Rating: Summary: the Social Engineer. Review: This book is both educational, and entertaining. Mitnick is the authority on the subject. And even though the techniques in this book used in the scenarios might seem dated, they still get the point across, that the 'Human Element', is one of the greatest security holes. In this day and age network administrators feel that they have an edge against hackers with firewalls, and proxies, and what not...but when somebody wants to really get in, and they have the skill of somebody like Mitnick, then trouble is at hand. Though when reading the book, most people will probably get the feeling that Kevin Mitnick is just skimming the surface, or giving us the shortened version of each scenario. Even so this is great reading, and a great addition to anybody interested in corporate security, 'dumpster diving' type of techniques, or hacker/anti-hacker techniques. Definite must reading for anybody that would train employees about security, and privacy/sensitivity of material and documents. Truly the art of being sneaky is a gift to Mitnick, alongside his hacking skills. One of the greatest lessons learned in this book is the fact that most people are just not paranoid enough, information that you think isn't sensitive, or important, could just be the key to any hacker's plan. If you want to get into Company X, then don't go through the front door, go through the sewer lines....
Rating: Summary: The Art of Deception, by Kevin Mitnick Review: The Art of Deception is an excellent resource on the subject of Social Engineering. This book was primarily written to be a valuable source of information for small businesses and multinational companies alike. Designed to improve your company's security techniques and procedures, this book highlights the biggest vulnerability to any company, over-helpful people. This book gives detailed descriptions of many different kinds of scams (Social Engineering Attacks), and then analyses each of the scams, and recommends ways for employees to be more vigilant. This book is easy to read. By which I mean it isn't too technical. And when something technical does arise, Kevin writes little 'Mitnick Messages' which explain it all using simple, easy to understand language. NOTE: For anyone out there who may be a budding Social Engineer/Hacker/Phone Phreak. BUY THIS BOOK, because it is practically a manual on the subject. Plus it was written by the one and only Kevin David Mitnick, probably the greatest hacker on the face of the earth.
Rating: Summary: Yawn. Lots of repetition. Review: I am a Kevin Mitnick fan. However, I had to put this book down halfway through. I felt that it kept repeating itself. This would be a good book for non-technical management to understand the kind of things that happen. If you're an IT professional or a security professional you will be bored out of your mind reading this book.
Rating: Summary: Hacking made frighteningly easy Review: Story by story, Mitnick (once described as the FBI's "most wanted hacker") reveals some tricks-of-the-trade. Fair enough. But if you are expecting technical details about defeating system login controls or busting through firewalls, you will be disappointed. Mitnick's favorite hacking tools are the telephone, plus the experience and nerve to deceive unsuspecting members of the organizations he is attacking into defeating the controls from the inside. Reading this book, you will quickly come to realize that Mitnick's toolbox is every bit as effective as the hacking and cracking technology ... and as you read further, it may dawn on you just how hard it is to counter the social engineering attack. After all, much as you might like to, you can't simply plug in a new program to security-patch your employees! Mitnick's suggested countermeasures in section 4 of the book are fairly straightforward (a wide-ranging security awareness program and a decent set of policies) but implementing them effectively and persuading employees to pay attention requires those very social engineering skills described in sections 1-3. I'm left with the distinct impression that Mitnick is teasing us by describing a few simple deceptions whilst keeping the best to himself. But think for a moment about the success of the "419" advance fee scams. Otherwise sane, intelligent individuals are evidently being drawn into parting with their hard-earned cash on the basis of these crude deceptions. The implications are truly frightening. My bottom line: take this book on holiday with you. Once you start, you will not want to put it down and you can reflect on it at the bar. Free drinks anyone?
Rating: Summary: This book is a must for System Administrators and IT Managers. Review: The Art Of Deception is a fairly good book especially if you are holding a key position in Information Technology. This book will provide you examples of social engineering that can lead to information theft. This book provides the information on all the aspects that need to be taken care of, if you plan or implement network security. However, people looking for technical details will be disappointed, as it does not provide any technical information or way to protect or safeguard corporate information. I like this book because it takes your attention to places that are ignored by many people. Remember, installing and configuring Firewalls, IP Sec, and Encryption is useless if you leave your server room accessible. That's exactly what this book tells. Having $100,000 technology is not enough to protect your information if you are careless about the information that a social engineer can use to break that technology. This book is worth buying.
