This is not a comprehensive list of books that all security professionals should read. It is really my own eclectic collection that I have found valuable in understanding the cyber security landscape throughout my career. If you are new to the field, start with the titles in the "Novels and Books for Historical Context." As the subtitle implies, you should have read these by now.
I just finished reading "The Wall Street Journal Guide to Information Graphics" by Dona Wong. A
couple of weeks ago, I went on a fan-boy rant
regarding the research and writings of Dr. Edward Tufte who, in my
opinion, is the smartest person on the planet when it comes to conveying
complex ideas in a chart. His books and lectures over the years have
really helped me convey complex security ideas to my bosses and
customers. However, the downside to Dr. Tufte's methods is that he
does not make it easy for you. He expects you to wade through the entire
set of books (count 'em, four in all) and decide for yourself. He gives
no executive summaries, no bullet points and definitely no accompanying
PowerPoint slide decks. Enter Ms. Wong.
According to the back cover, Ms. Wong has been doing information
graphics for more than 20 years, and she was a student of Dr. Tufte
back in the day. Compared to Tufte, though, Wong is concise: her thin
book of 149 pages is a how-to guide for creating effective charts, mostly
for newspaper-type publications, as the title implies.
This is not a book you read cover to cover. It is more of a cookbook.
Want to know how to do a line chart? Turn to page 49 and admire the
layout. On the left page, Wong describes all the incorrect ways to do
it. "Never shade below a line unless the chart has a zero baseline." On
the right, she shows all the ways to do a line chart correctly. "Choose
the y-axis scale so that the height of the fever line occupies roughly
two-thirds of the chart area." On both pages, she outlines the dos and
don'ts in a terse and easy-to-read form. Unlike Tufte, she is not giving
you the history of line charts from the beginning of time to the
present. She just gives her opinions based on 20 years of industry
experience. If you are in a hurry, this is a book to keep on your shelf,
regardless of whether you are just beginning your security career or are a
grizzled veteran.
My only knock on the book is that as the reader gets to the later parts,
the examples tend to be more and more specific to journalism, mostly
financial journalism; however, this is a minor knock. You can learn a
lot by spending three or four hours perusing this book. You can
definitely make your own charts better if you review the appropriate
section of Ms. Wong's book before you go final with your own chart
designs. I think it is so valuable that I am going to add it to my own
recommended book list for security professionals. For those of you
following along at home, here is the latest list:
I'll admit it. I am a fan boy for Dr. Edward Tufte, professor emeritus
of political science, statistics and computer science at Yale. In my
opinion, he is the world's leading expert on how to display complex data
in a visual form. When I learned
last week that President Obama had appointed him to advise the Recovery
Accountability and Transparency Board, I was elated. The board's
mission is to monitor the way the US Government is spending the $787
billion stimulus package. There is not a better person for the job.
I ran into Dr. Tufte almost a decade ago when I was still in the
service. I was running the Army's Computer Emergency Response Team at
the time, and we were struggling with how to convey the complex concepts
of network defense, network offense and network exploitation to Army
leadership, mostly to generals who had spent their entire Army careers
leading infantrymen, tankers and artillerymen into battle. These guys
are smart, but they do not spend a lot of time in the land of ones and
zeros. I needed help. A friend of mine suggested Dr. Tufte's traveling seminar, which just happened
to be in town that week.
I was stunned.
He spent eight hours running the audience through a historical
cornucopia of visual presentations, both bad and good, to illustrate
what works and what does not work. His famous example-- how NASA's
engineers might have failed to prevent the Challenger Space Shuttle
catastrophe in 1986 because a badly designed slide deck did not convince
NASA leadership to scrub the launch-- is bone chilling. His more
positive example-- how Dr. John Snow was able to determine the cause of
London's Cholera epidemic of 1854 by plotting the deaths on a city map
and learning that a communal water hole was the most likely source-- is
inspiring.
As a former soldier, I am most impressed with Charles Joseph Minard's chart depicting the
folly of invading Russia. Tufte thinks that this is "[p]robably
the best statistical graphic ever drawn." On one chart, Minard displays
the gross losses of Napoleon's Army as it traveled to Moscow (tan line, left to right) and
retreated back (black line, right to left), the time frame it took, the weather and temperature that
accompanied the Army, and the devastating personnel loss of doing
multiple river crossings in the dead of winter during a retreat. Germany's generals would have learned a lot from this chart before they tried and
failed to do the same thing in World War II.
