Security news that informs and inspires

Decipher Library: Holiday Edition 2021

As the year comes to a close, we hope you will have some well-deserved time off to rest and maybe catch up on some reading. We've asked some of our friends and colleagues to recommend a favorite book, new or old, fiction or non-fiction, to help give you a few good options. Enjoy.

Set Phasers on Stun: And Other True Tales of Design, Technology, and Human Error, by Steven Casey

The Atomic Chef: And Other True Tales of Design, Technology, and Human Error, By Steven Casey

The Design of Everyday Things, by Don Norman

I will preface... while I started out my degree as a computer engineer, I switched majors because I didn't want to be designing chips the rest of my life and wanted something more "applied". At the time I was also doing a short work study at the HCII at Carnegie Mellon and really got interested in UX/HCI/UI. While not a major option at the time, I graduated and became a user interface designer for Xerox in Rochester, NY. Some of our textbooks included these in the syllabus, and they really, still to this day, inform how I look at problems and challenges, and how humans interact with them to arrive at a solution. The advantages of these "tales of peril" work well for security practitioners to not immediately dismiss "black swan" or "edge cases" when modeling threats or designing systems and solutions. Plus, at the policy level, never underestimate humans and the ways they can get themselves into unplanned scenarios. The latter came out far after graduation, but is a good continuation of the "tales of woe".

People often complain why things are "so shitty" and it goes back to the struggle of "form over function" in many cases at the design level. I personally was berated by my industrial design professor for building an inelegant solution to the challenge, but given the rules, and desired outcomes, I not only met but exceeded the design requirements. In this case, the design of a stool. I know my classmates really tried to make super beautiful and sleek stools/chairs, but for me, my "wow" moment was removing the core support and using a hidden beam system to support the seat out to thin pillars. Not only did I not have to sit on it gingerly like the other students, but I could get on top of it (with my obese weight at the time) and stand without it moving or collapsing.

It's sometimes better to, as to take one of my talks, not just meet the waterline on design requirements, but to get to a point where you can float above and not be drowning if there's a failure. Sometimes judicious over-engineering of some solutions while still being an elegant design is wholly underrated in tech and other spheres. For that, I give you the massively reference-able "The Design of Everyday Things" - it'll keep you from taking many things you interact with for granted and maybe help you think a bit differently on how you move through the world. – Amelie Koran, Electronic Arts

We Are Bellingcat: Global Crime, Online Sleuths, and the Bold Future of News, by Eliot Higgins

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, by Nicole Perlroth

Reset: Reclaiming the Internet for Civil Society, by Ronald J. Deibert

An international research collective, Bellingcat has made significant contributions to ongoing investigations against threat actors. This book, written by founder Eilot Higgins, shares the story of Bellingcat’s creation and the ways in which Higgins and other researchers use open-sourced intelligence in their investigations. For anyone working in - or interested in - threat intelligence this is an absolute must read.

Part spy novel, part investigative report, New York Times reporter Nicole Perlroth shares her extensive research into the underground market of zero-day vulnerabilities. While the novel isn’t written for cybersecurity professionals, and most of us likely understand the severity of zero day exploits and their historical contexts, Perlroth provides a fascinating historical account of the cyber arms race and a marketplace few of us have encountered first-hand.

Ronald Deibert is legendary in the threat intelligence community for his work at CitizenLab investigating the misuse of consumer data and the targeted surveillance of political dissidents, activists and journalists. In Reset, Deibert describes the risks we face in the unbridled use of technology that too often erodes consumer privacy and even our environmental and political stability. He supports his arguments with fascinating case studies and suggests ways in which we, as a society, can tip the scales toward a more symbiotic relationship with the tech we rely on. – Kristina Balaam, senior threat researcher for threat intelligence at Lookout

Sway: The Irresistible Pull of Irrational Behavior, by Ori Brafman and Ron Brafman.

