Unauthorised Access: Physical Penetration Testing For IT Security Teams (Paperback)

~ (Author), Kevin Mitnick (Foreword)

Editorial Reviews

Product Description

The first guide to planning and performing a physical penetration test on your computer's security

Most IT security teams concentrate on keeping networks and systems safe from attacks from the outside-but what if your attacker was on the inside? While nearly all IT teams perform a variety of network and application penetration testing procedures, an audit and test of the physical location has not been as prevalent. IT teams are now increasingly requesting physical penetration tests, but there is little available in terms of training. The goal of the test is to demonstrate any deficiencies in operating procedures concerning physical security.

Featuring a Foreword written by world-renowned hacker Kevin D. Mitnick and lead author of The Art of Intrusion and The Art of Deception, this book is the first guide to planning and performing a physical penetration test. Inside, IT security expert Wil Allsopp guides you through the entire process from gathering intelligence, getting inside, dealing with threats, staying hidden (often in plain sight), and getting access to networks and data.

• Teaches IT security teams how to break into their own facility in order to defend against such attacks, which is often overlooked by IT security teams but is of critical importance
• Deals with intelligence gathering, such as getting access building blueprints and satellite imagery, hacking security cameras, planting bugs, and eavesdropping on security channels
• Includes safeguards for consultants paid to probe facilities unbeknown to staff
• Covers preparing the report and presenting it to management

In order to defend data, you need to think like a thief-let Unauthorised Access show you how to get inside.

From the Back Cover

In this book Wil Allsopp has created a thorough reference for those looking to advance into the area of physical penetration testing. The book also serves as a guidebook for in-house security managers seeking to institute better policy safeguards.” – From the Foreword, by Kevin Mitnick

Most IT security teams concentrate on keeping networks and systems safe from the outside – usually with the entire focus on firewalls, server configuration, application security, intrusion detection systems, and the like. But what if your attacker was on the inside? What if they were sitting at an employee’s computer, or placing a wireless access point hidden in a wiring closet or even roaming inside your server room?

Unauthorised Access provides the first guide to planning and performing physical penetration tests. Inside, IT security expert Wil Allsopp guides you through the entire process from gathering intelligence, getting inside, dealing with threats, staying hidden (often in plain sight) and getting access to networks and data. Learn to think like an attacker with topics that include:

• Types of target vs level of anticipated response
•  Dealing with guards
•  Intelligence tradecraft, satellite imagery and in depth information gathering
•  Planting bugs and covert wireless access points
•  Hacking security cameras
•  Strategic, tactical and operational planning
•  Defeating locks, electronic keypads and other electronic access systems
•  Social engineering - the weakest link
•  Using your “Get Out of Jail Free” card
•  Complying with local laws
•  Attacking wireless networks

Product Details

• Paperback: 302 pages
• Publisher: Wiley (September 22, 2009)
• Language: English
• ISBN-10: 0470747617
• ISBN-13: 978-0470747612
• Product Dimensions: 9.2 x 7.3 x 0.9 inches
• Shipping Weight: 1.2 pounds (View shipping rates and policies)
• Average Customer Review: 5.0 out of 5 stars  See all reviews (1 customer review)
• Amazon.com Sales Rank: #205,014 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

5.0 out of 5 stars Best security book of 2009, November 6, 2009

By	Lev Eriksson (London) - See all my reviews

Unauthorised Access is nothing short of a manual for corporate espionage. Author Wil Allsopp, is a "penetration tester", a hired gun brought in by companies to find out how effective the security defences protecting their premises are.

While conventional penetration testing ("pentesting") involves remote hacking, typically through software vulnerabilities, physical pen-testers gain access to a company's offices or data centre with the goal of connecting to a restricted network, planting a bug or even an imitation explosive device

With ten years experience as a pen-tester, Allsopp offers superb insight into common methods used by criminals to manipulate employees, from phone calls to outright espionage. The chapter on social engineering, in particular, is guaranteed to spark paranoia and sleepless nights among even the most grizzled chief security officers.

Specific tactics he reveals include employing politeness, inducing fear, faking supplication, invoking authority, ingratiation and deference, and even sexual manipulation.

Another chapter details several successful pen-tests conducted by Allsopp and his team, including attacks on a UK power plant and a supercomputing facility conducting spatial modelling of nuclear explosions for the military. He also describes the antics of a pentester who bypassed the security of a large corporate by observing the uniform of the firm's security guard, then showing up the next day in identical costume, pulling rank and relieving the man of duty

The enjoyment Allsopp clearly derives from his work is reflected in his book; he writes with that particular tone of repressed glee common among white hat hackers. This, together with his tendency to adopt a Boy's Own adventure narrative style, makes the book very readable but occasionally somewhat glib. And at times it is hard to tell whether Allsopp is offering advice to the CSO, helping the reader start their own pen-testing company or trying to prove to a less salubrious readership how clever he is.

Indeed, many of the techniques described in Unauthorised Access are open to abuse. Allsopp gives the excuse that "the bad guys already know", before urging the reader to consider taking up lock picking as a rewarding hobby.