The Art of Deception: Controlling the Human Element of Security

Title The Art of Deception: Controlling the Human Element of Security Author Kevin D. Mitnick, William L. Simon Publisher John Wiley & Sons Published October 2002 ISBN 0471237124 Price USD 27.50 Pages 305

Review

Security has many facets ranging from purely physical security (controlling physical access to some resource) to 'logical' security (securing information and the flow of information through and among organizations). One thing that's common to all facets of security is that they rely on a protocol to ensure that the security controls are active and can perform their function.

An example of a security protocol is something most people do every day - lock something to secure it, and control access by giving they key to only those that you trust. The protocol in this example is that you use a key to secure access to something (your house, apartment, car, desk, locker, etc) and share the key (grant access to the resource) with the people you trust. The protocol has three aspects: a resource, a key, and trust. While all three aspects are interesting from a security point of view - this book relies on the weakest aspect: trust. Someone could directly betray trust, or more insidiously, manipulate someone into betraying trust without even being aware of what's happening.

Like security at large, trust also has many facets - this book focuses on how some people circumvent security measures by exploiting the trust that people have in others whom they have never met or even seen. The people that circumvent security measures by exploiting trust are called social engineers.

The authors take a practical approach to describing what social engineers can achieve by grabbing your attention right from the beginning with a story of how Stanley Mark Rifkin became a multi-millionaire overnight by carrying out the largest bank robbery in history. Rifkin didn't use a gun or a computer. Rifkin used his social engineering skills to simply ask trusted staff members of the bank for information and then asking other employees of the same bank to transfer the money to an off-shore bank account. The story sets the stage for the rest of the book, in terms of practicality and presentation.

The book, for the most part (14 of 16 chapters), uses a simple format and describes various social engineering attacks interwoven with a lot of other information in the form of sidebars, notes, and definitions. Each social engineering attack is described from the target's (victim's) point of view, the attacker's point of view, and followed by an analysis of the attack. The format makes the book engaging since you initially see the attack from the victim's point of view only to realize, in my case, how close some of the stories come to some scenarios you may have been in. The attacker's point of view describes how an attacker selects his mark (the person or people he wants to manipulate) and then carries out the attack. The analysis describes possible motives and how you or your organization may be vulnerable.

The final two chapters of the book bring all of the content together by describing counter measures that you and your organization can take to limit vulnerabilities and thwart possible attacks. The countermeasures are generally a matter of common knowledge; however, this book puts all of the information into one place in an easy to follow format.

This is not a technical book about security; however, you'll benefit from this book if you're not familiar with social engineering, or want to gain a broader understanding of security from the human element.

Overall Rating: B

Calculate the Grade as follows: Add all numeric grade values, divide by 25, multiply by 100, then assign the letter grade based on the following ranges: