
401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.


Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 2

Top 8 Must-Read Cyber Security Books

EPISODE SUMMARY

In this podcast, we’ll review the top 8 cyber security books that you should read to gain a good perspective of the industry whether you are trying to break into cyber security or preparing to advance your career.

Join Mike Gruen from Cybrary and Joseph Carson from Thycotic as they share their favorites of all time.


Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:

Welcome to the 401 Access Denied Podcast. My name is Joseph Carson, Chief Security Scientist at Thycotic and co-host of this show. This podcast is all about making cybersecurity easy, usable, and fun. Come back every two weeks to listen in and learn about what's the latest news or even submit your own questions via the community.

Hey, Mike. How are you doing? Welcome to, we have another 401 Access Denied Podcast, and an exciting topic. I think this is a really important one, because when you get into really development and people who are either starting a career in cybersecurity or people who are even changing their career, who might already be leaving one job that they've done for many years and getting introduced into in, and even… I think it's really important to always do self-development.

One of the things I've learned with my kids is that self-development, it's one of the best things we can do, is the continuous learning. It's not something that you do once and then... The careers have changed. It's no longer about having a career for 30, 40 years. You have to continually keep learning new techniques, new skills. And definitely in cybersecurity, that's something that I have been fortunate that I've seen with time, is that we keep having these new skills. We keep having the continuous learning.

Today's show is all about what books have kind of… influenced us in our careers over time to really help develop some skills or give some new ideas or even some fun moments that really kind of make you laugh or revert to some things through your past. This really kind of is one of those to really help those out there into learning about things that can help them, great books, because there's so many out there, and there's so many ones that are either complex or they're dated as well.

And that's what I want to make sure, is that people get the cyber security books that really make a difference, and those who have actually made a difference in the entire security development. Mike, have you any thoughts about how books have changed your life?

Mike Gruen:

Yeah. No. Definitely. It's funny. First of all, continuous learning, that's a core tenet here at Cybrary. It's one of those things that we take very seriously. There were a bunch of books that I read back in the early 2000s, because I'm old... That really had a lot of influence on me. I was a software developer at the time. Security was this sort of thing that I was getting involved in because of just my role on this particular job. And so I started reading, and there were a couple of books that sort of stand out from that time. And then since then, I've really focused more on blogs and other things to sort of stay current than necessarily reading books.

But Bruce Schneier's, and I always trip on his name, security books have always been great. I read about four or five of them. They all sort of merge together. I think we were joking about that a little earlier. They have similar themes. It's all the same voice. It's hard to keep them straight.

But Secrets and Lies and Beyond Fear are two that stand out. They really take it from a very practical level of thinking about security and how to apply it. And I haven't read them in 15 years, but my guess is they stand the test of time, because it is really more of an abstract thinking about applied security and security in depth. And there's some really good anecdotes in there and funny stories of companies getting it right, companies getting it wrong. I definitely recommend those books.

Joseph Carson:

Absolutely. That's a really important kind of topic you just mentioned there, is that books that can sometimes get too technical into relying heavily on software or examples or using solutions out there. The problem I find with a lot of the books that get very technical is over time, software gets updated, and it gets updated almost once a year.

And even now, with things like DevOps and continuous development and integration, is that they get changed so often. UI features change very quickly. And ultimately, those books that have very technical focused, let's say workshops or examples, they quickly come out of date.

And that's one thing you always had to be careful with is when you do go into books, is that sometimes it's even important if you do get into some of the books I'll talk about today, is you have to make sure that you use the same software examples that the book was based on, the versions. It's really important that you make sure that if it says, "Install version five," then it might be version seven or eight now, but it's important that you stick to version five, because slight differences could mean that you get really blocked.

Mike Gruen:

Right. It's interesting. I was looking through some books last night just to help to sort of prep for this, and I came across all of these network security books that I have about securing your wireless network. And I was like, "Yeah. These were great at the time, but they're just, they're no longer even close to being relevant."

Joseph Carson:

Absolutely. What you mentioned is the books that stand through time, the ones that basically are the ones that have the capability of, no matter what changes, they're still relevant, and it's a lot of to do with strategies and examples and use cases. I think those are the ones that really give people at least the core skill set.

One of my favorite books of all time, and I actually read it years ago, and recently I relistened to it, because, about a year and a half ago, I switched to doing audiobooks, because when I'm walking, running, or driving, traveling, the audiobooks allow me to do those. I also get motion sickness when I'm reading and traveling, so it's...

Mike Gruen:

Right. Well, I find it hard to read and drive, so...