For the price of the course, Dr. Tufte gives you all four of his books on the subject:
That night, I ran home to devour the books. Over the course of a few
evenings, I could do nothing but sift through example after example of
charts and displays, from China's Railway Table of 1985 to Galileo's
proof that sunspots were not orbiting the sun but were actually part
of it. I recommend all of the books highly and, of course, if you get
the chance to attend the seminar,
just do it. You will not be disappointed. I have since been back to
attend a second time.
You may be asking yourself just what all of this has to do with
security. I am glad you asked.
Like most of you, I do a lot of presentations. In fact, I am a
PowerPoint Ninja. I have done so many presentations that I am getting
close to the magic 10,000 hour number that Malcolm Gladwell mentions in
his book, "Outliers: The Story of Success." I am usually educating an
audience on some security matter or trying to convince leadership to
give me something that I want. In both cases, how I present the
information is key to success.
You will be interested to know that Dr. Tufte hates PowerPoint, at least
the default way that most people use it: title, 3-5 bullets of text,
spinning doughnuts that have nothing at all to do with the presentation.
In his seminar, Dr. Tufte does not use it. The fact is, though, that
PowerPoint, and its non-Microsoft equivalents, are tools of the trade
for most businesses and especially for security people. We need to
report status, explain technical issues and beg for money to start and
maintain pet projects. We all use a PowerPoint equivalent to do it. More
importantly, we as security professionals have to build the charts and
diagrams and graphs that we stuff into those slide decks and other
written reports to make our point. Even though Dr. Tufte hates
PowerPoint, his design guidelines will help you build better decks and
reports.
According to Tufte,
"Presentations largely stand or fall on the quality, relevance, and
integrity of the content. If your numbers are boring, then you've got
the wrong numbers. If your words or images are not on point, making them
dance in color won't make them relevant. Audience boredom is usually a
content failure, not a decoration failure."
He is now helping the government explain where it is spending the
stimulus money at recovery.org.
According to Newsweek,
"The result, as anyone who has spent significant amounts of time
scouring government Web sites for information will tell you, is perhaps
the clearest, richest interactive database ever produced by the American
bureaucracy."
Overall, I really liked the book. Menn
covers the same territory that iDefense has covered in our trends
papers since VeriSign acquired us some five years ago. In fact, if you
combined all of our trends papers and the trends briefings we have
given since 2005, you would have the same content that Menn covers here
minus some stuff about offshore betting, distributed denial of service
(DDoS) attacks and organized crime.
He covers it all: NCPH, Russian Business Network (RBN), the rise of
botnets, the rise of bulletproof hosters, the rise of DDoS attacks, the
rise of cyber espionage, the rise of cyber warfare, the impotence of
law enforcement, the frustration with cooperating with Russian law
enforcement and the lack of respect for the US FBI. He singles out
important cyber security intelligence organizations like VeriSign
iDefense, Team Cymru and SecureWorks. He pointedly leaves out the
anti-virus vendors, he only cursorily mentions Symantec, and he was
astonished at Kaspersky's view of the world (how the Russians were not
behind Estonia, Georgia and Kyrgyzstan; this is something that Kimberly
has been reporting for years, that the Russians feel persecuted by the
rest of the world in terms of who is responsible for cyber crime, cyber
hacktivism and cyber warfare).
He singles out respected independent security researchers like
Kimberly, Joe Stewart (SecureWorks), Barrett Lyon (founder of Prolexic),
Andy Crocker (UK's National High Tech Crime Unit, now replaced by the
Serious Organized Crime Agency, or SOCA), Rafal Rohozinski (CEO,
SecDev), Don Jackson (SecureWorks), Jart Armin (independent researcher),
Paul Ferguson (independent researcher), Avivah Litan (Gartner analyst)
and Dmitri Alperovitch (Secure Computing).
