Hacking for Dummies by Kevin Beaver is an information security professional’s introduction to ethical hacking. It is 22 chapters of information ranging from definitions (kept to a minimum) to reporting findings and everything in between. It also includes an appendix full of tools and resources useful for testing, reporting, and researching. It is not the end-all be-all of ethical hacking. There are topics on which it scratched the surface and others where it spends a little more time. On just about every topic, the author refers to additional resources that are also listed in the appendix. What follows is what I felt were the good points of the book, the not so good, and a final recommendation. As Sun Tzu wrote some 2500 years ago, “Know yourself and know your enemy and you need not fear the outcome of 100 battles.”1
This 6th edition of the popular book has a lot going for it. The first section, on understanding your adversary, is spot on. Part of any risk assessment, whether doing a penetration test or just a general risk assessment of your information systems, is understanding the threat (Nikolić & Ružić-dimitrijević, 2009; NIST, 2014; Nourbakhshian, Rajabinasr, Hooman, & Seyedabrishami, 2013; Ross et al., 2012)2. In this case the author introduces two overarching types of threats: the insider/malicious user and the criminal hacker or cracker. The major differentiator between these two is the level of access they have: one is internal and the other external (Beaver, 2018)3. This was covered briefly but with enough depth for the reader to recognize each adversary.
From the introductory section the author gets into more of the bread and butter of penetration testing. The author spends time helping the reader build a business case for penetration testing and goes into the initial steps that rely on non-technical means of gaining access or obtaining sensitive information. These range from scouring the internet for any publicly available information on the target, to social engineering, to physical security. Next, the author talks about passwords. Each of these topics gets only a surface treatment, as each is a deep topic that could fill volumes on its own. From here the author spends the bulk of the rest of the book on the technical aspects of “ethical” hacking.
Each chapter in these sections provides information on finding and exploiting vulnerabilities for the chapter topic. These topics range from wireless and wired networks to web applications and the backends that support them. Each section includes relevant tools for doing the test as well as practical countermeasures. The author draws on relevant experience in each chapter to highlight what worked in the past as well as what didn’t. From testing and gathering data, the author next takes you into reporting and the other, less glamorous, aspect of testing: fixing what is found.
For this section, the author provided some insight into what to include in a report to the client as well as what steps can be taken to fix what was found. The author also provided some tips on outsourcing information security. Of the sections, this one was my least favorite. While I found what he suggested including in the report to be accurate, my organization has its own reporting format, and many others will too. This might be worth mentioning, especially in a “Dummies” series book. And on that note, I am off to what I didn’t like.
For the most part this read like a CEH boot camp: it gets to the nitty-gritty but only scratches the surface, and it won’t prepare you to be a professional pentester. The author spoke of tools to use and even provided walk-throughs for some of those tools (mostly Windows based). I am not knocking the use of tools, as I am a big fan of the right tool for the right job. However, most seasoned pentesters use Linux much more than Windows (and some exclusively). Although many of the examples in the book are Windows based, there is an extensive listing of tools in the appendix covering both Windows and Linux. This once again illustrates that this is more of a book to give you a basic understanding of the topics and not necessarily how to become a pro. But even as an introductory book, I felt a more realistic balance of platforms would be useful in helping the reader decide if this is the path for them.
While some of the content has been updated for the 6th Edition, such as the inclusion of Windows 10 and Server 2016, some things that should have been updated were not. A prime example that sticks out is the use of a Windows GUI for nmap. The GUI referenced is no longer maintained and is available only for historical reasons. There was no reference to Zenmap, the GUI that is packaged with nmap. The author (or at least the technical editor) should have taken the time to verify tools prior to referencing them or including links. I do understand that links sometimes change and am allowing for that, but using a deprecated tool without mentioning that or providing an alternative is not good. This is especially true for the intended audience, those who are completely new to this topic.
The only other downside I noticed was a few typos. There were instances of words with a space between letters in that word, or words with an extra letter at the beginning. These should have been caught during the editing process.
Hacking for Dummies is a great book when viewed as an introduction to penetration testing. The one example of the outdated tool and a few typos do not take away from the overall content of the book. It provides the reader with enough information to build upon, but also to decide if outsourcing may be the route to go. Armed with the knowledge contained within this book, the reader can begin to explore penetration testing. More importantly, if outsourcing the penetration testing is chosen, they will know if someone is blowing smoke or really knows what they are doing. The author follows a set path and continues to build upon the foundation established early on. Kevin Beaver4 shoots to hit the 20% of the items that will cause 80% of your problems, and I feel he does.
This is a book that I will add to my shelf as a quick reference and a resource as I continue to build my own skillset and support the programs under my watch in my own organization. And while Google can and does provide some resources, the list here may get you some tools you did not think of or may have forgotten. If you are an experienced penetration tester or want to do penetration testing as a profession, then this book probably isn’t for you. Being part of the “Dummies” series, it’s intended to give the reader just enough to understand the topic. That it does incredibly well. So, if you are a jack-of-all-trades IT professional who wants to get a basic understanding of penetration testing, or you already work in information security/cybersecurity but have no experience with penetration testing, this book is for you.
Hacking for Dummies Freebies
- Hacking Tools You Can’t Live Without
- Common Security Weaknesses that Criminal Hackers Target
- Commonly Hacked Ports
- Tips for Successful IT Security Assessments
And also some great excerpts from Hacking for Dummies and other titles by Kevin Beaver.
NIST. (2014). NIST SP 800-53A, R4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. NIST Special Publication 800-53A, Revision 4, (December 2014), 1–487. https://doi.org/10.6028/NIST.SP.800-53Ar4
Nourbakhshian, M., Rajabinasr, A., Hooman, A., & Seyedabrishami, S. Z. (2013). Enterprise risk management and the process of risk assessment. Interdisciplinary Journal of Contemporary Research in Business, 4(9), 933–945.
Ross, R., Bodeau, D., Williams, P., Stoneburner, G., Rodrigo, S., Quigg, K., … Enloe, C. (2012). Guide for Conducting Risk Assessments (Special Publication No. 800-30 Revision 1). Gaithersburg.
3 – Beaver, K. (2018). Hacking for Dummies (6th ed.). Hoboken: John Wiley & Sons, Inc. ISBN: 978-1-119-48547-6, 416 pages, July 2018
4 – Kevin Beaver is an independent information security consultant with more than three decades of experience. Kevin specializes in performing vulnerability and penetration testing and security consulting work for Fortune 1000 corporations, product vendors, independent software developers, universities, and government organizations. He has appeared on CNN and been quoted in The Wall Street Journal.
Michael J. Conway is passionate about information security. He has been actively working in the field for the last 10 years and has seen that the more things change, the more they stay the same. Along the way, he has worked as an analyst reviewing findings from tools and interviews, in lab management, and on the defensive side. His experience runs from development to penetration testing and everything in between. Unlike some, much of his time has been spent with the various Microsoft products, and that is the environment with which he is most comfortable.
He is also a bit of a lifelong learner. His formal education journey started in the Air Force and culminated in earning a master’s degree. Since then, he has earned several certifications including CISSP. He also continues to read current research on computers, networks, and information security. Learning never stops.
Mike is a husband and a father. He and his wife just celebrated 18 years of marriage and are looking forward to many more. Their hope for their kids is that they can instill a lifelong passion for learning. Other hobbies include gaming, reading, studying leadership, and woodworking.