Review: Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk


Andrew Magnusson started his information security career 20 years ago, and in this book he offers the knowledge he has accumulated to help the reader eliminate security weaknesses and threats within their systems.

As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.

The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.

He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it provides the information needed to successfully complete a vulnerability management process.

The next step is to automate these processes, which makes it possible to prioritize vulnerabilities and frees up time to work on the more severe issues, consequently boosting an organization’s security posture.

Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.

The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by their superiors.

The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system, with a detailed analysis of the open source tools they need to use, such as Nmap, OpenVAS, and cve-search, all supported by code examples.

The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.

Who is it for?

Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.

Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.

Review: Web Security for Developers: Real Threats, Practical Defense


Malcolm McDonald, with his 20 years of experience in programming, poured his knowledge into this book to offer comprehensive information about everything a developer needs to know to do their job properly and thoroughly.

After a short lesson in internet history, the author puts the reader in the shoes of the attacker and explains how simple it is to hack a website, as well as how easy it is to obtain and apply hacking tools.

The author proceeds to offer basic knowledge about how the internet, browsers, web servers and programmers work.

Every following chapter explains major vulnerabilities and how to fix them, as well as the various types of attacks and the damage they can cause. To help the reader better understand these processes, the author has added code examples.

Luckily, tools needed to help secure a website are also freely accessible and easily implemented.

As he points out, the goal is not only to protect a website but also to make it safe for its users. This means that, besides preventing major system compromises, it is crucial to simultaneously protect users’ data by storing it securely, requiring authentication and implementing encryption.

Who is this book for?

Whether you’re just starting out in your career as a web developer or are a seasoned pro, Web Security for Developers: Real Threats, Practical Defense will provide all the necessary information about the possible and imminent threats you will face and how to prepare yourself and your team to avoid them.

Although the content is very technical and covers coding and programming topics, the book reads easily and provides essential knowledge to aspiring web developers.

The Third Edition of Ross Anderson’s Security Engineering


Ross Anderson’s fantastic textbook, Security Engineering, will have a third edition. The book won’t be published until December, but Ross has been making drafts of the chapters available online as he finishes them. Now that the book is completed, I expect the publisher to make him take the drafts off the Internet.

I personally find both the electronic and paper versions to be incredibly useful. Grab an electronic copy now while you still can.


Review: Cyber Warfare – Truth, Tactics, and Strategies


Dr. Chase Cunningham holds a Ph.D. and M.S. in computer science from Colorado Technical University and a B.S. from American Military University focused on counter-terrorism operations in cyberspace. He is a retired U.S. Navy chief with more than 20 years’ experience in cyber forensic and cyber analytic operations, and has spent time in work centers within the NSA, CIA, FBI, and other government agencies.

He has served as a director of cyber threat intelligence operations at Armor and was the computer network exploitation lead for Telecommunication Systems and the chief of cyber analytics for Decisive Analytics. He is currently a cybersecurity principal analyst at Forrester.


To help the reader understand the scale of today’s cyber threats, the author explains the history behind them and how they kept pace with the evolution of information and communications technologies as these became an essential part of our everyday lives.

Many future battles will be fought with cyber weapons, narrowing the resources and capabilities gap that long existed between rich and poor nations. All of them can now effectively bring their enemy down.

The author describes the flaws of the networks we have built, why cybersecurity is a never-ending pursuit and, specifically, why perimeter-based security is no longer a good option in the era of remote working and BYOD.

He digs deep into the reality of today, from the use of social media with malicious intent by exploiting the power of influence, to the abuse of deepfakes, AI, ML, and misinformation.

He emphasizes the importance of strategy in cyber warfare. Just like warfare in the physical space, a change in tactics is essential. One must adapt to new circumstances posed by the cyber enemy.

To help the reader better understand this issue, he correlates cyber attack tactics and techniques with real life (military) examples from the Iraq War.

