Book Review: The Art of Deception: Controlling the Human Element of Security
In Wikipedia's article on the word "Hacker", Kevin Mitnick, the book's author, is the first name listed under the "Notable Security Hackers" section. Kevin was formerly known as "the most wanted computer criminal in United States history".
According to Kevin, what he did wasn't even against the law at the time; it only became a crime after new legislation was passed. The book is mainly concerned with exploring the term "social engineering" and illustrating how it can be used to breach security systems with surprising ease. It shows that no matter what antivirus products, firewall appliances or software you use, the human factor remains the weakest link in security.
It starts with a preface giving a brief biography of Kevin. His parents split up when he was three years old, and he was raised by his mother. She worked hard as a waitress to support them both, so unfortunately she had to leave him on his own most of the time. He describes himself in his childhood as being his own babysitter. His early skills became apparent when, at the age of 12, he discovered a way to ride the buses for free throughout Los Angeles. Later on, during his high school years, he met another student who was caught up in a hobby called "phone phreaking". As Kevin describes it: "Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting the phone systems and phone company employees".
This was when he started using what was later called "social engineering": deceiving and manipulating people into giving out confidential information which they would normally never reveal to a stranger. The first part of the book demonstrates why the human factor is called security's weakest link. In the second part, Kevin gives the reader examples of how social engineering can be used, through a series of fictional stories. He ends each story by analyzing the con, followed by a "Mitnick Message" recommending how to deal with such a scenario.
The stories are grouped into chapters according to the theme used to social-engineer and trick the victim. The chapter titles easily attract the reader's curiosity about how a trick like that can work for a hacker, for example "The Direct Attack: Just Asking for It" or "Using Sympathy, Guilt, and Intimidation".
The third part is somewhat similar to the second, but it shows how social engineering can be combined with technical hacking, through more fictional stories demonstrating how a corporation's security perimeter can be breached using social engineering to steal confidential information. Part four is Kevin's general recommendations for corporations on preventing successful social engineering attacks against their organizations. It includes tips on how to build a successful security awareness training program and recommended corporate information security policies that can be customized for any organization and applied immediately to protect the company's information.
The book is very well written, with Kevin simplifying the concepts and presenting the material in a way that even non-technical readers would find both informative and entertaining.
About the Author:
Mohamed Mohie, IS Engineer