The Art of Deception: Controlling the Human Element of Security - Kevin Mitnick

veritas_libertas

I finished The Art of Deception: Controlling the Human Element of Security during my lunch break. Though the book was often repetitive and sometimes dry I learned much about Social Engineering, and how the attack is formed. The last chapter of the book was a well written plan on how to train your employees, and contains an excellent flow chart for Help Desk employees to use for answering questions posed by callers.

Now I need to decide whether to begin reading one of Bruce Schneier's books or the ISC(2) guide to the SSCP.

Paul Boz

That's a good book and I'm glad I read it before I started doing social engineering professionally. It's scary how successful social engineering is. You never hear about it because no one gets caught. I've got a personal success rate of about 80% of the banks and credit unions that I target in person and slightly higher over the phone. I've personally been able to successfully compromise at least 30-40 credit union and bank branches / operations centers. Success constitutes unsupervised access to sensitive areas, access behind the teller line, and in some cases (if the client approves) taking material off-site.

There is no amount of security you can put into place to mitigate me getting into your facility as a pest inspector, copy machine repair man, auditor, or anything else. I'll do whatever it takes to get in.

veritas_libertas

Paul Boz wrote: »

That's a good book and I'm glad I read it before I started doing social engineering professionally. It's scary how successful social engineering is. You never hear about it because no one gets caught. I've got a personal success rate of about 80% of the banks and credit unions that I target in person and slightly higher over the phone.

There is no amount of security you can put into place to mitigate me getting into your facility as a pest inspector, copy machine repair man, auditor, or anything else. I'll do whatever it takes to get in.

It is frightening to me how easily major organizations can be manipulated into giving out information without them even realizing it happening. I could easily talk my coworkers out of information if I wanted to. All they want to see is that you work for the IT department. All I would have to do is walk up to them and say, "Our security department shows that your computer has been infected with malware and I need to fix this problem right away." I could then pop in a thumb-drive and steal HR info.

GAngel

veritas_libertas wrote: »

It is frightening to me how easily major organizations can be manipulated into giving out information without them even realizing it happening. I could easily talk my coworkers out of information if I wanted to. All they want to see is that you work for the IT department. All I would have to do is walk up to them and say, "Our security department shows that your computer has been infected with malware and I need to fix this problem right away." I could then pop in a thumb-drive and steal HR info.

No need to even talk to them. You could just lose a USB stick next to there desk. Human curiosity always wins out and 10 minutes later i've got a netcat session running on there machine.

That's part of the importance of hiring good people.

sys_teck

Hi, Veritas

Kevin Mitnick's book is really good. I start reading it as well, and I love his description of how humans can be manipulated (social engineering).

Kevin Mitnick is on the same level as Bruce Shneier "Shneier on security" excellent book. Just how data can be manipulated from Corporations up the federal goverment. Bruce Shneier just puts a common sense.