The Art of Deception: Controlling the Human Element of Security
October 2003

Publisher: John Wiley & Sons, Inc., 605 Third Ave., New York, NY, United States
ISBN: 978-0-7645-4280-0
Published: 01 October 2003
Pages: 368
Abstract

From the Publisher:

Kevin Mitnick's exploits as a cyber-desperado and fugitive from one of the most exhaustive FBI manhunts in history have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 2000, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most famous hacker gives new meaning to the old adage, "It takes a thief to catch a thief."

Inviting you into the complex mind of the hacker, Mitnick provides realistic scenarios of cons, swindles, and social engineering attacks on businesses -- and the consequences. Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. He illustrates just how susceptible even the most locked-down information systems are to a determined con artist impersonating an IRS agent or any other seemingly innocent character. Narrated from the points of view of both the attacker and the victim, The Art of Deception explores why each attack was so successful -- and how it could have been averted -- in an engaging and highly readable manner reminiscent of a true-crime novel.

Most importantly, Mitnick redeems his former life of crime by providing specific guidelines for developing protocols, training programs, and manuals to ensure that a company's sophisticated technical security investment will not be for naught. He shares his advice for preventing security vulnerability in the hope that people will be mindfully on guard for an attack from the gravest risk of all -- human nature.

Cited By

  1. Baldry M, Happa J, Steed A, Smith S and Glencross M (2024). From Embodied Abuse to Mass Disruption: Generative, Inter-Reality Threats in Social, Mixed-Reality Platforms, Digital Threats: Research and Practice, 5:4, (1-36), Online publication date: 31-Dec-2025.
  2. Burda P, Allodi L and Zannone N (2024). Cognition in Social Engineering Empirical Research: A Systematic Literature Review, ACM Transactions on Computer-Human Interaction, 31:2, (1-55), Online publication date: 30-Apr-2024.
  3. Li T, Song C and Pang Q (2023). Defending against social engineering attacks, IET Information Security, 17:4, (703-726), Online publication date: 24-Jul-2023.
  4. Elleh F (2022). Cyber Security and COVID-19, International Journal of Systems and Software Security and Protection, 13:1, (1-14), Online publication date: 30-Dec-2022.
  5. Harris I, Derakhshan A and Carlsson M. A Study of Targeted Telephone Scams Involving Live Attackers, Socio-Technical Aspects in Security and Trust, (63-82).
  6. Kawase R, Diana F, Czeladka M, Schüler M and Faust M. Internet Fraud, Proceedings of the 30th ACM Conference on Hypertext and Social Media, (181-190).
  7. Wu Y, Fong S and Zhuang Y. General Precautions against Security Threats for Computer Networks in SMEs, Proceedings of the International Conference on Big Data and Internet of Thing, (134-140).
  8. Fernandes D, Freire M, Fazendeiro P and Inácio P (2017). Applications of artificial immune systems to computer security, Journal of Information Security and Applications, 35:C, (138-159), Online publication date: 1-Aug-2017.
  9. Meffert C, Baggili I and Breitinger F (2016). Deleting collected digital evidence by exploiting a widely adopted hardware write blocker, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 18:S, (S87-S96), Online publication date: 7-Aug-2016.
  10. Jaafor O and Birregah B. Multi-layered graph-based model for social engineering vulnerability assessment, Proceedings of the 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2015, (1480-1488).
  11. Herley C (2014). Security, cybercrime, and scale, Communications of the ACM, 57:9, (64-71), Online publication date: 1-Sep-2014.
  12. Holzer A, Garbinato B and Vessaz F. Middleware for location privacy, Proceedings of the 2012 ACM Research in Applied Computation Symposium, (296-303).
  13. Kim D, Dunphy P, Briggs P, Hook J, Nicholson J, Nicholson J and Olivier P. Multi-touch authentication on tabletops, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, (1093-1102).
  14. Kostakos V. Human-in-the-loop, CHI '08 Extended Abstracts on Human Factors in Computing Systems, (3075-3080).
  15. Gonzalez J, Sarriegi J and Gurrutxaga A. A framework for conceptualizing social engineering attacks, Proceedings of the First International Conference on Critical Information Infrastructures Security, (79-90).
  16. Flechais I, Riegelsberger J and Sasse M. Divide and conquer, Proceedings of the 2005 Workshop on New Security Paradigms, (33-41).
Reviews

