on 11 August 2009
Unauthorised Access is nothing short of a manual for corporate espionage. Author Wil Allsopp is a "penetration tester", a hired gun brought in by companies to find out how effective the security defences protecting their premises are.
While conventional penetration testing ("pentesting") involves remote hacking, typically through software vulnerabilities, physical pen-testers gain access to a company's offices or data centre with the goal of connecting to a restricted network, planting a bug or even an imitation explosive device.
With ten years' experience as a pen-tester, Allsopp offers superb insight into common methods used by criminals to manipulate employees, from phone calls to outright espionage. The chapter on social engineering, in particular, is guaranteed to spark paranoia and sleepless nights among even the most grizzled chief security officers.
Specific tactics he reveals include employing politeness, inducing fear, faking supplication, invoking authority, ingratiation and deference, and even sexual manipulation.
Another chapter details several successful pen-tests conducted by Allsopp and his team, including attacks on a UK power plant and a supercomputing facility conducting spatial modelling of nuclear explosions for the military. He also describes the antics of a pentester who bypassed the security of a large corporate by observing the uniform of the firm's security guard, then showing up the next day in identical costume, pulling rank and relieving the man of duty.
The enjoyment Allsopp clearly derives from his work is reflected in his book; he writes with that particular tone of repressed glee common among white hat hackers. This, together with his tendency to adopt a Boy's Own adventure narrative style, makes the book very readable but occasionally somewhat glib. And at times it is hard to tell whether Allsopp is offering advice to the CSO, helping the reader start their own pen-testing company or trying to prove to a less salubrious readership how clever he is.
Indeed, many of the techniques described in Unauthorised Access are open to abuse. Allsopp gives the excuse that "the bad guys already know", before urging the reader to consider taking up lock picking as a rewarding hobby.
on 20 January 2011
This book is written from the perspective of a penetration tester, a security professional hired to "break in" to companies to test their physical and IT security. To summarise, this book is fantastic. It is packed full of great practical information with no wasted narrative. Inside you will find chapters on social engineering, bypassing the security/reception areas of buildings, lockpicking, wireless hacking and lots, lots more. Throughout, the author provides step-by-step instructions and what tools or software are needed at various stages (he even provides all the links to download them). This is nothing short of a bible on penetration testing. Because of the sheer amount of information packed into the book, it might not go into the depth of detail you are interested in, but it will definitely motivate you to find out more about the area that interests you. Near the end of the book, the author even gives some real-world examples of some "jobs" he undertook and the challenges he faced at every turn. These were fascinating examples of real-world scenarios showing that the penetration tester used a combination of social engineering, hacking and physical breaking and entering to achieve his goal. This one is staying on my shelf as a nice reference manual. A definite must for anyone interested in physical or IT security, auditing or someone interested in getting into the security industry.
It's not often that you can say that someone literally 'wrote the book', but Wil Allsopp has done so with 'Unauthorised Access'. This is the starting point for anyone interested in the physical penetration aspects of Information Security, the 'Go To' guide that should be on the bookshelf of any IT Security team. One caveat, which of course applies to all IT books, is that some of the technology mentioned can become outdated. That does not detract from the book overall, as the technology chapters are less important than the physical access ones.
Oddly, Amazon have this listed as being written by Kevin Mitnick. Whilst Kevin certainly provides the 'foreword', the book is written by Allsopp. I'm not sure whether this is a genuine error on Amazon's part, or if it's designed to get the book more visibility when people search for IT Security and/or Kevin Mitnick.