Kevin Mitnick is famous (or notorious, depending on your viewpoint) for running the FBI a merry dance when he was one of the most celebrated hackers of his age (the story of his downfall can be read in ‘Takedown’ by his nemesis, Tsutomu Shimomura). Since his release from prison, a reformed Mitnick has been working as a security consultant, passing on his considerable expertise in the cause of network protection.
Any IT manager who buys his new book, ‘The Art of Deception’, thinking they’re going to learn about the intricacies of firewall setup and intrusion prevention technology will be disappointed. Mitnick seems reluctant to talk about computers at all, hardly surprising given that he has been banned from going near one for several years.
The first half of the book is concerned with what should be common-sense business practice - don’t reveal confidential details to anyone who isn’t part of the company. Mitnick illustrates his point with a series of scam anecdotes. However, as none of these stories relate to real (i.e. named) companies, it’s hard to tell whether he’s talking about actual cases or hypothetical ones. If they’re real, then all he illustrates is that there are truly dumb employees out there.
Don’t think that this is a problem only for the US. A few months ago, I heard an IT director from a leading British company say that he liked to test his employees now and then by asking them to email documents to a Hotmail address. Astonishingly, none of the staff questioned who he might be and happily sent him the documents as requested.
Mitnick’s main thesis is that enterprises will come under attack from what he calls ‘social engineers’ - conmen to the rest of us - who will prey upon employees’ weaknesses, usually through a desire to be helpful to a fellow human being.
All the indications are that Mitnick is correct. It is barely credible, but companies can spend millions of pounds or dollars on the most up-to-date technological systems only for that security to be compromised by a gabby receptionist or a bored admin assistant.
Whether Mitnick’s examples are real or not, they could be. Mitnick recognises that the awful truth about security systems is that they’re only as good as the people who administer them. As he says in the book, “There is no technology in the world that can prevent a social engineering attack.”
It’s not until Chapter 11 that Mitnick starts dealing with technology per se. And even then he spends a lot of his time talking about reprogramming PBXs – I would guess that in a country like the UK, where CLI (calling line identification) is less commonplace, this will be less of an issue. He does, however, provide some salutary advice about securing PCs from attacks that originate inside the firewall.
The last few chapters provide a useful checklist of procedures that should be set in place to avoid security breaches. There is nothing that would surprise any halfway competent security manager, although it’s useful to have such a list to hand.
This book is being sold on Mitnick’s name alone. Any security expert could have written this book and offered the same advice. I doubt that there’s a company in the world that wouldn’t think the advice contained in this book was useful. I’d lay odds that most of them have very similar security policies.
But I’d also lay odds that a good few of them have suffered some sort of security breach in the last decade or so. As Mitnick has rightly identified, there is always a weak point in security and that’s the human being. As companies pay more attention to customer service, they might find a conflicting demand between the need to be helpful and the need to be secure. How fine is the line between being a jobsworth and being security-aware?
It’s an awkward question. And while Mitnick doesn’t answer it, he does offer much to think about.
The Art of Deception
By Kevin Mitnick (with William L Simon)
Wiley Publishing, 2002