Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.

Who hasn’t had a moment where two security technicians start talking about the “APT exploiting an XP kernel CVE and exfiltrating over HTTP using modified 404s, and thank God the IDS caught it and we put up a deny in the firewall before it dropped a new version of the malware C2”.

If you’re a security technician you’re probably smiling at these lines, but if not, you probably haven’t understood a word of it. The problem is obvious: IT security is complicated, and communicating in IT security is even more complicated.

In my opinion, all of us IT security experts should work on our communication skills. We need to convince management to invest more time and resources in improving security, and convince users that security is necessary (for their own good in many cases).

For that reason, I’d like to propose a list of books written by technicians in which several of the main IT security concepts are explained in clear, simple and even enjoyable ways.

“Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier – Ed. Wiley

Schneier is one of the best communicators of IT security around at the moment. As well as his IT security blog he has published several books in which he treats in a simple way such subjects as risk, system protection, cryptography and even the foundations of trust in society. All his books are interesting but “Secrets and Lies” is the best. If your boss only has time to read one security book, let it be this one.

“The Code Book”, Simon Singh – Ed. Anchor

If there’s one field of IT security that’s particularly complicated, it’s cryptography (my theory is that “public key cryptography can only be understood the third time it’s explained”). However, Singh does a great job of explaining the most complex concepts of cryptography perfectly, all based on historic moments and full of anecdotes. A wondrous book.

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, Kim Zetter – Ed Crown

Stuxnet is considered by many to be the first act of cyberwarfare in every sense: intention, sophistication and complexity are the words that spring to mind when we think about a piece of malware that has possibly opened Pandora’s box and will without doubt be studied for years to come. Zetter tells us how it was detected, analyzed and eradicated in such a pleasant, almost addictive way that the story becomes a kind of techno thriller.

“Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door” – Brian Krebs, Ed. Sourcebooks

Krebs is possibly the most famous journalist specialized in IT security in the world. From his blog he analyses all the most important IT security news critically but clearly. His book is a complete guide to cybercrime, telling us, with all the inside details, about the underworld of IT crime, from spammers to how they launder the money they make.

“The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers” – Kevin Mitnick & William Simon, Ed. Wiley

Kevin Mitnick (aka “The Condor”) is one of the better known hackers in history, being especially famous for his mastery of social engineering (or, as he calls it, “hacking people”). In his book, based on his own stories and those of other hackers of the time, he tells how several different security systems were overcome, with few or no technicalities. It is very interesting to see how they apply lateral thinking to certain problems, bypassing security in ways that are sometimes dumb but very effective.

“Inside Cyber Warfare” – Jeffrey Carr, Ed. O’Reilly

Cyberwarfare, cyberespionage, cybercrime… However tightly we close our eyes, they’re still going to be there. Carr draws up a very complete list of the problems we can find on the Internet, concentrating on how far different countries are capable of cyberwarfare, as well as the different scenarios and technologies in play. Although Carr is analytical and clear, and steers well away from scaremongering, the fear that reading it puts into you is … upsetting.

There are plenty more “simple” books about IT security, but these are the ones I think are most representative. What about you? Do you have a bedside book for teaching non-technicians about IT security? Share it!