Art of Deception: Controlling the Human Element of Security, The

Kevin D. Mitnick, William L. Simon
The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech securityKevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.

Reviews

Reviewed: 2019-09-02
The Art of Deception is one of two books by famous hacker Kevin Mitnick, the other being "The Art of Intrusion". Intrusion focuses primarily on physical or technological hacks, while this book focuses almost exclusively on social engineering attacks.

A number of problems prevented this book from being very good. The main problem is simply that Mitnick did not have enough material to fill an entire book. This book would have been better if it were shorter and simply one section in a larger book about security. A great deal of the book feels like padding, the anecdotes about various social engineering attacks seem repetitive and pointless - reading just one is often enough, but Mitnick consistently indulges himself with identical tale after identical tale.

I'm not entirely sure who the audience for this book could really be. It doesn't seem like it's for technical people, because the book goes out of it's way to define what things like "http" mean. The book claims to be geared toward nontechnical people or businesspeople, but the fact of the matter is that the subtle differences between a lot of the social engineering attacks will be missed by nontechnical people. To your average joe, 20 or so of the stories in the book will seem identical, testing the patience of the reader.

The book is also frustrating in its design. It's constructed as a book to help managers and businesspeople manage security at their companies. Every story about a social engineering attack is followed by a "Mitnick Message" where Kevin explains how to prevent the attack from happening to you. In reality, however, the real focus is the story itself - the attackers are consistently painted as the hero of the story, with the hapless victims being drawn as naive morons. It's clear that Mitnick admires the attackers in these tales, and the "Mitnick Message" feels like it's been forced into the book to keep up the ruse that the book is intended for anyone other than wannabe hackers. Mitnick's advice is a restated form of "verify the identity of the caller" in nearly every instance.

The book is, to put it simply, a bore. Reading it was a challenge, and I had to fight the frustration to skim or skip sections nonstop. The Art of Intrusion is far more interesting, and I recommend it over this book without reservation. There is value for businesspeople to read this book, but I imagine it will present a significant challenge to their patience.

As an aside, Mitnick offers terrible advice regarding passwords. He argues that passwords should not consist of a constant combined with a predictable variable, such as "kevin01", "kevin02", "kevin03". I agree. He also says that users should not write down their passwords and tape the paper to their monitor or under their keyboards. I agree again. He also, unfortunately, argues that passwords should expire every month. Well, that's terrible advice. Passwords need to be something people can remember, or they have to write them down. If they are going to be memorable, they can't change constantly. If they change constantly and must still be memorable, people have no choice but to add some predictable pattern to a memorable portion of a password. In short, of options A) Don't write passwords down B) Don't use a simple increment in a password C) Change passwords monthly, security administrators can pick any two. To try for all three is delusion.
Item Posts
No posts