The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
The synopsis may refer to a different edition of this title.
KEVIN MITNICK is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News. He has also been a keynote speaker at numerous industry events and has hosted a weekly radio show on KFI AM 640 Los Angeles.
WILLIAM SIMON is a bestselling author of more than a dozen books and an award-winning film and television writer.
A legendary hacker reveals how to guard against the gravest security risk of all: human nature
"...a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone. As entertainment, it's like reading the climaxes of a dozen complex thrillers, one after the other" --Publishers Weekly
Kevin Mitnick's exploits as a cyber-desperado and fugitive from one of the most exhaustive FBI manhunts in history have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison in 2000, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most famous hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Inviting you into the complex mind of the hacker, Mitnick provides realistic scenarios of cons, swindles, and social engineering attacks on businesses, and the consequences. Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. He illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent or any other seemingly innocent character. Narrated from the points of view of both the attacker and the victim, The Art of Deception explores why each attack was so successful and how it could have been averted in an engaging and highly readable manner reminiscent of a true-crime novel.
Most importantly, Mitnick redeems his former life of crime by providing specific guidelines for developing protocols, training programs, and manuals to ensure that a company's sophisticated technical security investment will not be for naught. He shares his advice for preventing security vulnerability in the hope that people will be mindfully on guard for an attack from the gravest risk of all: human nature.
When Innocuous Information Isn't
What do most people think is the real threat from social engineers? What should you do to be on your guard?
In reality, penetrating a company's security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, that most people in the organization wouldn't see any reason why the item should be protected and restricted.
Yet, much of this seemingly innocuous information is prized by a social engineering attacker because it can play a vital role in his effort to dress himself in a cloak of believability.
The Art of Deception shows how social engineers do what they do by letting you witness the attacks for yourself--sometimes presenting the action from the viewpoint of the people being victimized, allowing you to put yourself in their shoes and gauge how one might have responded.
Here's one of the many scenarios we present.
Peter Abels gets a phone call.
"Hi," the voice at the other end of the line says. "This is Tom at Parkhurst Travel. Your tickets to San Francisco are ready. Do you want us to deliver them, or do you want to pick them up?"
"San Francisco?" Peter says. "I'm not going to San Francisco."
"Is this Peter Abels?"
"Yes, but I don't have any trips coming up."
"Well," the caller says with a friendly laugh, "you sure you don't want to go to San Francisco?"
"If you think you can talk my boss into it . . ." Peter says, playing along with the friendly conversation.
"Sounds like a mix-up," the caller says. "On our system, we book travel arrangements under the employee number. Maybe somebody used the wrong number. What's your employee number?"
Peter obligingly recites his number. And why not? It goes on just about every personnel form he fills out, lots of people in the company have access to it--human resources, payroll, and, obviously, the outside travel agency. No one treats an employee number like some sort of secret. What difference could it make?
The answer isn't hard to figure out. Two or three pieces of information might be all it takes to mount an effective impersonation--the social engineer cloaking himself in someone else's identity. Get hold of an employee's name, his phone number, his employee number--and maybe, for good measure, his manager's name and phone number--and a halfway-competent social engineer is equipped with most of what he's likely to need to sound authentic to the next target he calls.
If someone who said he was from another department in your company had called yesterday, given a plausible reason, and asked for your employee number, would you have had any reluctance in giving it to him?
And by the way, what is your social security number?
MITNICK MESSAGE
The moral of the story is, don't give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.