Review: The Art of Deception by Kevin Mitnick | Posted at 6:39 PM
When you think of a hacker, what comes to mind? A scruffy man sitting in his parents' basement, the constant whirring of servers and computers in the background, staring at all three of his computer monitors, Mountain Dew cans strewn about, typing away madly while streams of code scroll down one of the screens? At some level, that may hold true, but in the case of social engineers, that is, practitioners of the craft of conning people into divulging sensitive or seemingly innocuous information, a different impression should be formed. By their very nature, social engineers are friendly, helpful, clean cut, and have a very good way of making you trust them. That's the other kind of hacker, the kind, it could be argued, that is more dangerous.
This is the mind of the person we are privileged to enter through Kevin D. Mitnick's recent book, The Art of Deception: Controlling the Human Element of Security. Mitnick, one of the more famous, or perhaps infamous, social engineers of our time shares his secrets about how the mind of a social engineer works and how they ply their trade.
Mitnick discusses two ways of formulating a social engineering attack: from the outside and from the inside. By that, he means that you can either use the telephone or actually enter the premises. He cites several techniques a social engineer uses to compromise a victim, including directly asking the question, building trust, causing a problem and then fixing it, reverse social engineering, email attachments/phishing scams, and a "reverse sting," in which the attacker arranges for the victim to ask the attacker for help. A social engineer uses psychological methods to appeal to people's specific emotions, like guilt, empathy, and trust.
What I found most interesting in this book was the way Mitnick explained the techniques and methods. Instead of outlining how to attack, he created fictional stories (based on real attacks) told from both the attacker's perspective and the victim's perspective. I found that these really helped me understand how social engineering worked, along with his definitions and the "Mitnick Messages" peppered throughout. Sometimes, however, I felt that he used too many anecdotes when instead he could have explained more about the background of the attacks. There was minimal use of actual, non-fictional stories to illustrate his points, which I think would have increased the impact of these stories. Despite these shortcomings, the stories are very illustrative and well thought out, often raising your curiosity as to how these types of attacks can actually succeed. Indeed, there are many stories that will tickle your spine as you realize how vulnerable these large corporations really are.
Mitnick doesn't only describe all the different kinds of problems and attacks your company is susceptible to; he also outlines an entire policy to combat the weaknesses in the human element of your security. However, no amount of security policy will ever protect you from all social engineering attacks. As Mitnick warns, "unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company's security policies, social engineering attacks will always be a grave risk to the enterprise" (p. 259). Even so, there are important ways you can minimize risk from attacks. Some of these include:
- Classifying your data effectively, using categories such as Confidential, Private, and Internal
- Extensive and detailed verification and authorization procedures
- Management policies aimed at executives and management-level employees
There is an entire chapter dedicated to a large and extensive security policy.
While social engineering may not have been something you've heard of, after reading Mitnick's book it is apparent that this is a serious consideration in any organization's policy. Chances are you have been the victim of a social engineering attack; I know I have. One time, a solicitor who came to our house was so friendly and convincing that I went out of my way to donate money to his cause in exchange for a magazine subscription. Needless to say, I never got one. If I had read The Art of Deception before that con man had manipulated me, I might have been smart enough to catch his lie. Don't get caught like I did; do yourself a favor and buy this book, or you may end up losing far more than $20.