CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits

James S. Tiller (Raleigh, North Carolina, USA)


Whittles Publishing

Network management


389 pages


CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits details the methodologies, framework, and unwritten conventions penetration tests should cover to provide the most value to your organization and your customers. Discussing the process from both a consultative and technical perspective, it provides an overview of the common tools and exploits used by attackers along with the rationale for why they are used. From the first meeting to accepting the deliverables and knowing what to do with the results, James Tiller explains what to expect from all phases of the testing life cycle. He describes how to set test expectations and how to identify a good test from a bad one. He introduces the business characteristics of testing, the imposed and inherent limitations, and describes how to deal with those limitations. The book outlines a framework for protecting confidential information and security professionals during testing. It covers social engineering and explains how to tune the plethora of options to best use this investigative tool within your own environment. Ideal for senior security management and anyone else responsible for ensuring a sound security posture, this reference depicts a wide range of possible attack scenarios. It illustrates the complete cycle of attack from the hacker's perspective and presents a comprehensive framework to help you meet the objectives of penetration testing, including deliverables and the final report.

By:   James S. Tiller (Raleigh, North Carolina, USA)
Imprint:   Whittles Publishing
Country of Publication:   United Kingdom
Dimensions:   Height: 235mm,  Width: 156mm,  Spine: 30mm
Weight:   862g
ISBN:   9781439880272
ISBN 10:   1439880271
Pages:   389
Publication Date:   December 2011
Audience:   College/higher education,  Primary
Format:   Hardback
Publisher's Status:   Active

Table of Contents

Getting Started: Audience; How to Use This Book

Setting the Stage: Perspectives of Value; Where Does Penetration Testing Fit?; What Constitutes a Success?; A Quick Look Back

Hacking Impacts: Resources; Information; Time; Brand and Reputation

The Hacker: Types of Hackers; Script Kiddies; Independent Hackers; Organized Hackers; Sociology; Motives

The Framework: Planning the Test; Sound Operations; Reconnaissance; Enumeration; Vulnerability Analysis; Exploitation; Final Analysis; Deliverable; Integration

The Business Perspective: Business Objectives; Previous Test Results; Building a Roadmap; Business Challenges; Security Drivers; Increasing Network Complexity; Ensuring Corporate Value; Lower Management Investment; Business Consolidation; Mobile Workforce; Government Regulations and Standards; Why Have the Test?; Proof of Issue; Limited Staffing and Capability; Third-Party Perspective; It Is All about Perspective; Overall Expectations; How Deep Is Deep Enough?; One-Hole Wonder; Today's Hole

Planning for a Controlled Attack: Inherent Limitations; Time; Money; Determination; Legal Restrictions; Ethics; Imposed Limitations; Timing Is Everything; Attack Type; Source Point; Required Knowledge; Timing of Information; Internet; Web Authenticated; Application Service; Direct Access; Multiphased Attacks; Parallel Shared; Parallel Isolated; Series Shared; Series Isolated; Value of Multiphase Testing; Employing Multiphased Tests; Teaming and Attack Structure; Red Team; Vulnerability Explanation; Testing Focus; Mitigation; White Team; Piggyback Attacks; Reverse Impact; Detection; Blue Team; Incident Response; Vulnerability Impact; Counterattack; Team Communications; Engagement Planner; The Right Security Consultant; Technologists; Architects; Ethics; The Tester; Logistics; Agreements; Downtime Issues; System and Data Integrity; Get Out of Jail Free Card; Intermediates; Partners; Customers; Service Providers; Law Enforcement

Preparing for a Hack: Technical Preparation; Attacking System; Operating System; Tools; Data Management and Protection; Attacking Network; Attacking Network Architecture; Managing the Engagement; Project Initiation; Identify Sponsors; Building the Teams; Schedule and Milestones; Tracking; Escalation; Customer Approval; During the Project; Status Reports; Scope Management; Deliverable Review; Concluding the Engagement

Reconnaissance: Social Engineering; E-Mail; Value; Controlling Depth; Help Desk Fraud; Value; Controlling Depth; Prowling and Surfing; Internal Relations and Collaboration; Corporate Identity Assumption; Physical Security; Observation; Dumpster Diving; Theft; Internet Reconnaissance; General Information; Web Sites; Social Networking

Enumeration: Enumeration Techniques; Connection Scanning; SYN Scanning; FIN Scanning; Fragment Scanning; TCP Reverse IDENT Scanning; FTP Bounce Scanning; UDP Scanning; ACK Scanning; Soft Objective; Looking Around or Attack?; Elements of Enumeration; Account Data; Architecture; Operating Systems; Wireless Networks; Applications; Custom Applications; Preparing for the Next Phase

Vulnerability Analysis: Weighing the Vulnerability; Source Points; Obtained Data; The Internet; Vendors; Alerts; Service Packs; Reporting Dilemma

Exploitation: Intuitive Testing; Evasion; Threads and Groups; Threads; Groups; Operating Systems; Windows; UNIX; Password Crackers; Rootkits; Applications; Web Applications; Distributed Applications; Customer Applications; Wardialing; Network; Perimeter; Network Nodes; Services and Areas of Concern; Services; Services Started by Default; Windows Ports; Null Connection; Remote Procedure Call (RPC); Simple Network Management Protocol (SNMP); Berkeley Internet Name Domain (BIND); Common Gateway Interface (CGI); Cleartext Services; Network File System (NFS); Domain Name Service (DNS); File and Directory Permissions; FTP and Telnet; Internet Control Message Protocol (ICMP); IMAP and POP; Network Architecture

The Deliverable: Final Analysis; Potential Analysis; The Document; Executive Summary; Present Findings; Planning and Operations; Vulnerability Ranking; Process Mapping; Recommendations; Exceptions and Limitations; Final Analysis; Conclusion; Overall Structure; Aligning Findings; Technical Measurement; Severity; Exposure; Business Measurement; Cost; Risk; Presentation; Remedial; Tactical; Strategic

Integrating the Results: Integration Summary; Mitigation; Test; Pilot; Implement; Validate; Defense Planning; Architecture Review; Architecture Review Structure; Awareness Training; Awareness Program

Incident Management: Building a Team; People; Mission; Constituency; Organizational Structure; Defining Services and Quality; CERT Forms

Security Policy: Data Classification; Organizational Security

Conclusion

Index

James S. Tiller is the Vice-President of Security Professional Services, North American BT Global Services.

Staying in front of the bad guys and sometimes protecting yourself from the brain-dead acts in corporate environments are keys to successful security measures. Tiller teaches on the simplicity of security, breaking it down from smoke and mirrors to time-proven measures. I have enjoyed reading Tiller's books in the past; his approach and ability to break down what is sometimes made to look like a complicated structure allows for not only a better understanding but a framework that is able to stand the test of time. -- Jeffrey Schmidt, Global Head Business Continuity, Security, and Governance, BT Global Services
