Chapter 1: Further Reading — Introduction to Ethical Hacking

An annotated bibliography of essential resources for deepening your understanding of ethical hacking fundamentals. Resources are organized by category, with annotations explaining why each is valuable and how it connects to the chapter's content.

Foundational Books

The Art of Deception by Kevin Mitnick and William L. Simon (2002)

Wiley. ISBN: 978-0471237129

The definitive book on social engineering, written by the most famous hacker in history. Mitnick presents real-world social engineering scenarios that demonstrate how attackers manipulate human psychology to bypass technical controls. Essential reading for understanding the human factor in security — a theme that runs throughout this textbook. Start here if you want to understand why technical controls alone are never sufficient.

Ghost in the Wires by Kevin Mitnick and William L. Simon (2011)

Little, Brown and Company. ISBN: 978-0316037709

Mitnick's autobiography covering his hacking career, pursuit by the FBI, imprisonment, and transformation. Beyond being a compelling narrative, it provides insight into the mindset of a skilled attacker and the evolution of both hacking techniques and law enforcement capabilities from the 1980s through the 2000s. Directly relevant to Case Study 1.1.

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)

No Starch Press. ISBN: 978-1593275952

An excellent practical introduction to penetration testing that complements this textbook's theoretical foundation with hands-on technique. Weidman walks through the complete pentest lifecycle with real examples. While some tool versions are dated, the methodology and approach remain highly relevant.

The Hacker Playbook 3: Practical Guide to Penetration Testing by Peter Kim (2018)

Independently published. ISBN: 978-1980901754

Structured as a "playbook" of offensive techniques organized by the phases of a penetration test. Kim draws on his experience as a professional pentester to provide practical, actionable guidance. The playbook format makes it an excellent reference during actual engagements.

Red Team Field Manual (RTFM) by Ben Clark (2014)

Independently published. ISBN: 978-1494295509

A pocket-sized reference guide containing essential commands, syntax, and procedures for penetration testing. Not a learning resource, but an invaluable quick-reference for the commands and techniques you will use daily. Keep it alongside your Kali VM.

Standards, Frameworks, and Official Guidance

NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment

National Institute of Standards and Technology. Available free at csrc.nist.gov

The U.S. government's authoritative guide to security testing methodology. Covers planning, execution, and reporting of security assessments. Essential reading for anyone conducting tests in regulated environments or government contracts. Provides the formal framework that many organizations reference in their pentest procurement.

PTES (Penetration Testing Execution Standard)

Available at pentest-standard.org

A comprehensive standard for conducting penetration tests, covering pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. More detailed than the five-phase model presented in this chapter, PTES provides granular guidance for each phase.

OWASP Testing Guide

Available at owasp.org/www-project-web-security-testing-guide/

The definitive guide for web application security testing. While focused on web applications (covered in depth in later chapters), the testing methodology and reporting guidance are broadly applicable. The guide is continuously updated and freely available.

MITRE ATT&CK Framework

Available at attack.mitre.org

Introduced in detail in Chapter 2, ATT&CK is essential reference material from Chapter 1 onward. Familiarize yourself with the Enterprise matrix, technique descriptions, and threat group profiles. The ATT&CK Navigator tool (mitre-attack.github.io/attack-navigator/) is particularly useful for visualizing attack coverage.

Industry Reports

IBM Cost of a Data Breach Report (Annual)

Available at ibm.com/reports/data-breach

The most widely cited source for breach cost data. The 2024 report (referenced in Section 1.5) provides essential statistics for making the business case for ethical hacking. New editions are published annually. Read the executive summary at minimum; the full report provides granular data by industry, country, and breach characteristics.

Verizon Data Breach Investigations Report (DBIR) (Annual)

Available at verizon.com/dbir

The most comprehensive analysis of real-world breach data, covering tens of thousands of incidents annually. Essential for understanding the threat landscape, common attack patterns, and which security controls actually matter. The DBIR's findings directly inform what penetration testers should prioritize.

Mandiant M-Trends Report (Annual)

Available at mandiant.com

Based on Mandiant's (now part of Google Cloud) incident response engagements, this report provides detailed analysis of attack trends, dwell time statistics, and adversary behaviors. Particularly valuable for understanding post-compromise activities and detection gaps.

Legal and Ethical Resources

Electronic Frontier Foundation: Computer Fraud and Abuse Act Resources

Available at eff.org/issues/cfaa

The EFF maintains comprehensive resources on the CFAA, including analysis of court decisions, reform proposals, and guidance for security researchers. Essential reading for understanding the legal boundaries of ethical hacking in the United States.

Department of Justice: Computer Crime and Intellectual Property Section

Available at justice.gov/criminal/criminal-ccips

The DOJ's official resources on computer crime prosecution, including the text of relevant statutes, case summaries, and guidance documents. Useful for understanding how federal prosecutors approach computer crime cases.

ACM Code of Ethics

Available at acm.org/code-of-ethics

The Association for Computing Machinery's professional code of ethics, referenced in Section 1.10.1. Provides a broad ethical framework applicable to all computing professionals, including ethical hackers.

Certification Preparation

Offensive Security: OSCP Certification

Available at offensive-security.com

If you are planning to pursue the OSCP (the most respected hands-on pentest certification), start by reviewing the exam guide and syllabus. The "Try Harder" philosophy of Offensive Security aligns perfectly with the mindset we describe in Section 1.8.

CompTIA PenTest+ Study Guide

Sybex/Wiley. ISBN varies by edition.

For those earlier in their careers, PenTest+ provides a more accessible certification path. The study guide covers the same penetration testing lifecycle we introduce in this chapter, with additional depth on tools and techniques.

Online Resources

SANS Reading Room

Available at sans.org/reading-room

Thousands of free research papers on cybersecurity topics, written by SANS students and instructors. Search for "penetration testing methodology" or "ethical hacking" for papers directly relevant to this chapter.

Krebs on Security

Available at krebsonsecurity.com

Brian Krebs's investigative journalism on cybercrime and cybersecurity is essential reading for staying current with the threat landscape. His reporting frequently covers the real-world incidents that ethical hackers are paid to prevent.

Daniel Miessler's Blog

Available at danielmiessler.com

Thoughtful analysis of security concepts, including regular updates to curated resources like SecLists (a collection of wordlists used in security testing). His "Unsupervised Learning" newsletter provides excellent weekly summaries of security news.