Joseph Carson:

Yeah. Exactly. Some people do it, especially in San Francisco. The traffic's so bad that you're probably sitting more than you are moving. But I did switch to audiobooks, and people have corrected me saying, "Oh, I read the book again." They're like, "No. You listened to the book again." It's different. I did.

The one book that I highly recommend, if anyone's getting into the career and looking for something to really get insights and understand about the core history of where security came from, and even one of the topics when we talked about, passwords, this book really gives you into the actual introduction of passwords and what they were used for originally.

The book's called The Cuckoo's Egg. And it's by an author, Cliff Stoll, and it actually goes back to 1985. And Cliff Stoll was actually, he was an assistant administrator in Berkeley in one of the labs there. And over time, basically, what happened was he ended up finding a discrepancy in the accounting system of 75 cents. And he decided, he's a perfectionist, he really wanted to understand. He goes into the details about why is there 75 cents' difference?

And ultimately, what happens is the story, he ends up identifying and finding out that there's actually a hacker in his systems using his systems, and using it as a stepping stone to gain access to other systems that were on the same network or had access to that same network.

And it takes you through a journey of not just basically his work and putting together and monitoring the activity, looking at all the command line outputs. Back then, looking at a terminal or serial output was basically sending it to a printer and… through the command lines at a printer, or having different terminals you could actually go through.

And the story really takes you through that experience. I think it was over a year of him searching through and understanding about what this person was actually, what systems they were hacking into, the techniques that they used, and some vulnerabilities in software that they'd use as well. And it's a fascinating story just taking you through that whole time.

And he was involved with all the different agencies, FBI, who didn't want to know about it, because they were more interested in multi million dollar crime, and this was only 75 cents. There's a big difference into getting near a corporation. And then getting involved in the NSA and the CIA and of course, what was it, it's not their bailiwick, was the common term he was using, which is like it's not their responsibility, because it's either not local or it's local or it's state, so it got very complicated.

But it was a really fascinating story. And ultimately, what he ended up finding was, is that the person, the name is Markus, was basically based in Germany, so he was tracking a spy who was using computers for espionage. And he tracked him basically through satellite links, undersea cables, back into Germany.

And they were actually working basically, let's say, just what we call, it was mercenary hackers that were selling their services to basically East Germany at the time for intelligence information about nuclear systems, military tracking and stuff. And they were selling that intelligence back over to the KGB in East Germany. It's a really fascinating story, and it really shows into the techniques that were used in order to gain passwords, or some of the early password kind of systems were in place, and what they were doing in order to gain…

For me, it's a fascinating book, and one that basically, somebody kind of mentioned to it recently again. I thought, "Oh, that was a great read when I read it, was it 15 plus years ago?" I decided… so if you're really getting into this industry and you really want a foundation, because I think it's really important to understand the history. If you're going to learn something, it's important to understand where it came from, how we got to where we are… techniques that were used by hackers back in 1985 are still being used today. It hasn't changed.

Mike Gruen:

Yeah. I agree, because I think we were talking about books standing the test of time and strategies and so and so forth. I think a lot of it comes down to explaining the why's rather than the specific what's. It's sort of how things worked or whatever, and then you sort of abstract from that. How can you apply that in current times?

Because I think that's what a lot of security is, is looking at, well, how does this break down, even if it was a long time ago, and it was this different sort of system? How can I apply that to this? And so understanding more of the underpinnings of that is really the important part.

Joseph Carson:

Yeah. It's the difference between driving a car and knowing how the engine works. And it's something that I have always applied. And we have to be correct as well. The term hacker sometimes is misunderstood and abused, a lot by the media. I consider myself a hacker. I am a person who likes to pull things apart and understand how it works, and can I actually modify it to use it for another purpose?

In many cases, most hackers out there are actually doing their skills and using their skills for good deeds, for actually helping. Some might be a bit more direct than others, but ultimately, the majority out there.

And they get the bad name from the few who abuse it. And I prefer to call them criminal hackers or cyber criminals… they're actually abusing their skills for malicious activities. It's really important that we do clarify that when we talk about hackers in general, that not all are bad, and many are using their skills for good.

And this gets to my next book, and I've got the fortunate… aisles at, it was DEFCON, last DEFCON, because this book is The Cult of the Dead Cow by Joseph Menn. And if you're ever familiar with L0pht or @stake and a lot of the kind of well-known, basically cult, these are the cult hackers, the ones who really define what it means in the industry over time.

