Monday, December 31, 2012

Best Book Bejtlich Read in 2012

It's time to name the winner of the Best Book Bejtlich Read award for 2012!

I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners.

I posted yesterday that 2012 was the year I changed what I read. For example, in 2011 I read and reviewed 22 technical books. In 2012, which a change in my interests, I only read and reviewed one technical book. Thankfully, it was a five star book, which means it is my BBBR 2012 winner!

As you might have figured out yesterday, this year's winner is SSH Mastery by Michael W Lucas. Feel free to read my review for details. Note that I bought a Kindle version from, and later MWL mailed me a print copy.

Besides the excellent style and content, one of the reasons I read the book was to experience MWL's first release of a self-published technical book. I think it was a successful endeavor, although I'm not prepared to try that route myself anytime soon.

If I were to name my favorite non-technical book I read in 2012, it would be For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew. I enjoyed learning more about American history through the eyes of the intel world, but I was shocked by how poorly most presidents understood and (mis)used intelligence.

I'm probably done reading and reviewing technical books, so I consider this to be the final BBBR post. I have over 100 possible (mainly nontechnical) books to read on my Kindle now (in Sample form), but I doubt I will review them when done.

Good luck reading in 2013!

Sunday, December 30, 2012

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP).

Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery. MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work.

So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some of the results of talking to the reporters on my press page.)

For me, the most interesting questions involved history, political science, and public policy. Probably not be accident, these are the three subjects in which I have degrees.

Accordingly, I bought and read books to add the historical, political, and policy content I needed to balance my technical understanding of the threat landscape. I also read a few books based purely on personal interest, without a work connection.

I thought you might want to know what these books were, despite my lack of interest in reviewing them at

The books on Chinese topics included:

Of these five, the first was probably the most interesting. The way Chinese intelligence agencies work today appears very much the same way that the author described them almost twenty years ago.

I read three books on intelligence and Russia:

Of these three, the first was exceptional. It combined a history of the US with a history of intelligence through the end of Bush 41's term.

Finally, I read two other books; one related to security, and one completely unrelated:

The first was Bruce Schneier's latest, which I found largely interesting. I recommend reading it, because it may convince you that all the technical safeguards our industry pursues contribute probably less than 10% of the risk mitigation we need in the real world.

The second was another biography of my favorite historical figure, US Grant.

I'm trying to finish Tim Thomas' latest book, Three Faces of the Cyber Dragon, by the end of tomorrow, as well.

In my last post of 2012 I'll announce my Best Book Bejtlich Read in 2012 winner.

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.")

I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers.

The five books, with links to the reviews, are:

I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python book. I would start with the book we previously reviewed, Super Scratch Programming Adventure!, and then see what your kid can do with Python.

Kudos to No Starch for publishing high quality books that teach kids skills they can use in the work place (programming), or for fun!

Wednesday, December 26, 2012

The Value of Branding and Simplicity to Certifications

At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here.

In my opinion, the primary reason the CISSP is so successful is that it is easy to understand it, which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification.

Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP?

Let me guess -- you didn't recognize any of them, just like I did?

Now, let me see if you recognize any of the following? 1) GGSC-0400, 2) GNET, 3) GAWN-C, 4) GBLC, 5) GCIM?

I believe you didn't recognize any of those either.

How about? 1) GISP, 2) GLEG, 3) GCIH, 4) GAWN?

I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.

You've probably figured out that the last two lists of acronyms were SANS certifications. The first list was a selection of a few of the retired SANS certifications. There's 26 of those.

The second list was a selection from the list of 24 active SANS certifications.

What about the first list, starting with "SSCP?" Those are other certifications offered by ISC2. They're utterly forgettable. Had I not visited the ISC2 Web site, I would never have known they existed.

Now, one could argue that the brand "SANS" is as recognizable, or even more recognizable, than the brand "CISSP."

The problem is that a person's resume could list "SANS" as a course he or she attended, without noting if a certain achievement (i.e., certification) was achieved. "SANS" is also a poor search term because the diversity of the SANS ecosystem means you could be dealing with a legal person, or a reverse engineer, or a UNIX system administrator.

What is the answer for SANS, if the CISSP will likely continue to out-market it? I recommend adopting the model used by Cisco. If you hear a person has a CCIE, that means something -- you immediately think of deep knowledge, several levels of work, and grueling hands-on testing over two days in a controlled environment.

The genius of Cisco's approach is that they have "tracks" for the CCIE, e.g. Data Center, Routing and Switching, etc. Those aren't the brands though; that stays with CCIE.

The Cisco approach isn't perfect, because you can't simply search resumes for "CCIE" intending to get a CCIE in security. You might find a CCIE in routing and switching, or wireless. However, if one finds a CCIE, you get a sense of the level of seniority and ability to operate in a stressful environment (at least as far as a test can simulate).

SANS has tried something like the CCIE with their "GIAC Security Expert (GSE)." The GSE is similar to the CCIE in many respects, including horribly tough hands-on labs, but unfortunately hardly anyone knows about it. It is really difficult to reach that level in SANS certification. However, because only 63 people hold it, there's no real market for them.

By the way, I smell a branding failure when SANS certifications like GSE, GCIH, and so on all have a "G," which references another acronym -- "GIAC," for "Global Information Assurance Certification." That doesn't even include the term "SANS," which is the stronger brand. GIAC originally meant "Global Incident Analysis Center," but that's another story.

In brief, I think SANS could increase the branding value of their certifications if they retired the existing acronyms and names, incorporated "SANS" into a new naming scheme, and concentrated on a "level" approach seen with Cisco. Focus on Entry-Level, Associate, Professional, and Expert as Cisco does, and develop programs to accelerate the adoption of the Expert level among its constituency as Cisco did with CCIEs.

Rebranding would cause lots of SANS folk plenty of heartache, but I think integrating "SANS" into the new level-oriented structure would more than compensate for the initial transition costs. Ultimately the system would be stronger for everyone.

What do you think?