Review of the first Kevin D. Mitnick book – The Art Of Deception

Today I am reviewing the book The Art Of Deception by Kevin D. Mitnick, which I read a while ago. This book was published in 2002, but its subject is still a hot topic.

The Art Of Deception - Kevin D. Mitnick

The Art Of Deception (ISBN-13: 978-0764542800), Kevin D. Mitnick's first book, is a different kind of Information Security reading. Kevin was for a long time the FBI's most wanted computer hacker. Now a security consultant, he shares with us in this book the experience he acquired over the years. Instead of going into detail on how to break firewalls or code, Kevin wrote about his specialty: Social Engineering.

I first decided to buy this book to learn more about Social Engineering, and I must say that Kevin's mission was successful: I learned a lot. Going through the chapters, you discover a whole new way to attack networks, through the weakest link: the people controlling and using them.

As I've been working in Information Security for a few years, I often hear that "a secretary wouldn't give away her password", either because she is smart or because she knows not to do so. That being said, this book makes you realize how easy it can be to fool that "smart" secretary into giving away her password to an attacker who uses Social Engineering. Not because she is not smart, but because Social Engineering is all about using influence and persuasion to reach the goal: information gathering. That information can take different forms, be it a username, a password, a merchant ID, a PIN, etc. Several techniques can be learned throughout this book, most of them built on the trust an employee may have in a manager, a service provider or a law enforcement officer. By impersonating those roles, an attacker can play the game by his own rules and exploit that trust.

The book gives you a lot of phone call examples (maybe a bit too many, as it becomes redundant near the end) to make you think about the ways information leakage can happen. Examples range from one simple call to multiple, more complex, phone calls. If you are already a Social Engineering expert, you can still benefit from those examples by improving your skills and techniques.

While phone calls are mostly used in Parts one and two of the book, Part three goes more in depth by using physical and computer-related attacks. The stories are written to keep your mind busy with questions like "what would I do in that situation?", "would I fall for this?" or "do I verify guest identity properly?". The computer attacks, on their side, go where most of us security professionals are more comfortable. Phishing, dictionary and Trojan horse attacks are all used in conjunction with Social Engineering to gather information.

The last chapter, "Chapter 16 – Recommended Corporate Information Security Policies", can be very useful to someone writing policies for an enterprise. Kevin did a nice job of including often forgotten policies related to the main topic. Each of them comes with a short explanation that I found useful.

If you are looking for easy and entertaining reading as well as a way to learn about Social Engineering, I encourage you to buy this book. Even if some parts start to become redundant near the end, it is definitely a must-have on that topic.
