Constant improvement is what your adversaries master at. Even though you might go for a new certificate from time to time – this is not the improvement I am talking about. Webinars are not improvement. Good, old-school reading and putting what you learned into practice is going to make you a master of your craft. Let the others go for the certificates – you will not be competing on their low level anyway.
How do you become a cybersecurity expert?
Your mastery of the Cyber Defense craft is imperative to your own success and the success of your organization.
I cannot promise you many things – but I can promise you this: if you dedicate the time to read this list of books you will be on your way to becoming a Master among your peers. Just trust me on this one. Every book will move you forward, every book will build your mindset and every book will drive you to learn new things – even ones not mentioned inside. It does not matter which field are you trying to excel at – pentesting, auditing, managing a security team, secure programming, security monitoring, etc. – the books below will provide an incredibly solid foundation on which you can build further.
Finally – please stop making blogs and blog posts your primary source of infosec news and start reading well written books and military-grade papers on security – they are not that difficult to find. Let the “certified professionals” post and read on blogs – this book is for the ones who want to go beyond a certification or a degree (if you hold any certificate please do not get offended – I’ve seen the good and the bad from people holding them and can say it only depends on the person – some people know what they’re doing, many don’t). Remember the golden rule of being an expert – read the books the authors of your bestseller books had to read to become good enough to write your bestseller books! Do you really think they would have written them by reading blog posts? Don’t think so.
Recommended books to build a solid cybersecurity knowledge foundation
The list is not comprehensive – and is a personal recommendation. Yet I still trust that after reading it you will be miles ahead of people who only study what they have/need to. Your understanding of the core concepts in this field will allow you to make much wiser decisions.
Philosophy / Military Art
There were times when warriors (and defenders) had to prove themselves in battle as opposed to paper degrees, certifications or LinkedIn profiles. And in order to become victorious in your daily battles, you need strategy – strategic thinking they do not teach you on the certifications tracks and in universities. Military insight collected over the centuries and distilled into books is invaluable for cybersecurity professionals.
The Art of War – Sun Tzu – let this be your foundation. Many know about this book – but not everyone knows that it has an amazing successor. Sun Tzu had a great-grandson (some say great-great-great grandson) – Sun Pin, and his book (Sun Pin: The Art of Warfare) is a must-read, too. There is actually one book on Amazon which has both in one. The best you could do is to buy the “The Complete Art Of War: Sun Tzu/sun Pin (History & Warfare)” – as it contains both books and a very good commentary by people who have spent years in studying the books, as without them you would have a hard time understanding some of the specific ancient Chinese concepts.
The Book of Five Rings
If you liked “The Art of War” you will like this one. It is Japanese – and it is said that Yakudza are governed at large by the rules of this book.
Please do not be alarmed by the large quantities of fighting techniques, sword and other weaponry usage guidelines – yes, there is a lot of that, but it is definitely not useless and can be applied to modern cyber attack / defense tools. Think of it in this way: both you and your attacker possess defensive and offensive capabilities. While many see cyber defense as their only legal option, cyber offense is possible and can be legal.
Yes, you cannot hack back. But you can track down and capture with the help of any local police. You cannot steal their information, but you can provide local (to the attacker) law enforcement with ways to obtain that information, and so on. Just as the attackers can use strategy to break through your defenses, so can you. And they are not as scary as their tools are to your security vendors – in most cases hackers are much less protected than an enterprise. It is surprisingly easy to track them down and capture them if you have the right people, tools and resources at hand.
The books above are the Foundation. Reading them once is a good start. Reading them for a second time after a year is necessary. You will understand, after time, that you cannot fully comprehend what a military master has accumulated over a lifetime and compressed into a book, over a single reading. And when you read them for the second/third time your brain will eventually start to build connection between the cyber world and the real world, between ancient fighting strategies and modern cyber war strategies.
Diplomacy (Touchstone Book) – this book will give you many good examples on diplomacy, and this skill is critical in our daily work.
Cyber Security History
The Best of 2600: A Hacker Odyssey
This one is a gem. Not actually a book – but a collection of quite a lot of issues of the 2600 magazine – starting from the earliest. The whole cyber security culture, a lot of its mindset are compressed inside.
I can’t think of any other book which would give you such a good of a perspective on the history of our craft as it developed through the years.
Yes, you read that right. Novels. Severely underestimated in the benefits and knowledge they provide – the books below are a must-read.
You are really lucky the series below are available as a single Kindle purchase for under $50. Back in the day, I had to order them book by book and ship them to Europe – the price was much higher.
Stealing the Network: The Complete Series Collector’s Edition and Final Chapter
This is one of the most important readings one could have as an INFOSEC professional. It will open your eyes and mind to an incredible amount of real-life attacks. Through a captivating story the books will guide you through hundreds of techniques cyber criminals use to compromise their targets and stay undetected.
Trojan Horse: A Novel
A book by Mark Russinovich and Kevin Mitnick. And amazing combination.
