The Art of Deception: Controlling the Human Element of Security [Rilegato]

Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." It's suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering - that most subtle of information security threats.

Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.

Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.

Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

In order for an organization to develop a successful training program against the threats of social engineering, they must understand why people are vulnerable to attack in the first place. Chapter 15 explains of how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity), can companies ensure employees understand why social engineers can manipulate us all.

After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood's seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick's security advice is revolutionary - it's information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier's Secrets and Lies being another) to deal with the human aspect of security; a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature.

Mitnick has his own reputation to live up to with this book, which sets a pretty high bar for the audience who knows him as the "World's Most Notorious Hacker." Unfortunately, while he knows the material cold, his skills as an author are less stellar.

The vignettes describing various cons are, in the large, very entertaining. They're fictionalized, and sometimes the dialogue feels artificial. This book is supposed to convince us how easily people are victimized by social engineers. When the victim's dialogue plays too obviously into the con man's hands (for the purpose of illustrating the point relevant to the enclosing chapter/section), this goal is to some extent defeated. It's too easy to read unnatural dialogue and use that as an excuse to tell oneself, "I don't have to worry about that sort of attack -- I'm not that dumb!" More effort could have been expended in fictionalizing these scenarios without making them so difficult to relate to. Seeing how a con is performed is kind of like learning how a magic trick works -- it holds a similar fascination. Imagine seeing an amazing magic trick performed on television, wondering how it was possibly accomplished, and then learning that the trick was all in the video editing. That really sucks the fun out of the magic -- analogously, when the "trick" in one of these cons is just that the victim does something obviously stupid at just the right moment, the believability and enjoyment are damaged.

Despite what I've said, the cons are definitely enjoyable to read and do offer some genuine insights. Not all suffer from believability problems. However, the supporting material discussing these scenarios is pretty weak. There's a rigid format ("Analyzing the con," "Preventing the con," etc.) which leads the author to repeat the same points over and over again with very little variation, at times seemingly just to fit the format. The purpose of all this material is to give useful security recommendations and proper motivation for following them. The recommendations are on-target, but repeated ad nauseum.

The descriptions of social engineers also suffer from a tendency to stroke the author's own ego -- the bigger the con, the thicker the language about how smart, handsome, and clever the con man is. I'd like to be convinced by facts, not hyperbole.

I think this would really have worked better as two books, for two different audiences. One for entertainment, to read about all the cons and how they work, to get a little history of social engineering. And one for serious security discussion. The blend of the two leads to a schizoid work that's simply mediocre.

Now that Kevin Mitnick is out of prison he has written "The Art of Deception". I rate this book as four stars. Has good insight regarding how Kevin was able to gain large company employee's trust by using social engineering methods. He gives great examples of how he would simply use a telephone to gain user id's and passwords, even from high tech security departments.

Most employee's don't think they are allowed to say 'no' to giving out information over the phone or email in the name of great customer service. There may be company policies but they 'still try to do the right thing' to help a co-worker regain access to the system, when in fact the person is a hacker.

Many solutions are offered to help small and large companies balance the choice of customer service over security and trust. One funny chapter was how Mr. Mitnick's used the same social engineering methods in prison to get additional phone calls, better food, and increase family visits. Classic... He didn't stop even in prison.

I recommend this book.