The Art of Deception: Controlling the Human Element of Security
October 2002

Publisher: Wiley Publishing
ISBN: 978-0-471-23712-9
Published: 04 October 2002
Pages: 304
Abstract

The Art of Deception is about gaining someone's trust by lying to them and then abusing that trust for fun and profit. Hackers use the euphemism "social engineering" and hacker-guru Kevin Mitnick examines many example scenarios.

After Mitnick's first dozen examples anyone responsible for organizational security is going to lose the will to live. It's been said before, but people and security are antithetical. Organizations exist to provide a good or service and want helpful, friendly employees to promote the good or service. People are social animals who want to be liked. Controlling the human aspects of security means denying someone something. This circle can't be squared.

Considering Mitnick's reputation as a hacker guru, it's ironic that the last point of attack for hackers using social engineering is computers. Most of the scenarios in The Art of Deception work just as well against computer-free organizations and were probably known to the Phoenicians; technology simply makes it all easier. Phones are faster than letters, after all, and having large organizations means dealing with lots of strangers.

Much of Mitnick's security advice sounds practical until you think about implementation, when you realize that more effective security means reducing organizational efficiency--an impossible trade in competitive business. And anyway, who wants to work in an organization where the rule is "Trust no one"? Mitnick shows how easily security is breached by trust, but without trust people can't live and work together. In the real world, effective organizations have to acknowledge that total security is a chimera--and carry more insurance. --Steve Patient, amazon.co.uk

