Over the last few months I’ve started a lot of books. There is so much interesting reading out there that between the usual blogs I read, the effort I’m spending learning Ruby on Rails, and the interesting books I run across in my usual ritual of trolling book stores, I’m finding it hard to focus on a book from start to finish. I think the only ones I’ve been able to read completely over the past few months have been Fight Club, Practical Subversion, Second Edition (reviewed early last week), and today’s pick, The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.
It is rare that a book conjures up such paranoia in me. The book is described on the back cover like this:
The world’s most celebrated hacker delivers the lowdown on today’s most serious security weakness – Human Nature.
Boy does he ever.
When one thinks of computer security, one normally thinks about things like closing unnecessary services and ports on your systems, using strong passwords, and so on. These are all technical measures that are necessary, but they aren’t truly secure on their own because of the people that surround the technology.
Mitnick and Simon do an excellent job of walking you through extremely realistic social engineering scenarios and making you realize that basic pieces of human nature, like sincerely wanting to help others, fear of crossing someone in a position of authority, or just plain carelessness, can open up your systems to security breaches no matter how good a handle you have on the technical side of security in your company.
Each scenario is followed by a section called “Analyzing the Con”, where they explain, in detail, the factors that contribute to the scenario being played out and your systems being compromised. There is a lot of interesting information in these analyses that you may not have thought of before.
The last chapter of the book gives you approximately 70 pages relating recommended corporate information security policies. This chapter was excellent, explaining the different policies you can enact and, more importantly – and something you don’t get very often from corporate security – the reasons WHY they are important to implement.
For me, this book was a total eye opener. It is interesting to think about the amount of information one can “leak” in a conversation that seems unimportant at the time, but that can be pieced together later on for the purposes of compromising a computer system or a business.
If nothing else, this book will definitely make you think about the next conversation you have with someone. It shows you the dark side of human nature, where people can seem completely sincere in their interactions with you but deep down have only one objective: to get information. It also illustrates the effort people can put forth to assemble a con with so much detail, over such a length of time, that the individual interactions seem innocuous, but in the end compromise your systems’ security.
This book is a must read for everyone even peripherally related to IT. Let me rephrase that. This book is a must read for everyone who has even remote contact with people. It’s extremely informative and engaging – so much so that I could hardly put it down.
I’ve already recommended this book to numerous people at work and will be putting it on the required reading list for this year for my teams. It’s an area of computer security that is often overlooked and I’m glad to see it covered in such detail – and in a very non-technical way. Anyone can relate to the content in this book.
Do yourself a favor. Take the time to pick this one up and read the whole thing. I can guarantee, no matter what your role, you will get something useful out of this book.