Recently in books-reading Category

Given the ongoing primary races for the two "major" parties, the timing of Andy Updegrove's The Lafayette Campaign couldn't be much better. It's a sequel to his most excellent first Adversego thriller, the Alexandria Project.

In The Lafayette Campaign, our intrepid computer security hero Frank Adversego is asked by a super-secret intelligence agency to investigate electronic voting fraud. The farther down the rabbit hole he goes, the crazier things get. The cast of characters seems straight out of the GOP slate. The story will leave you wondering if, as voters, we really do have an actual choice.

By the end you'll be eager for Updegrove's next story in the series. I highly recommend getting your copy now!

Drop whatever it is you're reading and go read The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. This short book will quickly change your perspective on a lot of things, not the least of which being the role and importance of IT within the greater context of business operations, as well as the imperative to more tightly align business priorities with operational risk management.

Go here for more information about the book.

Go here for a free 170-page excerpt of the book.

The book walks through "The Three Ways" as it describes a fictional company transitioning from a badly broken and dysfunctional old school IT and dev environment into a newer-than-new-school DevOps model. A sage guides the new IT director through this transition, with one of the big lessons in the end being the point that IT is so central to all business operations today (and forever more) that the COOs of the future will have to be extremely competent in technology operations, and may just come almost exclusively from an IT background (offset with business school training, or comparable).

It's hard to understate how well this book explains the concepts contained therein. It covers many of the topics that I've mentioned over the years on this blog, but the authors do a much better job explaining those ideas. Security, IT, and Dev should no longer exist as standalone silos, but should instead be all part of one cohesive, optimized unit designed to rapidly evolve and function with great agility.

I could go on, but will spare you... go read the book! :)

I had the recent good fortune of having Andy Updegrove's The Alexandria Project: A Tale of Treachery and Technology suggested to me as a book that I might enjoy. It's a techno-thriller set in modern times, complete with a solid infosec storyline that doesn't even mention APT once. :)

The story starts out set in Washington, DC, where we follow perennial slacker security uber-genius Frank Adversego, currently stumbling through a job at the Library of Congress (LoC), thanks in large part to his former mentor tossing him a lifeline. All of a sudden, things start going very bad, first at the LoC, and then elsewhere, and all fingers point toward Frank. Spin in some not-so-friend inter-department uncooperation between the Bureau and the Company, a little bit of international intrigue, and the threat of nuclear war, and you have a fun techno-thriller.

Overall, the techies in the crowd will enjoy this book, even though it manages not to get down in the weeds. Non-techies will likely still enjoy the pace and story, as well as a couple patient explanations of the more technical topics as delivered to Frank's daughter Marla. In the end, this story has a little bit of everything in it, and it even has a couple friends twists and turns that will keep you a bit off-balance.

The book is only $2.99 for Kindle, so hurry up and check it out! In doing so, you'll be helping promote an up-n-coming author from our own infosec ranks, with the promise of more to come!

I finally bit the bullet and tackled some of my back-log of non-fiction reading. I've been spending most of my free reading time on the Discworld by Terry Pratchett. That being said, I've just zipped through a couple non-fiction titles of note, The 50th Law by 50 Cent and Robert Greene, and Managing Softly by Bertrand Jouvenot. Both are quasi business/life-skills type books. Following is a quick-hit summary of each.

At the suggestion of a friend I picked up The Ender Quartet Box Set: Ender's Game, Speaker for the Dead, Xenocide, Children of the Mind and set about reading through it. I'm currently through the first two books, Ender's Game and Speaker for the Dead. Overall, I liked the first book, scary though it was in terms of potential parallels with the future. It just didn't seem far-fetched enough, I guess (just like Orwell's 1984).

In contrast, the second book (Speaker for the Dead) was interesting, though it was a more challenging read. I think I enjoyed the story, though it was kind of, um, different. I don't know, maybe I had just become too jaded after the first book. The biggest thing that jumped out to me was the disconnect between timeline and technological evolution. The book jumps forward about 3,000 years, but the tech seems not to have changed all that much? That seemed rather odd to me. *shrug*

Overall, I think the series is interesting and worthwhile, though I'm taking a break (reading more of Pratchett's Discworld series) before I finish off the quartet.

Nothing security-related, but for whatever reason I've been able to knock out four (4) books in the last few weeks (on top of my normal reading load). I like to read outside of the industry whenever possible as it provides a good mental break. As such, I polished off two works of fiction and two works of non-fiction. The four are: That Old Cape Magic by Richard Russo, The Color of Magic (the first Discworld book) by Terry Pratchett, The Guinea Pig Diaries by A.J. Jacobs, and Liberty and Tyranny by Mark R. Levin. Following is a quick summary of my thoughts on each book.

