The Art of Deception, Controlling the Human Element of Security

by Jeffrey Barlow <barlowj@pacificu.edu>

Mitnick, Kevin D., and William L. Simon, The Art of Deception, Controlling the Human Element of Security, Indianapolis, Indiana: Wiley Publishing, 2002.


Kevin Mitnick was the personal face put upon the first wave of anxiety regarding electronic communication: the arch-hacker who led law enforcement agencies on a complicated electronic chase for several years before his indictment for illegal entry into corporate computers in 1996. (For an electronic inventory of relevant legal documents see the "Free Kevin Mitnick" www site, http://www.kevinmitnick.com/.) Released from prison in 2000, Mitnick wrote this book on what he calls "Social Engineering": obtaining the information necessary to hack into protected computer systems by lying to and manipulating corporate employees. This anxiety about the safety of computer systems is clearly one of the major impacts of the Internet, and hence an appropriate subject for an Interface review.

To my surprise, Mitnick's success in gaining entry into closely guarded sites had a lot less to do with his hacking expertise than with his ability to manipulate employees, usually over the telephone, into giving him the information he needed to crack into a guarded computer system. His examples are also frightening ones in that weeks and sometimes months of planning went into his efforts. It is terribly easy to imagine him being successful with just about any site he targeted.

The book has real value. Mitnick demonstrates how very important it is that corporations and institutions train their employees in properly controlling all information pertinent to protecting electronic security. On the other hand, you may feel, as did I, that Mitnick takes his past crimes very lightly.

The organizational device followed in the book is one common to "true crime" treatments: a recounting of spectacular examples of successful "social engineering," or penetrations of institutional security, under the understanding that these were stories told to Mitnick rather than actual examples of his own crimes. But it is difficult to escape the feeling that these events are figuratively accompanied by a broad wink as he ascribes them to others.

While one hates to see any criminal benefit from his or her crimes, this book is a valuable one for anyone interested in securing valuable information. The many examples of actual scams demonstrate the human weaknesses in most security programs. The last two chapters lay out the broad outlines of possible corporate training programs intended to keep others like Kevin Mitnick out of their computers, and they are well worth reading by anyone involved in protecting computer systems.


Jeffrey Barlow
Editor, Interface.