Andrew Whitaker, CCSP, is the Director of Enterprise InfoSec and Networking for TechTrain, where he performs penetration tests and teaches ethical hacking and Cisco® courses. He has been working in the IT industry for more than ten years, specializing in Cisco and security technologies, and has performed penetration tests for numerous financial institutions and Fortune 500 companies. Daniel P. Newman, CISSP, CCSP, has been in the computer industry for over 12 years, specializing in application programming, database design, and network security for projects all over the world. He is the managing director and chief security officer for Tribal Knowledge Security and specializes in penetration testing and advanced technical training in Cisco, Microsoft, and Ethical Hacking topics.
Foreword
Introduction
Part I Overview of Penetration Testing
Chapter 1 Understanding Penetration Testing
Defining Penetration Testing
Assessing the Need for Penetration Testing
Proliferation of Viruses and Worms
Wireless LANs
Complexity of Networks Today
Frequency of Software Updates
Availability of Hacking Tools
The Nature of Open Source
Reliance on the Internet
Unmonitored Mobile Users and Telecommuters
Marketing Demands
Industry Regulations
Administrator Trust
Business Partnerships
Hacktivism
Attack Stages
Choosing a Penetration Testing Vendor
Preparing for the Test
Summary
Chapter 2 Legal and Ethical Considerations
Ethics of Penetration Testing
Laws
U.S. Laws Pertaining to Hacking
1973 U.S. Code of Fair Information Practices
1986 Computer Fraud and Abuse Act (CFAA)
State Laws
Regulatory Laws
1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley (GLB)
USA PATRIOT ACT
2002 Federal Information Security Management Act (FISMA)
2003 Sarbanes-Oxley Act (SOX)
Non-U.S. Laws Pertaining to Hacking
Logging
To Fix or Not to Fix
Summary
Chapter 3 Creating a Test Plan
Step-by-Step Plan
Defining the Scope
Social Engineering
Session Hijacking
Trojan/Backdoor
Open-Source Security Testing Methodology Manual
Documentation
Executive Summary
Project Scope
Results Analysis
Summary
Appendixes
Summary
Part II Performing the Test
Chapter 4 Performing Social Engineering
Human Psychology
Conformity Persuasion
Logic Persuasion
Need-Based Persuasion
Authority-Based Persuasion
Reciprocation-Based Social Engineering
Similarity-Based Social Engineering
Information-Based Social Engineering
What It Takes to Be a Social Engineer
Using Patience for Social Engineering
Using Confidence for Social Engineering
Using Trust for Social Engineering
Using Inside Knowledge for Social Engineering
First Impressions and the Social Engineer
Tech Support Impersonation
Third-Party Impersonation
E-Mail Impersonation
End User Impersonation
Customer Impersonation
Reverse Social Engineering
Protecting Again...