Book Review: The Art of Deception: Controlling the Human Element of Security
Using a handful of well understood ploys, a social engineer makes his target want to trust and help him. He gathers just enough information to make him appear to be an insider and plays the "I need help" (sympathy) or "I'm someone you don't want to refuse" (authority) card. Sometimes, social engineers will feign a favor, leading the target to feel obligated to do a favor in return.
Regardless of which particular ploy is used, social engineers work toward getting you to identify with them, play on your natural tendency to trust and take advantage of the "I'm here to help" ethic that, in general, serves us and our organizations well. They play on your unfamiliarity with the rules or your willingness to circumvent the normal controls for the sake of kindness of efficiency.
The Art of Deception brings home just how social engineers work and why they are so good at wrangling highly valuable and clearly proprietary information out of unsuspecting employees -- many of whom never even suspect that they have been duped or that anything has been lost. It dissects enough successful social engineering attacks to demonstrate that it's possible to trick a senior engineer into exposing the source code for the big project, an engineering team into sharing project plans with an imposter "business partner" and a security guard into allowing two teenagers to tour a production plant after hours. The book shows how small amounts of insider information -- sometimes as little as an industry buzzword or manager's name and phone extension -- can give a social engineer an air of legitimacy. It describes how a social engineer might go about making his phone calls appear to be coming from within the building. It demonstrates over and over, how starting with nothing, a social engineer can quickly ramp up to having enough information to con smart people out of valuable information assets.
After reading (actually listening) to this book, I've come away with a renewed sense of the importance of employee security training -- and not just for new employees, but annual training for everyone. Employees need to know that passwords are *never* divulged to anyone and, if they already know this, they need to know what other types of information should never be divulged. They need to understand that verifying the identity of anyone asking for information or asking for some operation to be performed on a computer is critical and be trained on a procedure that verifies that a requester 1) is who he says he is, 2) still works for the organization and 3) has the authority to make the request he is making.
The Art of Deception includes a lengthy section of well thought out policies that should be considered and likely adopted in just about any organization. This book would be worth the price and the time it takes you to read (or listen to) if this were all the book contained, but you might not be as ready to jump on the task if you hadn't read the preceding chapters.
If you don't want your company's information assets given away by well meaning staff, you should read (or listen to) this book. And, if you want to understand how Mitnick and others like him came around to being successful social engineers, read the Wizzywig books I reviewed in http://www.itworld.com/security/67872/wizzywig-volumes-1-phreak-and-2-ha... a while back.
The audiobook is available from audible.com.