Review of The Art of Deception

Bibliographical Information
The Art of Deception
Author: Mitnick, Kevin D. and William L. Simon
Wiley Publishing, Inc.
Indianapolis, IN. 2002
Kevin Mitnick's Art of Deception seeks to point out the weakest link in any security system: the human factor. Mitnick describes the process of what he terms social engineering or "getting people to do things they wouldn't normally do for a stranger" (xi). Chapters 2-9 deal with different ways that social engineering is employed to breach the security of businesses and organizations. Chapters 10-14 deal with even more serious threats from social engineers who "up the ante". These types of attacks can result in disastrous breaches of security. Finally, chapters 15 and 16 are devoted to ways that companies can work to prevent social engineering attacks on their business through training and policies. The book also provides a template security policy, designed by Mitnick, to help with developing a system to successfully guard against social engineering attacks.
The bulk of the book is devoted to 'based-on-fact' narratives of different social engineering attacks by private investigators, corporate spies, malicious criminals and curious hackers. The narratives show how social engineers use sympathy, trust, intimidation and the desire to be helpful to achieve their ends. The book identifies these integral weapons of the social engineer's arsenal and how they are employed. The last part of the book deals with counteracting the social engineers' methods. The book stresses that security technology, such as firewalls and anti-virus software, is not sufficient by itself to prevent social engineering attacks. Critical to protecting against social engineering attacks is "security technology combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees" (245). Preempting social engineering attacks requires, first, awareness that they exist and knowledge of how they are perpetrated and, second, effective policy-making.
The book is clearly written for professionals involved in business and/or corporate security. However, the straightforward, anecdotal writing style of the author makes it accessible and interesting to anyone interested in the subject matter. The book could actually be useful to anyone who interacts with important (or even seemingly innocuous) company information on a daily basis.

Critique
Interestingly enough, while the book does an excellent job of calling attention to an all too often overlooked aspect of information security, it also would be an excellent resource for someone interested in exploiting an organization to acquire information not accessible to the public. Many of the stories and "analyzing the con" sections read like how-to articles on how to acquire supposedly secure information. Naturally, any book that attempts to identify security flaws is going to point out such flaws to those who are attempting to prevent and perpetrate attacks alike, but Mitnick's work would prove quite useful to someone trying to carry out a social engineering attack. It has to be asked whether Mitnick may not have some desire to share his considerable talent with some of his former acquaintances. Either way, the book's greatest shortcoming certainly has to be the fact that it can be as much a manual on how to carry out an attack as it is a manual on how to defend against one.
Overall, the book does an excellent job of identifying an area that is far too often overlooked by security administrators. Best of all, the book does more than simply point out the flaw; it offers feasible and helpful tips on how best to adjust security policy in order to be prepared for such attacks. Certainly the experience and perspective that Mitnick brings to this area are helpful additions to the tools that security administrators have to prevent unwanted proliferation of sensitive information.