Cited By

  1. Patterson L, Welch I, Ng B and Chard S. Investigating Cybersecurity Risks and the Responses of Home Workers in Aotearoa New Zealand. Proceedings of the 35th Australian Computer-Human Interaction Conference, (99-107).
  2. Tian C, Jensen M and Durcikova A (2023). Phishing susceptibility across industries. Computers and Security, 135:C. Online publication date: 1-Dec-2023.
  3. Frauenstein E, Flowerday S, Mishi S and Warkentin M (2023). Unraveling the behavioral influence of social media on phishing susceptibility. Information and Management, 60:7. Online publication date: 1-Nov-2023.
  4. Zieglmeier V, Loyola Daiqui G and Pretschner A (2023). Decentralized Inverse Transparency with Blockchain. Distributed Ledger Technologies: Research and Practice, 2:3, (1-28). Online publication date: 30-Sep-2023.
  5. Bera D, Ogbanufe O and Kim D (2023). Towards a thematic dimensional framework of online fraud. Decision Support Systems, 171:C. Online publication date: 1-Aug-2023.
  6. Bendler D and Felderer M (2022). Competency Models for Information Security and Cybersecurity Professionals: Analysis of Existing Work and a New Model. ACM Transactions on Computing Education, 23:2, (1-33). Online publication date: 30-Jun-2023.
  7. Rao S, Chen H and Aura T (2023). Threat modeling framework for mobile communication systems. Computers and Security, 125:C. Online publication date: 1-Feb-2023.
  8. Yoo J and Cho Y (2022). ICSA. Expert Systems with Applications: An International Journal, 207:C. Online publication date: 30-Nov-2022.
  9. Zieglmeier V and Loyola Daiqui G. GDPR-Compliant Use of Blockchain for Secure Usage Logs. Proceedings of the 25th International Conference on Evaluation and Assessment in Software Engineering, (313-320).
  10. AlKilani H and Qusef A. OSINT Techniques Integration with Risk Assessment ISO/IEC 27001. International Conference on Data Science, E-learning and Information Systems 2021, (82-86).
  11. Lin C and Luo X (2021). Toward a Unified View of Dynamic Information Security Behaviors. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 52:1, (65-90). Online publication date: 22-Jan-2021.
  12. Weber K, Schütz A, Fertig T and Müller N. Exploiting the Human Factor: Social Engineering Attacks on Cryptocurrency Users. Learning and Collaboration Technologies. Human and Technology Ecosystems, (650-668).
  13. Van Der Heijden A and Allodi L. Cognitive triaging of phishing attacks. Proceedings of the 28th USENIX Conference on Security Symposium, (1309-1326).
  14. Fertig T, Schütz A, Weber K and Müller N. Measuring the Impact of E-Learning Platforms on Information Security Awareness. Learning and Collaboration Technologies. Designing Learning Experiences, (26-37).
  15. Addae J, Sun X, Towey D and Radenkovic M (2019). Exploring user behavioral data for adaptive cybersecurity. User Modeling and User-Adapted Interaction, 29:3, (701-750). Online publication date: 1-Jul-2019.
  16. Ghafir I, Saleem J, Hammoudeh M, Faour H, Prenosil V, Jaf S, Jabbar S and Baker T (2018). Security threats to critical infrastructure. The Journal of Supercomputing, 74:10, (4986-5002). Online publication date: 1-Oct-2018.
  17. Ghafir I, Saleem J, Hammoudeh M, Faour H, Prenosil V, Jaf S, Jabbar S and Baker T (2018). Security threats to critical infrastructure: the human factor. The Journal of Supercomputing, 74:10, (4986-5002). Online publication date: 1-Oct-2018.
  18. Postnikoff B and Goldberg I. Robot Social Engineering. Companion of the 2018 ACM/IEEE International Conference on Human-Robot Interaction, (313-314).
  19. Ho S, Hancock J and Booth C (2017). Ethical dilemma. Journal of the Association for Information Science and Technology, 68:12, (2729-2742). Online publication date: 8-Nov-2017.
  20. Oliveira D, Rocha H, Yang H, Ellis D, Dommaraju S, Muradoglu M, Weir D, Soliman A, Lin T and Ebner N. Dissecting Spear Phishing Emails for Older vs Young Adults. Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, (6412-6424).
  21. Happ C, Melzer A and Steffgen G (2016). Trick with treat – Reciprocity increases the willingness to communicate personal data. Computers in Human Behavior, 61:C, (372-377). Online publication date: 1-Aug-2016.
  22. Arachchilage N, Love S and Beznosov K (2016). Phishing threat avoidance behaviour. Computers in Human Behavior, 60:C, (185-197). Online publication date: 1-Jul-2016.
  23. Mouton F, Leenen L and Venter H (2016). Social engineering attack examples, templates and scenarios. Computers and Security, 59:C, (186-209). Online publication date: 1-Jun-2016.
  24. Rocha Flores W and Ekstedt M (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers and Security, 59:C, (26-44). Online publication date: 1-Jun-2016.
  25. Mouton F, Malan M, Kimppa K and Venter H (2015). Necessity for ethics in social engineering research. Computers and Security, 55:C, (114-127). Online publication date: 1-Nov-2015.
  26. Cavusoglu H, Cavusoglu H, Son J and Benbasat I (2015). Institutional pressures in security management. Information and Management, 52:4, (385-400). Online publication date: 1-Jun-2015.
  27. Han D, Dai Y, Han T and Dai X (2015). Explore awareness of information security. Computational Intelligence and Neuroscience, 2015, (11-11). Online publication date: 1-Jan-2015.
  28. Arachchilage N and Love S (2014). Security awareness of computer users. Computers in Human Behavior, 38, (304-312). Online publication date: 1-Sep-2014.
  29. Heimo O, Kimppa K, Helle S, Korkalainen T and Lehtonen T. Augmented reality. Proceedings of the IEEE 2014 International Symposium on Ethics in Engineering, Science, and Technology, (1-7).
  30. Braun B, Johns M, Koestler J and Posegga J. PhishSafe. Proceedings of the 4th ACM conference on Data and application security and privacy, (61-72).
  31. Krombholz K, Hobel H, Huber M and Weippl E. Social engineering attacks on the knowledge worker. Proceedings of the 6th International Conference on Security of Information and Networks, (28-35).
  32. LeClair J, Abraham S and Shih L. An Interdisciplinary Approach to Educating an Effective Cyber Security Workforce. Proceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference, (71-78).
  33. Emms M, Arief B and Moorsel A. Electronic Footprints in the Sand. Revised Selected Papers of the First Annual Privacy Forum on Privacy Technologies and Policy - Volume 8319, (203-214).
  34. Biddle R, Chiasson S and Van Oorschot P (2012). Graphical passwords. ACM Computing Surveys, 44:4, (1-41). Online publication date: 1-Aug-2012.
  35. Irani D, Balduzzi M, Balzarotti D, Kirda E and Pu C. Reverse social engineering attacks in online social networks. Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment, (55-74).
  36. Luo X, Brody R, Seazzu A and Burd S (2011). Social Engineering. Information Resources Management Journal, 24:3, (1-8). Online publication date: 1-Jul-2011.
  37. Dimkov T, Pieters W and Hartel P. Training students to steal. Proceedings of the 42nd ACM technical symposium on Computer science education, (21-26).
  38. Stajano F and Wilson P (2011). Understanding scam victims. Communications of the ACM, 54:3, (70-75). Online publication date: 1-Mar-2011.
  39. Sanders B, Chen V, Zahra D, Dowland P, Atkinson S, Papadaki M and Furnell S. Online addiction. Proceedings of the International Conference on Management of Emergent Digital EcoSystems, (114-121).
  40. Chatmon C, Chi H and Davis W. Active learning approaches to teaching information assurance. 2010 Information Security Curriculum Development Conference, (1-7).
  41. Raskin V, Taylor J and Hempelmann C. Ontological semantic technology for detecting insider threat and social engineering. Proceedings of the 2010 New Security Paradigms Workshop, (115-128).
  42. Androulidakis I (2009). On the importance of securing telephony systems. WSEAS TRANSACTIONS on COMMUNICATIONS, 8:1, (102-111). Online publication date: 1-Jan-2009.
  43. Singh A, Liu L and Ahamad M (2008). Privacy analysis and enhancements for data sharing in *nix systems. International Journal of Information and Computer Security, 2:4, (376-410). Online publication date: 1-Jan-2009.
  44. Palmer A (2008). Criteria to evaluate Automated Personal Identification Mechanisms. Computers and Security, 27:7-8, (260-284). Online publication date: 1-Dec-2008.
  45. Androulidakis I, Christou V, Karametis A and Papanikolaou C. Modern telephony threats & countermeasures. Proceedings of the 12th WSEAS international conference on Communications, (106-109).
  46. Eusgeld I. References. Dependability metrics, (267-300).
  47. Brainard J, Juels A, Rivest R, Szydlo M and Yung M. Fourth-factor authentication. Proceedings of the 13th ACM conference on Computer and communications security, (168-178).
  48. Ma X, Pang H and Tan K (2006). Masking page reference patterns in encryption databases on untrusted storage. Data & Knowledge Engineering, 58:3, (466-483). Online publication date: 1-Sep-2006.
  49. Tari F, Ozok A and Holden S. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. Proceedings of the second symposium on Usable privacy and security, (56-66).
  50. Glisson W, McDonald A and Welland R. Web engineering security. Proceedings of the 6th international conference on Web engineering, (257-264).
  51. Gross R and Acquisti A. Information revelation and privacy in online social networks. Proceedings of the 2005 ACM workshop on Privacy in the electronic society, (71-80).
  52. Nolan J and Levesque M (2005). Hacking human. ACM SIGGROUP Bulletin, 25:2, (33-37). Online publication date: 1-Feb-2005.
  53. Thornburgh T. Social engineering. Proceedings of the 1st annual conference on Information security curriculum development, (133-135).
  54. Flinn S and Stoyles S. Omnivore. Proceedings of the 2004 workshop on New security paradigms, (97-105).
  55. Flechais I, Sasse M and Hailes S. Bringing security home. Proceedings of the 2003 workshop on New security paradigms, (49-57).
Reviews

