Saturday, 4 October 2014

Social Engineering - The Art of Deception

After a friend read my blog post about securing your virtual identity, he recommended that I read the book "The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick, which can be purchased from Amazon.

The book is structured with stories and anecdotes about how people have fallen for social engineering, and what lessons can be learnt from these situations.  Having worked in an IT security environment for nearly a decade, I am aware of vendor and technical solutions to tackle the issues faced by IT environments without security measures.

Growing up I watched a number of films, including the likes of Wargames, Hackers, The Net and Swordfish.  They may not be great films, but they gave a romantic view of hacking.  I was interested in this realm of IT when I first started my career nearly two decades ago, but I'd say I was a failed script kiddie.  I didn't understand the systems well enough to penetrate the security measures, and struggled to get the tools to work correctly.  

I'd hear the stories of social engineering conquests and I'm in awe of the confidence and arrogance to manipulate people to test an organisation's security!  Reading this book shows how easy it is to manipulate people and how easy it is to have them carry out tasks in isolation that seem so insignificant, but when coupled with a number of other tasks, you have all the pieces of a jigsaw to manipulate a company!

The book was incredibly easy to read and even though I'm not a big reader, I finished it in less than two days.  It's a real page turner, and even though it was written nearly 12 years ago it is still very relevant.  If you just read the book for what you shouldn't do, anyone with IT security awareness will tell you they have been told this already.  Taking the story of the manipulation, how the con worked and why, is eye opening.

The book ends on how to create a security awareness program, including how to train staff.  Following all the advice will not mean you are secure, but it will certainly help and have people think about who is requesting the action.  All the technology in the world will not secure you and your organisation, but stopping the people from being the weak link will certainly help.
