Rating: Summary: Akil's review of "Hack I.T." - Newcomer's paradise Review: A Class piece of literature. Well-written, by guys who obviously have experience of both hacking, and Security Consultancy. I consumed the 500 pages over a marathon four days. It was well worth the hours I put aside for this task. The book has a nice 'human' touch, and makes the reader very aware of the expectancies of corporate clients (those that may employ 'Penetration Testers'). Many of the links to 'tools' are no longer up, but there are many alternatives (as a simple Google search will reveal). And of course a CD is included with the book to get you up and running in terms of some basic tools. This book is a 'must-have' for guys (like myself) new to the Security/Penetration Testing field. Great work Klevinsky/Laliberte/Gupta. Give us more!!!
Rating: Summary: Nothin new Review: This book is fairly well written but like the author mentions, there is nothing in this book that can not be found on the net. In short, this book is a compilation of various sources up for grabs for free on the net. What is valuable in this book are all the lessons learnt and real life scenarios that are included. Since not much new is revealed in this book I suggest not buying this book and instead check out the Open Source Security Methodology Testing Manual, which is a decent framework for penetration testing, including methodology and tools. Alternatively have a look at the NIST publication on penetration testing. Both come at a great price - they are FREE! If you are extremely lazy or a newbie to penetration testing then the Hack I.T. book might come in handy as an introduction. However, I suggest using one of the frameworks mentioned above and supplement with sources that are freely available on the web and dedicate time to learn the penetration testing methodologies, tools and techniques instead of reading only one book which scratches the surface.
Rating: Summary: Good only if you're a newbie Review: This book is good ONLY if you're a newbie. If you're in the field, save your money and buy something with some teeth to it. Such as, Hacking Exposed. The title itself is very misleading. There is no Pen testing. Unless you get all the tools they talk about and launch an attack. The authors are also a little biased on their choices of tools. I can think of better tools to use, in some situations, than what they suggest. All-in-all, it's just an OK book, if you're new...really new.
Rating: Summary: Guns don't kill - criminals do Review: This book is like a loaded gun. In the wrong hands the information can be used to harm, but in more benevolent hands the information can be used to protect. This is especially true when you subscribe to the adage that forewarned is forearmed. The authors have collected the most common penetration exploits and tools used by those who will attempt to penetrate your systems and have presented them in encyclopedia fashion. Each of the techniques and tools are thoroughly discussed from the aspect of defense through penetration testing to assure that common exposures are dealt with. This information is valuable for two reasons: (1) Each of the most common security exposures are identified, and how attackers exploit them is thoroughly examined. This is the forewarning part that you'll come away with. (2) The tools your attackers will probably use are provided on CD ROM, and the book shows you how your attackers will probably use them, as well as how you can use these tools to test your systems. (NOTE: many of the tools are provided as source code). Here are the book's strengths and weaknesses: Strengths: it raises awareness, provides tools and techniques, and discusses the legal aspects of penetration testing. The last strength is especially important because you'll need a signed "get out of jail" card before embarking on penetration testing, either as an employee or consultant to the target. One key point the authors make, and which should be at the top of any checklist, is ensuring that whoever authorizes the penetration testing actually has the authority to do so. Weaknesses: no structured approach - the authors provide many anecdotes, discuss cases and what they did, but it appears to be ad hoc with no test plan or test cases. These should have been included because penetration testing should be a part of any test strategy developed and executed by software QA personnel as a part of acceptance and product qualification test cycles. Since the authors are all employees of a well known international consulting firm I was disappointed that this material was omitted. Overall: this book is valuable because it addresses head on the techniques and tools against which you need to defend your systems. The added value is that you'll become skilled in the use of these tools and techniques to exploit your own systems, discover the holes and close them. Of course you should prudently track the latest attack ploys by monitoring the URLs and newsgroups that are provided in the book because the tools and techniques are constantly evolving. The book will get you started, but it's up to you to keep up. On the other hand, the unskilled "script kiddies" will also benefit from this book because it clearly explains the technical underpinnings. That unintended audience can, unfortunately, use this book to increase their skills. Despite the noted weaknesses this book is valuable as long as you're aware that it's only a starting point and it's your responsibility to take the knowledge and tools and keep them up-to-date.