It has been a couple of months since I last posted. I have a lot going on right now and I have a few posts coming with updates on many exciting initiatives that I have been involved with, but I wanted to get back with something quick in one of my preferred activities, reading. I have been focused primarily on Information and Network Security lately, even if I did not intend to. So here is what I have been reading since November.
Security Strategy: From Requirements to Reality, by Bill Stackpole and Eric Oksendahl. Not only is it a good book around information and network security, but it is also a good book for someone starting to do more strategic work like me.
In Section I: Strategy, the authors discuss methods of how to think strategically, different types of strategic frameworks, and how to develop strategic plans, which require strong leadership skills in order to follow through the planning process, which includes performance, monitoring, evaluation and adjustment. Once they lay the ground with these concepts they start going through scenarios that describe how to be strategic about security and why Information Security programs, when aligned with both the culture and overall business strategy, can enhance processes and can even become a great marketing tool and bring competitive advantage. The importance of security convergence, the integration of logical and physical security, is also described, as is the increasing need to change the focus from security to risk management. They also describe three different models that organizations use for the delivery of security services: In-house Security Model, Security Services-integrator and All Security Services Outsourced.
In Section II: Tactics, Stackpole and Oksendahl go into how to go about implementing your strategic plans. I liked how they laid out four main tactical areas of information security: Defense in Depth, Excellence in Identity Management, Excellence in Security Engineering and Excellence in Operations. The authors also emphasize the importance of observation as a quality of any information security professional and of staff cross-training, among others. They also give great advice and present good models for delivering Security Awareness Programs in organizations.
Fatal System Error, by Joseph Menn. The book starts by introducing Barrett Lyon as the central character and how he started fighting Distributed Denial of Service (DDoS) attacks to defend companies within the gambling industry from extortionists. This eventually led Lyon to create Prolexic Technologies, which specialized in fighting Cyberattacks. Lyon moved on to become an entrepreneur and a well-known security industry figure who eventually participated in high-profile federal investigations around Cybersecurity in the US. This book offers great insight into how Cybercriminal mobs operate, and how different countries have put themselves in a position where they either serve these organizations, such as the Russian Business Network (RBN), or have fallen so far behind that they really can't counter or control their attacks. A second character emerges in Europe, British agent Andy Crocker, “who followed his leads and plunged deeper than any previous Westerner into hacking in the former Soviet Union”. The work of these two men has been critical to “the good guys'” advances against Cybercrime and Cyberwar because they are pioneers who relentlessly explored areas that nobody had before.
The book gives a technical overview of how Cyberattacks such as DDoS and Botnets, amongst others, work. Menn does a good job of describing how Cyber-threat has become a very prolific industry and references many famous cases such as the hacks perpetrated on T.J. Maxx and Heartland Payment Systems and how they were discovered by some of the most brilliant minds in the business, such as Lyon and Crocker, as well as Joe Stewart of Dell SecureWorks or Mikko Hypponen of F-Secure, to name a couple.
America The Vulnerable, by Joel Brenner. Mr. Brenner is a former Inspector General of the National Security Agency, NSA, and was also the head of U.S. Counterintelligence for the Director of National Intelligence. This book was a great follow-up to Fatal System Error. While the previous book focused primarily on Cybercrime with slight insight into Cyberwarfare, this book does exactly the opposite. Because of Brenner’s insight into the US national intelligence system, the book focuses on the threat that State-sponsored Cyberthreats, especially from China, represent to our country. It describes how Cybercrime has evolved into a potentially lethal weapon against a nation’s critical infrastructure (e.g. power, financial, military industries). It also illustrates the weakness of our current infrastructure and how the People’s Republic of China, PRC, and other nations have been able to exploit the US’s military forces and industries to steal classified information and intellectual property that they have used to catch up with our technology and use it against us. The author also references how organizations such as WikiLeaks operate and how Hacktivist groups such as Anonymous have derived from these organizations. Through a hypothetical scenario, he illustrates how China could potentially create serious damage and pretty much “own” the US on the verge of war. He actually mentions that while his scenario is fictional, some of the penetrations and techniques used by the PRC have actually already happened.
I have to say that if you work in Information Security and you want to catch Sr. Management’s attention, you need to read this book and also put a copy in front of management.
The Girl With The Dragon Tattoo, and The Girl Who Played With Fire, by Stieg Larsson. I don’t remember when the last time I read a fiction book was. Holy Enigmatic Girl Batman! I could not put these down. I finished the latter in one night with 200+ pages to go, the most I have ever read in one day…by far! The story of the first book develops around a journalist and owner of Millennium Magazine, Mikael “Kalle” Blomkvist, who is hired to resolve a family mystery about the murder of a girl. Blomkvist does resolve the case by relentlessly digging into the family business, which puts his life in danger. In the process he runs into Lisbeth “Liz” Salander, a very weird girl whose social skills are not “normal”, who happens to be really smart and great at investigations, which she carries out by means of observation and electronic hacking (security theme again, and this time unintentional). Salander becomes the perfect complement to Blomkvist and together they start discovering new facts and connecting dots until they resolve the case. They also engage in a deep and weird personal relationship, which ends abruptly at the end. Salander also manages to get hold of millions of Kronor (Swedish currency) by means of Cybercrime…really, I did not mean to get back on the Information Security track again, but Salander is a heck of a hacker herself!
The second book, The Girl Who Played With Fire, is about an investigation into the illegal sex trade and the prostitution industry carried out by Millennium Magazine through Dag Svensson, a freelancer, and his girlfriend Mia Johansson. While the investigation is going on, the story also reveals Liz Salander’s turbulent past and how society discriminated against her and labeled her as socially challenged. As Svensson gets close to the head of the sex trafficking industry, a link between that beast and Salander surfaces, and Svensson and Johansson as well as Salander’s legal guardian are all assassinated with the same weapon, which happens to have Salander’s fingerprints on it, and the hunt to find her starts. On one side we have the police services desperately yet ineffectively trying to track Liz Salander down. On the other hand, Blomkvist launches his own investigation to prove Salander’s innocence. At the end, the head of the mob and Liz engage in a brutal and bloody battle and both end up in critical condition at a Gothenburg hospital, and Salander’s innocence of the three murders is clearer, yet not yet proven. I have to get to the 3rd book for that!
My next books include the 3rd book in Stieg Larsson’s saga, “The Girl Who Kicked The Hornet’s Nest”, which I am reading now, and “The Hunger Games” saga. As for professional reading, I am going to turn my attention back to my roots, the network, and read “Designing Cisco Network Service Architectures (ARCH)” in order to prepare for completing my CCDP certification (and I sense that there will be a need to become better versed in SAN technologies and virtualization). I also want to read David Allen’s “Getting Things Done”.