Hack Attacks Testing: How to Conduct Your Own Security Audit Paperback – Mar 12 2003
Product Details

  • Paperback: 560 pages
  • Publisher: Wiley; 1 edition (March 12 2003)
  • Language: English
  • ISBN-10: 0471229466
  • ISBN-13: 978-0471229469
  • Product Dimensions: 3.1 x 18.4 x 23.1 cm
  • Shipping Weight: 853 g
  • Average Customer Review: 3.3 out of 5 stars (3 customer reviews)
  • Amazon Bestsellers Rank: #2,193,713 in Books


Inside This Book

First Sentence
Within the International Information Systems Security Certification Consortium's Common Body of Knowledge domains, vulnerability scanning and penetration testing are positioned as part of problem identification auditing for network defense testing against techniques used by intruders.

Customer Reviews

3.3 out of 5 stars (3 customer reviews): 5 star: 0; 4 star: 2; 3 star: 0; 2 star: 1; 1 star: 0

Most Helpful Customer Reviews on Amazon.com

Amazon.com: 5 reviews
32 of 35 people found the following review helpful
How to conduct 1/7th of your security audit March 26 2003
By Anders Thulin - Published on Amazon.com
Format: Paperback
I find this to be a rather confusing book. The title suggests I will learn how to conduct my own security audit, but when I've finished the book, all that seems to remain is how I install Windows 2000 Server and Linux/Solaris, a number of brief user guides about various vulnerability scanners, and a short comparison of them. Where did the audit bits go? Looking for them in the table of contents produces nothing.

There is a description of what a security audit should include in the introductory text of Part I. It's almost hidden away -- Part I is titled "Building a Multisystem Tiger Box", and not even the table of contents hints that there's more important information here.

The book says a security audit consists of seven phases: blind testing, knowledgeable penetration, Internet security and services, dial-up audit, local infrastructure audit, WAN audit and reporting. It comes as a disappointment to find, then, that only phase 1 (blind testing) and phase 4 (dial-up audit) will be covered. I hoped I would get pointers on where to look for information on how to do the remaining five phases, but it seems to have been omitted.

The dial-up audit, furthermore, seems to have been lost. The only place where it is mentioned in the book (according to the index) is in this description.

My personal reaction is of course to retitle the book: "How to do 1/7ths of a security audit". I feel a bit cheated.

The book goes on to describe how to set up a multi-boot system to use for security audits (chapters 1-3). As far as I see, it's just basic installation walkthroughs, without any discussion of why a particular configuration choice is made, or how it affects the purpose of using the multi-boot system. Also, very little is said about the problems involved in multi-booting (such as choosing good partition sizes), and there is nothing on how much disk is required, though the Solaris description suggests 5 Gb for Solaris alone. The problem of sharing information between the different environments is not touched upon either, but will be encountered very quickly by anyone actually using the system in practice.

Nor is there anything about why Windows 2000 Server is used for the installation description (what with all the bits about Active Directory, domains, trust etc.), and there's nothing at all about the problems and benefits of being able to conduct an audit both entirely outside a Windows domain, as well as being part of it.

Part II is about using security analysis tools on Windows. Again it starts off with an introductory part (again hidden away to anyone using the table of contents) describing audits of the SANS Top 20 Vulnerabilities. I can't imagine why the table of contents does not mention this: it is important. Some of the suggestions, though (such as the question of missing backups), do not really come within the scope of the book, or even the full seven-phase security audit described earlier: security policies are not covered. This is rather confusing: it feels as if something was missing from the book.

The main chapters of Part II describe the capabilities of Cerberus Internet Scanner, CyberCop Scanner, ISS Internet Scanner, Harris STAT, and TigerSuite 4.0. The descriptions are more of the nature of short user guides -- it would have been far more useful to have actual practical experience from using them.

The last product (TigerSuite 4.0) can hardly be compared with the other vulnerability scanners, and it's not clear from the description in what way it may complement them. The only practical application described is that of tracerouting, but it could easily have been done with already available tools.

