Brent’s Interview About His Most Recent Book

 

Introduction

In today’s digital age, the importance of cyber-security cannot be overstated. With threats evolving at an unprecedented rate, organizations need to be proactive in their approach to safeguarding their assets. “We Need To Talk: 52 Weeks To Better Cyber-Security” by L. Brent Huston offers a comprehensive guide to navigating the complex world of cyber-security. We sat down with the author to delve deeper into the inspiration, content, and significance of this book.

Interview

Q1: What inspired you to write “We Need To Talk: 52 Weeks To Better Cyber-Security”?

A1: As a virtual CISO and 30+ year security practitioner, I know how important it is to keep the security team engaged with one another, encourage open discussions, and do continual learning. I wrote the book to give security teams a good basis for these discussions every week for a year. Covering the basics and letting the team discuss sticking points and areas for improvement has led my clients to identify some interesting trends and rapidly mature their security programs. I think, literally, “We Need To Talk”. We need it as practitioners, individuals, teams, and organizations. This is a stressful, detail-oriented, rapid-change business, and talking helps nearly everyone involved.

Q2: Why did you feel it was essential to provide such a comprehensive view of cyber-security?

A2: So much of what we do is complex and touches multiple areas of our organization that we must bring the basics to each. I picked the topics for discussion in the book to address the high-level, technical, and procedural controls that almost every organization needs. I threw in some of the more tenacious topics I’ve encountered in my career and a few curve balls that have bitten us over the years. Information security and risk management are broad-spectrum careers, and we need a broad spectrum of topics to help security teams be successful.

Q3: Can you elaborate on how the structure of the book facilitates this year-long journey?

A3: This is a great question. The book idealizes a weekly security team meeting where the team discusses one of the topics and why it is relevant and then works through a series of questions to help them hone and refine their security program. The book includes a topic for each week, appropriate background information about that topic, and a set of questions for discussion by the team. As I piloted the book with my clients, it became clear that these were ultra-powerful discussions and led to some amazing insights. I knew then that I had to write and put the book out there to benefit security teams and practitioners.

Q4: How did leveraging AI tools shape the content and structure of the book?

A4: I used several AI tools to help generate the content of the book. It was written programmatically, in that I wrote some programming to leverage an AI backend to generate the questions and background information for each topic. I then adjusted the code and moderated the output until I got the book I wanted. It took a while, but it was fantastic when completed. I wanted to experiment with writing with AI tools, and since I knew the book I wanted to create had a specific format and content, it seemed like a good experiment. Ultimately, I learned much about working with AI and using Grammarly for editing and self-publishing. I have been absolutely thrilled with the response to the book and how the experiment turned out. In fact, it gave birth to another project that I am just beginning and will pave the way for some exciting new breakthroughs in how to work with AI tools in the coming years.

Q5: What is the one core message or lesson from your book that you’d like security teams to take away?

A5: The one takeaway I would have them consider is that discussion among the security team can really help a lot of the team members and the organization at large. We need to talk more about the work we do, both inside our teams and to the other teams we work with across the enterprise. The more we discuss, the more likely we can support each other and find the best solutions to our common problems and issues. Implementing the strategies, tactics, and insights we discover along the way might just be the change we need to make information security more effective, easier to manage, and even more fun!

Summary

L. Brent Huston’s “We Need To Talk: 52 Weeks To Better Cyber-Security” is more than just a book; it’s a roadmap for security teams to navigate the intricate maze of cyber-security. Through structured discussions, the book aims to foster collaboration, understanding, and growth among security professionals. With the unique blend of AI-generated content and Huston’s vast experience, this book promises to be an invaluable resource for those in the field.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

3 Books Security Folks Should Be Reading This Spring

I just wanted to drop 3 books here that I think infosec folks should check out this spring. As always, reading current material is an excellent way to keep your skills moving forward, and it gives you new perspectives on business and security matters. Even books from outside the security domain are useful for insights, new perspectives, or indirect references.

Here’s what I suggest you check out this spring:

1. Antifragile by Taleb – This book will set your mind on fire if you are a traditional risk assessment person. It is astounding, though often difficult to read, and its ideas are the logical conclusion of Taleb’s earlier theories from the Black Swan series. Beware, though: the ideas in this book may change the way you look at risk assessment, prediction, and threat modeling in some radical ways! Long and tedious in spots, but worth it!

2. Linked: The New Science of Networks by Barabasi & Frangos – This book is an excellent mathematical and scientific discussion of networks, both logical and physical. It describes the sciences of graph theory, link analysis, and relational mapping through easy-to-read and quite entertaining storytelling. Given the rise of Internet of Things environments, social networks, and other new takes on old-school linked networks, this is a great refresher for those who want to revisit this territory with modern insights.

3. Hacking Exposed 6 by Scambray – That’s right, go old-school and go back and learn penetration techniques from one of the best general hacking books in the industry. HE6 is an excellent book for covering the basics, and if there is anything all infosec folks need, it is a strong grasp of the basics. Learn and master these techniques in your lab. Work through the examples. Go ahead, we’ll wait. Have fun, and learn more about how bad guys still pwn stuff. Lots of these techniques, or variants of them, are still in use today!

There you go, now get reading! 🙂 

Book Review: VMware vSphere and Virtual Infrastructure Security

VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment (Prentice Hall) is written by Edward L. Haletky with the assistance of our friend, Tim Pierson. Another friend, Christofer Hoff, wrote the Foreword. Pierson is currently working with us to integrate the power of HPSS in his security courses. (Very cool!) Hoff is a forward-thinking security professional who is respected among his peers. The book immediately confronts the security issues with VMware. Chapter 2 presents the “anatomy of an attack.” Attack perspectives are those of a pentester, a hacker, a script kiddie, and a disgruntled employee.

Chapters 6, 7, and 8 focus on deployment, management, operations, and virtual machine security. Common operational issues in protecting and auditing your environment are discussed. Chapter 9 is especially useful, posing real-world questions discussed on the VMware VMTN Communities forums. The latter part of the book features a patch for Linux, a security hardening script, and sample assessment script output. A reading list and links are included in the final section. A great addition to your IT library, from Amazon for $40.56.

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client is Microsoft’s FrontPage.

The report describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain Unicode character in the URI of the request. This makes the vulnerability trivial to exploit. It allows attackers to list all of the files in the WebDAV folder and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses running an IIS 6.0 web server with the WebDAV authoring method enabled should carefully analyze their need for the service and disable it if possible until a fix is released.
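As an added example (not part of the original advisory), a defender-side check over IIS 6.0 W3C log lines: it flags WebDAV requests that succeed, and any request whose URI stem carries escaped or non-ASCII bytes, which is the shape of request the advisory describes. The log lines are constructed samples, and the field order and the assumption that cs-uri-stem is logged still percent-encoded are mine, not the advisory’s.

```python
import re
from urllib.parse import unquote_to_bytes

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample lines (not real traffic) in the default IIS 6.0 W3C layout:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status. Assumes cs-uri-stem is
# logged as received (still percent-encoded).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-18 10:01:02 10.0.0.5 GET /public/index.htm - 80 - 10.0.0.9 Mozilla/4.0 200 0 0
2009-05-18 10:01:09 10.0.0.5 PROPFIND /protected/ - 80 - 10.0.0.9 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 5
2009-05-18 10:01:15 10.0.0.5 PROPFIND /%c3%a9protected/ - 80 - 10.0.0.9 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-05-18 10:01:20 10.0.0.5 GET /%c3%a9protected/payroll.xls - 80 - 10.0.0.9 Mozilla/4.0 200 0 0
"""

def suspicious_encoding(uri_stem):
    """True for %uXXXX escapes, raw non-ASCII characters, or percent-encoded
    bytes above 0x7F anywhere in the URI stem."""
    if re.search(r"%u[0-9a-fA-F]{4}", uri_stem):
        return True
    if any(ord(ch) > 0x7F for ch in uri_stem):
        return True
    return any(b > 0x7F for b in unquote_to_bytes(uri_stem))

def parse_line(line):
    """Split one log line into the fields we need; skip '#' directive lines."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 11:
        return None
    return {"time": fields[0] + " " + fields[1], "method": fields[3],
            "stem": fields[4], "client": fields[8], "status": int(fields[10])}

def scan(log_text):
    """Return (time, client, method, stem, status, reason) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if suspicious_encoding(rec["stem"]):
            reasons.append("non-ASCII/escaped bytes in URI")
        if rec["method"] in WEBDAV_METHODS and 200 <= rec["status"] < 300:
            reasons.append("successful WebDAV request")
        if reasons:
            hits.append((rec["time"], rec["client"], rec["method"],
                         rec["stem"], rec["status"], "; ".join(reasons)))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns two hits: the successful PROPFIND on the escaped path and the follow-up GET of a file under it, while the plain GET and the rejected (401) PROPFIND are not flagged.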

Book Review: Computer Security and Cryptography


Computer Security and Cryptography (Wiley) by Alan G. Konheim is a great resource for understanding and implementing data security systems. Chapters are organized to help develop technical skills, describe a cryptosystem and its method of analysis, and provide problems to test your grasp of the material and your ability to implement practical solutions.

The book begins with the history of cryptography and moves into the theory of symmetric and public-key cryptography. Chapter 18 focuses on applications of cryptography, including Unix password encipherment, password cracking, and protecting ATM transactions.

With consumers becoming increasingly wary of identity theft and companies struggling to develop safe, secure systems, this book is essential reading for professionals in e-commerce and information technology. Written by a professor who teaches cryptography, it is also ideal for students. Available at Amazon for $90.00.

Book Review: Hardware Based Computer Security Techniques to Defeat Hackers


Hardware Based Computer Security Techniques to Defeat Hackers (Wiley) by Roger Dube maps out solutions for hardware devices used by the intelligence and defense communities. Dube begins with an overview of the basic elements of computer security and then covers areas such as cryptography, bootstrap loading, and biometrics.

Chapter Twelve does a good job of covering “tokens,” such as a key card or photo ID. The computer security mantra “something you have and something you know” applies to securing tokens. Issues such as cost, usability, and lockout must be evaluated when considering the use of tokens as part of the user-authentication process.

The book not only discusses the solutions but devotes a chapter at the end to explaining how to implement them. A good investment for the CIO and IT administrator. Available through Amazon for the sale price of $71.96 (retail $89.95).

IT Compliance and Controls by James J. DeLuccia, IV

IT Compliance and Controls: Best Practices for Implementation is a timely book that takes a good look at IT internal controls and answers the question, “How much is enough?” Along with providing protection for their organizations, the CIO/CTO needs to address compliance issues by identifying appropriate controls and their relationship to the global market. Author James J. DeLuccia, IV presents field-tested ideas forged from the fires of direct experience with clients who are daily hammering their technology into competitive business models.

DeLuccia lays a foundation by examining the importance of internal IT controls and defining US government oversight measures. He then explains why a siloed IT strategy wastes time and resources, offering a better solution in an enterprise-wide IT control environment.

The third section of the book covers implementation, focusing on risk analysis, technology strategy orchestration, life cycle management, access and authorization, and other areas. Available through Amazon for an affordable $40. A very useful book for the CIO, CTO, IT auditors, audit managers, and IT managers.

Book Review: The Handbook of Information and Computer Ethics

Another serious textbook, The Handbook of Information and Computer Ethics is an ambitious, in-depth look at the dizzying playground where technology meets human behavior. The book is a compilation of essays by various professors of philosophy and technology, offering their take on issues such as privacy and anonymity, hacking, and responsibility and risk assessment.

The editors, Kenneth E. Himma and Herman T. Tavani, explore the relationship between the internet and one’s ability to co-exist with it ethically. Himma especially has an interesting definition of the term “hacker” and ponders whether the concept of trespassing means the same as the term “digital intrusion.”

The chapter on responsibilities for information on the internet is challenging, questioning who truly owns it. Another chapter explores the issue of Software Development Impact Statements (SoDIS). It is a fascinating book. For $100 (on sale at Amazon!), you can stretch your mind with all types of scenarios. A great book to pass along to your network staff.

Book Review: Hacking Exposed: Linux Third Edition

ISECOM, the renowned security research organization, has again “made sense” of securing a Linux network against attacks. The book is a thorough guide to understanding how to “separate the asset from the threat” and block hackers from playing in the ultimate playground of Linux. The authors take you from the elements of security, to hacking the system, to hacking the users.

What is particularly helpful are the case studies. If you or your company’s employees need to travel and access your company’s website via wireless connection, you’ll be especially interested in the case study in Chapter Eight, where a hacker tracks a signal to a hotel’s access point and creates legit-looking error pages in order to obtain the account information of the user. Also helpful are their usual attack and countermeasure icons, which further define how to pinpoint areas of risk.

Security teams looking to evaluate their areas of vulnerability within Linux will be forearmed with the powerful arsenal of preventative approaches covered in this edition. All of the material is new, based upon the most recent and thorough security research. The hacking and countermeasure techniques are based on the OSSTMM, the security testing standard, and cover all known attacks on Linux as well as how to prepare the system to repel unknown attacks. A pretty good buy for the $49.95 cost.

Book Review: Security for Wireless Ad Hoc Networks

Authors: Anjum & Mouchtaris
Publisher: Wiley
Cost: $75.00
Rating: 3 out of 5

This book reads like a PhD thesis. It is long on technical and mathematical detail and a little short on real-world scenarios. The examples are well researched and deeply technical. While the reading is a little tedious, those seeking an in-depth understanding of wireless security will benefit greatly from this book.

At just under 250 pages, it is likely to take longer than a weekend to complete the read, but if you are a mathematical genius, this book should be right up your alley. One of the highlights of the book is the content on intrusion detection systems. That section does an excellent job of explaining various techniques and architectures for wireless intrusion detection. This content will be especially interesting to engineers and vendors in the wireless security space.