Table of Contents

INTRODUCTION Perspectives of Value SECURITY AND HACKING Information Security Security Architecture Hacking Impacts THE FRAMEWORK Business Planning and Operations Reconnaissance Enumeration Vulnerability Analysis Exploitation Final Analysis Deliverable Integration INFORMATION SECURITY PROGRAM Scope of Information Security Programs The Process of Information Security Component Parts of Information Security Programs BUSINESS PLANNING AND OPERATIONS Business Objectives Security Policy Previous Test Results Business Challenges The Business of Security Reasoning Overall Expectations How Deep is Deep Enough? Timing is Everything Attack Type Source Point Required Knowledge Inherent Limitations Imposed Limitations Multi-Phased Attacks Teaming and Attack Structure The Security Consultant The Tester Logistics Technical Preparation Managing of the Engagement Scenario RECONNAISSANCE The Hacker Reconnaissance Techniques ENUMERATION Technical Objective Soft Objective Scope of Effort Looking Around or Attack? Preparing for the Next Phase VULNERABILITY ANALYSIS Weighing the Vulnerability Source Points Reporting Dilemma EXPLOITATION Intuitive Testing Evasion War Dialing Threads and Groups Operating Systems Password Crackers Rootkits Applications Network Services and Areas of Concern FINAL ANALYSIS Critical Warning Informational DELIVERABLE Overall Structure Aligning Findings Format INTEGRATION Mitigation Defense Planning Incident Management Security Policy CONCLUSION APPENDIX-SPOOFING AND SEQUENCE ATTACK