The “Certified Ethical Hacker: Study Guide” by Kimberly Graves has gained considerable attention and popularity in recent years in response to the need for professional information security practitioners to increase their awareness of the techniques, tools and motives used by hackers. In doing so, the information security practitioner will understand what is needed to implement better protection for corporate networks. The book has been used not just as a tool to obtain the Certified Ethical Hacker (CEH) certification administered by EC-Council, but also as a knowledge source for better understanding networking concepts, computer operating systems, hacking tools and hacking concepts. Graves has aided the information security community by releasing “Certified Ethical Hacker: Study Guide.” This book is the key to protecting the infrastructure and, according to the author, “By learning the same skills and employing the software tools used by hackers, you will be able to defend your computer networks and systems against malicious attacks.”
The table of contents lays out an orderly and organized approach to learning the subjects in the book. The book begins with introductory topics and builds to more advanced concepts and techniques in later chapters. I appreciated the details provided in the table of contents and how it served as an outline to perform penetration testing. Reviewing the list of detailed topics per chapter provided insight into the organizational structure and the progression of the book.
The body of the book consists of fifteen chapters, an appendix and glossary. Each chapter ends with a chapter summary, exam essentials, review questions and the answers to the review questions. I found the review questions to be extremely useful by testing my knowledge of key concepts in each chapter.
Chapters 1 through 3 offered a great introduction to the book as well as some key issues and definitions used in later chapters. They cover an introduction to ethical hacking, ethics and legality (Chapter 1), gathering target information (Chapter 2) and gathering network and host information (Chapter 3). Although these chapters covered basic material, most readers, including advanced security professionals, should find them useful as a refresher. I found the use of figures, diagrams and screenshots to be extremely effective in those chapters.
Chapters 4 through 7 discussed typical attacks that are performed by hackers: system hacking (Chapter 4), Trojans, backdoors, viruses and worms (Chapter 5), gathering data from networks (Chapter 6) and denial of service and session hijacking (Chapter 7). The author covered key topics by providing definitions, concepts, tools and techniques on how to use the various hacking tools, then provided details on how to detect and protect against the attacks implemented by those same tools.
Chapters 8 through 11 discussed additional hacking techniques that were less typical but common amongst hackers. These chapters encompassed hacking material relating to web hacking (Chapter 8), attacking applications (Chapter 9) and wireless network hacking (Chapter 10). In addition, the author also discussed non-technical attacks on physical site security (Chapter 11). I found these chapters to be very detailed in their content and found physical site security (Chapter 11) to be very informative due to the lack of concern often placed on the location where information security functions are being performed.
The final four chapters covered advanced and evasive hacking techniques: hacking Linux systems (Chapter 12), bypassing network security (Chapter 13), cryptography (Chapter 14) and finally performing a penetration test (Chapter 15). Many of the concepts from earlier chapters came into play in Chapter 15, performing a penetration test. Graves discussed the penetration testing steps, which consist of the pre-attack phase, the attack phase and the post-attack phase. The subjects discussed in earlier chapters set the stage to implement the penetration testing steps successfully.
Graves’ coverage of the subjects in Certified Ethical Hacker: Study Guide went far beyond a book to help a person obtain a certification. It was written in a manner suitable for anyone from a novice interested in the information security field to the seasoned information security practitioner trying to obtain additional information to assist in the protective and detective posture of the corporate network. This book is an important contribution to the information security community and will likely aid in producing knowledgeable information security practitioners in the future.
Graves, K. (2010). Certified Ethical Hacker: Study Guide. Wiley Publishing, Inc. Indianapolis, Indiana