Since I'm catching up on my book reviews... forgive me for totally geeking out for a couple minutes to talk about my latest reading obsessions... I'm sure most of you will chuckle, chortle, laugh, or roll your eyes... but I'm guessing a few of you will appreciate this little missive... :)

In addition to regular books (fiction and non-fiction), I've also been exploring the world of graphic novels to help lighten the reading load. Sometimes you just need to break out the cake reading to give your mind a break, ya know? Toward that end, I've found two series that have provided a great break from thinking. :)

I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.

That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.

Conclusion: Buy and read this book. If you've been in the industry for a while and "get it" then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.

I finished reading Ari Juels' Tetraktys this week. Ari is Chief Scientist at RSA Labs, so brings a lot of tech cred to the table. This book is his first official work in the non-fiction realm, and it's definitely worth a read. I look forward to more from him.

In general, this book is typical of a first fiction work in that it has a degree of awkwardness. However, I think there's a lot of potential for the lead character, Ambrose Jerusalem, to grow into a series a novel that far exceeds Dan Brown's Dr. Robert Langdon, and is perhaps on-par with peak Tom Clancy's Jack Ryan. None of which is to say that Juels has written an action novel by any means. Just that the character has good sustainability potential.

Following is my review of the recent release CISSP in 21 Days. A sample chapter can be retrieved from here.

Summary:
CISSP in 21 Days by M. L. Srinivasan is a CISSP exam prep book. By its own admission, it is not a comprehensive, end-all-be-all book for preparing for the CISSP. What it does claim is the ability to take you through a well-reasoned progression over the course of 21 days to hit on the key concepts and topics of the CISSP, with the last day focused on taking a 250-question sample test. Overall, I think the book accomplishes its goal and could be a useful study guide.

There is no shortage of CISSP prep books today. Shon Harris alone accounts for a lion's share of the market, and one should also not overlook the Tipton and Krause anthology Information Security Management Handbook. In the face of these books, one might wonder why Srinivasan would even bother with an attempt. However, if there's one thing that is clear from most CISSP prep books, it's that they've taken the "quantity over quality" approach, oftentimes burying the reader in hundreds of pages of oftentimes duplicated and sometimes error-ridden work.

In this instance, the book covers all major topics in 225 pages, broken up into 20 days of study, where each of the 10 CBK topics is covered at 2 days each. The layout is clean, lightweight, and concise, hitting the important points. One should not feel overwhelmed by the amount of materials presented, though one might also be left wondering if this is really all there is (it isn't - there's more). However, the book never claims to be a complete, comprehensive training guide - merely a guide for reviewing topics. Specially, the book points out that it "assumes that the candidate already has sufficient knowledge in all 10 domains of the CISSP CBK..."

Strengths:
   * Concise: The book is very brief and to the point. It does not waste ink or pages on unnecessary explanations.
   * Logical: A reasonably logical approach is taken to the topics, starting with security and risk management and expanding from there.
   * Straightforward: The explanations provided are very straightforward and clear.
   * Clean Layout: The book is laid out in a manner that is easily read and followed. Ample room is left in the margins for notes.

Weaknesses:
   * Thin: This is not a comprehensive prep guide, but rather a review guide. The book is not aimed at beginners.
   * Few References: In the "Introduction" the book mentions that there will be a reference section at the end. It turns out this Reference section has 9 entries, including Wikipedia. Not complete or particularly useful. One of the links is for the ISO organization, but it incorrectly uses a TLD of .ch instead of .org.
   * Rigid Language: The language is fairly rigid in its construct. This is fine, but it can be off-putting for some readers.
   * Some Grammar Issues: The author is an Indian National, and thus there are the occasional grammar flubs. The errors are not terribly serious, but they may be distracting or off-putting to some readers, particularly speakers of American English.
   * Slightly Pricey: The eBook (PDF) lists for $22.39 and the print+eBook lists for $40.79. Given that this is just a review guide and not a comprehensive prep guide, I feel that anything over $20 is asking too much.

Recommendation:
So, the magic question: Would I recommend this book? My answer is a qualified "yes", though perhaps not at the current listed price point. This book could be useful for an experienced IT professional who already understands security, but has never looked at taking the CISSP before. From this standpoint, it would be very useful to quickly bone-up on what the requirements and expectations are.

That being said, this book will only be once piece in the overall puzzle, and it's lack of useful references means that the aspiring student will still need to go research other references.

This book is definitely not for the inexperienced IT professional. If you cannot speak knowledgeably to risk and security management, network security, system security, or physical security, then you will not find this book to be very useful. On the other hand, if you know these topics inside-out, then you may think this book isn't terribly useful.

If you're not familiar with the CISSP, but have the skills, this book can provide a useful starting point. If you don't have the skills, then don't start here.