Information security book reviews

The books reviewed below have contributed in some measure to our knowledge and research for the NoticeBored security awareness materials.*

Computer Security for the Home and Small Office

This is a self-help IT security book aimed at those who work from a Small Office/Home Office (SOHO). Written by The Register’s Associate Editor, it should be no surprise that the book challenges accepted norms such as Microsoft Windows, Office and Internet Explorer. A worthwhile security awareness text for a general if rather IT-literate audience.


Lessons Learned in Software Testing

We are currently researching and reading for a forthcoming new awareness module on application security. Through a series of nearly 300 “lessons”, the authors share their accumulated wisdom about how to test application systems - not so much which buttons to press but more how to establish and manage a test team, plan the work and dynamically adjust the testing process.

Corporate Espionage

To complete our look at Ira Winkler books and coincide with this month’s awareness module on protecting trade secrets, we’ve reviewed his first book. It is very similar to, and every bit as engaging as, Spies Among Us, albeit slightly more raw. If your managers need a bit of a wake-up call to appreciate the need for information security controls, this could be it.


The Insider

The Insider is built around an extensive collection of real-life security incidents involving both insiders and outsiders. The book is essentially a collection of in-depth news reports, peppered with a few brief notes from anonymous corporate evaluations of a network traffic analysis tool. The lack of meaningful analysis detracts from the book’s value.


Zen and the Art of Information Security

If you have no background in information security, this book would make an interesting if rather superficial introduction to the issues. It falls short on useful, sound advice. If you have read Ira Winkler’s previous books, you are unlikely to learn anything new but you’ll be entertained nonetheless.


IDEO on innovation

Good awareness text

We’ve enjoyed reading and reviewing two non-security books for once. IDEO’s creative techniques for innovative product design have worthwhile application in designing effective security awareness programs and indeed other products and services.


Net Crimes & Misdemeanors - Outmaneuvering Web spammers, stalkers, and con artists

Good awareness text

Net Crimes explores the dangers of the online world covering a broad assortment of Internet security issues, with useful descriptions and helpful advice for all Web users. This is a good security awareness book for anyone who is relatively new to the net, combining realistic threat descriptions with pragmatic security advice.

Insider Threat - protecting the enterprise from sabotage, spying, and theft

“Insider threat and corporate espionage rely on the fact that it is sometimes better to live in denial and be happy than to know the truth and have to deal with it.” This book reveals the ugly truth and outlines some of the control measures you should take to minimize the risks. Deny it no longer!


Know Your Enemy - learning about security threats

Good technical content

The Honeynet Project is a fascinating project researching hacker techniques by, in effect, inviting hackers to do their stuff on specially-configured network machines that capture the details. This well-written technical book details how honeypot systems are configured in honeynets, and how hacker activities are analyzed.


Phishing - cutting the identity theft line

We learnt good stuff from this book

Phishing is simply about someone sending out emails inviting you to ‘update your details’, right? Well, yes ... and no. There’s rather more to it than that. Authors Rachael Lininger and Russell Dean Vines lift the covers on a seedy underworld where criminal hackers combine social engineering with malware.


Google Hacking for penetration testers

We love Google! Johnny Long’s book, the professional Google hacker’s instruction manual, is an information security manager’s horror story. Page after page reveals creative uses of the world’s biggest and best search engine to find security vulnerabilities and breaches on websites and web applications. By all means read our review, but think twice about reading the book if you are a security professional of a nervous disposition. Sleepless nights guaranteed.


Computer Security: 20 Things Every Employee Should Know - The Employee Handbook for Securing the Workplace

Good value

At just US$8 a copy, this neat little booklet summarizing computer security for ordinary employees could usefully support a structured security awareness program or security induction course, but do not rely on it alone. Read our book review.


Enemy at the Water Cooler - Real-life Stories of Insider Threats and Enterprise Security Management Countermeasures

Ignore the main title – look at the subtitle. This book is little more than a sales pitch for Enterprise Security Management systems, or more specifically the ESM sold by the author’s company. The link to “insider threats” is tenuous at best and in the most part is merely used as an excuse to hype the wonders of ESM. Read our unflattering review here.

IT Governance: A manager’s guide to data security and BS 7799 / ISO 17799

Despite the subtitle, this third edition by Alan Calder and Steve Watkins is arguably more of a practitioners’ guide to the implementation of ISO 17799. The introductory chapters do indeed cover IT governance but the bulk of the book concentrates on information security management. Read our book review for more ...


The CISO Handbook

Good stuff! Another good read we are happy to recommend - this one offers sage advice for anyone tasked by management with ‘fixing information security’. It highlights the program management aspects of building and running an effective security improvement program rather than the content of the individual security projects.


Managing an Information Security and Privacy Awareness and Training Program

One of our all-time favorites

At last! A textbook on security awareness that we are happy to recommend unreservedly. Rebecca Herold has written a real winner, packed with helpful advice. Read our glowing book review for more superlatives.

Spies Among Us

Excellent! Read our review of this valuable and recommended book. The case studies on actual social engineering penetration tests are exactly the kind of thing that might wake up complacent managers who believe their organizations are somehow immune to the social engineers.


Spreadsheet Check & Control

Very worthwhile

We really value this book. If you write spreadsheets, especially spreadsheets that calculate and report important business information, study this book carefully. It may save you a fortune. Click here for the review, or if you have decided already, click here to buy it from Amazon (~$26).


Information Security Awareness

We have published a detailed review of this book by Tim Layton. The book’s subtitle “The psychology behind the technology” reflects the assertion that information security is as much to do with how people behave when making choices about security as about the technical controls employed. We agree with the assertion, but read the critique to find out what we made of Tim’s book.


IT Governance

“The most important predictor of top governance performance was the percentage of managers in leadership positions who could accurately describe their enterprise’s IT governance.” ’Nuff said. Read our book review.


You Are a Loser

Read our brief review of this interesting little book of case studies on information security breaches to find out how it can help your security awareness program.


The Art of Deception

Kevin Mitnick’s book was a tremendous source of inspiration for the NoticeBored awareness materials on social engineering. This is our review of the book.


* NB: most of our book reviews include links to purchase the books from Amazon. We earn a little commission on these, “little” being the operative word unfortunately, but this diminutive income does at least occasionally allow us to purchase, read and review yet more books. If you begrudge us our meager income in return for reviewing the books, feel free to visit Amazon or your favorite book seller independently of our links.



Copyright © 2008 IsecT Ltd. and licensors