Monday, November 26, 2007

Chapter 16 - The End

The final chapter is now history and I feel that it was a good way to end the book. The part that I found the most interesting from this final chapter was the fact that most companies never report any social engineering attacks, yet they happen all the time. What Mitnick said was true: if word of these attacks spread, it could ruin the company. The public reaction to these attacks could end up being more harmful than the attack itself. After all, who would want to do business with a company that cannot guarantee that your information is secure? For example, if a scam became public at a company like America Online and even just one customer’s personal information was compromised, I know I would think about switching providers. In today’s highly competitive corporate world, businesses cannot afford to take chances on possibly losing the trust of their customers. Mitnick closes out the book by illustrating different procedures and policies that may be effective in preventing most scams.

I agree with some of the other bloggers in my group that this book could have been a little shorter. Some of the social engineering scams became repetitive, but now that I think about it, perhaps that was the point. While reading Mitnick’s tips towards the end of each chapter, I found myself actually predicting what he was going to say. By hammering his message into the reader’s head for 16 chapters, he made it hard to forget what he taught us in this book. Overall, I think that this book is a must-read for whoever is in charge of security procedures at any company, no matter how small. While these scams cannot be stopped completely, they can be greatly reduced by listening to Mitnick’s message.

Chapter 15

This chapter takes all of the lessons learned so far in the book and begins to tie them all together. The main point is that there is no technology out there that a manager can go out and purchase that will protect his/her company 100%. While Mitnick admits that technology can help to reduce your risk of becoming a victim of social engineering attacks, he suggests that the best way to protect yourself or your company is through a comprehensive training program. While this may seem obvious to most of us, I’m sure that there are plenty of business owners out there who feel secure because their company has passwords protecting their computers or has unlisted phone numbers for secure departments. The truth is that no technology is a match for the human brain, and when the human brain is used to deceive others it is extremely hard to stop.

Testing is something else that Mitnick suggests to ensure that employees are on top of possible security breaches. I feel that this is the only way to ensure that employees are up to date and paying attention to the material which is being taught to them during the aforementioned training program. Like the MBA student who only bothers remembering something if it is going to be on the test, employees often are only concerned with what they will be evaluated on. By continuously testing employees on the proper security procedures, you will be able to see where the weak links in your organization are and help them to improve. All it takes is for one employee to doze off during their security training to leave an opening for a social engineer. In my opinion, testing will expose this and eliminate the threat.

Chapter 14

I really enjoyed reading this chapter. The first thing that stood out to me was that it didn’t make sense that the company that stored the files for the pharmaceutical company in the first example did not have an alarm. In the example the private investigator gained access to the building where the files were kept simply by picking a lock. It seems to me that a company that specializes in storing valuable content (evidenced by the password system they have in place to retrieve files) should have an alarm system. The second useless fact that stood out to me was the fact that the con man in the second example supposedly only spent $150 on taking several employees of the robotics company to lunch at the “best restaurant in town.” Not only did they eat lunch, but he paid for drinks too! I think the real con is how he got away with only spending $150.

This chapter showed some more aspects and techniques of social engineering. I really feel that it takes more skill to pull off something like the second example (the lunch). With the phone scams, the social engineer can always hang up if someone catches on. When you are physically in someone else’s office, the situation is not as easy to back out of. I guess the lesson learned here is that if a well-dressed, handsome man shows up unannounced and tries to wine and dine you, you had better think twice.

Sunday, November 25, 2007

Chapter 13

I’ll be the first to admit when I’m wrong. For one of the first chapters in the book, I wrote a post talking about how dumb companies were for not investing in caller ID in order to prevent these social engineering scams. Well, I have now learned from this chapter that these “phone phreaks,” as they’re called, can program the caller ID to show whatever number they want it to. So if they call you claiming to be President Bush, your caller ID will show the call coming from the White House, which is pretty scary. So ignore what I said in my previous post; caller ID will not help.

Mitnick explains later on in the chapter that there is a service called ANI which is a lot more reliable than caller ID. However, in my opinion it is only a matter of time before someone figures out how to manipulate that as well. Before reading this book I never knew that it was possible to manipulate the phone company in so many ways. What I have learned so far is that pretty much nothing that you hear or see can be verified 100%. All you can do as a manager is train your employees the best you can in basic security operations and show them plenty of examples such as the ones in this book.

Chapter 12

First we learned about how social engineers like to prey on new employees; now we see that entry-level employees are also major targets. This is a major problem for companies. Entry-level employees are paid less than others and usually have the least amount of education; however, their jobs are arguably some of the most important. Low-level employees are usually the ones who come into contact with the customers. For example, at a restaurant the waiters have total control over the experience that the guest has. The owner of the restaurant can plan all they want; however, if a guest has a rude or inept waiter, they will have a bad experience. This holds true in terms of information as well. These low-level employees often have clearance to information that is just as valuable as what managers have.

In order for a company’s security to be comprehensive, it has to stretch across the entire organizational chart. ALL employees need to be properly trained and educated in the company’s security policy. As the example with the security guard showed, even someone at the bottom of the food chain in the organization can have a profound impact. Management needs to pay more attention to these “low-level” employees because, in my opinion, they are the lifeblood of the organization.

Chapter 11

Chapter 11 shows more of the technical side of social engineering. Here we see that there is sometimes a lot more involved in these schemes than just being friendly on the phone. The first example showed how one person was able to mess around with phone lines so that he could talk to a partner of his in jail. By combining extensive knowledge of phone companies with social engineering skills, he found out what area of the prison his friend was in and arranged a time when they could talk privately on the phone. To me, if this guy was really that good he would have tricked the guards into letting his friend go free!

The chapter continues with an explanation of how computer hackers were able to once again combine social engineering tactics with knowledge of hacking to find valuable information on a video game. While someone who possesses skills in one specific area can be effective, the well-rounded social engineer (quick thinking on the phone as well as strong technically) is truly hard to stop. When you combine the techniques we learned about in previous chapters (name dropping, using lingo) with the skills that were talked about in chapter 11 (hacking, phone skills), the social engineer becomes much more effective.

Chapter 10

This chapter was pretty interesting because it started off with an example that didn’t immediately involve a phone call! The example of the teenagers who snuck into the helicopter plant was pretty interesting although I would personally never take that risk just to “see if I could do it.” I guess that is what separates the social engineer from the normal person. These social engineers seem to take pride in what they do and that is probably why they are so good at it. As I read on I also found the dumpster diving example to be interesting and honestly something that I had never thought of before.

Usually when you see someone digging through trash, you figure that they are homeless and trying to find some food/clothes. Typically you do not think that the person wading through your trash could be looking for information that could be quite valuable. I never knew that the FBI also used this technique to take down some pretty high-profile criminals in the past. This example makes a paper shredder seem like a rather inexpensive preemptive measure that a business can take in protecting its information. You never know who will take a dive in the dumpster for some info!