The author also illustrates tools and technologies that can be useful to boost the security posture of an organization and help respond quickly and effectively to a potential cyber threat.

Though not in the traditional sense, this is a war, and only those who are well prepared and have a good strategy in place will be left standing.

The book ends with a list of major cyber incidents throughout 2019.

Who is it for?

Cybersecurity experience is assumed, so the book is primarily aimed at cybersecurity professionals who are interested in gaining knowledge about how to improve their organization’s cyber resilience and be prepared for possible threats.

It’s also a great read for those who are concerned about their security in the digital world, especially when it comes to social media. It’s an issue that affects all of us and the author has provided essential information in a very comprehensive way.

Review: Cybersecurity – Attack and Defense Strategies


Yuri Diogenes, a professor at EC-Council University and Senior Program Manager at Microsoft, and Dr. Erdal Ozkaya, a prominent cybersecurity professional, advisor, author, speaker and lecturer, published the second edition of their acclaimed book “Cybersecurity – Attack and Defense Strategies”.


The book emphasizes, first and foremost, the necessity of every enterprise being aware of its threat landscape and its weakest points, and of implementing the right methods to boost its security posture.

This book will teach you how to identify unusual behaviors within your organization and use incident response methods by applying blue team and red team strategies.

You will also learn about the importance of a good cybersecurity strategy and how to develop it.

The authors explain common hacker tactics, techniques and procedures and the processes of a cyber attack, with a detailed description of tools commonly used during a cyberattack.

The book contains a lot of practical examples that can be applied/tested in a virtual lab. You’ll learn how to avoid wireless attacks and credential theft, how to protect a network, how to avoid phishing incidents, how to protect operating systems, how to avoid mobile phone attacks, details about the most common cloud hacking tools, and so on.

The authors highlight the importance of a well-constructed security policy, which should include clearly defined procedures, standards, guidelines and best practices. Of course, these rules are only effective if you educate your staff, but once that is done they should minimize the likelihood of your organization falling victim to compromise.

To boost performance and improve security, they point to the correct planning and implementation of network segmentation, as well as of a variety of active sensors that monitor for unusual activities and threats.

The final chapters cover the procedures of an incident investigation and a recovery process, which give you insights on how to maintain business continuity and implement disaster recovery best practices.

Who is it for?

This is clearly a book aimed at IT professionals who are familiar with penetration testing, Windows and Linux operating systems, and are acquainted with the concept of information security. The content is evidently technical, but the language is clear and comprehensible.

It’s an excellent read for those who want to have all the essential information about how to protect their organization in one place. Besides detailed practical examples, the book offers various links to websites to further broaden your knowledge.

Richard Stiennon publishes Security Yearbook 2020, covers the history of the IT security industry

Author, industry analyst, and founder of IT-Harvest, Richard Stiennon, announced the release of “Security Yearbook 2020: A History and Directory of the IT Security Industry.” The new book is available for immediate shipping from Amazon.


Cybercrime is one of the biggest issues that humanity will face in the coming years. Cyber espionage and cyberwarfare can destabilize governments, undermine elections and exploit vulnerabilities in a nation’s critical infrastructure. Its economic impact is driving drastic changes to how every organization is deploying technology.

For more than 20 years, companies have been built and burnt in the quest to provide the best cybersecurity solutions to keep the bad actors at bay. This is the first time their stories have been collected in one place to give a true historical analysis of one of the most important emergent industries in modern times.

The result of over a decade of research, “Security Yearbook 2020” starts at the early days of RACF, ACF2, Check Point Software, Symantec, and McAfee, and comes right up to the present day, when the industry comprises over 2,336 vendors worldwide and hundreds of companies compete daily to bring the next breakthrough in the security market to life.

Security Yearbook 2020 is not a review of technologies; this is a book filled with rich histories of the vendors and the people behind the companies – the misfits and pioneers – that have together built the $300+ billion cybersecurity industry of today.