Ghita Kouadri Mostéfaoui

There is a huge interest in security engineering, but researchers focus mainly on the technological aspects of security, ignoring the most important part of it: human nature. This book addresses this factor in 17 chapters. Part 1 (chapter 1) discusses the weakest link of security: the human factor. It introduces the book by enumerating a set of real scenarios, arguing that the social engineer (defined as an unscrupulous magician, who has you watching his left hand while he steals your secrets with his right) is the greatest threat to security. Part 2 (chapters 2 through 9) reviews the art of the attacker by identifying the main ways in which attackers operate: innocuous information (chapter 2), direct attacks (chapter 3), trust (chapter 4), and friendly persuasion and intimidation (chapters 5 through 9). Part 3 (chapters 10 to 14) addresses similar issues, such as industrial espionage. Part 4 (chapters 15 and 16) proposes two approaches to improve security against social engineering. In chapter 15, the author argues that information security awareness and training should be seriously considered. Chapter 16 presents specific security policies, designed to minimize a company's risk with respect to social engineering attacks. The author, Kevin Mitnick, is a well-known hacker. Based on his experience, he provides a series of stories describing a serious security weakness: the human factor. The book is mainly composed of these stories. In my opinion, what is missing in this book is a discussion of effective ways to prevent these types of security threats. Even if the last part (chapters 15 and 16) is dedicated to addressing this issue, there is a lack of detailed procedure. The discussion is rather intuitive and literal, following the nontechnical aspect of the whole publication. I don't recommend this book for classroom use, but rather as a general reference, reviewing the most spectacular social engineering security attacks in modern times.
Online Computing Reviews Service

Melanie R. Rieback

An important point that is often neglected in information security texts is emphasized in this book: humans are the weakest link in security. Mitnick and Simon demonstrate that purely technical security measures (firewalls, fancy access control mechanisms, and intrusion detection systems) provide only a weak defense against social engineers, who can manipulate corporate employees into bypassing these security defenses and providing access to sensitive corporate data. The contents of the book are logically divided into two main sections. The first section consists of the first 200 pages of the book (Parts 1 to 3), which contain fictional scenarios to illustrate how social engineers can trick company employees into providing access to confidential information. The second section, consisting of the last 100 pages of the book (Part 4), summarizes and formalizes the material presented earlier. Each chapter contains an interesting collection of stories. Mitnick reveals how humans are, by far, the weakest link in information security (chapter 1). Social engineers can gather and use "innocuous" seeming information to convince company employees that they have a relationship with the target organization (chapter 2). The attacker may gather information by directly asking for it (chapter 3), by gradually building the trust of the victim (chapter 4), by offering help (chapter 5), by soliciting help (chapter 6), or by using sympathy, guilt, and intimidation (chapter 8). Mitnick offers many examples of how internal employees, especially at entry level (chapter 12), can do the dirty work of gathering, modifying, or forwarding confidential corporate data (chapters 9, 13, and 14). Technology also provides a useful tool to the scam artist, since the attacker can direct a victim to download malicious software from a Web site or email attachment (chapter 7), and can enlist the help of other "hacking" tools such as password crackers (chapter 11).

While usually a last resort, a social engineer can also gain information by physically breaking into company premises (chapter 10). The last two chapters are more formal and less entertaining. Mitnick offers advice on security awareness and training (chapter 15), and provides a suggested corporate information security policy (chapter 16). Mitnick makes a uniquely appropriate storyteller for these tales of deception, due to his notorious past as one of the FBI's most wanted computer criminals. While this fact does not necessarily color the book itself, it can sometimes introduce some irony. In one particular section, Mitnick warns how individuals should not be deceived into downloading untrusted applications from Web sites. He then, at the end of the same section, proceeds to list the Web addresses of some anti-Trojan software that is freely available on the Internet. Mitnick's past, however, also gives this book credibility. The stories seem a bit far-fetched at times, and I found myself wondering if people really do reveal their username and password simply because a social engineer asks for it. I'm afraid that the answer is "yes." Mitnick would probably have never become as notorious as he did if the tricks described in this book did not work. The weakest parts of this book are the content summary and the suggested security policy. The content here is extremely dry, and will probably not hold the interest of casual readers. Additionally, the security policy is overly simplistic. While intended as a model for corporate executives to examine, it is a typical multi-level policy, operating on the principle of least privilege. It is subject to the same pitfalls as traditional multi-level security systems (such as security versus usability, or the inevitable inflation of privileges). While this policy might provide some food for thought for chief executive officers (CEOs), I suspect that a group-based or role-based security policy would be more useful in practice.

Despite these few disadvantages, this book is definitely worth reading. The stories are not only entertaining, but they also contain a very important message that deserves to be more widely spread. Both computer security professionals and nontechnical readers will learn a great deal from this book.
Online Computing Reviews Service
