The Art of Deception
You’ve got to read this book by Kevin Mitnick, the notorious cracker. You’ll learn to take security a lot more seriously. Mitnick describes scam after scam that involve social engineering—tricking people into thinking they should give you information. The lesson is that all the systems in the world won’t stop fraud by themselves. Only people can stop fraud.
Most of the scams he describes do not require a computer. The scams work by convincing people that the scam artist is somebody they should trust, such as the vice president in the LA office, the security consultant or some other coworker you’ve never met. They provide just enough believable information to get the next bit of information they need for their scam.
We need to be careful about what information we give out. What may seem like a useless piece of information (the name of your boss, your fax number, when you’ll be on vacation, your kids’ names, your dog’s name) could be the information the social engineer needs to pull off the next part of his scam.
In one story, a kid makes two phone calls to video stores to find out his dad’s credit card number. In the first call, he finds out the manager’s name and store number of a local branch of the video store. In the second call, he convices another branch that he’s the manager at the first branch and his computer has gone down. Then he asks for the account information and finally the credit card number. His father, who was sitting right next to him, was shocked.
How hard would it really be for a social engineer to find out how to get into your secure data? Once he had access to that information? How much damage could he do?
HIPAA sets out security guidelines to help us protect against this kind of intrusion. However, until we fully understand the risks of giving out information, we’re unlikely to implement “need to know” regulations correctly. This book will make you think seriously about security.