Dawn of the Code War: The U.S. was innocent, we swear!

My Reaction

This novel was a rough read but has some unique insights that make it worth finishing. I personally learned a lot about attacks conducted by the Chinese and Iranian nation states. I had heard of many, but some of the less public ones were interesting to hear about. Unfortunately there is very little in this novel about the technical mechanisms for those attacks. The descriptions are very focused on the politics and history of the events rather than the how.

The foreword and introduction were pointless, rambling, and exceedingly long. I recommend skipping those and starting with chapter 1. Things start to feel a bit more coherent and unique in chapter 2 where Carlin discusses events from the perspective of upper management in fledgling U.S. cyber programs. This perspective is refreshing as it’s not from the very detached top official and gives some insight into the formation of many U.S. organizations that have matured since his involvement.

Starting in the middle of chapter 4, Carlin’s bias towards the United States and the integrity of his organizations becomes clear and blatant and at odds with reality in some points. For instance, his argument for why Snowden was bad hinged on sunk costs and the fact that what he did was technically illegal. He was unapologetic about his role in spying on U.S. citizens and keeping the country’s cyber program hidden from the public. He posits that it was all legal and necessary because FISA courts said it’s all fine.

Recommendation

I do not recommend this novel for security professionals. If you want a good history of cyber war from the U.S. perspective, I would pick up Dark Territory instead. There’s not much in Dawn of the Code War that’s worth exploring that’s not covered in there and Sandworm.

Dawn of the Code War Book Cover

Suitable for:

IT Professionals
★★☆☆☆

Software Developers
★★☆☆☆

Security Analysts
★★☆☆☆

Security Engineers
★★☆☆☆

Security Operators
★★☆☆☆

CISO / CIOs
★★☆☆☆

Other Executives
★☆☆☆☆

My Rating

★★☆☆☆

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★☆

The Plot to Hack America: the 2016 Elections

Synopsis (heavy bias)

Going into the 2020 elections, I thought it would be good to get some insights on how Russian cyber efforts affected the 2016 elections. The Plot to Hack America: How Putin’s Cyberspies and WikiLeaks Tried to Steal the 2016 Election seemed like it could wrap things up neatly. It did not.

The majority of this novel is focused on the history of Russian spycraft. There are a few sparse paragraphs that discuss how common Russian spycraft methods were applied to the hack of the Democratic National Convention emails, how they use Donald Trump as an unwitting asset, and what role WikiLeaks had on the elections. However it is mostly trying to draw correlation between what Russia is known to do and how people acted going into the elections.

My Reaction

This novel does not talk about the technical methods of getting into the DNC’s emails. It does not address the use of social media to promote their ideology. It does not talk about how events were used to manipulate the media. It does not talk about any real cyber security topics.

Overall, this novel does not address its title. It reads as a rant against WikiLeaks and as a means to vilify Russia. Maybe those organizations are horrible, but this book does a poor job of proving it.

Recommendation

I do not recommend this novel for anyone. The only lesson for a cyber security professional in this book is to make sure you consider your software as a service offerings in your security plans. Don’t assume that Google, Microsoft, or any other SaaS provider is doing all the security for you.

The Plot to Hack America by Malcolm Nance

Suitable for:

IT Professionals
★☆☆☆☆

Software Developers
★☆☆☆☆

Security Analysts
★☆☆☆☆

Security Engineers
★☆☆☆☆

Security Operators
★☆☆☆☆

CISO / CIOs
★☆☆☆☆

Other Executives
★☆☆☆☆

My Rating

★☆☆☆☆

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★☆

The Art of Intrusion

Synopsis

Kevin Mitnick’s follow-up to The Art of Deception is a closer look at some famous and not so famous hacks of the 90’s. It focuses much more on the logistical and technical side of early hacking. It is again styled as anecdotes from both the author and people he knows.

My Reaction

These two books from Kevin Mitnick are widely considered as required reading for cyber security professionals. While there are now many other books that could fill in the knowledge these books impart, there’s no replacing the real inside view from early days of hacking. Some of the chapters are more entertaining than others, but there is a valuable lesson in each one that technical professionals and leaders both need to pay attention to.

