The Art of Deception: Controlling the Human Element of Security


May 8th, 2012 | Phoenix Search Engine Marketing | 6 Comments

  1. Ben Rothke "Author of 'Computer Security: 20 ... May 8, 2012 at 10:57 pm
    66 of 68 people found the following review helpful
    5.0 out of 5 stars
    Interesting & timely about the dangers of social engineering, October 14, 2002

    Kevin Mitnick says “the term ‘social engineering’ is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through.” It’s suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering – that most subtle of information security threats.

    Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer’s past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

    The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures, the most tightly controlled firewall, encrypted traffic, DMZs, hardened operating systems, patched servers and more, all of these security controls can be obviated via social engineering.

    Social engineering is a method of gaining someone’s trust by lying to them and then abusing that trust for malicious purposes – primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

    The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

    The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

    Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, they are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills – no protocol decoders, no kernel recompiling, no port scans – just some smooth talk and a little confidence.

    Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

    In order for an organization to develop a successful training program against the threats of social engineering, it must understand why people are vulnerable to attack in the first place. Chapter 15 explains how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity) can companies ensure employees understand why social engineers can manipulate us all.

    After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood’s seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick’s security advice is revolutionary – it’s information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

    While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier’s Secrets and Lies being another) to deal with the human aspect of security, a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

    From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is – people and their human nature.


  2. Luke Meyers May 8, 2012 at 11:02 pm
    45 of 48 people found the following review helpful
    3.0 out of 5 stars
    Interesting cons, but repetitive and ego-trippy, March 24, 2006
    Luke Meyers (Seattle, WA USA) –

    Mitnick has his own reputation to live up to with this book, which sets a pretty high bar for the audience who knows him as the “World’s Most Notorious Hacker.” Unfortunately, while he knows the material cold, his skills as an author are less stellar.

    The vignettes describing various cons are, in the large, very entertaining. They’re fictionalized, and sometimes the dialogue feels artificial. This book is supposed to convince us how easily people are victimized by social engineers. When the victim’s dialogue plays too obviously into the con man’s hands (for the purpose of illustrating the point relevant to the enclosing chapter/section), this goal is to some extent defeated. It’s too easy to read unnatural dialogue and use that as an excuse to tell oneself, “I don’t have to worry about that sort of attack — I’m not that dumb!” More effort could have been expended in fictionalizing these scenarios without making them so difficult to relate to. Seeing how a con is performed is kind of like learning how a magic trick works — it holds a similar fascination. Imagine seeing an amazing magic trick performed on television, wondering how it was possibly accomplished, and then learning that the trick was all in the video editing. That really sucks the fun out of the magic — analogously, when the “trick” in one of these cons is just that the victim does something obviously stupid at just the right moment, the believability and enjoyment are damaged.

    Despite what I’ve said, the cons are definitely enjoyable to read and do offer some genuine insights. Not all suffer from believability problems. However, the supporting material discussing these scenarios is pretty weak. There’s a rigid format (“Analyzing the con,” “Preventing the con,” etc.) which leads the author to repeat the same points over and over again with very little variation, at times seemingly just to fit the format. The purpose of all this material is to give useful security recommendations and proper motivation for following them. The recommendations are on-target, but repeated ad nauseam.

    The descriptions of social engineers also suffer from a tendency to stroke the author’s own ego — the bigger the con, the thicker the language about how smart, handsome, and clever the con man is. I’d like to be convinced by facts, not hyperbole.

    I think this would really have worked better as two books, for two different audiences. One for entertainment, to read about all the cons and how they work, to get a little history of social engineering. And one for serious security discussion. The blend of the two leads to a schizoid work that’s simply mediocre.


  3. Anonymous May 8, 2012 at 11:58 pm
    28 of 30 people found the following review helpful
    5.0 out of 5 stars
    Amazing! This book will make you think, October 9, 2002
    By A Customer

    I went into this book thinking I knew a fair amount about security in general. You know, don’t leave your network password on a post-it on your bulletin board, be aware of strangers in your office, that kind of thing. Then, I finished reading the book, and realized that it challenged all the assumptions that I had about the way I react in these situations. Mitnick’s right – we as human beings are conditioned to be polite and trusting, and as horrible as it seems, that’s not always right. But you don’t have to become nasty and distrustful, just aware. That’s what this book is talking about. The examples are wonderful – they really do read like a mystery thriller. And the advice is really sound. It doesn’t mention it here, but there is a great flowchart in the back of the book that I’ve copied for everyone in my office. It details what to do if someone calls you for information that you are not sure they need or should be getting. All in all, The Art of Deception is a must read for many of us.


  4. Melissa D. Binde May 9, 2012 at 12:16 am
    69 of 71 people found the following review helpful
    5.0 out of 5 stars
    Moving from “Good” to “Great” in your sysadmin career, April 6, 2002

    Good sysadmins know the technical details. They can resurrect a dead server, understand the intricacies of sendmail or the Windows registry, and recite all of the types of DNS records by heart. They own copies of the UNIX System Administration Handbook and refer to them regularly. They are good sysadmins, and will contribute solidly at an intermediate level.

    Great sysadmins know all of that and what is in this book. They are the ones who go on to become the senior sysadmins and consultants, have fabulous careers, and are respected by their bosses, co-workers, and customers.

