UNIVERSITY OF WALES NEWPORT

MSc. Computing

AD VANC ED C OMP UT ER NE TWOR K

(C P13 07)

A REFLECTIVE ESSAY
ON

THE ART OF DECPTION

BY
KEVIN DAVID MITNICK & WILLIAM L SIMON
Written By

Onwuegbuzie Innocent U.

DATE SUBMITTED: MAY 11, 2009

RECEIVED BY: Mr. CHRISTOPHER LIM. (Course Lecturer)
1
INTRODUCTION

Organizations has a lot to merry and smile about when they are making success and
declaring excess bonus at its Annual General Meeting (AGM) all seems to be going on fine, they
attribute their success to the strong security back bone they have with regards to the latest
security hardware’s and software’s watching their backs. It is unfortunate to realize that even as
they rejoice upon their success, an antagonist referred to in this essay as Social Engineer is right
their plotting and strategizing on how to wipe the smile out of their faces. He fervently closes up
on them to find the “Slightest Loop-Hole” and lunches his attack at the exact time he feels
convenient. Guess what this Security Loop-Hole is? The humans, manning this so-called
sophisticated, latest hardware and software security infrastructures.

MY PREVIOUS KNOWLEDGE ABOUT ORGANIZATIONAL SECURITY

While I was growing up as an aspiring and ready to break grounds young man, never did
I thought that there was any serious need to secure a company’s information, be it confidential,
private or public information. I felt that the success of most successful companies lies on how
much money they pumped into the business to keep it up and running and how much of
dedication and diligence the workers or staff of an organization put to ensure that the aim and
goals of the company is achieved.
Having heard and read about how some companies winded up and fell out of business, I
most at times attribute it to staff embezzlement, bankruptcy, lack of focus and selfishness on the
part of whosoever aided the collapse. Even when I made personal researches to what might have
lead to the collapse of some of these companies, I only came up with accusing fingers pointed to
the incompetent management staff, and perhaps gathered little or no information concerning the
company’s Vital Information which I will refer to here as; “The Company’s Source Code”, which
entails the secrets of the ways and how the company runs their business and keeping their heads
high above the tides, which might have fallen into the wrong hands.
In the course of my research I sometimes might come up with lack of maintenance of
operational facilities as a major cause of companies collapse, and the management never cares
about it. In as much as the money keeps rolling in, it seems to them that they were doing just
fine.
Right from my early days, most especially when I came to the realization of what a
computer was and what one can achieve with it, I immediately fell in love with its discipline
although I did not study it as a first degree course, I knew from that first day of my encounter
with a computer that this was exactly what I had wanted to study, and as time goes by, I began to
build myself in this direction, my interest never left the computing world as I was constantly
keeping in touch with its growth, developments and implementations.

MY PAST PERSONAL EXPERIENCE

My very first encounter with computer networks and security issues was way back in my
third year in the university, where I was fortunate to do my Industrial Training Programme in an
Internet Service Provider (ISP) Company. There was this particular incidence that took place that
the companys’ network was half-way shut down by virus attack. My Boss and the CEO/owner of
the company who was a High-Level IT officer working at Shell Petroleum Development
Company (SPDC) in my country Nigeria acted swiftly as soon as he was notified of this security
2
compromise. He isolated the segment of the network that was badly hit by the virus, and then
moved the clients that was on that affected channels to another back-up channel were they could
keep up with the service of the company without interruption.
This was my first experience of network security compromise; it was such an eye opening event
for me, this was when I knew about the functionalities of network security devices such as
Firewall, Intrusion Detection systems, Routers, Anti-virus programs etc.
As I grew in this field I came to realize that for your network to be secured, you need the
most sophisticated network security devices and a broader knowledge of how they work and
being configured. For me at this point, it sounded that with all these things in place, then “Your
network is the most secured network in the world”. Little did I know that even at this level, one
is still very vulnerable to network break down and attacks.
The study of my Masters of Science Computing gave me the privilege of reading the
book titled: The Art of Deception: Controlling the Human Element of Security by Kelvin D,
Mitnick and William L, Simon.
My eyes were open to the fact that you might have all the sophisticated network security
hardware’s and software’s, with up to date operating System Patches and Anti-Virus Updates, but
still remain very vulnerable to security compromise to what Kelvin D. Mitnick called Social
Engineers.

MY EXPERIENCE AS I READ ALONG

The book; Art of Deception: Controlling the Human Element of Security, has truly given
me a new dimension of viewing security. An organization might have in place all advanced and
sophisticated hardware and software facilities, as well as having very competent hands to operate
these facilities but still remain very unsecure to Social Engineers. The question now arises, what
is Social Engineering and who is a Social Engineer?
As defined by Wikipedia (2009) Social Engineering is the act of manipulating people into
performing actions or divulging confidential information. While similar to a confidence trick or
simple fraud the term typically applies to trickery or deception for the purpose of information
gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face
with the victim.