This is one of my favorite human behavior books - It’s incredibly insightful and a lot of fun to read, and it focuses on the intersection of economics, sociology, and psychology as it relates to the hidden and often illogical drivers behind human decision making. Aside from being a fascinating subject, I found it really useful for creating frameworks of “why” that can be applied to the anti-patterns that annoy use as security professionals, as well as tools to work with those irrational drivers instead of constantly trying to fight against them. - Casey Ellis, founder and CTO, Bugcrowd

Thinking Better: The Art of the Shortcut in Math and Life, by Marcus du Sautoy

Think Like a Freak: The Authors of Freakonomics Offer to Retrain Your Brain, by Steven D. Levitt and Stephen J. Dubner

Cybersecurity is a really hard problem to solve. Yet, too often we try to solve problems caused by cyber threats with technical solutions instead of looking at the bigger picture and tackling these problems more strategically. I love these books not because they spell out explicit ways to solve problems, but because they guide you through thinking about various problems in different ways to develop potential innovative solutions. While Thinking Better sounds like it would be a dry math book, it's really about exploring strategies to think more efficiently. In a world where too many companies treat AI like a cybersecurity panacea, this book demonstrates the power of the "human laziness" and how purely automated solutions are never a silver bullet. Think Like a Freak walks through different problems, from how to win the World Cup to solving poverty, and shows how behavioral economics--a mix of psychology and economics--has been used to develop creative, and sometimes counterintuitive, solutions or explanations. And for those that still need a hard link to cybersecurity, Think Like a Freak even contains a chapter that talks about why Nigerian scammers use seemingly unsophisticated tactics to identify ideal targets. - Crane Hassold, director of threat intelligence at Abnormal Security.

CivilWarLand in Bad Decline, by George Saunders

I spend so much time at work reading and writing about infosec that I refuse to read security books in my free time. Sandworm is the only exception. I might have read Countdown to Zero Day, a book I received as a gift at the 2014 Security Analysts Summit in Mexico, but it wouldn't fit in my bag. Sorry, Kim.

So my recommendation isn't about infosec. Technically speaking, it's not really a book either—it's a collection of short stories from the 90's that was on my list for years until I finally read it a few months ago. It's called CivilWarLand in Bad Decline, it's by George Saunders, and it is amazing.

There are basically two types of stories in the collection, and they're objectively the best kinds of stories: stories about freak show tourist attractions and stories about dubious business ideas. Oftentimes the two ideas merge. As an example, CivilWarLand is in fact a Civil War-themed amusement park, and it is undeniably in bad decline. Another story revolves around an ethical raccoon removal and relocation business, but really they just kill the raccoons and toss their bodies in a raccoon pit behind the office. More broadly, every story seems to take place in the sort of dystopian capitalist hell-scape that feels warm and familiar to the hapless inhabitants of the early 2020s. It's not just CivilWarLand that's in bad decline. Everything is.

Despite being overtly grim, these stories are either hilarious, strangely hopeful, or both. – Brian Donohue, senior information security specialist, Red Canary

Oathbringer, by Brandon Sanderson

There are a number of reasons why this book (as well as the series) is a must-read if you are a fan of fantasy. However, the reason why I chose this book was because it, more than any other book I have read in a long time, made me reflect and become introspective. Which was quite unexpected.

There is a quote in the book where the protagonist is looking back on the decisions he made in his past and someone says to him: 'The most important step a man can take. It’s not the first one, is it? It’s the next one. Always the next step.'

This quote really drove home something for me that I think anyone who has had to make decisions that impacts other people deal with. Whether you are building a product, managing groups of people, or even just raising children, there are times where you make the best decision you can at that time. After the fact you look back and start second guessing the decisions you have made. This quote alone (and the situation in the book surrounding it) really helped me to recognize that the decisions I have made in my career that in hindsight I would have maybe done differently, are not to be dwelled on but used as a learning opportunity. As long as I am continuing to be better with each step/decision/action, that's all that I can do. -Glen Pendley, CTO at Tenable

Code Girls, by Liza Mundy

Breaking Backbones, by Deb Radcliff

I like reading about history, and am fascinated by the stories of the women of Bletchley Park, the top-secret Allied facility devoted to breaking codes during World War 2. Liza Mundy’s Code Girls tells the story of their American counterparts. There were 11,000 female codebreakers working for the United States, and Mundy combines research from the National Cryptologic Museum and the National Archives with firsthand stories from 20 of these women. This isn’t the book to read if the goal is to learn about specific methods used to break codes. The focus is on the day-to-day experiences, the toll this kind of work took on the codebreakers. The stress of dealing with high-pressure jobs over a sustained period of time is something that we are talking about now as we urge managers to prioritize the mental health of their security teams. Apparently some things haven’t changed in the sixty or so years.