And it really gets into, for me, I was really, in the '90s, was messing around with computer games, understanding and programming, and really getting into the industry in the kind of mid, late '90s. And this is really where that cult and that whole... Was it 2,000 or 9,900 or whatever? Was it the different kind of elements to the books and the cults and the magazines was going around. Over 9,000 was one of them.

Mike Gruen:

Yes.

Joseph Carson:

And the other ones will come to me later. But basically, the book takes you through the journey of all of those characters that came through the L0pht and came through The Cult of the Dead Cow and kind of even to the point where those individuals that were in that group were speaking at the event last year at DEFCON. And it was fascinating for me, listening to all of the stories that they took through the years about all the tools that they'd created.

It's a great read. If you really want to know kind of the cult and the history and the crafts and the people that really defined our industry today, that book is what takes you through that journey.

Mike Gruen:

Sounds like a great one. I'll put that on my list.

Joseph Carson:

It definitely is fortunate to get to meet and chat with them. For me, it was definitely, it took me through of the years. Especially, I worked on a well-known product you're probably familiar with, pcAnywhere and Carbon Copy. These were some of the products that I used to be a product owner for. I used to be managing those products, and we competed with @stake and some of their remote tools that they had at the time.

And listening to some of the discussions from their view, especially when I was on the other side of the picture, because one of the things I was involved into, one of the famous scenarios, was when pcAnywhere's source code got leaked, and then we had the vulnerabilities, and then we had the task force in order to recover from that.

It brought back a lot of memories back then, and reading the book was also definitely a very good journey through the history. Those two books are mandatory reading.

The next book is a bit more technical, and it's basically Peter Kim, and what he's created is this series of books called The Hacker's Playbook, basically taking it like from a football game. We're talking about American football, not the true football of soccer that's what I call football, which we actually use our feet with. But we're talking about the football that you use with your hands and wear lots of protective gear, which makes them…

Mike Gruen:

Something for a different day.

Joseph Carson:

We're talking about the American football, and he's got this book series called The Hacker's Playbook. And they are great. They get into a lot of the tools and techniques.

The good thing is they go through the series of things like reconnaissance, the passive assessments that you get an understanding, because there's a lot of different techniques that we use in just different areas, from if you're into reverse engineering and doing malware reverse engineering, where you have more of a development background.

Or you get into social engineering, and you're doing basically the human side of hacking where you're actually trying to get people to share information with you. Or you're into basically privilege elevation, where you're trying to steal passwords or use tools like Mimikatz and other types of password cracking techniques or Hashcat.

And it all takes you through the playbook is really how you get one foot in the door. Then it takes through, okay, how do I laterally move? How do I elevate? Until ultimately, you get the keys to the kingdom and access to everything. The book takes you through all those different techniques.

A word of caution, though, is because it is technical and it does kind of refer to a lot of tools out there such as Kali Linux, into Hashcat, the good thing is a lot of the command line references are still relevant, which is the good thing is those commands still stand the test of time. But the ones that have interfaces like Burp or other tools that are in there, BeEF, Cobalt, all of those, the UIs do update, and they do change.

A word of caution is that the book is great. It is very educational, and it will actually help you understand a lot of the techniques. But the examples, you have to be aware that they do get dated very quickly. My recommendation is if you are going to follow through on some of those examples, make sure you use the versions that the book was referenced at the time. That's one of the important things I have.

But it's a great series. There's three books. The second one was probably the one I'd recommend if people are going to buy. It's the one that basically gives you those techniques, the series. The third one is more for the red team focus. It just focuses more on the red team techniques.

But the second one is probably the one that takes you through a good series of lateral moves and getting in the industry, where the third one is more focused at that red team specific element, which is really defensive type of hackers or the ones that are really trying to do it from the outside in rather than those who are looking really to understand vulnerabilities and techniques.

That one definitely is kind of mandatory reading as well, and something you do have to have your equipment, your laptop. You do have to have access to the tools. It will take you through some of those examples and teach you a lot about how to use them.

The last book, which I find very fascinating, which I was… so this was the challenge that I had. But the last book which really kind of got me going into my childhood and also had a direct kind of, I've experienced a lot of what happened in the book over time, because I'm based in Tallinn, Estonia, and the book is Sandworm by Andy Greenberg.

And that book itself is really kind of when you think about, it takes you through a journey in history as well. It goes through a lot of really kind of all the different events in Eastern Europe, from the likes of the Ukraine attacks into Estonia, which of course I was in Tallinn at the time and had firsthand experience in the 2007 cyber attack against Estonia. And getting into that of Georgia, and then back to Ukraine and talking about things like WannaCry, talking about NotPetya.

