Social engineering is the term used to describe the tricks used by criminals and private investigators to manipulate people within a company or organisation into handing over information that those people would not normally give out. For instance, an industrial spy might want to get hold of the plans for a target company's new product, or a private investigator might be asked, by a client thinking about divorce, to get hold of a spouse's bank account details.
Kevin D. Mitnick used to be a social engineer, and in this book he describes in detail the ways that social engineers can rapidly gain trust and then extract increasingly valuable information out of company employees, usually over the phone. Most people know that they shouldn't give out passwords to strangers, but they aren't at all concerned about giving out names and telephone extensions to those same strangers. A social engineer can use such seemingly harmless scraps of inside information to gain the trust of another employee at the same company, and then use that trust to obtain a slightly better-protected piece of information. And so on, until employees are handing out sensitive information to a total stranger over the phone simply because he sounds like he's one of them.
The book is full of brief fictional scenes that serve to demonstrate how different types of social engineering attack play out. I have to admit that, at first, I read these fictional scenes muttering to myself that there was no way that real employees would behave as described. But the more I thought about it, the more examples I could think of in real life where people had been more than obliging over the phone, despite not knowing me. And Mitnick makes it clear that one employee's refusal to cooperate is no obstacle, as a seasoned social engineer will simply hang up and try again later when a different employee is manning the line.
After each fictional scene, Mitnick analyses the reasons why the social engineer was able to get what he wanted, and at the end of each chapter he offers guidance to prevent the same trick from being used against your organisation. Mitnick urges that companies take information security very seriously, and the book ends with a substantial template for creating a customised information security policy for all employees to be trained in. He also makes it clear that, without regular training, staff are never going to be a barrier to information theft.
At times it felt like the chapters dragged a little, with the same technique described in several fictional scenes, one after the other. And it did bug me at first that the scenes were all fictional, with almost none of them based on real events. Possibly this was unavoidable because Kevin D. Mitnick was on supervised release from prison at the time of writing this book, and may have been limited in what he was allowed to talk about. In the rare cases where Mitnick does describe his real-life activities in detail, the tales are quite compelling. It sounds like he got up to a lot in his youth.
I also got the impression that Mitnick rather enjoyed writing the fictional scenes, as they had a hint of old-fashioned noir about them. Fictional or not, the scenes do drum into you how easy it can be for a social engineer to get employees to give him whatever he wants, if the employees haven't been trained thoroughly.
Even if The Art Of Deception doesn't quite make for casual reading, it really could be a wake-up call to large organisations that have never given a thought to the threat that social engineering poses. For anyone who simply assumes that staff won't give out passwords or internal secrets over the phone, this book is likely to be an eye-opener. And for anyone in charge of a company, big or small, that doesn't train staff in information security, a book like this ought to be a must-read.