Part III does the same, but for Linux, Solaris and Mac OS X. The different chapters describe various Unix programs: hping2, Nessus, nmap, SAINT, SARA. As the introductory part gives a list of Linux commands, it appears to be intended for the novice, but already in the chapter on hping2 the reader is expected to read and understand substantial material from tcpdump without any help from the text.

The reason hping2 is included seems to be based on the idea that it can be used for IP spoofing -- indeed, there's a fairly long description of how spoofing was used by Kevin Mitnick to gain access to another system. But just how this connects with hping2 is not explained.

Part IV is titled "Vulnerability Assessment" and contains one single chapter in which the results from running the various vulnerability scanners against a specially designed target network are compared in various tables. No interpretation is provided, unfortunately.

In addition to the odd lacunas in the table of contents that have already been mentioned, the text appears to have been badly served by the editor: there are numerous ambiguities sprinkled around. One of the best can be found on the very first line of the introduction:
"The objective of this book is to fill a gap found in most books on security: How security examinations can be conducted via illustrations and virtual simulations."
Most readers will hopefully be able to figure out what the intended meaning is. Those 'virtual simulations' (whatever they may be) are found on the CD: short recorded demo walkthroughs of how to use some of the tools described in the book.

The two stars are mainly for the information on the vulnerability scanners. Had the book described the pitfalls in using automated tools (such as the inevitable false positives) and gone into the practical issues around using the tools it would easily have obtained a third star, provided the title had been modified to indicate that the book is mainly about tools.

I would recommend the book "Hack I.T. -- security through penetration testing" by Klevinsky, Laliberte and Gupta instead. It works with a smaller scope -- that of the penetration test, not the full security audit -- but covers it far better.
2 of 2 people found the following review helpful
I Learned Absolutely Nothing From This Book Sept. 15 2006
By P. Fleming - Published on Amazon.com
Format: Paperback
I expected this book to cover security audits.

This book is a step-by-step guide to using a handful of auditing tools (including installation).

If you have never seen an auditing tool like Nessus or hping then this book may teach you something. However, after reading this book alone, you will by no means have the knowledge required to conduct a security audit. You are only shown how a few tools work. Not what to do with the information provided, not what it means, nothing.
2 of 2 people found the following review helpful
Good Beginner Guide to Vulnerability Assessments March 29 2003
By "shlane" - Published on Amazon.com
Format: Paperback
I enjoyed the detail in this book and the configurations are technically sound. The author covered the best known software with clear instructions on getting up and running and then performing an audit with each package. The book closes with an interesting evaluation ranking chart and compares each package based on number of issues detected. The text is easy to follow and formatted well. This is a good beginner guide to vulnerability assessments (veterans need not apply).
Way outdated Sept. 6 2008
By I. Sfiligoi - Published on Amazon.com
Format: Paperback
This book may have had some value when it was written, but most of the content is obsolete by now.

Moreover, it spends a good portion of the text describing how to install the products and most of the rest is dedicated to the description of the options (essentially a cut-and-paste) from the manuals.

A waste of time (money and paper).
3 of 5 people found the following review helpful
Excellent starting place for security evaluation training Sept. 22 2003
By "larsenk" - Published on Amazon.com
Format: Paperback
John Chirillo routinely stuffs his books with a wide variety of hard to find technical gems. This book is no exception as he has created an exceptional manual on security auditing. His compilation of tools is excellent and the book descriptions and how-to's, even better. For those that are inclined, he outlines the building of a Tiger Box (testing system) which takes full advantage of the tools contained on the CDROM. The head to head comparisons of the popular security tools help you in selecting the security tool that is right for you. If you are playing catch up in the mad-cap world of Internet security, this book can help you level the playing field. The CDROM also contains the highly functional Tiger Tools Suite which takes the difficult job of security testing to the level of simple mouse clicks. This is a good book to break in a beginner and is full of information to satisfy the security veteran.