Vernon Stagg

Many books on information technology (IT) security are available, covering a wide range of issues at both the technical and managerial levels. While these books do recognize the existence of the human and social elements of security, very few cover these important areas in depth. This book provides a detailed, insightful, and entertaining look at one of the weakest links in the security process: the human element. The book consists of three main sections, a chapter that provides a quick reference to the social engineering methods discussed in the second section, and a detailed index. Mitnick begins by explaining social engineering: getting information often by just asking for it, a process he considers cracking the human firewall. He also discusses the differences between amateur, nuisance hackers who aim for quantity, and sophisticated hackers who target valuable information. He goes on to detail the ways in which current information security solutions are inadequate when it comes to addressing social engineering.

The next section considers the value of seemingly innocuous information. Mitnick demonstrates how easy it can be to obtain information (specifically, getting an entire company directory of staff names and phone numbers) using various case studies, and from both the perspectives of those obtaining the information and of those providing it. He demonstrates that attackers are effective as a result of careful planning and preparation, for example by collecting specific insider details (namely staff names, branch IDs, and lingo), and shows how they use this to their advantage to obtain the information they are after. Mitnick outlines how attackers are often patient, establishing trust with their victims before attempting their objective. Following each case study is an analysis of the type of social engineering employed, and a discussion of the various steps that can be taken to protect such information.

Many of the chapters in this section finish with a list of recommendations and steps that organizations can employ to avoid becoming victims of these kinds of social engineering efforts. Mitnick also reiterates the message that personnel should beware of giving out information that may seem harmless, but that, when combined with other details, can allow an attacker to successfully penetrate otherwise well-protected systems.

The last section discusses staff awareness and training, and the benefits of establishing such programs. Security policies are examined, and a series of detailed policies are provided, ranging from management policies (data classification, information disclosure, and phone administration), to information technology policies (general, help desk, computer administration, and computer operations), to general staff policies. Each policy documents various issues, and Mitnick provides explanatory notes to accompany the recommendations.

Overall, this book is a thoroughly entertaining and informative read. Many of the case studies are based on real-life events, and show the ease with which determined attackers can gather information about an employee or an organization, and use it to their advantage to bypass seemingly secure systems and processes. This book is suitable for both managers and technicians involved in information security, and the detailed policies provided offer an excellent resource to any organization.

Online Computing Reviews Service
