World Book Day: Cybersecurity’s Quietest Celebration


The last time you were in a library, or a bookstore, you probably noticed how quiet it was. This doesn’t mean that people weren’t excited, or downright celebrating; they were engaged in a different method of celebration, the kind that takes place between the covers of a good book.

April 23rd marks the celebration of World Book and Copyright Day. As eloquently stated on the UNESCO web page, “through reading . . . we can open ourselves to others despite distance, and we can travel thanks to imagination.”

We asked a selection of Tripwire friends, and security experts for their recommendations for books that lift, educate, and inspire.  We hope you can use this list, not only to gain more knowledge, but to also strike that spark of insight that lies within.

The InfoSec community isn’t too large, but yet, many are still not aware of the hacker community. Our entire industry is full of hackers, and yet, also ignored by various players. Tribe of Hackers is my favorite book to recommend to folks who recently joined InfoSec, want to join InfoSec, or even to those who have been in the space for a while in Marketing, Sales, Operations, and Engineering.

Our industry needs to come together and recognize hackers in the space, and why they are critical to understand. Tribe of Hackers provides information about the hacker community, written by the hacker community. It showcases red teamers, purple teamers, blue teamers, and leaders. Most importantly, it reminds people that hackers are not the enemies, they are the ones protecting and serving every single moment of the day.

Confident-Cyber-Security

My book recommendation for World Book Day is Confident Cyber Security, by Dr. Jessica Barker. Recently published in September 2020, this book is a must-have for those who want to venture into and start a career in cybersecurity, or perhaps would like an overview of the cybersecurity realm as a whole. Covering everything from security basics, to how to boost your career, this book is absolutely fabulous in more ways than one!  Want to learn more about the human side of security, or are you curious about what roles you could pursue in cyber? Confident Cyber Security is brilliant at articulating a huge range of topics that engages the reader from the get-go.

The book features various security professionals in the field, including myself. Confident Cyber Security showcases cybersecurity at its best, and is an essential component of any cybersecurity library at home.

Parenting for a Digital Future

It is almost impossible to suggest just one book, as there are so many great books for those interested in the cyber and digital world. Books like The Digital Disconnect, by Ellen Helsper, or This Is How They Tell Me the World Ends, by Nicole Perlroth, are both excellent reads. However, I would ultimately like to suggest Parenting for a Digital Future: How Hopes and Fears About Technology Shape Children’s Lives, by Sonia Livingstone and Alicia Blum-Ross.

During the pandemic lockdowns, our children transferred their social activities from the school playgrounds and the parks to their smartphones and laptops. With the pervasiveness of digital technology in our lives and families, it becomes extremely important for parents to switch to “digital parenting” to manage these new challenges. As the authors note, it is not just about managing technology. It is about family practices and values around technology to explore dilemmas over how to live, what is wellbeing, and what is the hoped for “good life”. Parents may elect to embrace, balance or resist change but at the same time they have to confront the lack of state support, and their kids’ arguments for a democratic family.  This book is a must have for any parent looking to raise responsible digital citizens.

Mitch Parker | (LINKEDIN)

Click-Here-to-Kill-Everybody

More and more devices are connected to the internet, and it is not just traditional devices, such as desktop computers, laptops, and smartphones, it’s also things like microwaves, washers, and refrigerators. Now, the whole world is connected with thermostats, medical devices, and even nuclear power plants.

In the book Click Here to Kill Everybody, Bruce Schneier elucidates that our hyper-connected world leaves lots of reason for security doubt, especially if you consider the motivations of everyone involved.  Companies focus on taking full advantage of profits, and security (or the lack thereof) is often ignored, leaving the consumer to bear the burden.

Schneier raises questions on criminal behavior and broader, government policy considerations in order to try and figure out where we draw the line between the free market, and consumer security.  Questions such as, how much security is needed, what are the correct algorithms, and how will these all be enforced? There is much more to this book, and Bruce builds the basis for much deeper thought, and need for oversight in a completely connected world filled with ongoing synchronization of opportunity and tragedy.

Hacking-Exposed Malware and Rootkits

Hacking Exposed – Malware & Rootkits was one of the first books that really opened my eyes to threats that existed in the world of computers. I picked up this book in 2010 and it has since been re-released as a second edition. The book has three parts covering Malware, Rootkits, and then Prevention. While most of the topics are nothing new in today’s security field, I was amazed back then at the complexity of some of the attack vectors, and countermeasures, that were in use.

If you are starting out in cybersecurity and you are looking for an interesting read that provides some fundamentals, then I recommend this book.  Just remember that these techniques have now been around for over a decade, and new ones are being developed every day.  Hope you find it a good read.

