on June 22, 2004
In The Art of Deception, Kevin D. Mitnick, a corporate security consultant who was once arrested for computer hacking, has written a fascinating book about how to control security lapses due to the "human element." With writer William L. Simon, he describes how con artists use social engineering to gain information by lying to pass themselves off as insiders. By being sensitive to human behavior and taking advantage of trust, they learn to bypass your security systems. The book teaches you how to ward off such threats and educate employees. Yet, problematically, this information could also help con artists be more sophisticated. In any case, this highly informative, engaging book includes sample conversations that open the door to information, along with tips about how various cons are used and what to do about them. We recommend this book to corporate officers, information managers, human resource directors and security personnel, but don't tell anybody.
on July 31, 2015
I thank you for the opportunity to write a few words describing my overall view of the book in question. I SHOULD however mention that I am indeed able to speak French and read French language items, but a long time ago, after French school and living in the Quebec province in 1950, I started to work and live in English. I attended military colleges, legal studies, and some medical studies, all in ENGLISH. All told, some 20-plus years in schools, thereafter a 25-year career in the Royal Canadian Navy, retiring as LCDR, again in English, and thus I do not write in English. My family, wife and daughter, lives in English. Consequently, this review needs to be in the language I AM actually able to express myself in, as I did for some other reviews I have sent you. THE BOOK THE ART OF DECEPTION is a magnificent text. I have likely unknowingly been a target, but the book has made me much more aware of the enemy within; in fact I have mentioned and recommended the book to a few people in my environment, and more especially to my daughter, who as a practicing lawyer has her own firm, where activities such as those mentioned in the book are bound to take place. The book informs on myriad ways which can make you a victim. I have also mentioned to ordinary people such as me that the book in question is a must-read nowadays, and I have told people where they can purchase the book with a compendium of the ways and means of the art. Readers will not be disappointed. It is a most interesting subject about which one needs to be familiar.
on April 18, 2004
Other reviewers write that this book is repetitive, and I agree - I believe that Mitnick is trying to convey a mindset. Each scenario in the book, taken alone, is insignificant. You can skip through the book, reading here and there, without losing much. Don't expect to learn much in this book about the technicalities of network security. But then again, all the computer and telecommunications savvy in the world does not make a hacker.
The right technical skills and knowledge, plus the mindset presented in this book equals hacking. If you are on the security side of things, reading this book (or a few chapters of it, at least) will help you get into the mindset of a hacker, and thus better detect weaknesses in your organization or system.
By the way, I thought the book was an entertaining read. Others say it was boring. I think they expected the wrong thing out of the book. For those of you that have read Harvey Mackay - this book is a lot like "Swim with the Sharks Without Being Eaten Alive" - he tells parables to get the message across.
on February 20, 2004
This book is both educational and entertaining. Mitnick is the authority on the subject. And even though the techniques used in the scenarios in this book might seem dated, they still get the point across: that the 'Human Element' is one of the greatest security holes. In this day and age network administrators feel that they have an edge against hackers with firewalls, and proxies, and what not...but when somebody really wants to get in, and they have the skill of somebody like Mitnick, then trouble is at hand. Though when reading the book, most people will probably get the feeling that Kevin Mitnick is just skimming the surface, or giving us the shortened version of each scenario. Even so this is great reading, and a great addition for anybody interested in corporate security, 'dumpster diving' type techniques, or hacker/anti-hacker techniques. Definite must reading for anybody who would train employees about security, and the privacy/sensitivity of material and documents. Truly the art of being sneaky is a gift to Mitnick, alongside his hacking skills. One of the greatest lessons learned in this book is the fact that most people are just not paranoid enough; information that you think isn't sensitive, or important, could just be the key to any hacker's plan. If you want to get into Company X, then don't go through the front door, go through the sewer lines....
on February 12, 2004
The human factor is truly security's weakest link according to Kevin Mitnick, famed hacker, now turned security consultant.
Mitnick, based on his illustrious experiences, writes about social engineering: the human factors involved with information security. The book goes into multiple ways of showing social engineering in practice, such as convincing an employee to reveal his computer username and password or tricking someone into downloading spyware.
The book is definitely an eye-opener, bringing awareness of such devious, unorthodox tactics and attacks that users, net administrators and companies are commonly uneducated about. For counteractive measures, Mitnick goes on to recommend the establishment of training and awareness programs in addition to security policy guidelines.
But an interesting note surrounding the publication of this book was "the lost chapter". Much of the preface section never made the final cut but happened to mysteriously turn up on the Internet.
It revealed a lot more of Mitnick, with him recounting his life as a hacker and fugitive, about incidents whereby he was wrongly accused and his later arrest and incarceration where he was denied his constitutional rights...and John Markoff of the New York Times who couldn't get his facts straight.
At the end of this "lost chapter", it's safe to say you'd have some sympathy towards the legendary Mitnick, a hero in his own right. But then you'd have to give it a second thought, wouldn't you? After all, the book is about deception. ;-)
[+] Many methods of social engineering, an eye-opener.
