• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Book Review - Hack I.T. Security Through Penetration Testing

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles

View previous topic :: View next topic  
Author Message
ShaolinTiger
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Offline

PostPosted: Thu Aug 07, 2003 11:47 pm    Post subject: Book Review - Hack I.T. Security Through Penetration Testing Reply with quote

Hack I.T. Security Through Penetration Testing

Author: T.J Klevinsky, Scott Laliberte and Ajay Gupta, Foreword by Simple Nomad
Publisher: Addison-Wesley
Book Specifications:Soft-cover, 512 pages with CD-ROM
Category: Ethical Hacking
User Level: Intermediate-Advanced (Prior General Networking & Security Knowledge needed)
Suggested Publisher Price: $42.99 USA/ $64.50 CAN/ £26.91 Net UK (inc of VAT)
ISBN: 0-201-71956-8
Amazon.co.uk: Hack I.T. Security Through Penetration Testing
Amazon.com: Hack I.T. Security Through Penetration Testing



Info from Cover: "This book covers not just the glamorous aspects such as the intrusion act itself, but all the pitfalls, clauses and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art"

Introduction

This was a book I was very much looking forwards to getting my hands on as penetration testing is something I've always been interested in and is an area I would quite like to move into professionaly.

The authors of this book are all full time pen-testers/infosec pros for Ernst & Young's Security division.

Hack I.T. is a good book for anyone into security really, pen-testing is an important skill to learn and understand even if you only use it against yourself and your own networks.

Most people are afraid of pen-testing, it sounds too much like hacking, destructive, somewhat of a black art. Even if you are a technical manager or someone with a passing interest in security and how hackers (ethical and otherwise) operate, this book will be of interest.

On another tack, for a technical book I have to say I couldn't put it down, I'll admit I've seen most of the techniques and tools in the book, but not all and it's written in a very free flowing and informative manner.

Contents

As a general overview of how the book works, the first part (Ch 1-4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. The second part (Ch 5-10) provides a structured framework for a pen-test (standard stuff as you find in Hacking Exposed et al). The third part (Ch11-16) provides greater detail on the tools and techniques used, the final section (Ch 17-23) focuses on advanced techniques useful for those who have seen all the normal stuff (this section includes how to evade firewalls, IDS etc).

Run down of chapters/sections/contents (I feel are important)

Hacking Today
  • What's going on
  • Where everything is at
  • Figures & stats and good stuff to sell pen-testing services.
Defining the Hacker
  • Hacker Skill Levels
  • Hacker Myths
  • Infosec Myths
Penetration for Hire
  • Covers ramifications
  • Requirements (skill set, knowledge, tools, hardware etc)
Where the exposures Lie
  • Application holes
  • BIND
  • Sendmail
  • CGI etc
Internet Penetration
  • Enumeration
  • Analysis
  • Exploitation
Dial-in Penetration
  • War dialing
  • number gathering
  • Tools
Internal Penetration Testing
  • Scenarios
  • Network Discovery
  • NT
  • UNIX
Social Engineering
UNIX Specific Methods
The Tool Kit
All the normal things follow here, vuln scanners, discovery, port scanners, sniffers, pass crackers, web-testing tools, remote control software
Intrusion Detection Systems
Firewalls
DoS
Future Trends

The book is written very progressively, it starts off with a foreword by a well respected hacker Simple Nomad (http://www.nmrc.org/) introducing pen-testing and hacking in simple terms, then a preface explaining the goals and aims of the book, the intended audience and a little bit about the authors and how to use the book.

After this is the Introduction which examines recent trends and security in general terms. The covered is hacking today, what goes on, the damages caused etc.

Then a part I really enjoyed defining the hacker, they have a three tier system with the true 3l33t, second tier (sys admin level) hackers and 3rd tier script kiddies, which well most don't even consider as hackers. But if you look at is a pyramid that's certainly how it works. A few elite, a few more of the second level and shit loads of skiddies.

