The Art of Deception
Everyone should read The Art of Deception by Kevin Mitnick, co-authored with William Simon. In his book, Mitnick explains the human side of information security, also known as social engineering. Social engineers artfully extract seemingly harmless information from unsuspecting people so that they can gain access to computer systems and top-secret information. Mitnick opens your eyes to a world that you may never have known existed. He will leave you wondering whether you have ever been conned by a social engineer, and what information you may have unknowingly provided to someone that allowed them to do terrible things.
For the first portion of the book, Mitnick explains in careful detail exactly how social engineering is done. Perhaps the most frightening aspect is how easily the social engineer obtains what he is seeking. Mitnick shows this by providing a short scenario with dialogue from the point of view of the person being attacked. For example, Mitnick describes in detail how a man walked into a small start-up while the boss was on vacation. The man convinced the entire office that he was a partner of the boss. The staff trusted this man so much that they sent him the source code for their project. Several months later, a new company appeared and launched the product as its own. The start-up lost everything.
After describing the scenario, Mitnick then reviews it from the point of view of the attacker. It is useful to understand both perspectives, as this provides insight into how the attacker thinks and the process he goes through when planning a social engineering attack. In many of the scenarios, the attacker only asks for a small bit of information that is harmless on its own. However, he acquires several of these pieces of information from several different people and combines them to obtain the highly sensitive information he is really after. Another disturbing realization is that the victims often never know that they were attacked and that their company’s security has been compromised. Mitnick also analyzes what key measures could have been taken to prevent the attack, or at least to significantly reduce its risk.
In the second portion of the book, Mitnick outlines an extremely detailed security policy that a company could employ to protect itself against all types of security attacks, but social engineering attacks in particular. The policy is divided into sections according to the type of employee each section addresses, such as information technology staff versus administrative support staff. It also explains the benefits and pitfalls of each of the measures that can be taken to protect against attacks.
This book is extremely easy to read and very fascinating. I would actually recommend that anyone read this novel, particularly the first part, because it makes you very aware of how vulnerable anyone is to a social engineering attack. I think that even people who do not work with computers on a daily basis would find this book intriguing and useful. Additionally, information technology people, particularly those in charge of security, should read this book because the main point it makes is that no matter how many firewalls you have, how good your password schemes are, etc., your company is still vulnerable to social engineering attacks.
From a critical perspective, I did not feel that the book really had any shortcomings. I feel that it very clearly made its point about social engineering. The goal of this book is to make people aware of the human side of information security: that information security is more than hardware and software. Information security relies most on the people in your organization. The first portion of the book is engaging and flows nicely. This section is valuable for anyone to read and easy to understand, whatever the reader’s technical level. Those interested in more specific details can read the second portion of the book, which outlines different security policies and how to implement them in more technical detail.
Additionally, it is nice to have the perspective of Kevin Mitnick. He is very open and honest about his history and what makes him the social engineering expert that he is. Who better to explain how it works than a master of the art? It is like reading a guide to protecting your home from cat burglars, written by a cat burglar who spent a lifetime breaking into people’s homes without getting caught.