Almost all the anecdotes lead to one key idea: defense in depth. Many of the stories told of how hackers found their way into a system and were able to pivot for weeks, months, and even YEARS after making a foothold. The common problem was reliance on a single protection mixed with a “set it and forget it” style of security.

Recommendation

This book is required reading for the security-focused, and a great value for all IT professionals. Even if you have nothing to do with IT, this book is a great way to see into how the hacking world used to operate.

The Art of Intrusion

Suitable for:

IT Professionals
★★★★☆

Software Developers
★★★☆☆

Security Analysts
★★★★★

Security Engineers
★★★★★

Security Operators
★★★★★

CISO / CIOs
★★★★☆

Other Executives
★★★★☆

My Rating

★★★★★

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★☆

Security Certification Roadmap October 2020 Update

Feature Updates

This year has seen a big rise in popularity of the Security Certification Roadmap. In order to keep the information on there as useful as possible, I have made the following changes:

  • Aligned the columns with (ISC)2 CBK security domains
  • Moved certifications to new domains as applicable
  • Adjusted some certification rankings in response to feedback
  • Added 26 certifications
  • Added Microsoft Edge support
  • Updated scaling of the chart to full-width
  • Added CSS to allow certifications to be cross domain
  • Added the ability to have sub-domains
  • Simplified the code to allow for easier updates
  • Updated tooltip functionality to avoid off-screen clipping

Future Plans

The following features are in the works for this year:

  • Links to more info on all 39 certificate issuing vendors represented in the roadmap
  • Add a dark mode
  • Reintroduce visual rows to indicate Beginner, Associate, Journeyman, or Expert levels
  • Improve tooltip to include more information and be easier to read

The following features are planned for the future when I learn how to implement them:

  • Javascript version of the roadmap
  • Add form options to re-order chart based on input such as:
    • Highlight certifications from a specific vendor
    • Highlight certifications that are user goals
    • Highlight recommended certifications based on current achievements such as education, certifications, and experience
    • Reorder roadmap based on career paths
    • Reorder roadmap to exclude certifications for which the user has no interest
  • Add certification planning tools such as saving customized charts, tracking milestones, linking to study resources, and comparing to template charts or other customized charts.

Request for Feedback

This roadmap has been 7 years in the making and community input has been the major driving force. In that spirit I want to encourage feedback for any aspect of the chart from formatting to ranking. Please use the form below if you want to contribute directly!

The Art of Deception

Synopsis

At the time of my reading, The Art of Deception was 18 years old. It was published in 2001 and covered the career of a hacker that spanned from the 80’s to the turn of the millennium. As such, much of the information on specific technologies and tactics is painfully out of date. But with that said, the purpose of this book was not to teach people how to write mainframe code; it is to teach you how to use deception as part of your hacking toolkit. In that regard, this book is timeless.

The book is organized into about 20 anecdotes, each demonstrating a different tactic or imparting a key issue with the way humans handle their information. It shows you that not all hackers sit behind a screen alone using their programming skills to cause havoc. Some cause havoc in person using more analog methods.

My Reaction

While I did enjoy reading about these anecdotes, I feel like these chapters would be better in a blog or a series of social media posts. That said, each one did touch on a very real issue of the time such as phone phreaking, dumpster diving for credentials, and working your way into places you shouldn’t be allowed. The age of the book makes finding those real issues a bit of a drag, but I feel it is worthwhile to stick with it to the end.

Recommendation

This novel will not teach you how to be a hacker, but it may open your eyes into aspects you previously had not considered. I do count this as mandatory reading for cyber security professionals, but I wouldn’t be upset if it were lower on your list.

The Art of Deception

Suitable for:

IT Professionals
★★★☆☆

Software Developers
★★☆☆☆

Security Analysts
★★★★☆

Security Engineers
★★★☆☆

Security Operators
★★★★☆

CISO / CIOs
★★★☆☆

Other Executives
★★★☆☆

My Rating

★★★★☆

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★☆

Countdown to Zero Day

Synopsis

Countdown to Zero Day, by Kim Zetter, is an in-depth accounting of how the Stuxnet malware package was developed, discovered, and what impact it had on the world. Kim Zetter gives a behind the scenes peek from the perspective of malware researchers from Symantec, as well as insight on the politics behind the attack. This accounting strikes an impressive balance between technical and narrative details that makes Countdown to Zero Day an amazing read for cyber security professionals.

