The Art of Deception: Controlling the Human Element of Security

After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.

Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering are computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.

Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk

Product Description
The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.

Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.

Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

In order for an organization to develop a successful training program against the threats of social engineering, they must understand why people are vulnerable to attack in the first place. Chapter 15 explains of how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity), can companies ensure employees understand why social engineers can manipulate us all.

After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood's seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick's security advice is revolutionary - it's information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier's Secrets and Lies being another) to deal with the human aspect of security; a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature.


Amazing! This book will make you think   October 9, 2002
27 out of 28 found this review helpful

I went into this book thinking I knew a fair amount about security in general. You know, don't leave your network password on a post-it on your bulletin board, be aware of strangers in your office, that kind of thing. Then, I finished reading the book, and realized that it challenged all the assumptions that I had about the way I react in these situations. Mitnick's right - we as human beings are conditioned to be polite and trusting, and as horrible as it seems, that's not always right. But you don't have to become nasty and distrustful, just aware. That's what this book is talking about. The examples are wonderful - they really do read like a mystery thriller. And the advice is really sound. It doesn't mention it here, but there is a great flowchart in the back of the book that I've copied for everyone in my office. It details what to do if someone calls you for information that you are not sure they need or should be getting. All in all, The Art of Deception is a must read for many of us.


Cuts to the chase, and exposes the weakest link...   October 16, 2002
Lew Payne (Boise, ID USA)
21 out of 22 found this review helpful

This book cuts to the chase, and exposes what was, currently is, and will continue to be the weakest link in computer security... the human element. Historically, people seem to take the path of least resistance. Give them a reason to believe you are who you say you are, and they will accept it. Give them a reason to think you're helping them (even with a problem they never knew they had until you pointed it out to them), and they will put at your disposal all their tools and information. We won't be able to make much inroads into security (of any kind) until we being to change the essence of human nature... and that, my friend, is unlikely to change. Kevin Mitnick tells it like it is -- from the voice of experience. As obvious as some of the pretexts are, they worked for him... and will likely continue to work for the next generation's social engineer. Remember, the difference between truth and fiction is but a state of mind. Persuasion is still the key element... one that Mitnick has mastered. Read, learn, and avoid the simple mistakes of others. Thanks for the book, Kevin.


There are lessons here ...   October 13, 2002
Mike Tarrani (Deltona, FL USA)
43 out of 51 found this review helpful

While it's a temptation to impose value judgement about the author who is a convicted felon, I strongly urge anyone who is involved in security (IT and corporate), internal auditors and fraud prevention specialists to suspend any opinions of the author and to carefully read this book.

What we in the IT world call 'social engineering' is nothing more than a con that exploits human trust. Mitnick was highly effective at social engineering and this book provides a wealth of information regarding his views of 'social engineering' vulnerabilities and how he exploited them. He exposes the details of some of the most effective techniques used by those who use social engineering to accomplish their goals - whether those goals are as sinister as corporate espionage or fraud, or merely to prove that they can gain access to systems and information. While some of the recommended countermeasures in this book may seem Draconian there is middle ground to implement effective controls that do not hamper business processes or impose overly restrictive policies.

The bottom line, though, is to learn from this book and distill the key lessons into knowledge throughout your organization. Awareness is one of the most powerful security tools, and this book promotes that. Also, while this book is ostensibly about IT security, the lessons imparted are as applicable to any other aspect of a business as they are to IT - in many ways there are even more applicable because the exploits are based on effective con games that were in existence long before computers came on the scene.


Scary Stuff   October 27, 2002
16 out of 17 found this review helpful

When I picked this book up, I thought it was going to be an apologia from Mitnick for his prior life's work: cracking into supposedly secure phone and computer systems and networks. I read the book just before Hallowe'en, and that was appropriate, because the stories Mitnick recounts are really scary. Instead of wasting words explaining his own actions, Mitnick gives scores of fascinating examples of how most "security" proved to be simply non-existent. In the end, all security systems depend on humans, and therein lies the weakest link. The books shows how easy it is to gain people's trust- over the phone- and by getting them to reveal little bits of seemingly harmless information, gaining complete control over any data the con man (or woman) wants to get.

The book sets out security policies, and there's also a whole chapter on security training. One of Mitnick's recommendations is for companies to supply each employee with a copy of the book. Normally I'd dismiss this as blatant self-promotion. But believe me, in this case, the more people share the book's stories with each other at the water cooler, the closer the company will come to being a secure environment.

Mitnick makes it clear that everyone in the company has to be aware of security issues, and of the many types of attacks he describes so well, and know how to react to any demand for information, even from someone who appears to be an insider. By the time you finished the book, you'll be a believer, and you'll think two or three times before giving out information. And company security officers may want to stop simply sending e-mails about security, and get all employees (including the receptionists!) into classroom training.

The only problem I had with this book was Mitnick's use of the term "social engineering" to describe the manipulation of employees and security systems. Social engineering is what the conservatives accuse the liberals on the U.S. Supreme Court of doing.

But that's a minor item in an otherwise overwhelming and totally convincing book.