Over two years ago I read and reviewed 'The Art of Deception,' also by Mitnick and Simon. I thought that book was 'original, entertaining, [and] scary.' Those same adjectives apply to 'The Art of Intrusion' (TAOI). While I also add 'disappointing' and 'disturbing' to the description of TAOI, sections of the new book make it an absolute must-read. If you want to understand the consequences of systematic, long-term compromise of your enterprise, you must read and heed the lessons of TAOI.
This book may provide the closest look inside an intruder's mind the security community has yet seen. There is simply no substitute for understanding the methodology, goals, and determination of a skilled intruder. Chapter 8 brings the world of the enemy to life, describing separate incidents where crackers stole intellectual property from enterprise networks. These intruders were patient and methodical, taking months to locate, acquire, and transfer their prey. I have encountered this sort of adversary as a real security consultant (explanation follows), but never read supposed first-hand accounts from the enemy's point of view. Chapter 8 alone makes the book worth purchasing.
Why is the book 'disappointing' and 'disturbing' then? I was repeatedly disgusted to read about so-called 'security consultants' who are 'published authors on security topics' (p. 168), who describe themselves as 'white-hats' but acknowledge defacing sites 'where security was so shoddy someone needed to be taught a lesson (p. 143), and who are 'respected security professionals by day and become a black-hat hacker by night, honing the skills that pay their mortgage by hacking into the most resilient software companies on the planet' (p. 166). Attaching the label 'security professional' to these criminals -- still active by some accounts -- is a crime itself. At least Mitnick perpetrated his crime and did his time. These people, however skilled, are a black mark on the security community -- they literally perform the crimes for which their 'skills' are then required. The mitigating factor for me is that these intruders shared their stories for the benefit of the community. For that I am grateful, but I'd also like to hear they've hung up their black hats!
In some places Mitnick seems to close to his subjects to render a fair opinion of their skills. Chapter 5 talks about Adrian Lamo, named by Mitnick 'The Robin Hood Hacker.' It begins with a story about rescuing a kitten from a 'dirty storm drain' that belongs in an after-school TV special, and smells of social engineering on Mr. Lamo's part. After reading about this 'purist... the thinking man's hacker,' we learn his only real skill was 'exploiting misconfigured proxy servers.' When asked what operating system the New York Times was running when he infiltrated it via proxy server, 'Adrian answered that he doesn't know. 'I don't analyze a network that way.' I doubt someone who 'secured' a proxy server at Excite@Home by cutting the cat 5 cable to the box knows anything more than how to use his 'favorite tool... ProxyHunter' and his 'intellectual gift of finding misconfigured proxy servers' (p. 112). This mischaracterization of Adrian Lamo hurts the authors' credibility, at least as far as chapter 5 goes. I felt the same sense of being too close to the characters when reading of 'two convicted murderers' in chapter 3, although their story should catch the eyes of prison wardens everywhere.
Besides the war stories in TAOI, I found many of the authors' insights appropriate and helpful. In places Mitnick and Simon describe how victims never believe they are compromised, and when they are shown proof, they 'figure they just dropped the ball on this one occasion' (p. 216). Repeatedly through the book, network security monitoring is offered as a means of incident detection and response. I wish those who advocate the supposed defender's advantage of knowing their network would read this gem on p. 164: 'I knew their network better than anyone there knew it. If they were having problems, I could probably have fixed them.' This is so true, because the intruder's interest goes so much deeper than an administrator who sees security as part of his over-stressed and under-resourced job.
Not all of the book was written from the perspective of black hats masquerading as 'security professionals' by day. Chapter 4 features a tale by former Boeing employee Don Boelling, a real security professional. Other chapters present the stories of unnamed penetration testers, all of which I found intriguing.
Despite my negative opinion of the ethics of some of this book's contributors, I still highly recommend reading TAOI. I suspect the validity of some of the earlier reviews, as three are posted by people whose only review is for TAOI and one is by TAOI co-author W.L. Simon! Does the social engineering never end?