My Reaction

Kim Zetter refrains from toning down many of the technical details behind the attack, as many other novelists do. It’s a breath of fresh air to see actual filenames, algorithms, and specific mechanisms discussed as part of a larger narrative. That said, she still provides plenty of narrative to help the uninitiated glean valuable lessons from the tale of the first nation state cyber war attack. While sometimes the political insights tend to drag on, the overall story is succinct enough that I finished the whole novel in just two sittings.

Recommendation

I highly recommend any cyber security professional to pick up this book. Besides learning a lot about this specific attack, the novel exposes some aspects of bug bounty hunting, malware reverse engineering, and operational technology security. Many may think OT/ICS security doesn’t affect them but with IoT, self driving vehicles, and automated factories – you may be faced with tough security questions faster than you think.

Countdown to Zero Day Book Cover

Suitable for:

IT Professionals
★★★★☆

Software Developers
★★★☆☆

Security Analysts
★★★★★

Security Engineers
★★★★★

Security Operators
★★★★★

CISO / CIOs
★★★★☆

Other Executives
★★★★☆

My Rating

★★★★★

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★☆

Security Certification Roadmap July 2020 Update

Feature Updates

Thanks to word of mouth from Reddit and LinkedIn, the Security Certification Roadmap has become more popular than I expected. Because of this increased traffic, I figured it would be important to make the page presentable. The following “features” are now working:

  • Render roadmap using HTML5/CSS3 (no Javascript)
  • Make roadmap compatible in Chrome and Firefox
  • Make roadmap vector scalable for large screens
  • Make roadmap work on mobile devices
  • Make roadmap text searchable
  • Make certification blocks link to the vendor’s cert page
  • Add hover info for full name, price, and exam type
  • Add description for each certification category

Future Plans

The following features are in the works for this year:

  • Microsoft Edge support
  • Links to more info on all 39 certificate issuing vendors represented in the roadmap
  • Change scaling to look better at resolutions under 1920×1080 (1080i)
  • Add a dark mode

The following features are planned for the future when I learn how to implement them:

  • Javascript version of the roadmap
  • Add form options to re-order chart based on input such as:
    • Highlight certifications from a specific vendor
    • Highlight certifications that are user goals
    • Highlight recommended certifications based on current achievements such as education, certifications, and experience
    • Reorder roadmap based on career paths
    • Reorder roadmap to exclude certifications the user has no interest in
  • Reintroduce visual rows to indicate Beginner, Associate, Journeyman, or Expert levels
  • Add certification planning tools such as saving customized charts, tracking milestones, linking to study resources, and comparing to template charts or other customized charts.

Request for Feedback

This roadmap has been 7 years in the making and community input has been the major driving force. In that spirit I want to encourage feedback for any aspect of the chart from formatting to ranking. Please use the form below if you want to contribute directly!

Taking Up Serpents: Snakes, why’d it have to be Snakes

Synopsis

The follow-up to Invasion of Privacy, Taking Up Serpents is another techno-thriller in Ian Sutherland’s Brody Taylor series. It continues the story of Brody, a white hat hacker, this time following up on things that happen in the previous novel. Brody is on the hunt to stop a hacking organization that has threatened his life after his past escapades, and stumbles onto clues from a recently deceased friend. Again, Brody is off to solve a mystery while his girlfriend solves more physical crimes that end up colliding with Brody.

My Reaction

This novel has a lot of the same great beats as the previous novel: realistic use of technology, insight into the life of professional hackers, and absurd drama to drive the story forward. The romance picks up a bit in this novel which is not exactly what I was hoping for. However, the novel balances that out by touching on more diverse topics such as computer forensics and malicious programming.

Recommendation

If you’re looking for a break from the real world stories that haunt our cyber lives, this is a great reprieve. Even if you are not a techy, there is not a lot that would be considered technobabble, but enough to make the well initiated happy.

