The Art of Deception: Controlling the Human Element of Security (1st Edition)

Authors: Kevin D. Mitnick, William L. Simon, Steve Wozniak
ISBN-13: 9780471237129, ISBN-10: 0471237124
Format: Hardcover
Publisher: Wiley, John & Sons, Incorporated
Date Published: October 2002
Edition: 1st Edition

Author Biography: Kevin D. Mitnick

Kevin Mitnick is the founder of Defensive Thinking, an information security firm, and speaks widely on security issues. He has appeared on 60 Minutes and elsewhere in the media, and his exploits have spawned several bestselling books, including The Fugitive Game.

William Simon is the bestselling author of more than twenty books.

Book Synopsis

The world’s most celebrated hacker delivers the lowdown on today’s most serious security weakness–human nature

"Finally someone is on to the real cause of data security breaches–stupid humans … Mitnick … reveals clever tricks of the ‘social engineering’ trade and shows how to fend them off."

–Stephen Manes, Forbes

"A tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it’s like reading the climaxes of a dozen complex thrillers, one after the other."

–Publishers Weekly

"Mitnick provides hair-raising examples of social engineering–disgruntled employees stealing top-secret research, smooth-talking con men acquiring data on next-generation explosives for terrorists–and explains how to combat it."

–Angela Gunn, Time Out New York

"He was the FBI’s most-wanted hacker. But in his own eyes, Mitnick was simply a small-time con artist with an incredible memory [and] a knack for social engineering… This is Mitnick’s account, complete with advice for how to protect yourself from similar attacks. I believe his story."

–Simson Garfinkel, Wired

Stephen Manes - Forbes

Finally someone is on to the real cause of data security breaches--stupid humans. Notorious hacker Kevin Mitnick--released from federal prison in January 2000 and still on probation--reveals clever tricks of the "social engineering" trade and shows how to fend them off in The Art of Deception: Controlling the Human Element of Security (Wiley, $27.50).

Most of the book, coauthored by William Simon (not the one running for governor of California), is a series of fictional episodes depicting the many breathtakingly clever ways that hackers can dupe trusting souls into breaching corporate and personal security--information as simple as an unlisted phone number or as complicated as plans for a top-secret product under development. The rest lays out a fairly draconian plan of action for companies that want to strengthen their defenses. Takeaway: You can put all the technology you want around critical information, but all it takes to break through is one dolt who gives up his password to a "colleague" who claims to be working from the Peoria office.

What's useful about this book is its explanation of risks in seemingly innocuous systems few people think about. The caller ID notification that proves you're talking to a top executive of your firm? Easily forged. The password your assistant logs in with? Easily guessed. The memos you toss into the cheap office shredder? Easily reconstructed. The extension that you call in the IT department? Easily forwarded.

Physical security can be compromised, too. It's not hard to gain access to a building by "piggybacking" your way in the door amid the happy throng returning from lunch. You'd better have confidence in your IT professionals, because they're likely to have access to everything on the corporate system, including your salary and personal information. Mitnick offers some ideas for plugging these holes, like color-coded ID cards with really big photos.

Implementing the book's security action plan in full seems impossible, but it's a good idea to warn employees from the boss down to the receptionist and janitors not to give out even innocuous information to people claiming to be helpful IT folks without confirming their identity--and to use things like encryption technology as fallbacks. Plenty of would-be Mitnicks--and worse--still ply their trade in spaces cyber and psychological.

Table of Contents

Foreword
Preface
Introduction
Part 1: Behind the Scenes
Chapter 1: Security's Weakest Link
Part 2: The Art of the Attacker
Chapter 2: When Innocuous Information Isn't
Chapter 3: The Direct Attack: Just Asking for It
Chapter 4: Building Trust
Chapter 5: "Let Me Help You"
Chapter 6: "Can You Help Me?"
Chapter 7: Phony Sites and Dangerous Attachments
Chapter 8: Using Sympathy, Guilt, and Intimidation
Chapter 9: The Reverse Sting
Part 3: Intruder Alert
Chapter 10: Entering the Premises
Chapter 11: Combining Technology and Social Engineering
Chapter 12: Attacks on the Entry-Level Employee
Chapter 13: Clever Cons
Chapter 14: Industrial Espionage
Part 4: Raising the Bar
Chapter 15: Information Security Awareness and Training
Chapter 16: Recommended Corporate Information Security Policies
Security at a Glance
Sources
Acknowledgments
Index