Their individual stories are recounted in their own voice alongside the author’s market research and analysis, making this a one-of-a-kind read and an indispensable guide to the entire IT security industry.

“My vision for this book began when I realized I had been writing books about the history of cyber-attacks while neglecting the history of the very industry I have been part of for 24 years; those creating the product we rely on every day for defense,” said Richard Stiennon.

“This will be my fifth book and can be enjoyed by anyone with an interest in the origins of cybersecurity and what the future holds for the industry.”

Sections are devoted to network, endpoint, data, identity, and compliance sectors. New sectors such as security analytics, threat intelligence, and deception will be of particular interest to practitioners who are looking to understand advanced cyber defense tools and practices.

Security Yearbook 2020 will also be the first published directory of all vendors listed by country and product category. It will be an indispensable desk and online reference for analysts, investors, industry veterans, and students.

Review: Cyber Minds


Humans are an essential part of any enterprise and should be considered the foundation of its cybersecurity. That’s probably easier said than done, but Shira Rubinoff has some useful tips for you.

Aside from being a prominent cybersecurity executive, speaker, cybersecurity and blockchain advisor, and having built two cybersecurity companies, Rubinoff also has an educational background in psychology. That’s why Cyber Minds is very human-oriented, meaning she views cybersecurity through its interconnectivity with humans.

Inside Cyber Minds

Every enterprise should take care of its cybersecurity by taking care of every single employee and giving them the opportunity and the knowledge to practice good cyber hygiene within the company. A company’s cybersecurity is as strong as its weakest link and every executive must realize that.

The author emphasizes four essential steps to achieve cyber hygiene that every company should implement in their workforce development strategies:

  • Continuous training
  • Global awareness
  • Updated security and patching
  • Zero trust

After giving you these guidelines, she warns about the most common behaviors that could lead to a data breach and the psychology behind them.

The next chapters include interviews with cybersecurity professionals where they share their opinions and knowledge, as well as give you real-life examples.

They talk about the possible impact of blockchain on the future of cybersecurity, about cloud technology concerns, the biggest breaches, the trends in cybersecurity, how to keep IoT safe, and the benefits of introducing military elements into cybersecurity.

The author dedicates a chapter to AI and the fear that such technology induces. AI is, without a doubt, the technology of the future and will become part of our lives whether we want it or not. The question is, can it be trusted? Can we let it manage cybersecurity?

Who is it for?

The book is aimed at business leaders, to make them recognize the importance of cybersecurity and the fact that setting rules is not enough. Employees must be educated and, from a psychological point of view, feel like an essential link in the cybersecurity chain.

The language is simple and comprehensible, the author doesn’t use excessive technical language, and the book is a great read for those in the C-suite that want to have a broader perspective of their company’s cybersecurity posture.

Review: Cyber Smart


Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.

McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.


He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.

McDonough explains all the possible risks and threats you could encounter in a connected world, who are the bad actors, what their goals are and, most importantly, their attack methods.

The author presents five golden rules – or, as he calls them, “Brilliance in the Basics” habits – that you should follow to maintain good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.

The second half of the book gives you detailed and specific recommendations on how to protect your:

  • Identity
  • Children
  • Money
  • Email
  • Files
  • Social media
  • Website access and passwords
  • Computer
  • Mobile devices
  • Home Wi-Fi
  • IoT devices
  • Your information when traveling

McDonough doesn’t use scare tactics that could possibly make you want to forego all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even if the online world poses so many threats, there’s a lot you can do to protect yourself.

Who is this book for?

You don’t need to be a cybersecurity professional to understand this book. Its language is simple and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library, also for future reference.

The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.

Review: Foundations of Information Security

Computers have become an essential part of everyday life, but this widespread usage comes with serious risks, especially for organizations. To address the issue, the author, Dr. Jason Andress, an experienced security professional and researcher who has been writing about security for more than 10 years, wrote this very detailed book that guides the reader through the essentials of information security. The book contains a total of 14 chapters which, as …