The book itself is great, and it's one of the cyber security books that, at least from the Estonia perspective, that was very technically accurate on the Estonian events. And reading a lot about peers and other people that, good friends of mine in the industry as well, that were referenced in the book, it was a very well, very good, covers the technical portions really well. Very kind of not into very detail, but it covers them very well that you get to understand about exactly what's happening.

It covers things like Stuxnet as well, which I had some involvement into some of the vulnerabilities side of things and the patch management portion of the zero days that were identified then. I think I was between that and Zero Day. That was the two books.

But ultimately, the one that I decided on was the Sandworm, and the reason why was that Sandworm, the reference Sandworm actually comes from basically if you ever heard the planet Arrakis, which comes from the movie Dune-

Mike Gruen:

Dune.

Joseph Carson:

... Which the Sandworm is, of course, a reference to the sandworms in Dune. And it was a book that actually got me to pull out my old, dusty copy of Dune, and… from. It was in the early 1980s, late '70s, I think. It was somewhere around that time. And watching that movie kind of made the relevance and kind of really kind of realization into some of those cults and really kind of significant things that really were visionary at the time. And so that was a book that really got me pulling out the old, dusty DVDs. I think it was even a CD at the time. Lucky enough, it wasn't on a VCR cassette.

Mike Gruen:

Right. Right.

Joseph Carson:

It was in the same era as me. I think it was a CD, maybe a DVD. But I was able to find it in my cellar cupboard, pull off the dust, throw it back in again, and watch it. And of course, it was a kind of blast from the past, particularly to my youth, because I remember watching it when I was very young. And there was a lot of those movies that were really cult movies that took us through.

But at the time, I never really compared it to hacking or cybersecurity until, of course, Sandworm book kind of really made the association, and the Sandworm group, of course, which the book references. They had taken their campaign names basically from the movie Dune.

It was a really great read and definitely, for me, a lot of those events from Stuxnet into the Estonian cyber attack and also Ukraine, they were all, for me, technically very accurate, which really enhanced and elevated the book up for me, because sometimes I've read references where they were vague or incorrect in some regards. But this one was excellent. Another great book to read.

Mike Gruen:

Sounds great. There's a couple that I'll definitely be adding to my list and listening to, although probably the more technical ones are definitely worth reading. It's tough to listen to a command line.

Joseph Carson:

Absolutely. If it's command lines, yes. They stand history. They are good, because they're always backwards compatible. But when it gets into the graphical interface, be very careful.

Mike Gruen:

Yeah. Definitely.

Joseph Carson:

I've read a lot of books on Wireshark and on Kali, and very quickly, you get stuck. You're doing a workshop and you're like, "This isn't the same version that I've got. This menu option doesn't exist in mine. What's going on?" Or it changed the name. It sometimes can get you stuck, unless you've got that ability to go back versions. Always a word of caution.

But I also have two special mentions of two books that I think are also important. I did mention Zero Day from Kim Zetter. I think it is also a great book, because it focuses purely into the Stuxnet scenario, which of course was one of the first major weapons used in a kinetic type of cyber war, a great read.

Mike Gruen:

At least, one of the first ones we know about.

Joseph Carson:

One of the first ones we know about. Absolutely. Yeah. Because a lot of time, attributions or also visibility and transparency, we sometimes don't know.

Mike Gruen:

Yeah.

Joseph Carson:

It all was kept in the background. And another special mention is Social Engineering: The Science of Human Hacking, I think it's called, which is from Chris Hadnagy. Also a great read as well, because it really takes you into... and it doesn't use a lot of getting into the tool sets, although then I think it does get into Dave Kennedy's trusted SET, Social-Engineer Toolkit. It talks about it briefly.

But it does a very good job of talking about the philosophy and the theories and the skill sets and basically a lot of the things that makes social engineering and those penetration testers or those who are looking for the human side of hacking. It does really provide a very, very good, thorough knowledge base into some of the things you need to be thinking about if you're actually going into a reception area and you're trying to get past the security guard or you're trying to get into the building.

It goes through those in great detail and great examples. And also, makes you laugh. There's some comedy moments in there as well. That's always a good thing is when you… makes you laugh, especially if you're doing what I'm doing. You're walking down the street with a pair of headsets on, and it's an audiobook. And all of a sudden, you start laughing out of random nowhere, and there's people around you. That definitely is a funny moment.