Rogue Code: A Jeff Aiken Novel (Jeff Aiken Series) is another one worth the read. You will have fun and keep learning – can it get any better?
Hacking a Terror Network: The Silent Threat of Covert Channels – this book will open up a whole new world of data exfiltration / steganography in a very realistic way.
The Art of Deception: Controlling the Human Element of Security – a classic by Kevin Mitnick. An absolute must when it comes to understanding social engineering.
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers – another great read by Kevin Mitnick, this time on a more technical side. Very realistic – although slightly dated – exploitation today happens in a very different way. Still, very much worth a read.
Just 2 titles here – we are laying the foundation. There are many ways to focus on a specific areas of expertise – but a certain foundational technical level is still needed to get started.
Hacking Exposed, 7th edition – no doubt, you SHOULD read this book, if you haven’t already. It will build a solid foundation for whichever direction you decide to develop in.
Security Intelligence: A Practitioner’s Guide to Solving Enterprise Security Challenges – the second technical book you should get. Much deeper and tougher to digest. Note: not available in some countries, but guess what: you can buy it from O’Reilly directly as an e-book: http://shop.oreilly.com/product/9781118896693.do
Standards and Best Practices
Try and stay away from cyber security standards which are built around an auditing / compliance / security certification industry, same as ‘best practices’ being offered by educational entities for marketing purposes. I mean, surely you will not be able to if you work at a large organization, but you should definitely not rely on them for any practical usefulness beyond protection on paper.
The ones which are focused on practical controls are tough to implement and really tough to control – that is why there are very few consultancies specializing on auditing non-US companies against NIST 800-53v4 or US DoD 8500 controls.
Most focus on ISO standards – well, I personally dislike them for the damage inflicted on organizations believing to be secure after being declared “compliant” to some brand standard or the sorts of them. Not that ISO standards are bad – they are not. But the way they are being enforced and audited against is not right. There must be much stricter control over which proofs of compliance should be accepted, because a control on paper is not the same as an effective practical control which is tested and working against real threats. Often the auditors themselves lack basic infosec knowledge and can’t see beyond their checklist.
Then again, there is nothing wrong with checklists. Take this one for example –https://www.stigviewer.com/controls/8500 – as long as the controls and the proofs of their existence are checked properly.
“Is a port closed?” – run nmap and check. Don’t just accept ‘yes’ as an answer from the network engineer. “Do you perform information security awareness training” – interview several employees from multiple departments, check their knowledge, test them with a fake phishing page, see how many report it and how many submit their domain credentials… Do you see now, how different that is from the audits most organizations are used to? And then they wonder why their compliance does little for their real-life security. It’s all about proper verification.
Now, if you really want the “big guns” – review the US DAG (Defense Acquisition Guidebook, all 1248 pages of it) Defense Acquisition Guidebook which defines in great detail the requirements towards systems and processes, before being accepted to service. After you go through it you will see the difference with popular standards and requirements for yourself.
There is no way to catalog all best practices worth reading here – but I am making a point. There are ones built by commercial organizations and ones built by defense engineers. Choose the latter every time you have the opportunity.
One good starting point to refer to cyber security standards and best practices is the CyberSecurity Reference Tool, developed by NIST, located here:
http://www.nist.gov/cyberframework/csf_reference_tool.cfm – which can be used not only to refer controls to their respective standards / best practice references, but also when needing to explain why a certain control needs to be implemented to higher management. Backing your words with control details, names and referencing best practices and standards linked to these controls you have a stronger convincing power.
It provides you with a really handy XLS file, listing all relevant references per category and sub-category:
For example, for the Asset Management category, it lists the subcategory of “ID.AM-1: Physical devices and systems within the organization are inventoried” and the references for this subcategory:
|CCS CSC 1
|COBIT 5 BAI09.01, BAI09.02
|ISA 62443-2-1:2009 184.108.40.206
|ISA 62443-3-3:2013 SR 7.8
|ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
|NIST SP 800-53 Rev. 4 CM-8
You can also use Google to find valuable guides and information.
The Australian Government Information Security manual page is an incredibly good resource, too: http://www.asd.gov.au/infosec/ism/index.htm – and the 3 documents – Executive, Principles and Controls – are incredibly well written. Even though most of this book is focused on what the US government infosec teams have provided to the world for free, the Australian teams are breathing in their necks in terms of quality and usefulness.
Strive to read the best information possible.
And since the following is totally free, you could attend and pass every single training which matches with your interests from the list here:
These are web-based training materials (WBT), containing hundreds upon hundreds of the highest-quality security training you could ever find for free online. These are not vendor-based, not created for profit, but created with the sole purpose of efficiency. I could not recommend them high enough.
Some of them might be applicable to all your colleagues (like the Phishing or Cyber Awareness Challenge), others might be relevant to your IT team.
The second course you can see on the screenshot above – “Mission Assurance for Senior Leaders” is also an excellent materials for you as the reader of this book.