 
The Art of Deception: Controlling the Human Element of Security | Kevin D. Mitnick, William L. Simon | Reminding us all what the weakest link in IT security is.
 
 



The Art of Deception: Controlling the Human Element of Security
Kevin D. Mitnick, William L. Simon

Wiley, 2003 - 368 pages

Average customer review: based on 124 reviews
highly recommended




So What Is Wrong With Helping That Caller?

Perhaps one of the best known social engineers is Kevin Mitnick. He was a master of the game, that is until he was caught. Sent to prison, and barred from using computers and the Internet for years because of his actions, he emerged a reformed man and set out to educate companies and users how to best protect themselves. One of his efforts, in collaboration with William L. Simon, was the 2002 book entitled The Art of Deception (368 Pages, J. Wiley, ISBN 076454280X). Since I was getting ready to read his new book (The Art of Intrusion), I wanted to read and review this title first so I would have context for his stories. Without a doubt, I am glad I did and this book is now on my "must read" recommendations list.

The reason this book needs to be read is because it was, and really remains, a definitive work on Social Engineering. Too many security consultants and businesses focus time and money on hardware and software solutions, when the reality is that social engineering is the tool that can make all of that worthless and for naught. As prevalent as it is in our everyday lives in good ways, it often is not recognized and understood when being used by the "bad guys".

Mitnick and Simon take the reader step by step through a number of scenarios which probably did happen. Not only do they lay out what was done, but they analyze how it was done and why it was successful. If that is enough, they also present recommendations on how to counter the attacks at the end of each chapter. They also cover a broad range of attacks from technical to just getting inside the doors.

The greatest asset of this book, which more than makes the book pay for itself, is the fact that the authors include a complete training and security awareness program outline, AND sample security policies to address social engineering. Too many times, this is left out of the picture. With this book as a resource, it is a very easy task to include it in all awareness programs.

Who Should Read This Book?

Information security officers and consultants need to read this book and incorporate the lessons into their own best practices. CIOs and CEOs need to read this book, which is very readable, to understand the nature of the threat. Employees need to read this book to understand how vulnerable they are. Maybe they might say, "Hey, that happened to me!" It should even be read by anybody who is concerned about the privacy of their lives and information.

The Scorecard

Double Eagle on a long Par 5




Reminding us all what the weakest link in IT security is.

As the author brilliantly points out, the human element is the weakest link in IT security. It doesn't matter how much hardware stands in the way of the hacker (or "social engineer"), security is often compromised by the unsuspecting employees who operate the computers, and are in most cases just asked for the passwords so the hackers can gain access.

Full of examples of attacks on companies and individuals, "Art of Deception" is a must-read for anyone who works in the IT field, as well as anyone who uses a computer. It also contains practical ways to safeguard information, and most of it is pretty much common sense.

I highly recommend this book.




Almost a 5 star book

Some of the elements of this book are hard to swallow, bordering on pure fiction. Although supposedly based on actual events, the wording ("A Large Telco" or "An Electronics Firm") makes it difficult to mentally follow the story by visualizing the events. A lot of key detail is left out, which makes this book a 4 star.

If you plan to take this book as a literal account of social engineering, it's a 1 star at best. If you hope to gain some general insight into social engineering, backed up heavily on theory and anecdotes, this is a solid book.




It could happen to you

The book explains the phenomenon of "social engineering," which is basically how deceivers entice unsuspecting people to give them information or access they aren't authorized to have. As I read through the different scenarios, I couldn't help but look back over my days in business to see if I had been duped into giving out information I shouldn't have.

The author walks you through several situations, such as a private investigator looking for hidden assets, a corporate spy looking for industrial secrets, or hackers looking for fun. In each of the chapters, he gives the reader an example of the con, then explains how the con works. Although he does leave some of the steps out (to prevent this from being a self-help book for hackers), he does give the reader enough information to see how this could happen.

The end of the book is intended as a checklist for all businesses. Even though a true hacker or social engineer (the difference is explained in the book) could still get through, all businesses should look at the list to ensure that they have done everything they could to prevent a security breach. In a nutshell, the biggest thing businesses can do is educate all employees, because humans are the weakest link in security.

For formatting, the author includes quick notes throughout the book. These get a bit monotonous after a while as the information in the note is already on the page in the text itself. It seems a bit repetitive. In all, however, this is a very informative book.


