Saturday, November 16, 2013

The Art of Deception.

For this week's blog I decided to scan through the PDF version of Kevin Mitnick's book “The Art of Deception.” This book gives an interesting examination of the workings of social engineering. Mitnick describes how social engineering can defeat even the strongest security systems. He stated, “Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful.”

He gives many interesting examples of scams. These scams are mostly fictional, but they are based on real-life situations. If I were the victim of some of these scams, I could see myself falling for them.

Social engineers know how to play on human nature. They know how to play on trust, the desire to help or be helped, ingratiation, friendliness, and authority. Mitnick stated, “Some of these stories might lead you to think that I believe everyone in business is a complete idiot, ready, even eager, to give away every secret in his or her possession. The social engineer knows this isn't true. Why are social engineering attacks so successful? It isn't because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways.”

Mitnick's examples show how even seemingly innocuous information can be used to gain more sensitive information. Social engineers are skilled at extracting little bits of information at a time. These pieces of information allow them to successfully pose as someone else and get the information they want. Small things like a cost center number, an employee ID number, or a phone extension may be the key. Much of a social engineer's success comes from being able to use the right insider language and knowledge, and much of their effort is spent on gaining that knowledge.

Mitnick describes social engineers as follows: “Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer. A good social engineer, on the other hand, never underestimates his adversary.”

I found some examples interesting. People have been deceived into installing a Trojan horse by someone posing as an IT support person; they were tricked into installing what they were told was an urgent security patch. People have claimed to be law enforcement officers to gain access to confidential records. Others have fallen for attackers claiming to be conducting a customer survey. It is amazing what people can get away with if they have a good story. Even pretending to be a person who called a wrong number can work. He also discusses finding information through dumpster diving and using social engineering to gain access to buildings.

Mitnick gives practical advice alongside his examples on ways to improve security. The book includes a useful and detailed section on company security policies. Some of the technical information is dated. Mitnick stressed the need to train people so that they are aware of and on guard against the dangers of social engineering.
