Summary and Group's Critique of The Art of Deception: Controlling the Human Element of Security
By Christina Sobinova, Luis Rivera, Ryan Gatewood, Ryan Larson, Chauncey Solinger, and Ryan Warren
Professor Qing Chang
ISM 3011
Mon & Wed 9-10:15 am
April 7, 2006
Review
The Art of Deception by Kevin Mitnick provides an in-depth look at social engineering, primarily through fictionalized examples (though all of them could be carried out to some extent). Its purpose is to show just how easy it is to get around the security standards that organizations put in place, simply through a little human manipulation. It also offers ideas on how to prevent such manipulation through changes in security policies and employee training. The book is divided into four parts:
1. Behind the Scenes: identifies security's weakest link, the human factor, and explains why companies are at risk from social engineering attacks.
2. The Art of the Attacker: describes how social engineers take advantage of people to get what they want.
3. Intruder Alert: describes how social engineers take their manipulation to the next level to defeat high-security measures.
4. Raising the Bar: discusses how organizations can prevent social engineering attacks.
Social Engineering
The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures, the most tightly controlled firewall, encrypted traffic, hardened operating systems, patched servers, and more, all of these security controls can be circumvented through social engineering. Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes, primarily gaining access to systems. Every user in an organization, whether a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge of company procedures or uses the corporate jargon, that alone is not authorization to provide controlled information.
The book is full of examples describing social engineering at work. Each example sets up a situation, walks you through it, analyzes it, and then provides potential security measures that would have stopped such an attack. For instance, "The New Business Partner" example on pg. 228 describes how a competitor can pretend to be a business partner in order to steal secret plans for an upcoming product. The competitor finds out when the CEO will be out of the office, then makes a point of coming in on that day for a meeting with him. He pretends to have mistaken the date of the meeting and offers to take some employees out to lunch, since he will be their new partner and is already in town. While at lunch, he coaxes each individual into telling him vital information and eventually obtains the product designs. The CEO returns to find that his product designs have been stolen. Months later, a similar product appears on the market, and we can only guess that its design is based on the same plans that were so kindly given away by the staff. Mitnick then analyzes the con and describes why the attacker took each step. He also describes why someone might take such a risk. He wraps up the chapter with ways to prevent such industrial espionage, such as verification of identity.
The Art of the Attacker
Kevin Mitnick explains that there is a certain art to being a social engineer. They must be good with people, able to handle stress well, good liars, and so on. Once an engineer has mastered these skills, he is able to plan his attack. The attack usually goes through certain stages, as outlined in the book. Some social engineers simply come right out and ask for the information they want. This works occasionally, but if it doesn't, there are ways around it. The engineer can establish trust with the employee he or she is dealing with; this is done through people skills as the engineer manipulates the target. Another way is to help out the employee the engineer is attacking. People are always grateful when they are helped out of a jam. Mitnick shows that social engineers know this and take advantage of it: they either fix a problem that is already happening, or they create a problem and then solve it. Once they have done this, they ask for a small favor in return, and that is how they obtain their information.
Just as a social engineer can create a problem and fix it, he or she can also ask for help. Mitnick explains that a social engineer can appear to be in a tight spot and draw sympathy from the victim. This is another effective approach.
According to Mitnick, social engineers never stop thinking about ways to infiltrate a system. Other attacks they might try include sending e-mails with phony attachments that promise free gifts, appealing to the side of us that loves to receive gifts. They will always try to get sympathy from you, or perhaps make you feel guilty. Finally, they may even use intimidation to get what they want.
Intruder Alert
The third part of the book is titled Intruder Alert and explains how social engineers step up their manipulation a notch to get through very tough security. Mitnick explains in this part how social engineers can truly manipulate any given person on any given day. On pg. 155 he says, "Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and killer instinct of the social engineer." He also says that a good social engineer, on the other hand, never underestimates his adversary. This is a very important point: it shows that everybody is vulnerable and that no one is 100 percent safe.
Social engineers aren't above getting down and dirty to get their information. They routinely rummage through a company's trash to find what they are looking for. It is very easy to find a phone number or a job title that was thrown away without a second thought. Companies do have paper shredders, but many employees either forget to use them or simply don't.
