Recently in books-reading Category

I had the recent good fortune of having Andy Updegrove's The Alexandria Project: A Tale of Treachery and Technology suggested to me as a book that I might enjoy. It's a techno-thriller set in modern times, complete with a solid infosec storyline that doesn't even mention APT once. :)

The story starts out set in Washington, DC, where we follow perennial slacker security uber-genius Frank Adversego, currently stumbling through a job at the Library of Congress (LoC), thanks in large part to his former mentor tossing him a lifeline. All of a sudden, things start going very bad, first at the LoC, and then elsewhere, and all fingers point toward Frank. Spin in some not-so-friendly inter-department lack of cooperation between the Bureau and the Company, a little bit of international intrigue, and the threat of nuclear war, and you have a fun techno-thriller.

Overall, the techies in the crowd will enjoy this book, even though it manages not to get down in the weeds. Non-techies will likely still enjoy the pace and story, as well as a couple of patient explanations of the more technical topics as delivered to Frank's daughter Marla. In the end, this story has a little bit of everything in it, and it even has a couple of twists and turns that will keep you a bit off-balance.

The book is only $2.99 for Kindle, so hurry up and check it out! In doing so, you'll be helping promote an up-n-coming author from our own infosec ranks, with the promise of more to come!

I finally bit the bullet and tackled some of my back-log of non-fiction reading. I've been spending most of my free reading time on the Discworld by Terry Pratchett. That being said, I've just zipped through a couple non-fiction titles of note, The 50th Law by 50 Cent and Robert Greene, and Managing Softly by Bertrand Jouvenot. Both are quasi business/life-skills type books. Following is a quick-hit summary of each.

At the suggestion of a friend I picked up The Ender Quartet Box Set: Ender's Game, Speaker for the Dead, Xenocide, Children of the Mind and set about reading through it. I'm currently through the first two books, Ender's Game and Speaker for the Dead. Overall, I liked the first book, scary though it was in terms of potential parallels with the future. It just didn't seem far-fetched enough, I guess (just like Orwell's 1984).

In contrast, the second book (Speaker for the Dead) was interesting, though it was a more challenging read. I think I enjoyed the story, though it was kind of, um, different. I don't know, maybe I had just become too jaded after the first book. The biggest thing that jumped out to me was the disconnect between timeline and technological evolution. The book jumps forward about 3,000 years, but the tech seems not to have changed all that much? That seemed rather odd to me. *shrug*

Overall, I think the series is interesting and worthwhile, though I'm taking a break (reading more of Pratchett's Discworld series) before I finish off the quartet.

Recent Reading (Books)


Nothing security-related, but for whatever reason I've been able to knock out four (4) books in the last few weeks (on top of my normal reading load). I like to read outside of the industry whenever possible as it provides a good mental break. As such, I polished off two works of fiction and two works of non-fiction. The four are: That Old Cape Magic by Richard Russo, The Color of Magic (the first Discworld book) by Terry Pratchett, The Guinea Pig Diaries by A.J. Jacobs, and Liberty and Tyranny by Mark R. Levin. Following is a quick summary of my thoughts on each book.

Since I'm catching up on my book reviews... forgive me for totally geeking out for a couple minutes to talk about my latest reading obsessions... I'm sure most of you will chuckle, chortle, laugh, or roll your eyes... but I'm guessing a few of you will appreciate this little missive... :)

In addition to regular books (fiction and non-fiction), I've also been exploring the world of graphic novels to help lighten the reading load. Sometimes you just need to break out the cake reading to give your mind a break, ya know? Toward that end, I've found two series that have provided a great break from thinking. :)

I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.

That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.

Conclusion: Buy and read this book. If you've been in the industry for a while and "get it" then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.

I finished reading Ari Juels' Tetraktys this week. Ari is Chief Scientist at RSA Labs, so he brings a lot of tech cred to the table. This book is his first official work in the non-fiction realm, and it's definitely worth a read. I look forward to more from him.

In general, this book is typical of a first fiction work in that it has a degree of awkwardness. However, I think there's a lot of potential for the lead character, Ambrose Jerusalem, to grow into a series of novels that far exceeds Dan Brown's Dr. Robert Langdon, and is perhaps on par with peak Tom Clancy's Jack Ryan. None of which is to say that Juels has written an action novel by any means. Just that the character has good sustainability potential.

Following is my review of the recent release CISSP in 21 Days. A sample chapter can be retrieved from here.

Summary:
CISSP in 21 Days by M. L. Srinivasan is a CISSP exam prep book. By its own admission, it is not a comprehensive, end-all-be-all book for preparing for the CISSP. What it does claim is the ability to take you through a well-reasoned progression over the course of 21 days to hit on the key concepts and topics of the CISSP, with the last day focused on taking a 250-question sample test. Overall, I think the book accomplishes its goal and could be a useful study guide.

There is no shortage of CISSP prep books today. Shon Harris alone accounts for a lion's share of the market, and one should also not overlook the Tipton and Krause anthology Information Security Management Handbook. In the face of these books, one might wonder why Srinivasan would even bother with an attempt. However, if there's one thing that is clear from most CISSP prep books, it's that they've taken the "quantity over quality" approach, often burying the reader in hundreds of pages of duplicated and sometimes error-ridden work.

