[Book Review] The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
Over the years, one of the techniques that comes up again and again as one of the most efficient hacking techniques is social engineering. In many cases the technique requires you to be a high-quality con artist, whether in person, over the phone or by text. One person who is an amazing social engineer is Kevin Mitnick [1]. He has written or co-written a lot of books on IT security, one of which is The Art of Deception [2]. It is a book I have read a few times from cover to cover and sometimes used as a reference when explaining the idea of social engineering to people. I have just never gotten around to writing a review, so here it is.
Overall
The book is split into four parts. The first part focuses on the weakest link in most security, not just IT security: the human element. This part outlines how humans act and behave, even on a subconscious level, and how it is possible to exploit this in general.
The second part of the book focuses on what an attacker can do to use his or her skills to attack a company, and how an attacker can behave when gaining trust or access.
The third part of the book is similar to the second part, but focuses on attacks with a higher risk of discovery. As an example, there is a full chapter on Entering the Premises.
The fourth part is focused on how we can increase awareness of social-engineered intrusions and, in general, increase awareness of security.
The parts are well structured and “build” on top of each other, in the sense that they can be read individually, but you will get a better understanding of why the attacker is doing a specific thing if you have read the chapter or section it builds on. However, I highly recommend that on your first read you do not skip any of the first part of the book. It is the foundation for why any of the following attacks work, and it is explained without “too much psychology”.
Presentation
All parts of the book first explain a concept from an abstract point of view, followed by one or more well-structured concrete examples. This gives the reader a deeper understanding of how the concept works and how to use it in reality. The examples are also the gateway drug for newcomers to the world of social engineering, as they make it seem approachable. Side note: I was listening to the podcast Darknet Diaries [3], where the IT security professional known as Tinker [4][5] was interviewed in the episode Jeremy from Marketing [6]. During the interview Tinker talked about social engineering a lot, and because I had read Mr. Mitnick's book, the attacks and techniques described were very easy to follow.
One criticism I have is that sometimes the attack seems to expect the target to be either of an extremely low IQ or way too trusting. But that is the only criticism I have, and I would highly recommend that people read the book, even if they have no interest in IT whatsoever. They might learn a thing or two.