Countdown-to-Zero-Day

My favorite cybersecurity book is Countdown to Zero Day, by Kim Zetter. This book goes into great detail about the “STUXNET” attack, describing the zero-day attack that security researchers launched against a facility to sabotage a nuclear development program. It goes on to explore how the attack was supported by a covert government operation in an effort to gain political insight and control.

It’s extremely interesting because it details how several attack surfaces were all chained together to make such a sophisticated cyber weapon. This ranged from common social engineering tactics, to secret USB files that in turn, created Kernel root kits that then masked payloads behind executable packers in dynamic link library (dll) files that followed strict converting algorithms and sandboxing techniques with the addition of DNS masking and encrypted phone-home communication abilities.  This was all carefully designed to target Critical Infrastructure Operational Technology in a particular region of the world.

I enjoyed this book because it demystifies the how, and why security is so important along with how it can have life changing financial, organizational, and political effects.

The-Third-Wave

First published in 1980, The Third Wave was a groundbreaking book by the late, highly regarded futurist, writer, and businessman, Alvin Toffler. It followed his first book, Future Shock, (which first popularised the term ‘information overload’) and explores the ever accelerating evolution of mankind through the lens of three distinct societal ‘waves.’ The ‘first wave’ belonging to an agricultural society gradually developed over thousands of years, a second more rapidly advancing and disruptive wave born out of the industrial revolution, and the third, being the lightning fast, post-industrial, information age.

Cybersecurity is of course very much a product of this third wave, and an understanding of how we have got to where we are and where we may yet go, should inspire and interest many of its practitioners. Today, the book still works on many levels. It is packed with ideas which not only foresaw many of the technological developments we take for granted, but it also anticipated the irreversible impact they would have on the way we think, act, and live. Other developments may just be emerging. Whilst signaling the warnings of such advancement for those displaced, and acknowledging the inevitable conflict as the third wave awkwardly collides with the last, Toffler’s vision was not of some dystopian future, however, but more one of cautious hope, and new possibilities. In popular culture, the book is also recognised as having a profound impact on Detroit’s highly influential ‘Techno’ music pioneers and innovators.

Tribe-of-Hackers

Depending on which expert you turn to, there are anywhere from 4 to 8 learning styles. Knowing how you learn best can really make a difference in how you assimilate new information. For me, reading or visual learning is number one. This is probably why I too was so drawn to the Tribe of Hackers series written by Marcus J. Carey and Jennifer Jin. Reading the book was like dropping into a coffee tête-à-tête between a group of security experts extraordinaire!

Using the same well-chosen set of questions for each expert, the comments range from specific security viewpoints to career advice. The full series is great, but I recommend starting with the first in the series Tribe of Hackers. The interview format was easy to consume in short bursts, say over my morning coffee!

While reading specific individual opinions was valuable, I especially found fascinating the overall trends that came from having 70 experts opine on the same questions. In particular, how many experts still point to basic security hygiene such as strong passwords, 2FA, asset inventory, and change management, and how many companies are still ‘waiting for a breach’ to justify the budget to create a security program based on recommendations such as the Top 20 CIS controls.

In the long run, using my favorite way of learning – reading – this series improved my personal knowledge around cyber security and is a great resource to have on hand.

WebMage

Webmage by Kelly McCullough is an amazing story, told in a magnificently engaging style. Webmage follows a hacker/sorcerer called Ravirn, in a world where the ancient Greek mythos reigns, magic has been upgraded to the digital world, and sorcery can be performed using programs. Or, if you’re in a bind, by whistling the raw binary. Ravirn is asked by someone he can’t really refuse, to debug a ‘program’ that would effectively remove free will from the world. When he refuses, his would-be employer sends thugs and assassins after him, and Ravirn races to defang the program before it can be implemented.

While it’s technically a young adult novel, the presentation of programming and hacking as magic really struck my fancy when I first caught sight of the book a few years ago. The author has a good enough understanding of cyberspace and the terminology to transform it into this magical world where a web “spider” is in fact shaped like a spider, and a laptop is also a sentient goblin familiar. This is the first book in a series that has continued to delight, as McCullough expands on the unique universe he created, and Ravirn goes from small-time hacker kid to a power in his own right.

Sandworm

I’m not much of a book reader, but over the course of the pandemic, I’ve found myself listening to audiobooks on a regular basis. Several of these books have focused on technology, privacy, and security. I enjoyed several of them including Snowden’s Permanent Record, Clarke and Knake’s The Fifth Domain, and Menn’s book on Cult of the Dead Cow, but it was Andy Greenberg’s Sandworm which left the biggest impression on me.