In this instance, the book covers all major topics in 225 pages, broken up into 20 days of study, where each of the 10 CBK topics is covered at 2 days each. The layout is clean, lightweight, and concise, hitting the important points. One should not feel overwhelmed by the amount of material presented, though one might also be left wondering if this is really all there is (it isn't - there's more). However, the book never claims to be a complete, comprehensive training guide - merely a guide for reviewing topics. Specifically, the book points out that it "assumes that the candidate already has sufficient knowledge in all 10 domains of the CISSP CBK..."

Strengths:
   * Concise: The book is very brief and to the point. It does not waste ink or pages on unnecessary explanations.
   * Logical: A reasonably logical approach is taken to the topics, starting with security and risk management and expanding from there.
   * Straightforward: The explanations provided are very straightforward and clear.
   * Clean Layout: The book is laid out in a manner that is easily read and followed. Ample room is left in the margins for notes.

Weaknesses:
   * Thin: This is not a comprehensive prep guide, but rather a review guide. The book is not aimed at beginners.
   * Few References: In the "Introduction" the book mentions that there will be a reference section at the end. It turns out this Reference section has 9 entries, including Wikipedia. Not complete or particularly useful. One of the links is for the ISO organization, but it incorrectly uses a TLD of .ch instead of .org.
   * Rigid Language: The language is fairly rigid in its construct. This is fine, but it can be off-putting for some readers.
   * Some Grammar Issues: The author is an Indian National, and thus there are the occasional grammar flubs. The errors are not terribly serious, but they may be distracting or off-putting to some readers, particularly speakers of American English.
   * Slightly Pricey: The eBook (PDF) lists for $22.39 and the print+eBook lists for $40.79. Given that this is just a review guide and not a comprehensive prep guide, I feel that anything over $20 is asking too much.

Recommendation:
So, the magic question: Would I recommend this book? My answer is a qualified "yes", though perhaps not at the current listed price point. This book could be useful for an experienced IT professional who already understands security, but has never looked at taking the CISSP before. From this standpoint, it would be very useful to quickly bone-up on what the requirements and expectations are.

That being said, this book will only be one piece in the overall puzzle, and its lack of useful references means that the aspiring student will still need to go research other references.

This book is definitely not for the inexperienced IT professional. If you cannot speak knowledgeably to risk and security management, network security, system security, or physical security, then you will not find this book to be very useful. On the other hand, if you know these topics inside-out, then you may think this book isn't terribly useful.

If you're not familiar with the CISSP, but have the skills, this book can provide a useful starting point. If you don't have the skills, then don't start here.

I've finally finished reading Daniel Pinchbeck's 2012: The Return of Quetzalcoatl. It's an intriguing book that looks at redefining apocalyptic predictions as a spiritualistic movement and event horizon, suggesting that what we humans conceive of as "the end" could really just mean "the end of an era" and the beginning of a truly new page in history. Of course, he then ends talking about the Hopi Indians and how they hold a more disturbing vision that includes nuclear holocaust and lots of physical destruction. So, who knows.

If you're interested in the future of the planet and humanity, and if you're open to somewhat "different" interpretations of that future, then this is probably a good book for you. I'm not fully comfortable with the degree of recreational use of hallucinogenics that Pinchbeck practices, and he did leave some issues unresolved, but nonetheless, his views are interesting and unique. I'd rather like to think that his interpretation is correct, that the future will be marked by a sudden evolutionary advancement. What I'll be more interested to see is the number of crazies who will come out of the woodwork the closer we get to Dec 2012.

I've recently read through (most of) James Flaherty's Coaching: Evoking Excellence in Others. This book is very informative and excellent in the way that it directly challenges the status quo of people management in the modern corporate environment. I think of all the companies I've worked in or with over the years, and every single one would have benefited significantly from Flaherty's guidance.

Instead of going into a lot of detail about the book, allow me to just recommend it to you. I'm doing this because my next post will be my thoughts on applying the coaching approach and mentality to improving information security within organizations, which will cover much of the material in the book. However, rather than leave you empty-handed, allow me to provide a quote from early in the book in which Flaherty states his case for this approach:

"It is one of the central tenets of this book that command-and-control organizations cannot bring about the conditions and competencies necessary to successfully meet the challenges holistically. For the most part, organizations know this and have attempted to reorganize themselves using the principles of total quality management and reengineering. The usual problem with these interventions is that they are implemented by and end up reinforcing the command-and-control structure. Here's my objection to that: command-and-control organizations are based on the premise that a power and knowledge hierarchy is the most effective way of structuring an organization. People at the top make the decisions and people further down implement those decisions, changing them as little as possible. The process is slow, expensive, and has at its core belief that people cannot be trusted and must be closely monitored. As long as those beliefs are in place any organization will have tremendous difficulty flourishing in today's world. Of course, what I'm saying here is not a new statement. What I'm offering in this book is an alternative to working in a command-and-control environment by beginning with the new premises. It's been my experience that organizations must be dedicated to allowing people to be both effective and fulfilled. Organizations are the ongoing creations of the people who work in them. Treating organizations as if they are huge machines, as is done with command and control, badly misunderstands the nature of the phenomenon. To sum up and simplify what I'm saying, coaching is a way of working with people that leaves them more competent and more fulfilled so that they are more able to contribute to their organizations and find meaning in what they are doing. I hope that reading this book will convince you that this is possible and that you will experiment with the ideas presented here. 
That is the only way you can find out for yourself that what I'm saying here is worthwhile." (p2-3)

This blog is licensed under a Creative Commons License.