The Art of Deception: Controlling the Human Element of Security is a collection of short stories and detailed examples showing how humans are often the weakest link in the IT security chain. Written by hacker-turned-security consultant Kevin Mitnick, the book’s 16 chapters cover the art of social engineering: breaching security by manipulating people rather than technology. Techniques range from the high-tech (phishing emails and websites, and malware) to low-tech but highly convincing fake phone calls and impersonation. The most basic attacks involve simply asking people for sensitive data, using charm or intimidation (“OK, if my boss asks I’ll tell him you wouldn’t cooperate”) to extract the required information piece by piece.
One of the most interesting examples is the “Let me help you” ruse. The attacker calls an employee posing as the computer help desk, warns him of a potential computer fault and leaves his cell phone number in case of problems. A couple of days later he engineers a network fault: the victim calls the attacker, who then “fixes” the problem and convinces the victim to download a “software patch” (in reality a Trojan horse) to “stop the problem happening again”. Backdoor installed: security compromised. The trick works because the victim initiates the second call himself, using a number he was never asked to verify, so the attacker appears to be a trusted contact rather than a stranger.
Each story is presented, often as a series of telephone calls, and then followed by an analysis of the attack and where the victim went wrong. Typically the individual mistakes are only minor, but they add up to create a serious security problem. It is striking how willing employees and other individuals are to give sensitive details to callers without first authenticating them.
The final part of the book looks at what companies can do to prevent attacks like those described throughout the book, covering organisational policies, verification procedures and training programmes.
Most of the stories in The Art of Deception are highly relevant to ITGS students, relating strongly to the social and ethical issues of security, authentication, and policies. Mitnick’s style is clear and accessible, with key language and points highlighted, and the book’s structure makes it easy to quickly dip in and read one or two stories. ITGS students or teachers with even a passing interest in computer security should find it a worthy read.