Taking up Serpents

Suitable for:

IT Professionals
★★★★☆

Software Developers
★★★★☆

Security Analysts
★★★★☆

Security Engineers
★★★★☆

Security Operators
★★★★★

CISO / CIOs
★★★★☆

Other Executives
★★☆☆☆

My Rating

★★★★★

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★⯪

Dark Territory: The Secret History of Cyber War

Synopsis

Dark Territory was an interesting history of how the U.S. government has approached information security from Reagan’s era through Obama’s presidency. As the title suggests, most of the focus was on the offensive side of cyber. This meant that a majority of the content was about the NSA. The difficulty of defending against cyber attacks was mentioned many times, however not a lot was said about what was actually done to protect the government’s networks.

My Reaction

Overall, I think this is a great history of cyber at a nation state level. Its focus and low technical level are great for industry outsiders to get a view of nation state cyber operations. Its details into policies and agencies are great for industry insiders.

Reading this novel would give good foundational knowledge that would make reading novels on direct topics a bit easier to frame. For instance, learning about what went wrong and what happened in cases such as Snowden, WikiLeaks, or Stuxnet would be easier to understand with this history in mind.

Recommendation

I recommend this novel if you are a leader in government or industry with even a passing concern about cyber security. It is also an excellent primer for people who are in or getting into the cyber security field in order to learn what the stakes are.

Dark Territory Cover

Suitable for:

IT Professionals
★★☆☆☆

Software Developers
★★☆☆☆

Security Analysts
★★★★☆

Security Engineers
★★★☆☆

Security Operators
★★★☆☆

CISO / CIOs
★★★★☆

Other Executives
★★★★☆

My Rating

★★★★☆

Amazon Rating

★★★★⯪

Amazon Rating

★★★★☆

Invasion of Privacy: Fantasy for Pentesters

Synopsis

Invasion of Privacy is Ian Sutherland’s first full novel and a follow-up to the short story Social Engineer. While reading Social Engineer is not necessary before picking up Invasion of Privacy, it follows the same protagonist for whom the series is named – Brody Taylor. Brody is a white-hat hacker that does penetration testing for companies in a style that is reminiscent of Kevin Mitnick’s stories from The Art of Deception and The Art of Intrusion.

The story follows Brody as he accepts a challenge on an online hacker forum that leads into the more tactile criminal world. Brody works with police to solve murders while working against a more nefarious enemy online.

My Reaction

This novel is a lot of fun. The events and elements in the story are very realistic and plausible – albeit highly dramatized. Taylor Brody is a believable character using real tactics to help in a criminal investigation. Ian Sutherland takes the time to draw a great picture of a paranoid hacker who takes extra precautions to keep his digital trail clean. I really enjoyed the story and hope Ian Sutherland continues to produce more.

Recommendation

I recommend this novel to people with an interest in “hacking” who want a realistic story. The tactics used are described in enough detail to entice more experienced IT professionals without getting so bogged down in jargon that a casual reader would get distracted.

That said, there’s not a lot to learn from the fictional story except possibly a look into a worst-case scenario. But it’s a great break from the more serious histories of cyber warfare.

Invasion of Privacy cover

Suitable for:

IT Professionals
★★★★☆

Software Developers
★★★★☆

Security Analysts
★★★★☆

Security Engineers
★★★★☆

Security Operators
★★★★★

CISO / CIOs
★★★★☆

Other Executives
★★☆☆☆

My Rating

★★★★★

Amazon Rating

★★★★⯪

Goodreads Rating

★★★★⯪

CyberStorm: A Techno Thriller for the Masses

My Reaction

For IT and cyber security professionals, CyberStorm is a decent read that is just techy enough to relate to, but not techy enough to remind you of your day job.

Matthew Mather does a good job creating a scenario that is believable. Although I do not think this scenario could play out in reality, the effects do seem realistic. The perspective of a mildly tech-savvy group of family and friends stuck in a cyber war makes for an interesting analysis of what people might do in such a situation.

Mather does not go into great detail on the actual cyber attacks or what people are doing to recover. However he does go into what real people might do if our precious internet fails us. A highlight was when one of the characters creates a metropolitan area network in order to share information. In the event of a cyber attack that takes out or severely degrades our access to the internet, creating our own smaller internet is very viable and this novel explores how that could be useful.

