The Ethical Hack
A Framework for Business Value Penetration Testing
This book was published in late 2004 and it’s experienced an interesting life from inception to how it’s being used and referenced today.
I wrote the book because I saw a gap in how penetration testing was being performed. There was, and still is, a great deal of focus in the technical space. Of course, this is absolutely necessary because technology changes and technical prowess is core to poking holes in systems to make them stronger. Additionally, tactics and tools are essential attributes of a testing approach, so that it best reflects the types of adversaries to which you may be exposed.
However, these same core philosophies used in the technical domain were not addressed within the broader concept of how this activity relates to the business and underlying intent. Moreover, this gap resonated in execution, affecting the ability to gain as much value from the process. The basis of the concept is that regardless of how you may try, you simply cannot accurately mimic a real threat. Limitations or restrictions (implied or enforced) in time, funding, capabilities, tools, scope, and methods influence the results. This phenomenon is completely unavoidable.
Nevertheless, when one embraces the model of execution from the perspective of value and not simply one of a technical nature, you find huge opportunities that lend themselves to closing these gaps, while vastly increasing the value and effectiveness of the exercise.
The framework I write about provides a method to exploit these nuances in each phase of testing, from planning to reporting. The goal was to expose opportunities that are well within your control to manage, and to demonstrate that, when they are not utilized, they actually work against generating true value for the business and for security as a whole.
The life of the book since it was published has been interesting. There have been several very positive reviews of the book, for example from IEEE and Secure Management. Here are a few excerpts:
- “Tiller does a fantastic job explaining the process of the ethical hack from beginning to end. By way of charts, diagrams, graphs, and comparisons, the reader is led step by step through a penetration test.”
- “The Ethical Hack is one of the most complete books on penetration testing available. It can be confusing due to the complex nature of some of the information, but Tiller does his best to lighten the material with humor and reinforcement of key concepts.”
- “This book differentiates itself by presenting a structured approach to testing an organization’s security.”
- “Tiller’s writing style makes the book easy to follow, and he uses plenty of real-world examples. Having worked in the industry for a while, I’ve seen many examples of how not to conduct an ethical hack; Tiller describes common pitfalls and presents examples of penetration tests that have little or no real value for the organization being tested.”
- “And while security vulnerabilities constantly change, the framework that Tiller describes will remain valid because security’s fundamental aspects will change slowly.”
As time passes it seems to get more attention. For example, Norwich University is now offering a popular security class that is completely based on my Ethical Hacking book and the framework it defines. The classes have gone very well and there is a potential it may become a required, accredited course in their information assurance masters program beginning next year (2010).
One quote I received was, “The textbook was also a great resource. I found I used that the most out of the course.” – a student at Norwich University.
The book is listed in university libraries around the world. I found roughly 70 universities that maintain this book for their students and identify it as supporting material for various classes on business IT management and security.
It’s also been referenced by several other publications, such as Journal of Theoretical and Applied Electronic Commerce Research, Journal of Computer Science and Information Security, and Information Systems Security Journal, to name a few.
One of the more interesting aspects is that I’ve learned from a number of large organizations that they use my Ethical Hack book as the foundation of their security program. I haven’t received approval from them to share their names (well, more accurately, I didn’t ask), but the list includes global financial firms, large retail and manufacturing companies, and logistics companies. I’ve also learned that governments and agencies have used this book, here in the US, in Australia, and in Germany. I was visiting a large manufacturing company in Germany and was ushered past several cubes and offices on the way to the room where we were having the meeting. As we walked I noticed several cubes where the framework chart (a fold-out in the back of the book, which is well hidden if you don’t know it’s there) was pinned up on the walls being used as a common reference, which of course made me proud.
However, in a bizarre twist of irony, growing popularity does come with interesting results. I’ve found more than 100 different methods to get the book online. One torrent feed had more than 14,620 downloads the last time I checked. I didn’t write the book to make money… if that was the case I’d starve. But, I do have concern for my publisher; they made significant investments in its production. Nevertheless, it’s – in a very weird way – “nice” to find the book is so popular, even if it’s through illegal activities. Well, such is life.
You can Google this book and get millions of hits and find numerous references and comments about it. Admittedly, when I do this about me or my publications, I’m always waiting to pick a link where someone slams me or my writing. Not that this isn’t out there, but the opposite has been true about this book. I’ve found discussion threads, people listing the book as part of their library along with other books and authors I respect immensely, five-star ratings from book clubs, and of course a few hackers who have made a pile of positive comments.
I really enjoyed writing the book and am very proud that it has been well received and is growing in popularity. The fact that Norwich University is using it as the basis for a security course is truly satisfying for me as an author.