The Art of The Ruse
At one time Kevin Mitnick was the world’s most famous hacker. At the moment he is a Security Consultant and sought-after speaker. I chose to read the book partly because of Mitnick’s profile and partly because I wanted to learn more about Social Engineering.
Reading is a conversation with great minds. If you aspire to become a trusted advisor in your field then you must converse with leaders in your field. A conversation is a two-way thing and these posts are my responses to the thoughts that the authors have expressed in their books. Reading this book has really piqued my interest in reading all of Kevin Mitnick’s books. I also want to read books by Norman Marks, Marcus Ranum, Bruce Schneier and Lenny Zeltser, among others.
Mitnick’s Message
Mitnick begins the book by recalling how, as a 12-year-old, he worked out a way to travel free on the buses in the greater Los Angeles area. It seems to me like Mitnick was born with the security mind-set. He graduated into phone phreaking and eventually hacking. He maintains that he only hacked for the thrill of gaining access to privileged information and never with malicious intent. He spent some time in prison and the book is an attempt to right past wrongs by teaching others how to avoid being duped by social engineers.
The idea behind the book is to secure the human firewall. Organisations may invest in great technologies but they also need to invest in training their people to be aware of social engineering attacks, phishing attacks and the various threats that are out there.
The Art of Deception describes various scenarios in which a social engineer uses deception to gain information from unsuspecting employees. Reading through each scenario, the auditor in me became increasingly alarmed at the apparent ease with which innocuous pieces of information from different sources within an organisation could be used to build a connection with a stranger over the phone and obtain confidential data. I began thinking about the various internal controls that could be implemented to counter these threats. Towards the end of the book Mitnick does offer some guidance for organisations.
For a start, information security awareness sessions should be part of your onboarding process and all employees should attend annual refresher courses to ensure that the information is current and security stays in employees’ minds as they go about their work. The training should be customised for groups of employees.
To counter social engineering threats, personal assistants, help desk employees and security guards should receive customised training because their jobs require them to assist people, which makes them prime targets for a skilled social engineer. Cleaners should also attend security awareness training as they often have access to the whole building and can be tricked into allowing access to social engineers. Depending on your level of paranoia, I mean your risk appetite, you could do background checks on your cleaners as well. Another recommendation is to have accountability for information security embedded within position descriptions and to reward good security behaviour.
At the organisation level, data classification schemes are recommended. A Data Classification scheme assigns labels to information assets based on their criticality to your business. These labels are used to determine how much one would be willing to spend to protect against threats to the confidentiality, integrity and availability of your information assets.
Takeaways
To counter the threat of social engineering he advocates having a classification scheme and handling procedures for each level of classification.
The four classifications, a brief description and handling procedures are listed below:
- Public – Freely available to the public. No need to verify whether the requestor has authorisation to access the information.
- Internal – For use within the company. Verify that the person requesting the information is an active employee. For non-employees, ensure that they have signed a nondisclosure agreement and that management has approved their access to the information.
- Private – Information of a personal nature intended for use only within the organisation. When current employees request private information, check with the Human Resources Department that they are authorised to access it. When non-employees request private information, they must have signed a nondisclosure agreement and must have authorisation to access the information.
- Confidential – Shared only with people within the organisation who have an absolute need to know. When current employees request confidential information, they must have prior written confirmation from Senior Management, the Information Owner or a proxy. Only Management personnel are allowed to disclose confidential information to persons not employed by the company.
I have come across classification schemes in the past but their application in a social engineering context was my takeaway from the book.
Before distributing information to unverified persons, users must positively identify the person, confirm their employment status and verify their authority to access the information.
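The handling procedures above, together with the positive-identification rule, amount to a small access decision that can be written down and checked. The following is an added example, not code from the book or the post: a policy function that takes only what the disclosing employee has actually verified about a requester (anything unverified defaults to "not true", which is the point when the requester is an unknown caller) and returns whether disclosure is permitted under the book's scheme. The `Requester` fields and function names are my own.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """The four classification levels of the book's scheme."""
    PUBLIC = "Public"
    INTERNAL = "Internal"
    PRIVATE = "Private"
    CONFIDENTIAL = "Confidential"


@dataclass
class Requester:
    """Facts the discloser has positively established (hypothetical structure).
    Everything defaults to False: an unverified claim counts as not true."""
    name: str
    active_employee: bool = False       # employment status verified (not just claimed)
    nda_signed: bool = False            # non-employees: signed nondisclosure agreement
    management_approved: bool = False   # non-employees: management approved the access
    hr_authorised: bool = False         # employees, Private: HR confirms authorisation
    written_confirmation: bool = False  # employees, Confidential: Senior Management,
                                        # Information Owner or proxy confirmed in writing


def may_disclose(level, req, discloser_is_management=False):
    """Apply the handling procedure for `level`; returns (allowed, reason)."""
    if level is Level.PUBLIC:
        return True, "public information, no verification needed"
    if level is Level.INTERNAL:
        if req.active_employee:
            return True, "verified active employee"
        if req.nda_signed and req.management_approved:
            return True, "non-employee with NDA and management approval"
        return False, "requester is not a verified employee and lacks NDA/approval"
    if level is Level.PRIVATE:
        if req.active_employee:
            if req.hr_authorised:
                return True, "employee authorised by Human Resources"
            return False, "Human Resources has not authorised this employee"
        if req.nda_signed and req.management_approved:
            return True, "non-employee with NDA and authorisation"
        return False, "requester is not a verified employee and lacks NDA/authorisation"
    # Level.CONFIDENTIAL
    if req.active_employee:
        if req.written_confirmation:
            return True, "employee with prior written confirmation"
        return False, "employee lacks prior written confirmation"
    # For non-employees the scheme only states who may disclose: Management personnel.
    if discloser_is_management:
        return True, "Management personnel disclosing to a non-employee"
    return False, "only Management personnel may disclose to non-employees"
```

An unknown caller who merely claims to be staff is modelled as `Requester("caller")` with every flag left False, and is refused anything above Public.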
The book was written in 2005 and technology has changed a lot since then. I posted about reading Rich Dad, Poor Dad on another social media platform and a wise guy commented that he read that book ten years ago. I am running my own race: when you compete against others you get bitter, but when you compete against yourself you get better.
"...when you compete against others you get bitter but when you compete against yourself you get better." Anonymous
Justin Wohuinangu is an IT Auditor in Port Moresby, Papua New Guinea and is documenting his attempt to prove that the following Earl Nightingale quote is true: “One hour per day of study in your chosen field is all it takes. One hour per day of study will put you at the top of your field within three years. Within five years you’ll be a national authority. In seven years, you can be one of the best people in the world at what you do.”
SIYB Entrepreneurial Skills Trainer
Great book review Justo!! Communication is so important, we should all know when, how, whom and what to say (or not say).