He also points to cyber security journalists like Brian Krebs, John
Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John
Leyden and Robert McMillan as being the cream of the crop, with which I
am in total agreement.
I do have quibbles.
Menn claims that RBN was responsible for Estonia and Georgia, with which we completely disagree.
Menn strongly asserts that organized crime, as in the old "Godfather"
type of organized crime, is way more involved in Russian cyber fraud
than iDefense believes.
He implies that Russian cyber crime is really the work of a small
number of hackers (fewer than 100, my number) and not a cadre of
hackers, as iDefense has asserted (more than 1,000, again my number).
I don't like the way that he jumps back and forth in the timeline;
for example, he talks about events in 2008 and then jumps to 2002 and
then to 2006. This makes it tough to understand the narrative arc. I
understand why he did it, but a timeline of everything might have been
useful.
I don't like the way he quotes Kimberly without any association
with VeriSign or iDefense, as if she were an independent researcher.
I don't like the way he sources iDefense without any association
with VeriSign. We have been a VeriSign business unit for five years.
I didn't think that his first chapters about offshore betting and DDoS attacks were that interesting.
Like I said, these are quibbles. This book is a good historical
resource. If you are interested in how we got to where we are today in
terms of the cyber security landscape, you would do well to read this
book. Menn does not get everything right, but he is close. I am going
to add it to my must-read list for cyber security professionals. Here
is the updated list:
Interesting Cyber Security Novels that I Just Liked
"Cryptonomicon" by Neal Stephenson
"Killobyte" by Piers Anthony
"The Zenith Angle" by Bruce Sterling
Gaming and Future Intelligence Collection
"Daemon" by Daniel Suarez
"Halting State" by Charles Stross
I just finished reading Charles Stross' book entitled "Halting State." I heard about it on Roderick Jones' blog, MetaSecurity,
and put it on my list. I am certainly glad that I did. Those of you who
have been around for a while know that I am very interested in how
virtual worlds might be used in intelligence collection and police work
in the future. This book is right down my alley. It has orcs robbing
banks in a World of Warcraft-type game and hauling real money out to
the physical world. It has shadowy spy agencies running live action
role playing games (LARPs) and using the players to collect real
intelligence to get points in the game. The players themselves think it
is all make-believe, but in reality, the situation is all dangerously
authentic. The author writes in a staccato style, peppering the page
with clauses and phrases of rich insights into what the world might be
in the near future. Stross throws hundreds of ideas at you throughout
the story: eyeglasses that everybody wears because they are the
man-to-machine interface to the metaverse, cops on a crime scene
recording everything they are doing as evidence with both video and
audio (through their glasses), the deployment of certain high-pitched
sounds that cause extreme vertigo and nausea into houses and businesses
as defensive measures against criminals, and terrorists running
training camps in "Second Life"-like environments.
I am starting to see a pattern in near future sci-fi literature where
the bad guys figure out how to lasso the gaming communities to execute
game missions to further some nefarious purpose. The other two books I
am familiar with are "Daemon" and its sequel "Freedom,"
both by Daniel Suarez. "Daemon" is the first in a reported trilogy
where an evil genius creates a World of Warcraft-type game and recruits
players for his nefarious missions out of the game. He crafts quests in
the game designed to identify certain player-character traits. As these
players are successful and move up in the game and others fall to the
wayside, the evil genius continues to send the successful gamers highly
specialized quests. At some point, he starts sending key players out of
the game and into the real world to perform missions for in-game
rewards. Hollywood is making a movie out of "Daemon," and "Freedom"
just hit the bookstore shelves this month.
At iDefense, we have identified virtual worlds as one of our cyber
security disruptors, that is, technologies or ideas that are not mature
at present but in a few short years will fundamentally change how we
all protect the enterprise. There are key factors supporting this idea:
the establishment of virtual currencies, the exponential growth in the
number of players, and the slow convergence of the thousands of gaming
environments into one metaverse as outlined by Neal Stephenson in his
book "Snow Crash," just to name three.
If you are a newbie to this, my advice is to read "Snow Crash"
first, then "Daemon," "Halting State" and "Freedom" in that order. I
recommend all of them. Besides, you should have read "Snow Crash" by
now. It is required reading for anybody in the cyber security field.