# Tuesday, April 13, 2004
Review: The Art of Deception

I'm presenting the Connected Applications: Security Basics talk at TechEd San Diego (vote now in the TechEd survey if you're attending). As part of the run up to the event I'm going to blog about some wider security topics, starting with the human aspects of security.
 
Although it's attractive to think that cryptographic techniques can provide perfect security this can never be the case where systems involve humans. The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick illustrates this well. It is a book about Social Engineering, the practice of getting people to do things they wouldn't ordinarily do). It shows how easy it can be to circumvent an organisation's security through manipulating people.
 
The key point of the book is that natural human instincts to be helpful, avoid confrontation and respect authority can be easily used by a Social Engineer to get around an organization's security. Using fictional scenarios the book demonstrates how a Social Engineer can work. Some of the techniques involve posing as a fellow employee or a new employee requesting help. These techniques are often combined with sounding authoritative and being under time pressure ("I'm the new personal assistant to the CIO. I need to get the figures for the last quarter to the CIO for a presentation tonight otherwise I'll lose this job, but I can't open the spreadsheet on the network - can you help?"). The book also shows how easy can be easy it can be to get innocuous information (operating manuals, managers names, department codes, employee numbers etc.) that can be used in later communications to sound trustworthy and reliable.
 
The book demonstrates how the telephone and fax are great Social Engineering tools because they limited built-in authentication. It's easy to appear as someone else over the phone. In a large company with many different offices or a call centre it's possible to talk to someone you don't know personally and few people would think to validate the person's real identity.
 
Education and training are required to avoid falling victim to these techniques. The difficult part is that the attackers can take advantage of basic human instincts while victims have the harder task of acting against these instincts. The book finishes with a sample security policy for an organisation and flow charts to illustrate how to handle requests for information. This is useful but demonstrates how concerns about security need to be balanced against the ease of doing business (e.g. never take a message for a colleague from someone you don't know personally). I believe the threat modeling and risk-based approach are more useful techniques in helping an organisation come up with a security policy that successfully balances their security risks with their business practices.

The book's story approach did become a little tiresome at times, but overall I was impressed to see how humans are often the weakest link in a security system. While some of the stories involved high-tech techniques, such as hacking into the telephone exchange, others were simple cases of using influencing techniques to manipulate people.