[-] The scenario examples are fictionalized. He doesn't regale us with his actual stories.
on January 8, 2004
This book is about you. Yes, you. The carbon-based life form in his natural habitat - the cubicle - tapping away on the keyboard, high-spirited and without a worry. In the age of abundant security hype and the painful, daily confrontations with the insecure reality, you finally managed to build a secure environment. Life is good.
A system is technically perfect when the only flaw in the system is the Human that operates, maintains and works with it. That makes you and every employee in the organization a target.
Organizations in the world invest massive amounts of money in firewalls, anti-virus software, intrusion detection, VPN technology... but often neglect the most important and vulnerable security component: humans.
Kevin Mitnick brings you an essential piece of valuable awareness training packed in an easy-reading book. Using realistic cases, interwoven with side notes, tips and lingo explanations from the master, you can start to mature and to fill the gaps in your security policy.
Review: The Art of Deception: Controlling the Human Element of Security.
By Kevin D. Mitnick and William L. Simon.
Publisher: Wiley Publishing, Inc. ([...]
on December 26, 2003
There was little material in here that I didn't already know, so I gave it 4*, for its use as refresher. For those unfamiliar with the topic, it probably does rate 5* as a primer.
Like other reviewers I didn't enjoy Mitnick's self-congratulatory / self-apologetic tone.
What it did remind me of is the lack of security at my own company:
* our employee car park beneath the building is permanently unmanned, so multiple passengers could enter the building piggybacking - and they have access to the office space behind the 'firewall' of the reception desk.
* in common with many companies we now have outsourced lots of things, including our Systems Security. So who's protecting whom? I get lots of requests to send e-mails of commercially sensitive material outside our network to developers in India; but I refuse. Of course their own staff based onshore could be forwarding it on, and we wouldn't know.
I recommend everyone reads this book to see if they can improve upon their own security.
on November 30, 2003
As the previous reviewer pointed out, you have to get past the fact that the author of this book has been convicted of a heap of crimes due to his application of the techniques he lays out in this book. I admittedly was a bit indignant about taking Mitnick's advice at first, but recognized early on that this is judgmental and immature, and this book has good info in it.
So basically this book is almost a "must-have" for the infosec professional because ... it's really the only book like it right now. Most well-rounded infosec books *include* info on social engineering. This book is *about* it, meaning you finally get an in-depth analysis of the techniques and methods used by social engineers, and suggestions to stop them.
Actually my biggest problem with this book is that the author(s) couldn't seem to figure out their target audience. They wrote a book that filled an infosec niche, then constantly defined terms like "Brute Force", which everyone reading this book probably figured out at the kindergarten level of infosec. They do this a lot and overall I found this, coupled with the simplistic writing style, to be a bit condescending. That's why I say this is a 3.5 and not a true 4.
SUMMARY - Good info, more in-depth knowledge of social engineering than anywhere else, dumb writing style. At least worth borrowing or picking up used like I did.
on October 21, 2003
This is one book that every security manager NEEDS! So often (too often), information security is only addressed at a purely technical level (e.g., firewalls, IDS, etc.) while "traditional" types of security are completely ignored or (worse yet) ridiculed as "old fashioned".
If you're expecting Mitnick to dive into the IP stack headfirst, this book is NOT for you. No fancy tools are needed for these "hacks". Instead, it shows how a slick tongue, human nature, and a bit of logical thinking often combine to wreak havoc. This is hacking at its finest - no audit trails, no intrusion detection - just pure system access that somebody handed to you in a basket!
If you're an INFOSEC manager, read this book. Learn what you can from it, then take an honest look at how easy it is to get around security measures in your own organization. (Start by taking a peek at your wastepaper bins or those paper recycling boxes after hours. It's amazing what can be found!)
Great book for management and INFOSEC people alike....but I'd think twice before handing it over to a bored 15-year-old! :-)
on August 28, 2003
Story by story, Mitnick (once described as the FBI's "most wanted hacker") reveals some tricks-of-the-trade. Fair enough. But if you are expecting technical details about defeating system login controls or busting through firewalls, you will be disappointed. Mitnick's favorite hacking tools are the telephone, plus the experience and nerve to deceive unsuspecting members of the organizations he is attacking into defeating the controls from the inside.
Reading this book, you will quickly come to realize that Mitnick's toolbox is every bit as effective as the hacking and cracking technology ... and as you read further, it may dawn on you just how hard it is to counter the social engineering attack. After all, much as you might like to, you can't simply plug in a new program to security-patch your employees!
Mitnick's suggested countermeasures in section 4 of the book are fairly straightforward (a wide-ranging security awareness program and a decent set of policies) but implementing them effectively and persuading employees to pay attention requires those very social engineering skills described in sections 1-3.
I'm left with the distinct impression that Mitnick is teasing us by describing a few simple deceptions whilst keeping the best to himself. But think for a moment about the success of the "419" advance fee scams. Otherwise sane, intelligent individuals are evidently being drawn into parting with their hard-earned cash on the basis of these crude deceptions. The implications are truly frightening.
My bottom line: take this book on holiday with you. Once you start, you will not want to put it down and you can reflect on it at the bar. Free drinks anyone?