A Social Engineer is a person that uses the above defined techniques to achieve his aim or
goals. An organization might not really appreciate the gravity of the attack of a Social Engineer
until the bomb he has planted explodes. This could lead to winding up of an organization or
perhaps threatens the standard of such organization in the global market.
Social engineering attacks are increasing in frequency and can be technical or non-technical;
both manipulate staff to gain unauthorized information which can then be used to damage the
organization or for criminal purposes. Social engineering concentrates on exploiting the
weaknesses of people, rather than IT systems or the computer security process. Staff targeted
tends to be those who work in customer facing roles, especially IT, help desks, receptionists,
security guards, cleaning and catering.

Imagine the operational procedures of an organization to be in the freelance hands of a social

Engineer, definitely this does not sound good to hear to an organization that fall victim.
Social engineers use several avenues of attack.
• Via the telephone: this is the most common form of Social Engineering approach usually to
the front facing support desk staff to gain their confidence and active support.
3
• Face to face: a targeted member of staff will be approached and manipulated and tricked into
giving support or information.
• Via email: Phishing are the most common forms of Social Engineering attack via email. Emails
are created to look like a legitimate request from a bank or other trusted organization with which
you are happy to transact.
• By searching through waste/trash bins for personal information: this is called Dumpster
Diving or Skimming. It is a key activity in identity theft attacks. Social Engineers search for
documents such as credit card statements and invoices and organizational documents to aid their
strike.
• Web searches, where too much detailed information about staff, departments, products,
services and the organization’s key activities is posted on web sites. This is often a very simple
open source search for Social Engineers; it assists them in the target acquisition process.
• Online, Open Information. Online curricula vitae (CVs) are another useful source of personal
information, and some web sites and news groups give details about whom you are and where
you work if you have posted that information.

To this end it is seen that Social Engineers has so many ways in which they can lunch
their attacks, it is obvious that security firewalls, Intrusion Detection Systems, and other security
devices are no match to them because one of their most powerful tool is human manipulation.
Social Engineers manipulates the personnel’s manning these security devices to gain access into
the corporate organization, hence at this juncture it is very pertinent for security experts to
broaden their security perspective towards considering the human weakness and devising
appropriate measures to checkmate this vulnerable loop hole.

MY CURRENT KNOWLEDGE ABOUT ORGANIZATIONAL SECURITY

No doubt I now see things in a different way and a broader spectrum when it comes to
network and organizational security. It is not enough for an organization to have all the
sophisticated and latest hardware and say it has it all. Network and organizational security goes
beyond just hardware’s alone but well and carefully planned Network and Management Security
Policies that caters for the human weakness in security issues.
Kelvin D, M, and William L, S, (2002, p.7) in his book said “There is a popular saying
that a secured system is the one that is turned off. It sounds clever but false: The Pretexter simply
talks someone into going into the office and turning that computer on”, once the system is on a
Social Engineer uses his Hacking knowledge to gain access into that computer from a distance.
Am now of the opinion that for an organization to fully boast of tight and secured system
then it has to invest in training its employees against the attack of Social Engineers. This can
done by delegating this responsibility to experts on Anti-Social Engineering or perhaps contract
it to an Anti-Social Engineering Consulting firm.
The entire staff of the organization should be trained, regardless of position and status, as
Social Engineers can use any employee as a victim. To this end I will recommend the following:
• Train employees/help desk to never give out passwords or other confidential info by
phone

• Tight badge security, employee training, and security officers present

• Don’t type in passwords with anyone else present (or if you must, do it quickly!)

• All employees should be assigned a PIN specific to help desk support

4
 • Require all guests to be escorted

• Lock & monitor mail room

• Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on
equipment

• Control overseas & long-distance calls, trace calls, refuse transfers

• Keep all trash in secured, monitored areas, shred important data, erase magnetic media

• Continual awareness of system and network changes, training on password use

• Mark documents as confidential & require those documents to be locked

• Keep employees on their toes through continued awareness and training programs

Security Focus (2009)

CONCLUSIONS

The consequences of the attack of a Social Engineer are immeasurable compared to

embezzlement and money laundry most especially if it leads to the winding up of an
organization.
Organizations should stop beating their hands on their chest in a way to boast of the extent of
security of its system if the only implementation is on hardware’s alone, because as far as the
Social Engineer is concern he still remains very porous.
The success of every business depends on the commitment of its employees towards
their duties. Since Social Engineers have seen “Human factor as security’s weakest link”, as said
by Kelvin D, M, and William L, S, (2002, p.3), then employees should be properly and
adequately aware of the existence of social engineers and the havoc they can cause the
organization if they are allowed to strike. If an organization fails to take all necessary security
measures seriously, then smart Social Engineers will take these measures against them instead.

5
REFERENCES

• Kelvin D, M, and William L, S, 2002, Art of Deception (Controlling the Human Element
of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• Wikipedia 2009, Social Engineering, Wikipedia: The Free Online Encyclopedia. Viewed
April 16, 2009 from; http://en.wikipedia.org/wiki/IPsec.
• Security Focus 2009, Common intrusion tactics and strategies for prevention, viewed
April 16, 2009 from; http://www.securityfocus.com/infocus/1533.