Rating: Summary: The Tao of Deception Review: Other reviewers write that this book is repetitive, and I agree - I believe that Mitnick is trying to convey a mindset. Each scenario in the book, taken alone, is insignificant. You can skip through the book, reading here and there, without losing much. Don't expect to learn much in this book about technicals of network security. But then again, all the computer and telecommunications savvy in the world does not make a hacker. The right technical skills and knowledge, plus the mindset presented in this book equals hacking. If you are on the security side of things, reading this book (or a few chapters of it, at least) will help you get into the mindset of a hacker, and thus better detect weaknesses in your organization or system. By the way, I thought the book was an entertaining read. Others say it was boring. I think they expected the wrong thing out of the book. For those of you that have read Harvey Mackay - this book is a lot like "Swim with the Sharks Without Being Eaten Alive" - he tells parables to get the message across.
Rating: Summary: Excellent insight into social engineering Review: I'm responsible for securing our company's network, which includes writing security policies and guidelines for users to follow. Like many people in the industry, much of my security training has been focused almost exclusively on the technologies used to attack and defend networks. But more and more, I think we are all beginning to realize there is a very important human element involved as well. Mitnick does a great job in this book of giving the security professional insight into the social engineering techniques used to take advantage of either weakness or ignorance in a particular target. I've found this book as useful as any in my library.
Rating: Summary: Art of deception.... by boring your reader Review: Since my first book on hackers (Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll) and reading about Mitnick in the early 90s, I was expecting a fantastic book outlining how he managed to do so much while on the run. Unfortunately, the writing style is quite repetitive and boring. Don't get me wrong - the substance is there, and there is plenty to be learned from Mitnick's 'fictional stories' that illustrate the concept of social engineering. However, as I said, the style leaves a lot to be desired, and after reading the first half of the book, I struggled motivating myself to grab the book and finish reading it. I recommend it only if you do not understand how social engineering works and don't mind putting up with a professional social engineer with amateur writing skills.
Rating: Summary: No Hack Just Con Review: It's amazing that on the book jacket bio of Kevin, it is NEVER mentioned that he was in jail. Kevin is a criminal and even less of a hacker than a complete con-man. Kevin positions himself as a Security Expert when all he could really advertise himself as is a BS-Detector Consultant. I agree the legal system failed in the case of not actually charging him while holding him for so long. But he ain't exactly Snow White, he had MANY chances to go straight after being constantly caught, yet he kept up like an addict. The only Art of Deception in this book is the con of getting you to buy this.
Rating: Summary: The Art of Deception...and then some Review: The human factor is truly security's weakest link according to Kevin Mitnick, famed hacker, now turned security consultant. Mitnick, based on his illustrious experiences, writes about social engineering; the human factors involved with information security. The book goes into multiple ways of showing social engineering in practice, such as convincing an employee to reveal his computer username and password or tricking someone to download spyware. The book is definitely an eye-opener, bringing awareness of such devious, unorthodox tactics and attacks that users, net administrators and companies are commonly uneducated about. For counteractive measures, Mitnick goes on to recommend the establishment of training and awareness programs in addition to security policy guidelines. But an interesting note surrounding the publication of this book was "the lost chapter". Much of the preface section never made the final cut but happened to mysteriously turn up on the Internet. It revealed a lot more of Mitnick, with him recounting his life as a hacker and fugitive, about incidents whereby he was wrongly accused and his later arrest and incarceration where he was denied his constitutional rights...and John Markoff of the New York Times who couldn't get his facts straight. At the end of this "lost chapter", it's safe to say you'd have some sympathy towards the legendary Mitnick, a hero in his own right. But then you'd have to give it a second thought, wouldn't you? After all, the book is about deception. ;-) [+] Many methods of social engineering, an eye-opener. [-] The scenario examples are fictionalized. He doesn't regale us with his actual stories.