

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief." Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
| Best Sellers Rank | #54,654 in Books; #9 in Information Management (Books); #15 in Computer Hacking; #17 in CompTIA Certification Guides |
| Customer Reviews | 4.6 out of 5 stars 1,122 Reviews |
T**Y
Fascinating book
I bought this book in 2008, and read it after I got it. I was in love with cyber-security and social engineering was the theme those days. I never reviewed the book back then but I reread this book again yesterday and it hit me that Kevin's ideas are some of the most profound ideas when it comes to human behavior. Our tendency to be helpful. Our tendency to let someone new come into our lives, etc. I will be honest, after spending 13 years in the financial and marketing industry and reading 1000s of books and having 1000s of experiences I promise if someone wants to set me up they probably can. It's really hard to get away from a good setup. One thing that helped me all these years is that at the end of the day I ask myself two questions. This is a routine I do every day and have been doing it for almost 10 years now. 1. Did I try to help a stranger or someone I know today? If yes, then what was the context. 2. Did someone come into my life trying to do good things for me out of the blue? (This can be a friend that randomly texts you on FB or emails you after ages.)
E**E
Speaks volumes on social engineering/makes you think!
After reading it, the book makes one more aware of what to be careful of when giving out information of any kind and how to protect yourself and your company's assets. I've heard a lot of "Don't ever give out your id/password", "Always have firewalls on your network." One hardly ever hears about 'make sure you're giving information to someone who's supposed to have it'. There's tons of books on security with respect to technology but this is the first one I've seen that actually focuses on the weakest link when it comes to security - the human element. All the firewalls and software can't prevent a social engineer from getting in if he/she knows just how to act and/or what to say to get what they want. Reading the scenarios really opened my eyes. There's a scenario where a social engineer pretended to be a manager of a video store. After enough talking to another employee at another branch, the social engineer was able to get enough information to obtain the credit card # of someone who owed money to the client the social engineer was hired by. In reading the scenarios, I'd seen examples where I'd asked for the type of information described for perfectly legitimate reasons. I'd never imagined how someone could take just 1 or 2 pieces of information and create chaos for a person or a company. If you're in the IT industry, or work in any kind of customer service, you really need to pick up this book. This book doesn't bash people for being as helpful as they can be (team player, etc). He's just saying to be more aware of what's going on and when giving out any kind of information, being a little cautious doesn't hurt. As humans, we're not perfect to begin with, but a little awareness will make it just a little harder for that social engineer to get what they want.
J**O
It's a must-read
You have to read it!!! It never goes out of style!
D**N
Interesting overview of the human aspects of computer security, with helpful tips on prevention.
Kevin Mitnick, probably the most famous (and controversial) computer hacker of the 1990's, has spent several years of his life on the run, as well as a few years in jail. For years after leaving prison he was forbidden to log on to a computer, a prohibition he appealed successfully. He now runs a computer security business, lectures to large corporations, and has co-authored two books on computer network security. This book focuses on the human element of computer security. Reminding us that even the most sophisticated high-tech security systems can be rendered worthless if the people running them are not sufficiently vigilant, Mitnick goes on to point out the myriad ways in which human carelessness can contribute to security breaches. An experienced con artist who is well-versed in social engineering techniques can often do far more damage by manipulating people to provide information they shouldn't than by relying on technologically sophisticated hacking methods. The book is interesting for the most part, though it would have benefited from a 25% reduction in length, and there are some annoying stylistic tics. Throughout the first 14 chapters, each of which reviews a particular type of 'con' used by hackers/social engineers to breach computer security, the chapter setup follows the same schema: (i) an anecdote or vignette, involving fictitious characters but based on actual events, which lays out the deception as it unfolds, following it through to the successful breach (ii) analysis of the 'con', focusing specifically on the mistakes or behaviors (at the individual and at the organizational level) which allowed it to succeed (iii) discussion of the changes that would be needed to stop the con from succeeding (e.g. behavior of individual employees, corporate policies and procedures, computer software and hardware).
This is actually a pretty decent way to make the points Mitnick wants to get across - starting out with a concrete example of how things go wrong gets attention and motivates the reader to read on to figure out the solution. One feature of the book which was meant to be helpful started to annoy me by about the third chapter. Interspersed throughout each chapter, the authors insert highlighted textboxes of two types: 'lingo' - repeating the definition of a concept already adequately defined in the text, or 'mitnick messages' - which seemed superfluous, and a little condescending, as they generally repeated what was already obvious. In general, this is not a book you will read for the delights of its prose style (after successfully gaining access to a cache of hidden documents, one hacker is described as spending his evening gleefully "pouring over" the documents); however, the prose is serviceable, managing to avoid lapses into the dreaded corpspeak, for the most part. For some readers, the most useful part of the book may be its final two chapters. Here the authors lay out, in considerable detail, outlines for recommended corporate information security policies, and an associated training program on information security awareness. Though I am no expert in these areas, the outlines strike me as being commendably thorough - complete enough that they could be fleshed out without too much difficulty to generate a comprehensive set of policies and procedures. Despite some redundancy, and occasional infelicities of style, this book seemed to me to be interesting, and likely to be practically useful.
R**Y
The Art of Deception - will change your perception...
Wow! This is a must read book for just about everyone, even those who have not entered the information age yet. In a world that incessantly grows complex and beyond the understanding of the common man, one simply cannot cope with the new risks and threats that arise on a daily basis. This leads to innocent mistakes that can cause us serious harm. Often - techies and geeks believe technology is the answer - and to an extent that is true; however, the human element is the weakest link - and this book shows that in a nice way. Read this book to understand the ploys used, the tactics of a vicious mind (or mischievous), and how easy it is for a vast majority of the people to fall victim. The good thing is that you will get ideas on what you and your company should be doing differently. Remember - although you will learn a lot - maintaining your guard and building immunity against deception is a moving target. As such - you will need to strive and go beyond the many points covered in the book. Read it and implement better practices in your work and life without any delay...the risks are not worth it.
K**C
I'm truly in awe.
This is the first book that I've read from cover to cover in close to 7 years. I could not put it down! Read it in 2 weeks, taking notes, evaluating the way I responded to calls at my company's help desk, reviewing some of the links mentioned in the book, etc., etc., etc. This is one book that if you read it you will have the ability to better defend and better compromise anything and anyone, but if you don't read it you will eventually regret it because there is a wealth of information that I haven't found anywhere else. There are popular web links mentioned that I was shocked to find were still valid. The detail and instruction are immaculate and if you don't read it....simply put you are a foolish moron. Headlines should read, "Mitnick does it again with a simple Mitnick Message!". Kevin, you inspire me and I wish I had your knowledge and influence.
J**K
An interesting look at security's weak link
Kevin Mitnick has been arguably the most famous computer hacker out there. His story has been told by others in several books. But here Mitnick is not trying to really share his experiences - rather he calls upon his collection of acquaintances and others he knows to illustrate how people can be engineered. Most of the book is essentially a series of stories of social engineering (getting someone to do what you want without their realizing it) and then some superficial analysis of why it worked. He then tries to synthesize his earlier chapters into a set of practical security precautions, many of which are common sense, and most of which the reader would have already figured out from reading the book. The stories he chooses to share are fairly interesting, both in their daring and setup and in their simplicity. What this book would be best for would be handing it to a corporate manager and allow him or her a wake up call as to security. As we try to work together, have things automated and available on-line and as our organizations grow the catchword is results, even if you have to bend the rules a bit. This is what the social engineer can exploit. Many of the stories skate along the edge of the law, and Mitnick points out when it would cross into illegal. While interesting, after a while the book becomes more tedious in structure and what is being said. Still it is very accessible and would be a great book for someone not so familiar with computers and hacking to see how some of it is done. It should serve as a wake-up call for management as to some of the dangers we face every day. And while most of the stories presented are more in the spirit of curiosity, or fun, or revenge, it would be easy to take them up a notch into activities with serious corporate impact.
T**T
Rest in peace, Kevin
Such a great book by such a talented person. Rest in peace, Kevin.
S**U
Interesting
Interesting book. Capital 16, and basically the last 100 pages were boring and outdated.
R**.
Excellent book, highly recommended!
Excellent book, highly recommended, especially if you work in information security!
A**Y
Amazing book
I didn't read it fully but it's just amazing. It got me hooked up.
F**O
Excellent book
It is a concise book, easy to understand, and written by one of the most important figures in information security. I only have the final chapter left, but I already wanted to give my opinion on this book. From the first to the penultimate chapter it is completely understandable, giving key definitions for those unfamiliar with the subject of computing.
風**太
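This book is dangerous. But it's fascinating.
When driven into a difficult situation, people come up with outrageous things that no one had ever thought of. The social engineers' crimes described in this book are all techniques of deception (Art of Deception) that make the scales fall from your eyes: "How do people come up with such things?" "I see, so there was a trick like this." As reading material, it is truly entertaining. I can see why it has been described as "like reading the climaxes of a dozen complex mysteries one after another." Still, am I the only reviewer who wonders whether this negative human imagination and creativity could not be put to some other, more positive use?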