Another highlight is how information doesn’t quite flow without technology. The people in the story don’t know what is happening and end up filling in the blanks with some preconceptions and rumors. This ends up paying off quite well in the end.

Lights out in Manhattan (Credit: Jeremy Echols)

One thing that I found quite jarring was that around halfway through the novel, chapters started ending with suspense that promised action in the next chapter. However, the next chapter would fast forward a few hours and tell what happened rather than show it. This wasn’t a consistent theme throughout the book, but it happened quite a few times in a single act making that section feel unsatisfying.

Recommendation

Overall, I was a little let down by how little this book utilized technology and cyber war concepts. However, the story was captivating with the sprinkling of technology and cyber security “what ifs”. After reading many reviews I understand that this book would not be popular if it were more technically complicated. I still enjoyed the read and liked most of the characters. I would recommend this book to my fellow IT professionals, but I won’t oversell it.

CyberStorm

Suitable for:

IT Professionals
★★☆☆☆

Software Developers
★★☆☆☆

Security Analysts
★★★☆☆

Security Engineers
★★☆☆☆

Security Operators
★★★☆☆

CISO / CIOs
★★★☆☆

Other Executives
★★☆☆☆

My Rating

★★★★☆

Amazon Rating

★★★★☆

Goodreads Rating

★★★★☆

Chasm Waxing: A great story in need of an editor

Synopsis

Chasm Waxing has an excellent premise and covers a great variety of topics. For cyber security and/or IT professionals, this book really employs a lot of concepts that you will appreciate. For the not so tech savvy, B. Michaels offers great explanations of hard concepts. It does not require a doctorate in computer science to follow the plot, but having one will surely make this book a more interesting read.

The first act offered great – albeit dramatized – insight into cyber security, emerging technologies, and start up strategies. It is not action packed, but it is mentally and emotionally engaging.

The second act is a dramatic and welcome change in pace that feels a bit like a new story, but weaves all the concepts of the first act together into real tension. The character roles are well defined, the antagonist emerges, and the stakes are made clear.

The third act returns to the same voice as the first act with a lot of learning and exposition about the implications of technology. It mostly sets the stage for the second book with a lot of cliffhangers in the final chapter.

My Reaction

If you are looking for a real cyber thriller that uses real technology in a deep and accurate way, this is the book for you. Even if you don’t know what AES, strong AI, or a start-up accelerator is, you will enjoy this story and hopefully learn a little about these topics.

However, this book desperately needed more editing or proofreading to catch grammar mistakes and real-word spelling errors. The last line in the first paragraph had a real-word spelling error, which put me on guard for the rest of the story. They are few and far between in the first half of the book, but start getting rather frequent and distracting in the last quarter. I have highlighted and noted some, but I got a bit tired of doing so after a while.

The use of quotation marks was a bit maddening and I often had no idea who was talking or if anyone was talking. In some places the wrong names were used which required a few extra readings to work out if that person suddenly joined the conversation or if it was a writing mistake. In other places, sentences had no punctuation at the end.

The redactions were interesting the first 2-3 times, but after a few chapters they really detracted from the story. At one point, two whole pages were redacted and I was left not knowing what was happening. However I don’t think anything critical to the plot was in those redactions.

The book spent a good amount of time building up to a sequel. It’s been 4 years since this story was published and there’s no sign that a sequel is in the works. For what it’s worth, I hope the sequel pans out as I would love to continue this story.

Recommendation

This book was a fun read from a cybersecurity perspective. I have not yet found another novel that integrates so many newer technologies and cyber processes into a story line. I would recommend this book to readers who aren’t as picky about editing mistakes as I am, and who like to read techno-thrillers. There’s not a significant amount to learn in this novel, however the part about the accelerator was quite new to me.

Chasm Waxing Cover

Suitable for:

IT Professionals
★★☆☆☆

Software Developers
★★★☆☆

Security Analysts
★★★☆☆

Security Engineers
★★★☆☆

Security Operators
★★★☆☆

CISO / CIOs
★★★☆☆

Other Executives
★★★☆☆

My Rating

★★★☆☆

Amazon Rating

★★★★☆

Goodreads Rating

★★★★☆