The Art of Deception: Controlling the Human Element of Security

A well-run and maintained network is difficult to attack. Not impossible, just difficult. The easiest way to subvert most systems is the weakest component - the people. People want to be helpful and too often are not aware of the impact of even simple slips. People are also lazy. They write down passwords, circumvent security systems that seem burdensome, and do not report obvious attempts to access system.

Mitnick show us that the most difficult part of any security system is to educate the users and to obtain their buy in that a secure system is a benefit.

Rating:
Summary: Very interesting book!!!!!
Review: First of all we all have the right to speek out but i do want to mention that Kevin Mitnik is no criminal if he were he would be outside he'd be inside, and about the book it is very interesting, we all in some day in our lives fall for some kind of deception some of them which we unfortunately can even detect until it's to late so in other words i thank Kevin Mitnik for giving me an inside look at reality that can happen to anybody, good work Kevin...............
Thanks

Rating:
Summary: This isn't about technology
Review: The above reviewer claimed that being out of the loop for so long makes Mitnick ill-equiped to write a book on security. It goes to show how little the reviewer understands about the subject.

The fact of the matter is that social engineering has changed little over the decades, let alone since the 80's. The entire point of the book is that no matter how much technology you have, no matter how amazing your whiz-bang toys are, your network is *still* in danger. I don't care what physical security you have installed and working, the people you rely on to use and protect that network is, and in all likelyhood always will be, your weakest link. I paraphrase the book when I say that a computer that is turned off is not secure. You can always talk someone into turning it on for you.

The book itself is amazing. Easy to read, easy to understand, and insightful in it's illustration of social engineering. Unfortunatly, a lot of the security procedures reccomended can be draconian, but when there's a lot riding on the line, you have to take a lot of steps to make things secure.

I heartily suggest this book. If nothing else, read it as a wakeup call.

Rating:
Summary: I'm truly in awe.
Review: This is the first book that I've read from cover to cover in close to 7 years. I could not put it down! Read it in 2 weeks, taking notes, evaluating the way I responded to calls at my companies help desk, reviewing some of the links mentioned in the book, etc., etc.,etc. This is one book that if you read it you will have the ability to better defend and better compromise anything and anyone, but if you don't read it you will eventually regret it because there is a wealth of information that I haven't found anywhere else. There are popular web links mentioned that I was shocked to find were still valid. The detail and instruction are immaculate and if you don't read it....simply put you are a foolish morron. Headlines should read, "Mitnick does it again with a simple Mitnick Message!". Kevin, you inspire me and I wish I had your knowledge and influence.

Rating:
Summary: Profit from crime
Review: Don't forget, when you buy this book, the author is profiting from the crimes he commited. It's like buying a book by Jeffrey Dahmer on how not to be murdered. Criminals should not profit from their crimes. If you feel you /must/ read this book, check it out of the library.

Rating:
Summary: Packed with Knowledge!
Review: In The Art of Deception, Kevin D. Mitnick, a corporate security consultant who was once arrested for computer hacking, has written a fascinating book about how to control security lapses due to the "human element." With writer William L. Simon, he describes how con artists use social engineering to gain information by lying to pass themselves off as insiders. By being sensitive to human behavior and taking advantage of trust, they learn to bypass your security systems. The book teaches you how to ward off such threats and educate employees. Yet, problematically, this information could also help con artists be more sophisticated. In any case, this highly informative, engaging book includes sample conversations that open the door to information, along with tips about how various cons are used and what to do about them. We from getAbstract recommend this book to corporate officers, information managers, human resource directors and security personnel, but don't tell anybody.

Rating:
Summary: Speaks volumes on social engineering/makes you think!
Review: After reading it, the book makes one more aware of what to be careful when giving out information of any kind and how to protect yourself and your company's assets. I've heard alot of "Don't ever give out your id/password", "Always have firewalls on your network." One hardly ever hears about 'make sure you're giving information to someone who's supposed to have it'. There's tons of books on security with respect to technology but this is the first one I've seen that actually focuses on the weakest link when it comes to security - the human element.

All the firewalls and software can't prevent a social engineer from getting in if he/she knows justs how to act and/or what to say to get what they want. Reading the scenarios really opened my eyes. Theres a scenario where a social engineer pretended to be a manager of a video store. After enough talking to another employee at another branch, the social engineer was able to get enough information to obtain the credit card # of someone who owed money to the client the social engineer was hired by.

In reading the scenarios, I'd seen examples where I'd asked for the type of information described for perfectly legitimate reasons. I'd never imagined how someone could take just 1 or 2 pieces of information and create chaos for a person or a company. If you're in the IT industry, or work in any kind of customer service, you really need to pick up this book. This book doesn't bash people for being as helpful as they can be (team player, etc). He's just saying to be more aware of what's going on and when giving out any kind of information, being a little cautious doesn't hurt. As humans, we're not perfect to begin with, but a little awareness will make it just a little harder for that social engineer to get what they want.

Rating:
Summary: The Missing Chapter!
Review: The first chapter was dropped from the book just before publishing. you can find that first chapter online at ... Yahoo Groups first.

Rating:
Summary: A Must Read for security professionals
Review: If you have any interest in IT Security, you need to study Social Engineering, and this book is a great resource. It's truly amazing how effective Social Engineering can be against security systems of any kind.

I was a former victim of Kevin's exploits. He gained access to our network through an elaborate pretext; gaining access to systems that were secured by firewalls, dial back modems, extensive security policies and (unfortunately) many humans like myself. Everything but the humans worked flawlessly.

The art of the con is as old as anything. Con artists know that any system, yes ANY system, can be compromised as long as humans are involved. All the technology in the world (alone) isn't going to stop a creative and motivated social engineer.

Sadly, the focus of IT security today is on technology and technology alone. Very little attention is paid to the topic of social engineering and how to mitigate this threat. 'Human nature' is, once again the culprit here, as people view controls that reduce social engineering threats (strict process controls, seemingly redundant and repetitive procedures) as unnecessary or overly paranoid.

This book goes a long way to illustrate the wide applicability of this type of threat, even describing social engineering attacks against the traffic court systems and the Social Security Administration.

This book is a 'must read' for any serious security professional, and a very interesting read for anybody wanting a look at the way a real hacker's brain works.