Friday, March 21, 2014

[Quote] The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick


“… because the human factor is truly security's weakest link.”
“Anyone who thinks that security products alone offer true security is settling for the illusion of security.”
“Security is not a product. It’s a process. Moreover, security is not a technology problem. It’s a people and management problem.”
-- Bruce Schneier
“Many people look around until they find a better deal; social engineers don’t look for a better deal, they find a way to make a deal better.” 

“First rule: Never visit the premises unless you absolutely have to. They have a hard time identifying you if you’re just a voice on the telephone. And if they can’t identify you, they can’t arrest you. It’s hard to put handcuffs around a voice.”
“Most of the time, if the victim believes you’re trying to help him or do him some kind of favor, he will part with confidential information that he would have otherwise protected carefully.”
“Social engineers know better than to stay at the scene of the crime any longer than necessary.”
“… the skilled social engineer often targets lower-level personnel in the organizational hierarchy. It can be easy to manipulate these people into revealing seemingly innocuous information that the attacker uses to advance one step closer to obtaining more sensitive company information.”
“It’s all about the ones and zeros--meaning that in the end, everything comes down to information.”
“The truth is that there is no technology in the world that can prevent a social engineering attack.”
“The central goal of any security awareness program is to influence people to change their behavior and attitudes by motivating every employee to want to chip in and do his part to protect the organization’s information assets. A great motivator in this instance is to explain how their participation will benefit not just the company, but the individual employees as well. Since the company retains certain private information about every worker, when employees do their part to protect information or information systems, they are actually protecting their own information, too.”
“The threat is constant; the reminders must be constant as well.”
“Security policies are clear instructions that provide the guidelines for employee behavior for safeguarding information, and are a fundamental building block in developing effective controls to counter potential security threats.”
“Effective security controls are implemented by training employees with well-documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.”
“... management must do more than merely provide an endorsement, it must demonstrate a commitment by personal example.”

Source: The Art of Deception: Controlling the Human Element of Security

Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].

There is one more reason that may encourage you to go for the audiobook version: you can get it now for FREE. Audible offers a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log in; you can keep downloading the audiobook over and over again.

About the summary: It takes time to finish a book, and when you do, you sometimes want to review what you learned from it. If you do not make notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a printed book, but you can still flip through it and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of the content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the book. Most books have interesting examples and case studies, which are not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source above.
