that Caller-ID spoofing is possible, and the more this fact can be beaten into the heads of I.T. or security managers, the better. You can have millions of dollars of firewall products, encryption technology, password policies, and intrusion detection systems in place, but if I can simply call up your company's new intern on the phone (using spoofed Caller-ID, of course) pretending to be a company executive, and social engineer him into divulging information or even sending out sensitive files or faxes directly from internal computers, then that "technology" is nothing more than a heap of black boxes with lots of pretty blinking lights. An iron door on a cardboard house.

There are many people who have automatic biases against Mitnick (due to his past record as a convicted felon) and will cast off this book as nothing more than a how-to manual on conning corporations out of their data. The debate on whether he deserved the treatment he received from the U.S. Federal Government and Justice Department, and whether he is truly a "criminal" or not, is completely ancillary to the value and legitimacy of this book. It is not an I.T. or con man's version of "The Anarchist Cookbook". He devotes 78 pages at the end of the book specifically outlining recommended corporate security policies. The book is always written from the perspective that the social engineer is the "bad guy", and Mitnick makes no concerted attempt to justify social engineering as a legitimate activity.

The only problem I see with "The Art of Deception" is, ironically, not the book itself. It is with the very people whom this book seeks to educate regarding the dangers of social engineering. No doubt, most IT managers will come away from this book as if they had a religious epiphany. However, knowing the time and budget constraints placed on employees by many companies, I am extremely skeptical that you can instill the same sense of urgency and vigilance in employees who don't have a direct, firsthand reason to care about information security. If you can social engineer the overnight janitor to turn on a restricted development server, or get an intern to divulge the name and internal phone extension of a project manager, then you're still screwed. It's difficult to see how it's possible to effectively guard against all forms of social engineering without making every single employee in a company act like an annoying paranoid twit in response to even the most truly innocuous situations.

Regardless, this book should be required reading for all company executive and managers, in both large and small organizations. When it comes right down to it, "The Art of Deception" is fundamentally a book on psychology than actual information security techniques, and as such, the principles demonstrated within are equally applicable to any company that has information or resources that need to be protected from outsiders. For example, Mitnick explains a hilarious, and ridiculously simple social engineering scheme that can get your traffic tickets dismissed. And with no computers required from the social engineer's end. The book is at least funny, if nothing else.

When I picked this book up, I thought it was going to be an apologia from Mitnick for his prior life's work: cracking into supposedly secure phone and computer systems and networks. I read the book just before Hallowe'en, and that was appropriate, because the stories Mitnick recounts are really scary. Instead of wasting words explaining his own actions, Mitnick gives scores of fascinating examples of how most "security" proved to be simply non-existent. In the end, all security systems depend on humans, and therein lies the weakest link. The books shows how easy it is to gain people's trust- over the phone- and by getting them to reveal little bits of seemingly harmless information, gaining complete control over any data the con man (or woman) wants to get.

The book sets out security policies, and there's also a whole chapter on security training. One of Mitnick's recommendations is for companies to supply each employee with a copy of the book. Normally I'd dismiss this as blatant self-promotion. But believe me, in this case, the more people share the book's stories with each other at the water cooler, the closer the company will come to being a secure environment.

Mitnick makes it clear that everyone in the company has to be aware of security issues, and of the many types of attacks he describes so well, and know how to react to any demand for information, even from someone who appears to be an insider. By the time you finished the book, you'll be a believer, and you'll think two or three times before giving out information. And company security officers may want to stop simply sending e-mails about security, and get all employees (including the receptionists!) into classroom training.

The only problem I had with this book was Mitnick's use of the term "social engineering" to describe the manipulation of employees and security systems. Social engineering is what the conservatives accuse the liberals on the U.S. Supreme Court of doing.

But that's a minor item in an otherwise overwhelming and totally convincing book.