Companies also need to be aware of their own employees. Mitnick explains on pg. 161 that the greatest threat to a company comes from the people on the inside. In the book he refers to them as insiders and states that they are the ones with the "intimate knowledge" needed to hit the company where it hurts most. Companies must be careful about who they hire and who they place in high-security positions. Mitnick also states that companies must train their employees to detect when an attack is being made.
Throughout the book, Mitnick returns again and again to the idea of finding the weakest link, and how social engineers always find a way. He even explains that something as harmless as an employee checking his or her e-mail from a conference room can be a security risk. In part 3 of the book he is constantly conveying the message of "trust no one."
Raising the Bar
The final part of the book is about how companies can protect themselves as fully as possible. While Mitnick explains that no company is 100 percent safe, and a determined social engineer will break through the toughest security, there are still ways to stop most attacks. Some simple forms of defense are basic things such as caller ID, callback, vouching, shared secrets, confirmation through an employee's supervisor, secure e-mail, voice recognition, and many others. These are the basic safeguards, and, as Mitnick states, the more of them you have, the safer you are. It is better to have multiple layers of security in order to thwart attacks. Some social engineers will opt for an easier route and abandon their initial target in search of another company with far less security and risk.
Mitnick explains safe ways to distribute information throughout a company, such as in person or by internal mail (sealed and marked with the Confidential classification), and, if information must be delivered outside the company's walls, by a reputable delivery company. He also covers how to discuss sensitive information over the phone, how to transfer software, and so on. Basically, what Mitnick is trying to get across is that a company must be thorough about its security. It may seem like a bunch of useless nonsense to an employee, but top management knows the necessity of each and every step. Remember one thing: when security works, no one ever hears about it; when it breaks, the whole world will know, especially if it is a large corporation or a bank.
Conclusion
The Art of Deception by its nature has two audiences: social engineers and companies wishing to prevent social engineering. Mitnick provides social engineers with some quick means and useful tools to enhance their hacking skills. He also provides organizations, such as businesses and government agencies, with a powerful "road map" to understanding how social engineers think, making it possible to foil their plans. Companies will also learn how to set up their security policies to counteract potential social engineering attacks.
While there are many books on nearly every aspect of information security, The Art of Deception is one of the first to deal with the human aspect of security, a topic that has long been neglected. For too long, corporate America has been fixated on cryptographic key lengths and not focused enough on the human element of security. The book discusses hacking from a non-technical perspective, making it easy for anyone to understand and put its teachings into practice. Someone with no computer skills at all can still benefit from reading it. Mitnick has done an effective job of showing exactly where the greatest threat of attack lies: in people and their human nature.
Group’s Critique
Some readers may find a book on computer security penned by a convicted computer criminal objectionable. Rather than dwelling on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.
The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.
Our group would advise Mitnick to limit his use of examples that are infeasible for most. He should cut back on those examples that rely upon the social engineer having "insider information" and a working knowledge of the company's infrastructure. There are very few of us who have these capabilities. For example, Linda's story on pg. 108-109 takes an unrealistic approach: "I started rummaging through the papers I had managed to take home just before I left my job at the phone company. And there it was - I had saved a repair ticket from once when there was a problem with the telephone line at Doug's, and the printout listed the cable and pair for his phone." Very few people would have such a working knowledge of the infrastructure of a local phone company along with just happening to have papers from the last time the phone was fixed. How many people actually know what to do with the cable and pair numbers? We believe his purpose in doing this was to once again warn companies about how dangerous their employees can be and to cause them to set up a strict security policy.
The Art of Deception can be used to set up company guidelines regarding security and the protection of company information. The section "Security at a Glance" provides a brief summary of everything an organization would need to take from this book to set up a sufficient security policy. The diagram on pg. 337 showing how to respond to a request for information is just one helpful tool included.
Overall, the book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack: Just Asking for It; The Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and they often relate to daily life at work. In closing, our group found The Art of Deception by Kevin Mitnick very informative and worth the time and effort to read. It's a great book for those interested in human manipulation or in protection against it, without being overwhelmed by technical jargon.