Monday, August 21, 2017

The Art of Deception

The Art of Deception: Controlling the Human Element of Security
© 2005 Kevin Mitnick
352 pages

The Art of Deception is interesting at first, but very repetitive. Mitnick, who claims his career as a hacker was based solely on manipulating people to gain information and access, shares stories of others who did the same. These mostly include private investigators, with at least one pair of curious teenagers and a few bits of corporate espionage. The modus operandi in all the cases is very similar: the actor engages in background research to learn a few names and some of the lingo of the business, then makes phone calls to different people and departments within the company. Information is solicited under false pretense from various people, then combined to gain further access or the answers. Mitnick refers to this as social engineering, and it's obvious from his collection that a high degree of charisma is required to gain the trust or goodwill of subjects; Mitnick also points out how the actors manipulate the people they're interacting with, pushing buttons for sympathy and fear. There are very few cases included here of people working in person; the simplest case involved a man studying a business to find out when the office staff left and when the janitors arrived. He then approached the place in a suit with a briefcase, and pretended to be an office worker who needed to run in and get a few things from his office -- allowing him free run of the place. Mitnick ends each section, and the book as a whole, with advice on how to secure and compartmentalize information so employees don't accidentally give away the farm. This includes strict policies and training to control the flow of information, emphasizing the need to verify the identity and need of people requesting information.

4 comments:

  1. You make me wonder: who buys such books? Your review persuades me: I ain't buying it!

  2. The first book was stranger...it mostly appealed to people with an interest in IT security, but Mitnick laboriously explained internet and computer basics. I think he could have combined the two volumes for more general -- and less repetitive -- appeal.

  3. I actually *have* this book! Although you're not exactly encouraging me to *read* it... [lol]

    1. If you read the first few chapters and then Mitnick's concluding advice, that's pretty much it, content-wise.