The book then basically progresses nicely through every area of pen-testing, what skills you need, the hardware and tools you need, what you would actually do, how you would approach it and includes various nice real life scenarios and case studies.

Style and Detail

As mentioned above the book is well written with a nice flow to it and as much details as is needed in case studies etc (all commands and switches used with nmap, netcat etc).

I have to say if you've never heard of nmap and netcat this book may be a steep learning curve for you. To get the most out of this book you'd be familiar with most common 'security' tools, TCP/IP, granular file permissions, ACL's etc.

The book itself is well laid out in an easy to read font with lots of screen shots and the options to use in various tools/apps.

Appendix B also contains a whole load of exploits, how to test for vulnerability and how to protect against them. A veritable arsenal for any pen-tester Smile

The book also comes with a useful CD-ROM which is not packed to the brim with loads of tools, but does contain some of the nifty rare tools and things like Nessus aswell as a handy reference.

Conclusion

As I've said before I was familiar with most of the tools and techniques in this book allready, but that's me and I've been interested in pen-testing for quite a while and have been trying to learn as much as I can on my own.

I was really interested to see how the 'pro's would put it and I'm happy to see I'd got most of the right ideas allready, they just clarify it and make a handy guide to the tools and techniques needed in todays infosec world.

All in all I recommend this book, I recommend it highly.

If you are into ethical hacking of any sort, get hold of this and enjoy it.

I give it a 9/10



This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Keywords: Penetration Testing Pen Testing Hack I.T


Last edited by ShaolinTiger on Sun Jan 18, 2004 8:36 pm; edited 3 times in total
Back to top
View user's profile Send private message Visit poster's website
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Fri Aug 08, 2003 12:21 am    Post subject: Reply with quote

I like the way you reviewed this book from my perspective (I already work in the infosec field) and showed me the high points of it. I will have to wait till next month to buy it though. The review and the way it was presented though have piqued my interest enough to lay down the cash.
Well done and I look forward to your next review.
Back to top
View user's profile Send private message Visit poster's website
Sgt_B
Trusted SF Member
Trusted SF Member


Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Offline

PostPosted: Tue Sep 09, 2003 9:21 pm    Post subject: Reply with quote

How would you compare this book to Hacking Exposed 4th Edition? I noticed you gave this one a slightly higher grade. Is there something here that HE doesn't cover? Both books seem to cover the same topic (hacking/pen-testing). Which, in your opinion, is the better book? or are they both worth a read?
Back to top
View user's profile Send private message Visit poster's website
ShaolinTiger
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Offline

PostPosted: Wed Sep 10, 2003 1:16 am    Post subject: Reply with quote

Sgt_B wrote:
How would you compare this book to Hacking Exposed 4th Edition? I noticed you gave this one a slightly higher grade. Is there something here that HE doesn't cover? Both books seem to cover the same topic (hacking/pen-testing). Which, in your opinion, is the better book? or are they both worth a read?


Slightly different viewpoints.

HE4 is more of a how to hack thing, with tools common methods, how to protect yourself etc.

This book is more about how to pen test systematically, with figures, legalities, types of hackers/sec pro's, methodology, advanced techniques and so on.

Personally I would thouroughly recommend reading both.
Back to top
View user's profile Send private message Visit poster's website
EricTheBald
Just Arrived
Just Arrived


Joined: 06 Feb 2003
Posts: 3


Offline

PostPosted: Wed Sep 10, 2003 2:03 am    Post subject: Reply with quote

Just ordered it, thanks.
Back to top
View user's profile Send private message AIM Address
CHeeKY
Just Arrived
Just Arrived


Joined: 13 Feb 2003
Posts: 3


Offline

PostPosted: Wed Sep 10, 2003 6:54 am    Post subject: Reply with quote

Ah the old team down at E&Y, used to do alot of work with these guys back in the day when I worked there, nice review ST Smile
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register