    There is much more to a technical job than simply the technical skills. Don’t buy this book to learn how to run a system or you will be disappointed. Do, however, buy it to learn how to be an effective professional systems administrator.

    It is also useful for a manager of sysadmins who is either non-technical, or has never been a sysadmin himself, as it is a good introduction to the issues and concerns that sysadmins need to face.

    Limoncelli and Hogan cover many topics, including:

    – Trouble ticket systems
    – Desktops and Servers (how they’re the same, differ, etc.)
    – Administrative networks (why bother?)
    – Requirements (gathering, tracking, etc.)
    – Standards and centralization of services
    – How to do debugging (not “you see this problem, do this” but rather learning the process of doing good debugging)
    – Fix things once, not over and over again
    – Security policies (including management and organizational issues for a variety of organizational profiles)
    – Disaster Recovery (again, not how to backup data, but why you’d want to, legal issues, etc.)
    – Systems Administration Ethics
    – Change management and revision control
    – Maintenance windows: what they are and why they’re good for both you and your users
    – Centralization versus Decentralization
    – Helpdesks: sizing, scope, processes, escalation, etc.
    – Data centers (many physical facility concerns that sysadmins don’t often think of, including how to move a datacenter)
    – Managing non-OS software (commercial and free)

    They will help you answer questions like

    – Does server hardware really cost more? Do we go with a few expensive servers or many cheap ones?
    – What does “redundancy” actually mean?
    – Why would we spend money on backups? There’s never been an outage…
    – What do I do when asked to do something illegal?
    – How do I communicate and schedule large system changes?
    – How do I do a safe server upgrade?
    – They want to decentralize the sysadmin group — what do we do?
    – How do we move our datacenter?
    – What sort of policy issues are there with email?
    – How do I deal with my customers abusing printers?
    – What do we have to worry about if we’re implementing remote access (e.g. dialup modem banks) for our users?

    Finally, they close with an entire section on Management:

    – How to deal with cost centers, management chains, hiring, customer support, and outsourcing.
    – How to manage your customers’ perceptions and your team’s visibility
    – How to manage your own happiness (time management, communication, professional development, managing your manager, etc.)
    – How to be a technical manager, how to work with non-technical managers, manage your own career growth, etc.
    – How to hire good sysadmins, recruiting, interviewing, soft skills, technical skills, employee retention, etc.
    – The special concerns around how to fire sysadmins (often problematic, given their higher level of access)

    They even have a chapter for non-technical managers who are in charge of sysadmins (this entire book would be very useful to give to a non-technical manager who doesn’t really ‘get it’.)

    The book closes with three appendixes:

    A. The Many Roles of a System Administrator
    B. What to Do When…
    C. Acronyms

    Appendix B is particularly useful, answering a wide variety of questions with solid, practical answers.

    The skills and concepts in this book are the make-or-break in many careers. They turn you from just another sysadmin into a star performer, sensitive to your customers and the business, able to interact with a wide spectrum of people.


  5. Amy Rich May 9, 2012 at 1:04 am
    31 of 32 people found the following review helpful
    5.0 out of 5 stars
    A must have for any sysadmin, regardless of skill level, November 18, 2001
    Amy Rich (Beverly, MA) –

    As a UNIX sysadmin veteran, I wish this book had been around when I started out. It would have saved so many headaches as I “learned the hard way.”

    Though not a nitty gritty technical book, this one is a must have for every sysadmin, regardless of skill level or the technology s/he uses. For the novice admin, it offers a good big picture look at the most important “whys” of system administration. For the intermediate admin, it has great advice on how to balance fire fighting with project work that will lessen the need for the fire fighting. For the senior admin, there are gems of design wisdom and sections on how to deal with being in a managerial or team leader role. Because it’s more high level, this book is even a good buy for people who manage sysadmins but are not themselves technical.

    The chapters are conveniently split into the “basics” and the “icing,” depending on the skill of the reader and the state of the reader’s work environment. The authors back up their sound advice with real world case studies and personal experiences. Best of all, not only was it a good read cover to cover, it’s organized so that the reader can come back to it as a reference later.

    Kudos to Tom and Christine for writing an excellent book, one which I will certainly be recommending to my clients and colleagues!


  6. Dale Dellinger May 9, 2012 at 2:01 am
    23 of 23 people found the following review helpful
    5.0 out of 5 stars
    A Mentor in a Book, August 29, 2004

    Amazon Verified Purchase

    The book market is flooded with books that will tell you all about the technical details of administering various software products and operating systems. Their scope is usually limited to whatever technical product is being written about and they become outdated as quickly as the technology becomes outdated. This book is very different. It gives guidelines in a very readable, coaching style, that can be applied to many different aspects of the System Administration trade.

    I have been a System Administrator for a few years now, but this book clarifies many of the issues that I work with daily. It’s like having a mentor on my bookshelf that I can pull down and consult for advice. I especially like the whole section of seven chapters dealing with different aspects of management. These chapters should be mandatory reading for every SA — and their bosses.

    The book is written in a very readable style and has many useful and insightful real-world examples that show that the authors have been around and learned a lot on the way. The book is worth reading just for these examples. I read the book from cover to cover.

    I first heard about this book when I attended a seminar Tom Limoncelli taught at the 2003 LISA conference titled “Time Management for System Administrators: How to Keep from Going (More) Crazy”. Many of the topics in the seminar are covered in detail in the book.

    If you’re a system administrator, you should read this book.

