
Book details of 'The Art of Deception: Controlling the Human Element of Security'

Title: The Art of Deception: Controlling the Human Element of Security
Author(s): Kevin D. Mitnick, William L. Simon, Steve Wozniak
ISBN: 0471237124
Language: English
Published: October 2002
Publisher: John Wiley & Sons

The Virtual Bookcase Reviews of 'The Art of Deception: Controlling the Human Element of Security':

Reviewer amazon.co.uk wrote:
The Art of Deception is about gaining someone's trust by lying to them and then abusing that trust for fun and profit. Hackers use the euphemism "social engineering" and hacker-guru Kevin Mitnick examines many example scenarios. After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared. Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers. Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance.
Reviewer Rob Slade wrote:
Those in the security field know that Kevin Mitnick does not deserve the reputation he has gained as some kind of technical genius. His gift was skill as a social engineer. Stripped of the five dollar words, this means that he was a plain, old con man, cheat, or fraud. In other words, this is a book about how to fool people. Theoretically, the determined reader should be able to use the book to keep from being conned. In the preface, Mitnick would have us believe that, although he admits to being a fraud and deceiver, he was never a grifter. He never harmed anybody, never obtained a material benefit, and was just curious to see if he could ride the buses for free (at the expense of the transit system) or make calls for free (at the expense of an MCI customer). (The willing moral blindness of these assertions is possibly the most instructive part of the book: it is truly representative of large portions of the blackhat community.) He would have us believe that he is a "changed person": one of the most sought-after computer security experts world-wide, and the world's most famous hacker. Oh, and just in case the authorities are inclined to think that this book runs counter to the injunction that he not profit from the stories of his criminal exploits, the tales are all completely fictional. Trust him.

Part one is entitled "Behind the Scenes." Chapter one states that people are security's weakest link. This is a truism well known in the field, but the first account is really about insider fraud, while the remainder are generic fear-mongering. Part two describes the art of the attacker. (At great length.) Chapter two depicts escalation or enumeration through social engineering, and points out that sometimes innocuous information isn't. There is a section on "preventing the con" at the end of each chapter: in this case we are told not to give out information, but not provided with any advice about authenticating callers.

Similarly, chapter three says that sometimes attackers just ask for access or information and says to verify callers, but doesn't say how. Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering. (Interestingly, yesterday a report came out about studies of "freeloading" in the animal kingdom, which notes that communities with too many non-contributing members tend not to survive. By extension, only societies with an overwhelming majority of trustworthy members exist for any length of time.) The prevention bit tells companies not to have people give credit card information over the phone, but stresses teaching employees about cons rather than policies.

At about this point the text, which is very repetitious, throws in some minor technical details. This is enough to remind the professional that the book is designed for the naive user, with extremely lightweight analysis, and implications that would not be useful. There is more repetitive redundancy in chapter six, on the way to some useful information about fraudulent email and really lousy data about viruses and malware, in chapter seven. Chapters eight and nine are simply more of the same stories, which start to get very tedious. Part three is apparently supposed to help us detect intruders. Chapter ten has a little useful advice about having termination procedures. The major points in chapter eleven seem to be about all the people who have been mean to our poor Kevin. Then it is back to the, by now extremely tiresome, con jobs for another three chapters. We are intended to believe that part four will help us protect ourselves and our companies against social engineering. Chapter fifteen is an attempt to convince us that the book should be purchased for all employees. (Nice try, Kev.) There is an arbitrary, and oddly both generic and overly detailed, suggested security policy, in chapter sixteen. So.

Security professionals already know about social engineering. It is unlikely in the extreme that even the most head down, don't-talk-to-the-users, socially maladept firewall administrator will learn very much from this book. But, of course, this is not a trade paperback. This is a hardback aimed at the mass market: the non-professionals. Will they learn anything from it? Well, it might be useful for teaching new tricks to those who like to con people (although fraudsters will likely be disappointed at the number of times it is assumed that they know how to reprogram DMS-100 switches: don't try this at home). The prevention sections, as noted, are big on "don't" and short on "how not to." Well, but the book can still be a fascinating read, can't it? Sure. If you're the type of person who finds humour in watching someone fall on his or her face. Over and over and over and over and over and over and over and over and over and over again ...

copyright Robert M. Slade, 2002

Book description:

A legendary hacker reveals how to guard against the gravest security risk of all--human nature.

"...a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other" --Publishers Weekly

Kevin Mitnick's exploits as a cyber-desperado and fugitive from one of the most exhaustive FBI manhunts in history have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 2000, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most famous hacker gives new meaning to the old adage, "It takes a thief to catch a thief." Inviting you into the complex mind of the hacker, Mitnick provides realistic scenarios of cons, swindles, and social engineering attacks on businesses--and the consequences. Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. He illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent or any other seemingly innocent character. Narrated from the points of view of both the attacker and the victim, The Art of Deception explores why each attack was so successful and how it could have been averted in an engaging and highly readable manner reminiscent of a true-crime novel. Most importantly, Mitnick redeems his former life of crime by providing specific guidelines for developing protocols, training programs, and manuals to ensure that a company's sophisticated technical security investment will not be for naught. He shares his advice for preventing security vulnerability in the hope that people will be mindfully on guard for an attack from the gravest risk of all--human nature.

KEVIN MITNICK is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News. He has also been a keynote speaker at numerous industry events and has hosted a weekly radio show on KFI AM 640 Los Angeles.

WILLIAM SIMON is a bestselling author of more than a dozen books and an award-winning film and television writer.

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail webmaster@virtualbookcase.com.
Copyright © 2000-2008 Koos van den Hout / The Virtual Bookcase