technical solutions and commentary

July 27, 2006

Lessons in Social Engineering

Filed under: Uncategorized — Jason Hartley @ 4:08 pm

I recently finished the book ‘The Art of Deception’ by world-famous hacker Kevin Mitnick. The book was excellent and really opens your eyes to the tactics of social engineers. Going through CISSP training increases your awareness that people, especially employees, are your biggest security risk. This book is a great supplement to CISSP training and really hits home on HOW employees can be a security risk by disclosing seemingly innocent information, or even information that may be thought of as public or common knowledge.

There are many examples of how social engineers can take this information and use it to sound like an authoritative company employee, business partner, or just a fellow employee from another office or department that needs help.

This book is really a collection of true short stories. Each story is set up and its scenario is walked through. Then the motivation and the steps to complete the attack are explained. Kevin explains how this type of attack can be avoided and how you can train your employees to protect the company. The book also contains “The Mitnick Message,” which is a brief tip, moral, or “take-away” point from the story.

Part way through the book you find yourself starting to guess how the attacks were planned and executed by the social engineer. You also begin thinking of ways the attacks could have been prevented. I was continually trying to figure out how the attack was set up by the social engineer and how it could have been stopped before I got to the explanation.

At the end of the book, an employee awareness training program is outlined and discussed. There is also a sample of a basic company security policy which can be useful. The lessons in this book drive home the point that no matter how much you spend on technology to “protect” your company’s information assets, it’s really of limited value unless you train your people to protect the information they hold or can access.

Great read and recommended. Now I have “The Art of Intrusion” to read.