TechEd
posted on Tuesday, April 13, 2004 11:06:57 PM (GMT Daylight Time, UTC+01:00)  #   
Related posts:
Office Server 2007: Can it help me write less code?
Ray Ozzie: Services Disruption and the need for 'Client Server Service Synergy'
The fastest transport isn't always the best choice
What port does WSE default to with soap.tcp://localhost?
TechEd Amsterdam: Wrapup and Photos
BOF012: SOA - What does it really mean?
 Tracked by:
"cheap phentermine" (cheap phentermine) [Trackback]
"viagra" (viagra) [Trackback]
"buy cialis" (buy cialis) [Trackback]
"fioricet" (fioricet) [Trackback]
"discount fioricet" (discount fioricet) [Trackback]
"buy cheap fioricet" (buy cheap fioricet) [Trackback]
"buy fioricet" (buy fioricet) [Trackback]
http:// [Trackback]
"cialis" (cialis) [Trackback]
"sesso gratis" (sesso gratis) [Trackback]
"buy tramadol online cod" (buy tramadol online cod) [Trackback]
"cheap fioricet" (cheap fioricet) [Trackback]
"foto sesso" (foto sesso) [Trackback]
"phentermine diet pills" (phentermine diet pills) [Trackback]
"tramadol" (tramadol) [Trackback]
"phentermine" (phentermine) [Trackback]
"tramadol hcl" (tramadol hcl) [Trackback]
"tramadol hcl" (tramadol hcl) [Trackback]
"cialis" (cialis) [Trackback]
"cheap phentermine" (cheap phentermine) [Trackback]
"phentermine" (phentermine) [Trackback]
"cheap fioricet" (cheap fioricet) [Trackback]
"buy fioricet" (buy fioricet) [Trackback]
"phentermine without prescription" (phentermine without prescription) [Trackback]
"fioricet" (fioricet) [Trackback]
"fioricet without prescription" (fioricet without prescription) [Trackback]
"fioricet prescription online" (fioricet prescription online) [Trackback]
"buy phentermine" (buy phentermine) [Trackback]
"40 mg fioricet" (40 mg fioricet) [Trackback]
"cheapest cialis" (cheapest cialis) [Trackback]
"levitra online" (levitra online) [Trackback]
"viagra" (viagra) [Trackback]
"ricetta" (ricetta) [Trackback]
"gazzetta dello sport" (gazzetta dello sport) [Trackback]
"corriere dello sport" (corriere dello sport) [Trackback]
"sport" (sport) [Trackback]
"last minute offerta viaggi" (last minute offerta viaggi) [Trackback]
"offerta viaggi last minute" (offerta viaggi last minute) [Trackback]
"viaggi maldive" (viaggi maldive) [Trackback]
"biglietto invito" (biglietto invito) [Trackback]
"biglietto invito compleanno" (biglietto invito compleanno) [Trackback]
"biglietto aeri" (biglietto aeri) [Trackback]
"sfondi calcio" (sfondi calcio) [Trackback]
"giochi online calcio" (giochi online calcio) [Trackback]
"amore incontro" (amore incontro) [Trackback]
"calcio scommessa" (calcio scommessa) [Trackback]
"incontro sex" (incontro sex) [Trackback]
"incontro on line" (incontro on line) [Trackback]
"incontro italia" (incontro italia) [Trackback]
"incontro adulto" (incontro adulto) [Trackback]
"incontro donna veneto" (incontro donna veneto) [Trackback]
"annuncio incontro italia" (annuncio incontro italia) [Trackback]
"incontro sesso" (incontro sesso) [Trackback]
"estrazione del lotto" (estrazione del lotto) [Trackback]
"medicina naturale" (medicina naturale) [Trackback]
"sesso anale" (sesso anale) [Trackback]
"sesso gratis" (sesso gratis) [Trackback]
"sesso animale" (sesso animale) [Trackback]
"webcam sesso" (webcam sesso) [Trackback]
"sesso" (sesso) [Trackback]
"grossista articolo regalo" (grossista articolo regalo) [Trackback]
"prenotazione albergo" (prenotazione albergo) [Trackback]
"musica classifiche" (musica classifiche) [Trackback]
"spartito musica classica" (spartito musica classica) [Trackback]
"prenotazione albergo roma" (prenotazione albergo roma) [Trackback]
"software musica" (software musica) [Trackback]
"prenotazione hotel parigi" (prenotazione hotel parigi) [Trackback]
"prenotazione albergo parigi" (prenotazione albergo parigi) [Trackback]
"prestito personale" (prestito personale) [Trackback]
"incontro adulto" (incontro adulto) [Trackback]
"order xenical without prescription" (order xenical without prescription) [Trackback]
"phentermine diet pills" (phentermine diet pills) [Trackback]
"homeowners insurance" (homeowners insurance) [Trackback]
"Blackjack" (Blackjack) [Trackback]
"Online Casinos" (Online Casinos) [Trackback]
"Homeowners Insurance" (Homeowners Insurance) [Trackback]
"Slot Machines" (Slot Machines) [Trackback]
"naprosyn" (Naprosyn) [Trackback]
"Keno" (Keno) [Trackback]
"Online Video Poker" (Online Video Poker) [Trackback]
"Home Owner Insurance" (Home Owner Insurance) [Trackback]
"Homeowner Insurance" (Homeowner Insurance) [Trackback]
"discount phentermine" (discount phentermine) [Trackback]
"asians posing in lingerie" (asians posing in lingerie) [Trackback]
"viagra" (viagra) [Trackback]
"generic cialis" (generic cialis) [Trackback]
"taking viagra with cialis" (taking viagra with cialis) [Trackback]
"tramadol" (tramadol) [Trackback]

Page rendered at Sunday, March 14, 2010 7:45:59 AM (GMT Standard Time, UTC+00:00)