Showing posts from December, 2013

Book Review: “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power” by David Sanger

Executive Summary
This book is an interesting read for foreign policy buffs but a must-read for cyber security professionals interested in the evolution of cyber warfare. It is the first published book that chronicles the current US government’s thinking about the merits of cyber attacks as a middle-ground diplomacy option between invading a country on one hand and sanctions or negotiations on the other. It is also the first book that gave the public details about operation “Olympic Games,” a multiyear covert operation that the governments of the United States and Israel directed against Iran that changed the cyber security landscape forever. Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical in…

Book Review: "Security Metrics: Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith (2007)

Executive Summary
This book is a must-read for all cyber security professionals. It is not a part of the canon because it attacks a sacred cow of the industry—Annualized Loss Expectancy (ALE) as a means to justify your security budget—and the community has yet to fully embrace the idea that ALE might not be a good idea in all cases. But you should seriously consider this notion and this book is your gateway to do so. Consider it a Canon-Candidate. Jaquith describes why capturing and analyzing security metrics is a good and powerful thing and how you can use that intelligence to better understand the porous nature of your networks. It will help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security. You should have read this by now.
I have been interested in cyber security metrics and how to visualize them since before we were connecting the In…

Book Review: “Cryptonomicon” by Neal Stephenson (1999)

Executive Summary
Cryptonomicon is the quintessential hacker novel. The author, Neal Stephenson, describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers. Stephenson delights in explaining how all of these things go together. His collection of fictional and nonfictional characters orbits each other across a thousand pages and propels the reader through dual timelines of World War II and the dot-com startup decade of the 1990s. The result is a multigenerational treasure hunt worthy of an Indiana Jones adventure, but unlike Indiana Jones, this is not a light read. It is dense with ideas. You do not skim through this looking for the good parts, but if you take the time to savor the journey, you will not be disappointed. You will be fed cyber security history, rollicking adventure, heartbreaking tragedy, the pleasures and perils of a multigenerational family, and the awkwar…