Book Review: The Art of Deception: Controlling the Human Element of Security

The problem with “The Art of Deception” is its age and the limited scope of the exploits Kevin Mitnick discusses.

Almost every (usually fictional) exploit that Mitnick describes involves exploiting large organizations — places where there are clear hierarchies, overlapping departmental responsibilities and integrated networks.

Also, a significant amount of what he discusses involves phone phreaking; given that was how he cut his teeth in the social engineering game, it’s not surprising.

But when you read an example that involves dialing in to a Nortel DMS-100, you know you’re reading dated material. Sure, some companies still use 30-year-old telephone switches, and PBX is still a highly exploitable technology. But an update to 21st century tech is sorely wanted here.

Generally speaking, every example Mitnick provides for a successful social engineering attack comes down to three basic steps:

  • Get the name and title of someone in a large company.
  • Call a low-level employee on the telephone, masquerading as that person, and ask for some information that sets up the target.
  • Call the target, repeat the information given by the low-level employee, and get the target to compromise the system.

Sure, this can work — if you target large enough an operation. But what about small companies? Or individuals? Or non-corporate espionage? They go largely unaddressed.

Mitnick briefly discusses identity theft, and his favored strategy is Dumpster diving. This, again, is becoming less relevant as paper becomes less relevant, at least for smaller organizations and individuals.

He also gives very little attention to face-to-face exploits, claiming that they’re largely too risky. But by the same token, his constant refrain is that the successful social engineer is first charming and personable. I guess I miss where that would only be true of the average crook when he’s on the phone.

Finally, when discussing how one goes about protecting against social engineers, Mitnick almost always suggests restrictive rules and punishments, suggesting that the average employee responds appropriately to such inconveniences if it’s made plain to him the importance of not screwing up. That’s spoken like someone who’s never supervised an employee in his life.

People want autonomy, challenges and proof their work means something. Thus, he should discuss a reward-centered approach that says, “we trust you to protect your work product, we publicly recognize and reward vigilance, and we find ways to enable you to do what you need to do to get work done, in ways that ensure our information remains secure.”

I don’t mean to suggest that Mitnick’s book is of no relevance today. His basic points — that human nature is to help others, we can all sympathize with the poor sot who’s in a jam and needs our help, and what seems innocuous to the average employee is often the information that gets a social engineer’s foot in the door — are well-taken and will always be pertinent to security.

But times have changed. This book, unfortunately, hasn’t.

Finally, I got the Kindle version of this book, and not enough attention was paid to cleaning up the text during the conversion; punctuation, capitalization and other miscellaneous errors are rampant.

Also, the surfeit of sidebars — which usually explain a technical term, or give a quick tip on how to avoid an exploit — weren’t carefully placed; sometimes, they interrupt paragraphs of the main text.