In this book, Greenberg uses interviews with key players to peel back the curtain of international cyber-espionage and warfare with a specific focus on entities of the Russian federal government. The book is full of interesting accounts of pivotal events like the Aurora Generator Test, attacks against Estonia, and the aftermath on the ground in the wake of NotPetya. I really liked the historical context included in the book and how this can tie together various seemingly disparate events into a cohesive story.  The book is absolutely eye-opening with regard to just how badly a sophisticated adversary could disrupt society through a cyberattack, as well as to understand some of the mechanisms and motives of Russian cyber aggression.

The-Perfect-Weapon

In the book, The Perfect Weapon: War, Sabotage and Fear in the Cyber Age, by David E. Sanger, Sanger illustrates how cyber weapons have changed the way wars are fought, similar to the way the atomic bomb changed warfare in World War One. Cyber weapons can cripple critical infrastructures, tamper with elections, and do much more with little to no attribution as to who made the first move. The book also discusses how two U.S. Presidential Administrations succeeded and struggled to get a grasp on the impact on cyber weapons and warfare tactics.

This resonated with me because my career in cybersecurity began while I was serving in the United States Air Force stationed at Ft. Meade in Maryland. During my career, I worked many roles on the NSA campus and was a witness to the beginnings of CYBERCOM. I was part of the government that was “figuring out this cyber thing.” I became a Digital Network Exploitation Analyst, where we learned about STUXNET and various cyberattacks, to help us better understand the cyber threat from which we were being charged to protect America.

Reading Sanger’s perspective on the United States’ response or lack of response to the cyber threat was very real for me. I lived it. It is a good read for those who are technology-dependent, but clueless about how deep cyber warfare actually is and who the threat actors are in the work arena. Overall, definitely worth reading.

Cybersecurity-Leadership

In Cybersecurity Leadership: Powering the Modern Organization, author Mansur Hasib does a  great job of providing an academic and historical perspective of cybersecurity, including its evolution and what it is, and what it is not.  While maintaining that cybersecurity leadership is a business discipline, and not a technology discipline, the author offers several examples that demonstrate the multi-disciplinary and multi-dimensional approach that is necessary to achieve effective cybersecurity leadership.  This is a great book for business executives and individuals seeking the role of Chief Information Officer (CIO), or Chief Information Security Officer (CISO).  The book’s content provides a practical lens through which leaders should view cybersecurity.

The author weaves in the history of cybersecurity, cybersecurity teaching, training and awareness models, historical references to leadership, including historical figures who were considered ethical leaders, and connects the dots between types of leaders and types of leadership, and the narrower topic of cybersecurity leadership.  Throughout the book, you will read very simple and practical definitions of leadership, as well as examples of what constitutes good leadership and bad leadership.

In addition to those who aspire to the role of CIO, the book is a practical resource for individuals who may be responsible for serving in an advisory role to the CIO or who would like to understand how to successfully collaborate with the current CIO within their organization.  The book includes high-level information related to developing a cybersecurity program, as well as some very specific recommendations related to education, healthcare, and technology.  I like that the author focused on the evolution of the CIO’s role from an operational one to a strategic one, and I think those individuals participating in the CIO or CISO hiring process will appreciate the discussion of salary negotiations and reporting structures.

Practical-Packet-Analysis

My favourite book is a little biased, as I was the technical editor on the second and third editions. The book is Practical Packet Analysis, by Chris Sanders. If you want to understand Wireshark, it is the best book on the market, and it’s from the greatest publisher of technical books, No Starch Press. The book really digs into the details of Wireshark and teaches a lot of tips and tricks to make your life easier when performing packet analysis on large chunks of data. I highly recommend picking this book up either to read or just to keep as a handy reference guide. I have multiple copies of it on my shelf, and frequently recommend it to my students.

When we step away from technical books, I’ve loved a lot of books over the years and tend to be loyal to authors more than genres. When I was younger it was Clive Cussler and as I grew out of those it was Dean Koontz, Christopher Moore, and Jim Butcher. In recent years, a Tripwire colleague, Christopher Minori has taken up space on my bookshelf. His book Little Idiots, from 2018, was a joy to read, and his new book, Stealing Destiny, is next on my reading list. Minori’s work, technical books, and comics, have been my main go-to books for the past few years, so I’d be remiss not to mention my own comic, Captain Tripwire as a great read. You can check it out for free right here on our blog.

We hope that you can enjoy some of the recommendations from our experts. No matter what genre you like to read, or whether your preference is a digital reader, a printed and bound book, or an audio book, you can join in the festivities of World Book and Copyright Day.  Happy reading!


