The Art of Deception: Controlling the Human Element of Security
The Art of Deception – The world’s most infamous hacker offers an insider’s view of the low-tech threats to high-tech security. Kevin Mitnick’s exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world’s most notorious hacker gives new meaning to the old adage, “It takes a thief to catch a thief.”
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent.
Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
Book Review by J. J. Kwashnak
An interesting look at security’s weak link
Kevin Mitnick has been arguably the most famous computer hacker out there. His story has been told by others in several books. But here Mitnick is not really trying to share his experiences – rather, he calls upon his collection of acquaintances and others he knows to illustrate how people can be engineered.
Most of the book is essentially a series of stories of social engineering (getting someone to do what you want without their realizing it) and then some superficial analysis of why it worked. He then tries to synthesize his earlier chapters into a set of practical security precautions, many of which are common sense, and most of which the reader would have already figured out from reading the book. The stories he chooses to share are fairly interesting, both in their daring and setup and in their simplicity.
What this book would be best for would be handing it to a corporate manager and allowing him or her a wake-up call as to security. As we try to work together, have things automated and available on-line, and as our organizations grow, the catchword is results, even if you have to bend the rules a bit. This is what the social engineer can exploit. Many of the stories skate along the edge of the law, and Mitnick points out when it would cross into illegality.
While interesting, after a while the book becomes more tedious in structure and in what is being said. Still, it is very accessible and would be a great book for someone not so familiar with computers and hacking to see how some of it is done. It should serve as a wake-up call for management as to some of the dangers we face every day. And while most of the stories presented are more in the spirit of curiosity, or fun, or revenge, it would be easy to take them up a notch into activities with serious corporate impact.