The Art of Deception: Controlling the Human Element of Security
© 2005 Kevin Mitnick
The Art of Deception is interesting at first, but very repetitive. Mitnick, who claims his career as a hacker was based solely on manipulating people to gain information and access, shares stories of others who did the same. These mostly involve private investigators, with at least one pair of curious teenagers and a few bits of corporate espionage. The modus operandi in all the cases is very similar: the actor does background research to learn a few names and some of the lingo of the business, then makes phone calls to different people and departments within the company. Information is solicited under false pretenses from various people, then combined to gain further access or the answers being sought. Mitnick refers to this as social engineering, and it is obvious from his collection that a high degree of charisma is required to gain the trust or goodwill of the targets; Mitnick also points out how the actors manipulate the people they are interacting with, pushing buttons for sympathy and fear. There are very few cases here of people working in person; the simplest involved a man studying a business to find out when the office staff left and when the janitors arrived. He then approached the building in a suit with a briefcase and pretended to be an office worker who needed to run in and get a few things from his office, which gave him free run of the place. Mitnick ends each section, and the book as a whole, with advice on how to secure and compartmentalize information so employees do not accidentally give away the farm. This includes strict policies and training to control the flow of information, emphasizing the need to verify both the identity and the need of anyone requesting information.