Foreword

There were no books on hacking when I became a penetration tester and security auditor for PricewaterhouseCoopers in 1995. There were tools, techniques, and procedures, though. While the tools have changed dramatically, the techniques and procedures have been remarkably stable, and Kevin Beaver has created the perfect introduction to hacking that incorporates the best procedures with the latest tools. Planning, footprint analysis, scanning, and attacking are all still required. Perhaps there is more emphasis on wireless and web hacking and less on things such as war dialing thanks to changes in the way companies and people are connected. The real value to extract from this book is in understanding the tools and becoming proficient in their use.

Pen testing, or hacking, is the best way to get into the rewarding field of IT security. It is open to anyone with a foundation in computing, coding, or networking. If you do not have a background in all three, you will quickly gain knowledge in the other disciplines because hacking takes you down many paths.

There was a time when a professional hacker had to be a jack-of-all-trades. Now there are thousands of subspecialties within the realm of hacking: mobile app security testing, web app security testing, network penetration, and OS-specific hacking for Mac OS X, Windows, Linux, and Android. Security researchers, specialists who discover new vulnerabilities, are having a big impact on the so-called Internet of Things (IoT) as they discover new ways to hack medical devices, automobiles, airplanes, and industrial control systems, which makes this field that much more exciting and relevant.

Hacking appeals to a special kind of person. Tinkerers, inventors, and just those who are fascinated by the way things work get into IT security through the hacking door.

As Kevin explains though, hacking as a profession requires discipline and careful recordkeeping, perhaps the hardest part for the sometimes brilliant amateur hackers — the ones who will stay glued to their consoles for 24 hours, scripting attacks and wending their way through a network until they hit gold.

For me, the most interesting type of hacking is what I have termed business process hacking. When formalized, business process hacking is an example of what Kevin calls knowledge-based hacking. It is best performed with an insider’s knowledge of architectures and technology and, most important, the business process. This is where you discover flaws in the way a business is built. Is there a third-party payment processor in the loop of an e-commerce site? Can a subscriber to an information resource abuse his access in ways a hacker cannot? Where are the “trust interfaces?” Is the only control at those interfaces: “We trust the user/system/supplier not to hack us?”

You see business process hacking every day. So-called Search Engine Optimization (SEO) experts figure out how to hack Google’s page rank algorithms and controls. Tickets to popular concerts and sporting events are sold out in minutes to bots that scarf them up for resale at a profit. Amazon sales ranks are hacked by authors who purchase their own books in quantity.

This book is your introduction to the challenging and engaging world of hacking IT systems. I predict three things:

1. Hacking will accelerate your career as you gain invaluable experience and become indispensable to your organization.

2. New doors will open for you. You will find that you have many options. You can join (or form) a consulting firm. You can move up the ranks inside your organization, perhaps to becoming the Chief Information Security Officer. You can join a vendor that designs and sells security tools in which you have gained proficiency.

3. You will never stop learning. Hacking is one of the few fields where you are never done.

Richard Stiennon
Chief Research Analyst, IT-Harvest
Author of There Will Be Cyberwar