These books are definitely, for me, anyone who's in this career is looking for something for the next reading or self-development, especially when people are at home right now and have maybe a little bit more time. If you're not listening to a podcast like these, which are fantastic, definitely pick up one of those books. It'll lighten you, give you a good journey through time, and give you a lot of good knowledge and skill sets on the other side.

Mike Gruen:

Yeah. Definitely. And I think social engineering is one that's really, that's where I think I got my start in a lot of ways, was learning more about that side of it and how fascinating that was.

And there were a number of management books that were recommended to me over the years that talk about how to sort of, how to manage people and sort of their motivations. And it has direct correlations, because it's the same thing. People want to be helpful, in figuring that stuff out. I'm trying to remember a couple of them, but they're just not coming to mind.

Joseph Carson:

I hear that. Yeah.

Mike Gruen:

But, yeah.

Joseph Carson:

Sometimes it's hard. I do that, too.

Mike Gruen:

Exactly.

Joseph Carson:

I get the moments of, oh. I think it's age.

Mike Gruen:

I think it's just how long ago it was since I've read those books.

Joseph Carson:

No, no, no. It's not about how long ago it is. I think it's that our brains, we've got so much knowledge in our brains that in order to make room for new knowledge, we have to let some go.

Mike Gruen:

Oh. Yeah. Definitely. There's definitely stuff that's been swapped out and deleted.

Joseph Carson:

Archived.

Mike Gruen:

Archived. All right.

Joseph Carson:

But absolutely. For me, in my career, I was always more of a hands-on person at the beginning of my career, and I do regret not taking the opportunity to read more. And things like Audible and Kindle. And I love getting, every time I get a Kindle book or I do an audiobook, I love it, I will actually purchase the physical copy as well.

It was even hard, actually, with The Cult of the Dead Cow, I first had it in a Kindle, then I went to Audible, and then when I met them at DEFCON, I was faced with a challenge into how do I get them to sign my Audible book?

Mike Gruen:

Right.

Joseph Carson:

And I think it was DilDog actually mentioned, DilDog's one of the characters, one of the kind of guys that was there, and he mentioned, he's like, "Why don't we just do an audio recording?" And eventually, I end up buying the physical book as well … three versions of the book on different formats.

Mike Gruen:

Wow.

Joseph Carson:

But, yeah. That's one thing I do tend to do, is if I really enjoy a book, I will get the physical copy as well, just for kind of the references and the passion.

And also, kudos to the authors, because I myself, I've authored a few books as well, and I know the effort and the time and really kind of the sacrifices that go into creating a book to share with others. It is difficult and not easy. Definitely a shout out to the authors out there that really spend the time and put effort into creating great books.

Mike Gruen:

Yeah. No. Definitely. And I definitely encourage buying the book. I worked briefly at, or not briefly, for a while at the National Library of Medicine on their digital library, and one of the first things that I learned was paper lasts way longer than digital formats. Having the paper copy is definitely worthwhile.

Joseph Carson:

Yeah. Absolutely agree. I think for those who are listening, I think this is a perfect way to ... We did have a shout out to the community out there, and they did come also back with their own recommendations. There's a couple of Kevin Mitnick's books, which are awesome as well. Kevin, he's quite a character in the industry, fantastic guy, has a very, very fine, amazing history in our industry, has spent some time on the other side of the fence. And his books are great reading and very educational.

And then, there was also Bruce Schneier was also from the community, recommended quite a few of his books as well. Definitely Bruce and Kevin. Their books are great, in addition to the ones we've talked about.

I think for the audience, for those listening, really, hopefully, you enjoyed the discussion. Hopefully, these books will give you some good things to really put in the backlog of things, because I've got a backlog of things to read. Hopefully, this will give you some good things to think about. And hopefully, you get into reading.

And if you're starting in the industry, we welcome you. We need more people. We need definitely more people in the industry, new talent, new ideas, new passion. Learning, continuous learning is what we need, and definitely will make a difference.

Awesome, Mike. Great to chat with you again. It's great being... Love your image in the background.

Mike Gruen:

Thanks.

Joseph Carson:

Better than the village at the open. And awesome, and looking forward to speaking with you again in the next episode, so-

Mike Gruen:

Yeah. Definitely. Always a pleasure talking to you.

Joseph Carson:

... Absolutely.

Mike Gruen:

Talk to you soon.

Joseph Carson:

Likewise. Talk to you soon.

Mike Gruen:

Bye.

Outro:

Learn how your team can get a free trial of Cybrary for Business by going to www.cybrary.it/business. This podcast is also brought to you by Thycotic, the leader in Privileged Access Management. To learn more, visit www.thycotic.com.