Computing Reviews
The art of deception: controlling the human element of security
Mitnick K., Simon W., John Wiley & Sons, Inc., New York, NY, 2002. 304 pp. Type: Book (9780471237129)
Date Reviewed: Oct 7 2003

Many books on information technology (IT) security are available, covering a wide range of issues at both the technical and managerial levels. While these books do recognize the existence of the human and social elements of security, very few cover these important areas in depth. This book provides a detailed, insightful, and entertaining look at one of the weakest links in the security process: the human element.

The book consists of three main sections, a chapter that provides a quick reference to the social engineering methods discussed in the second section, and a detailed index. Mitnick begins by explaining social engineering: obtaining information, often simply by asking for it, a process he describes as cracking the human firewall. He also discusses the differences between amateur, nuisance hackers who aim for quantity, and sophisticated hackers who target valuable information. He goes on to detail the ways in which current information security solutions are inadequate when it comes to addressing social engineering.

The next section considers the value of seemingly innocuous information. Using various case studies, Mitnick demonstrates how easy it can be to obtain information (specifically, an entire company directory of staff names and phone numbers), presented from the perspectives of both those obtaining the information and those providing it. He demonstrates that attackers are effective as a result of careful planning and preparation, for example by collecting specific insider details (namely staff names, branch IDs, and lingo), and shows how they use these to their advantage to obtain the information they are after. Mitnick outlines how attackers are often patient, establishing trust with their victims before attempting their objective.

Following each case study is an analysis of the type of social engineering employed, and a discussion of the various steps that can be taken to protect such information. Many of the chapters in this section finish with a list of recommendations and steps that organizations can employ to avoid becoming victims of these kinds of social engineering efforts. Mitnick also reiterates the message that personnel should beware of giving out information that may seem harmless, but that, when combined with other details, can allow an attacker to successfully penetrate otherwise well-protected systems.

The last section discusses staff awareness and training, and the benefits of establishing such programs. Security policies are examined, and a series of detailed policies is provided, ranging from management policies (data classification, information disclosure, and phone administration), to information technology policies (general, help desk, computer administration, and computer operations), to general staff policies. Each policy documents various issues, and Mitnick provides explanatory notes to accompany the recommendations.

Overall, this book is a thoroughly entertaining and informative read. Many of the case studies are based on real-life events, and show the ease with which determined attackers can gather information about an employee or an organization, and use it to their advantage to bypass seemingly secure systems and processes. This book is suitable for both managers and technicians involved in information security, and the detailed policies provided offer an excellent resource to any organization.

Reviewer: V. Stagg. Review #: CR128332 (0401-0016)
Categories: Security and Protection (K.6.5); Project And People Management (K.6.1); Computers And Society (K.4)