The Ethical Hack: A Framework for Business Value Penetration Testing. By James S. Tiller; published by Auerbach Publications, 800/272-7737 (phone), www.crcpress.com (Web); 352 pages; $69.95.
Along with “jumbo shrimp,” “random order,” and “negative growth,” some people may consider “ethical hack”—intrusion into a company’s computer systems to test their vulnerability—to be an oxymoron. But in this comprehensive work author James Tiller explains not only why ethical hacks are viable, but also why they are critical.
After an overview of penetration testing, Tiller explains why some organizations may need more comprehensive testing than others, for reasons such as cost and time-value of information. He advises caution in choosing penetration testers, however, not just because of potential compromise of corporate systems but also because of civil or criminal ramifications for management should certain proprietary information be uncovered or exploited during the test.
Tiller does a fantastic job explaining the process of the ethical hack from beginning to end. By way of charts, diagrams, graphs, and comparisons, the reader is led step by step through a penetration test. Also provided are sample incident reports and response forms, examples of documentation needed for the test, and an example of how the finished penetration-test document should be presented.
No matter how elaborate the test, however, penetration testing is just one part of an overall systems security plan, Tiller emphasizes. Policies, training, physical security, and other elements are also critical.
Tiller also makes clear that there is no cookie-cutter approach to penetration testing. Tests should be designed with the purpose of the system and the specific type of prevention desired in mind. In addition, threats evolve so quickly that penetration testing should be a regular occurrence, not just a one-time event.
The Ethical Hack is one of the most complete books on penetration testing available. It can be confusing due to the complex nature of some of the information, but Tiller does his best to lighten the material with humor and reinforcement of key concepts.
The book is geared strictly toward security professionals and system administrators needing a reference source on penetration testing. Nonetheless, some information would be useful for graduate students or other professionals looking for general information on the topic.
William Eardley, IV, has sixteen years of experience in security and corrections. He has a graduate certificate in information security from Eastern Michigan University. He is a member of ASIS International.