Sunday, June 21, 2009

Book Review

The Art of Deception
Kevin Mitnick & William Simon

This book tries to be all about how social engineers get the information they want out of people, how they can talk their way into IT systems, and why you should be afraid of it all. OK, maybe not afraid of it all, but at least aware of it.

The author goes through all kinds of different 'case studies', at least some of which appear to be real-life stuff, and talks about the different ways Information Technology attackers get in where they want to go. His point basically is that most corporate security spends plenty of time talking about hardware and software security technology, but largely ignores the human interaction side of things. His basic point throughout is that you can have all the security in the world, but if someone with access can be talked into letting an outsider in, all your security is for nothing.

I thought a lot of what he said was stuff that was just obvious. ("Don't open email attachments from people you don't know." "Don't let people into your system unless you are sure you know and trust them." Stuff like that.) Maybe it's just that we are seven years removed from the printing of the book, or maybe I am just more sensitive to that kind of stuff in general.

The book would be a good read for someone who is just stepping out into the world of IT Security, or wants an overview of what kinds of social engineering tricks are out there. This book would also be good for someone looking to start a criminal career in the IT world. Gives some good ideas.

At the end of the book, he gives some ideas to improve IT security, most of which seemed pretty obvious to me. Maybe that is a good sign. I definitely know of some ways our organization can be socially engineered at work, and no, I will not be sharing them here. At least the book let me think about some of that...