I am going to be banging on the SANS Holiday Hack Challenge to finish out 2021, but will also be making time to work through the first installment of Deb Radcliff’s Hacker Trilogy. Breaking Backbones: Information is Power takes place in a world where we have traded away our privacy for convenience. We don’t yet have a microchip implanted in us at birth, but considering our heavy reliance on the digital world, it doesn’t feel so far-fetched as plotlines go. -Fahmida Y. Rashid, editor at Dark Reading and former senior managing editor of Decipher

Spam Nation, by Brian Krebs

With everything happening across the cybersecurity landscape, a CISO might almost feel guilty for setting aside a little time outside of work to read just for pleasure. So earlier this year I formed “The Encrypted Press, A CISO Book Club” as a way of bringing together cybersecurity professionals through virtual meetings to discuss interesting and thoughtful books…without the guilt. Most recently we covered Spam Nation, and had the incredible opportunity to hear directly from the author, Brian Krebs, during a lively fireside chat. What I love most about this book is the vivid picture Brian paints of the threat actors targeting us all, and the impactful solutions he offers to counter the online risks we face daily. It’s a compelling read for both the seasoned CISO and novice computer user. -Lucia Milică, Global Resident CISO at Proofpoint

Managing Transitions: Making the Most of Change, by William Bridges

Breaking the Social Media Prism: How to Make Our Platforms Less Polarizing, by Chris Bail

When I first started reading Managing Transitions: Making the Most of Change in March 2020, I was trying to take control and navigate some of the personal changes in my own life. Ironically, that same month, COVID-19 sent shockwaves across the world, adding outlandish complexities to everyday tasks, as simple as going to the grocery store. Suddenly, the takeaways from this book felt very real: Times of transition are strange, whether it’s during a workplace reorganization, a personal life event or a pandemic. People react in different ways. Sometimes they lash out, other times they surprise themselves, step up to the plate and maintain control over the situation. This focus on human nature, which is sometimes lost in the shuffle, is emphasized in William Bridges’ book when he draws parallels between how transitions are handled and what they mean for workplace management and company morale. That message really hit close to home when we look at how the pandemic has impacted workplaces in particular - including, from my perspective, how companies struggled to prioritize security as workplaces went fully remote. Another more recent favorite read, Breaking the Social Media Prism, explores the impact on society of “being stuck in the echo chamber” of social media. The effects of disinformation campaigns and other issues tied to social media have been well explored over the years and are pretty obvious at this point, but Chris Bail does a great job encouraging us to take a step back and give an introspective look at our online presence and the role it should play - and that it realistically plays - in society. -Lindsey O’Donnell-Welch

Where Wizards Stay Up Late: The Origins of the Internet, by Katie Hafner and Matthew Lyon

When I read this book, in 2001 or so, I was a young reporter at one of the big tech weeklies and was trying to absorb as much information, history, and lore about the industry and the Internet’s history as possible. One of my editors gave me a few books to get going, including The Soul of a New Machine, Dealers of Lightning, and Where Wizards Stay up Late. I loved them all, but Where Wizards Stay Up Late has become my favorite. It’s 25 years old now, but the story it tells is as important and vital now as it was then, perhaps even more so, given that the Internet has taken over the damn world. Hafner and Lyon detail the pre-history of the network, the development of the underlying technologies that made it possible, and most importantly, the people who made it happen. The portrayals of folks such as Larry Roberts, the visionary ARPA administrator, Vint Cerf, the pioneering engineer, and Bob Kahn, who co-developed TCP/IP, are nuanced and detailed, without being fawning. Telling a story as broad and deep as the beginning of the Internet is brutally difficult, and making it interesting is harder still, but Hafner and Lyon nailed it. History, turns out it’s kind of important. –Dennis Fisher