“The Art of Deception: Controlling the Human Element of Security” by Kevin D. Mitnick and William L. Simon
John Wiley & Sons, New York, 368 pages, $27.50

Kevin Mitnick was one of the most notorious computer hackers of the 1990s. Numerous books, articles and films have described his exploits prior to his arrest in February 1995. Mitnick pleaded guilty in 1999 to federal charges and admitted that he broke into a number of computer systems and stole proprietary software belonging to Motorola, Novell, Fujitsu and Sun Microsystems. He was sentenced to 46 months in prison, followed by three years of supervised release, which included a prohibition against using computers and accessing the Internet, a condition that just ended.

What made Mitnick so unique as a computer criminal was not his technological ability but his “social engineering” skills, which gave him access to computer systems that would not otherwise have been possible regardless of a hacker’s level of technical skill. Now, with the help of veteran journalist William Simon, Mitnick has written “The Art of Deception: Controlling the Human Element of Security,” which provides guidelines for developing protocols, training programs and manuals to help companies avoid becoming the victim of the next Kevin Mitnick.

The book begins from the premise that the weakest link in security, including computer and information security, is the human factor. No matter how much money a company spends on the latest computer security devices, such as firewalls, intrusion detection systems or stronger authentication devices such as time-based tokens or biometric smart cards, it remains vulnerable to security breaches if it has not taken steps to prevent the exploitation of the human element. Indeed, reliance on the latest technology may make a company even more vulnerable by creating the illusion of security.

Mitnick argues that the greatest threat to the security of a company’s proprietary information and computer security is “the social engineer — an unscrupulous magician who has you watching his left hand while with his right he steals your secrets. This character is often so friendly, glib, and obliging that you’re grateful for having encountered him.” In other words, someone exactly like Kevin Mitnick.

The book is broken down into three parts, entitled “The Art of the Attacker,” “Intruder Alert” and “Raising the Bar.” The first two parts each contain a number of chapters that describe fictionalized situations involving the use of social engineering to successfully obtain proprietary information from companies. The chapters then “analyze” these situations, which Mitnick refers to as “cons,” and conclude by offering methods to prevent them from happening. Many of the chapters are very informative and describe techniques of social engineering that most people would think could never really happen. The most interesting and informative chapter demonstrates how even the most innocuous information can be used by a skilled social engineer as a basis to acquire truly valuable information. The chapter describes how, for example, employees may let their guard down if they are confronted with a person who seems to already know inside information about them or the company for which they work, which, in turn, may lead them to divulge a company’s most prized secrets.

Part three contains two chapters on specific steps that companies can take to increase information security and avoid becoming the victim of social engineering, and provides recommended corporate information security policies. Mitnick believes that the only truly effective way to mitigate the threat of social engineering is through the use of security technologies combined with security policies that set ground rules for employee behavior, together with appropriate education and training for employees. To that end, Mitnick describes what should be included in an effective computer and information security training and awareness program. The last section of this chapter — entitled “What’s in it for me?” — suggests that a security plan should reward employees who detect and prevent an attempted social-engineering attack. While this is certainly not a bad idea, Mitnick may perhaps have been thinking of himself in this section, since he suggests that an information and computer security program should also include “providing copies of the book to all employees.”

While many of the chapters recount interesting scenarios involving social engineering and lessons to be learned from them, the book suffers from its colloquial style and from sentences such as: “Naturally phone companies don’t make these books easy to get hold of; so phone phreaks have to be creative to get one. How can they do this? An eager youngster with a mind bent on acquiring the directory might enact a scenario like this.” In addition, Mitnick’s claim that the scenarios described in the book are “purely fictional” also weakens its impact. Because of this claim, and despite Mitnick’s extensive personal experience in this area, a reader cannot help but wonder whether the scenarios that form the cornerstone of nearly all of the chapters are nothing more than figments of the author’s fertile mind, no more likely to occur than some fantastic plot in a Hollywood movie. The author understandably may not have wanted to identify his friends from his hacking days; however, the “fictional” nature of these events undercuts the seriousness of the book and its subject.

By every yardstick the level of cybercrime is soaring, driven by a weak economy, the increasing riches flowing through cyberspace and the relative ease with which such crimes can be committed. Recent studies suggest that U.S. companies are losing billions of dollars from cybercrime and that many companies are not doing enough to reduce their risk of becoming victims. Despite its weaknesses, “The Art of Deception” offers corporate executives an inside look into the mind of a skilled social engineer and is a valuable resource for companies interested in improving their computer and information security. One can only hope, for the author’s sake and for society as a whole, that Kevin Mitnick is truly serious in his claim that he is a changed person and is turning his not-inconsiderable talents and knowledge of information security and social engineering to helping companies prevent information security threats rather than creating them.

Peter J. Toren is a partner at Sidley Austin Brown & Wood, where he specializes in intellectual property and cyberlaw. Before private practice, he was one of the first attorneys with the computer crime and intellectual property section of the U.S. Justice Department, where he prosecuted computer hackers and other cybercriminals.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.