Kevin Mitnick is a name synonymous with hacking. He outsmarted and outwitted the FBI for 2 years straight, all the while holding jobs, making money, and pursuing his somewhat dangerous hobby. Now out of jail and on supervised release, he heads up the company "Defensive Thinking" out of Los Angeles, consulting other companies on his former pastime. Even though Mitnick could be considered something of a hacking legend, his book deals little with the tricks and technicalities of that dark and dirty world. The Art of Deception deals with the human aspect, and with how much easier it is to obtain information from people than from even the most open computer networks around. He covers the subtle and often overlooked issues facing company security.
The book is laid out so that each chapter has a set of examples based on the chapter's theme, and it seems to cover the nitty-gritty of the topic, but there are some points where it's not exactly clear what Mitnick is talking about, or where he is going with the stories. This is not to say that the book itself is not interesting, just that several times when I was reading it, I had to go back to certain points and read a paragraph over again to get the gist of it. The material in this book has been well researched and, as I imagine many would agree, likely came from Mitnick's own experience in this field.
Much of the material deals with the manipulation of people's emotions, and how they can be played to the tune that the social engineer sets. The psychobabble many would think would accompany this is relatively non-existent. Many times Mitnick puts forth common sense that ties into the emotional situation, and how it is used by the Social Engineer. Also, he never limits the examples to hackers and phreakers trying to gain access to a "Gibson". On the contrary, he uses many real world jobs such as Private Investigators, and the elusive Industrial Spy. He even goes as far as to use the malicious intents of a youth in one or two of his examples. Can you guess where they might have come from?
One problem I found with this book is Mitnick's use of technology; although he wrote this book with the average company drone in mind (and I define drone as anyone who works for a big company, including myself), sometimes his relative tech-savviness comes through a little too strongly. It's possible that it slipped his mind at some point exactly who this was intended for, and he went back to his greater days of assuming that everyone he talked to had some technical knowledge -- in many of the examples he gives, he has to take on the task of explaining jargon or a small piece of technology in order to help the reader understand what he's talking about. Now I'm not the most tech-savvy cat on the fence, but I have a decent understanding of things technical, and sometimes his explanations left me agape. With this in mind, each chapter comes back to the basics at the end with a discussion he entitles "Preventing The Con", which explains the rudimentary aspects of each topic he covers, and at the end of every example, he breaks it down in a section entitled "Analyzing The Con", discussing what just happened and why.
As the book is geared towards the corporate community, it should have something in it dealing with corporate activities, and it does. There is an entire section devoted to company security practices and how to set up a corporate security plan to defend against the "Human Factor". Mitnick details procedures quite well, and has them laid out in such a way as to be able to reference each topic. He covers a variety of things from data classification to password handling, and even a small section called "Policies for the Receptionist".
So how would I rate this book? Looking at the information, and the manner in which the book is written, I would definitely recommend this to anybody who has a curiosity about how the Social Engineer works his or her magic on others. Many times I found myself smiling and laughing, realizing that I've seen a ton of the things he mentions as far back as my days in high school. On a more technical note, however, the information, writing style and format leave much to be desired in some cases. Certain paragraphs left me scratching my head and musing on what had just happened. However, that did not stop me from thoroughly enjoying his writing. On a scale of 1 to 10, I would have to rate this an 8.
This article was originally published by CyberArmy.net in the CyberArmy Library.