Click here to Skip to main content
Click here to Skip to main content

The Art of Deception: Controlling the Human Element of Security

, 12 Jan 2003
Rate this:
Please Sign up or sign in to vote.
Book review of The Art of Deception

Editorial Note

This article is in the Book Review chapter. Reviews are intended to provide you with information on books - both paid and free - that others consider useful and of value to developers. Read a good programming book? Write a review!

Title The Art of Deception: Controlling the Human Element of Security
Author Kevin D. Mitnick, William L. Simon
Publisher John Wiley & Sons
Published October 2002
ISBN 0471237124
Price USD 27.50
Pages 305

Review

Security has many facets ranging from purely physical security (controlling physical access to some resource) to 'logical' security (securing information and the flow of information through and among organizations). One thing that's common to all facets of security is that they rely on a protocol to ensure that the security controls are active and can perform their function.

An example of a security protocol is something most people do every day - lock something to secure it, and control access by giving they key to only those that you trust. The protocol in this example is that you use a key to secure access to something (your house, apartment, car, desk, locker, etc) and share the key (grant access to the resource) with the people you trust. The protocol has three aspects: a resource, a key, and trust. While all three aspects are interesting from a security point of view - this book relies on the weakest aspect: trust. Someone could directly betray trust, or more insidiously, manipulate someone into betraying trust without even being aware of what's happening.

Like security at large, trust also has many facets - this book focuses on how some people circumvent security measures by exploiting the trust that people have in others whom they have never met or even seen. The people that circumvent security measures by exploiting trust are called social engineers.

The authors take a practical approach to describing what social engineers can achieve by grabbing your attention right from the beginning with a story of how Stanley Mark Rifkin became a multi-millionaire overnight by carrying out the largest bank robbery in history. Rifkin didn't use a gun or a computer. Rifkin used his social engineering skills to simply ask trusted staff members of the bank for information and then asking other employees of the same bank to transfer the money to an off-shore bank account. The story sets the stage for the rest of the book, in terms of practicality and presentation.

The book, for the most part (14 of 16 chapters), uses a simple format and describes various social engineering attacks interwoven with a lot of other information in the form of sidebars, notes, and definitions. Each social engineering attack is described from the target's (victim's) point of view, the attacker's point of view, and followed by an analysis of the attack. The format makes the book engaging since you initially see the attack from the victim's point of view only to realize, in my case, how close some of the stories come to some scenarios you may have been in. The attacker's point of view describes how an attacker selects his mark (the person or people he wants to manipulate) and then carries out the attack. The analysis describes possible motives and how you or your organization may be vulnerable.

The final two chapters of the book bring all of the content together by describing counter measures that you and your organization can take to limit vulnerabilities and thwart possible attacks. The countermeasures are generally a matter of common knowledge; however, this book puts all of the information into one place in an easy to follow format.

This is not a technical book about security; however, you'll benefit from this book if you're not familiar with social engineering, or want to gain a broader understanding of security from the human element.

Overall Rating: B

Overall Value 4
Accuracy 5
Depth 3
Readability 4
Organization 4

Calculate the Grade as follows: Add all numeric grade values, divide by 25, multiply by 100, then assign the letter grade based on the following ranges:

A+:100 A :95 A-:90 B+:85 B:75 B-:70 C+:65 C :60 C-:50 D+:40 D :30 D-:25 F Blush | :O

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Erik Westermann
Software Developer (Senior)
Canada Canada
Erik is a senior developer-writer with more than 14 years professional programming experience designing and developing large scale database and Internet-centric applications for organizations including MSN.ca, ADP, Nortel, lemontonic.com, EDS, Merrill Lynch, ePost, CIBC, TD Securities, IBC, CIHI, InnovaPost, etc.
 
Erik has been specializing in BizTalk Server-based solutions for five contiguous years to date. His experience includes many SOA and ESB-style applications using technologies like Commerce Server, SharePoint, ASP.NET and advanced .NET Framework.
 

Erik's interests include systems architecture, writing, reading and his kids. Erik's affiliations include ACM (acm.org), and the IASA.

Comments and Discussions

 
-- There are no messages in this forum --
| Advertise | Privacy | Mobile
Web01 | 2.8.140721.1 | Last Updated 13 Jan 2003
Article Copyright 2003 by Erik Westermann
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid