Read Like an InfoSec Pro
Summer holidays are coming and we asked our security specialists and consultants what is on their reading lists. For the pros out there, the list we got is no surprise as it is full of modern classics of penetration testing and related topics, ranging from iOS hacking to risk assessments. In the newer end we have Kevin Mitnick's new Art of Invisibility that delves into details of operational security. For those with unlimited data plans, there's also a couple of interesting e-books and e-learning material available.
So if you are fed up with crime novels and chick lit and want something to read on a rainy day or while traveling, this is the blog post for you!
Boost Your Hacking Skills
Testing the security of mobile applications is something we at Nixu do a lot. Much worn copies of these are always seen on one of our penetration testers' desks:
- The Mobile Application Hacker's Handbook. The quintessential guide to hacking anything mobile, including Android, iOS, BlackBerry and Windows Phones. This book has so much content that the 750 pages doesn't even sound like that much.
- Android Hacker's Handbook. Today and especially tomorrow, Android is everywhere and not just in our phones. Makes a lot of sense knowing how to hack them, right?
- iOS Hacker's Handbook. This book explains the iOS security architecture and gives a glimpse to the history of iOS attacks as well as fuzzing and jailbreaking.
Whether you're developing mobile applications for Android or iOS and want to do it more securely, or are an ethical hacker wanting to broaden your skills, these are the books to pick.
For more traditional web application testing, the classic reference guide is Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2.edition). To date, there is no book that explains web application (in)security in so much detail, co-authored by Burp's creator Dafydd Stuttard.
Enhance your Threat and Risk Analysis Skills
You don't always have to test or review code to be able to identify security problems. You can just ask!
Thread modeling is the art of of finding the potential threats related to computer systems or applications. It can be either highly technical, using the STRIDE approach, or more focused on business risks. Threat modeling - designing for security is an excellent guide on the subject. The book works both as a how-to guide for beginners and a go-back-to reference guide for more seasoned threat modelers. A must read both for information security specialists as well as software developers!
And be careful to not get confused about threats and risks and vulnerabilities! When you have identified the threats, you (or your financial manager) might ask, what is the risk associated with these threats. A very systematic approach to information risk analysis is given in Measuring and Managing Information Risk: A FAIR approach.
Incident Response to the Rescue!
After all the latest #Petya incidents, you might be interested in how to do incident response properly and efficiently. The one-stop shop for learning about collecting and analyzing forensic data, and working with indicators of compromise is Incident Response and Computer Forensics, Third Edition. Already in its third edition, this incident response book co-authored by nobody else than Kevin Mandia (yes, Mandiant).
With the growing need for more complex network environment monitoring, data analysis sure is a capability security organizations need. A good place to start learning about network data collection, analysis and visualization is Network Security Through Data Analysis: Building Situational Awareness.
If you're into good stories, you might be interested in Helpful Hackers - How the Dutch do Responsible Closure. Available both in paper and free ePub, this book tells the stories of ethical hackers, system owners, IT specialists, managers, journalists, politicians and lawyers who have been involved in responsible vulnerability disclosures. Also featuring one Nixuan!
Learn to Protect your Privacy
Not yet worried about your privacy? You will, after reading Kevin Mitnick's newest book! So get wrapped up in your tin-foiled blanket and read The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data. After following all the steps for making anonymous calls, GDPR regulation suddenly seems easy-peasy.
Code Like a Hacker
To learn how to build your own Burp Suite extensions or want to learn sockets programming, grab a copy of Black Hat Python: Python Programming for Hackers and Pentesters. There are many books written about pentesting with Python - at least this one seems to be full of useful tips, tricks and scripts.
If you're new to Python, Cybrary offers a free crash course into Python: Python for Security Professionals. Hands-on exercises with a focus on what you might need as a security analyst.
Reading List
Whether you want to catch up on hot security topics on your holiday or need to get some CPE's for certifications, check these out. No sponsors involved - these are the books that many Nixuans will read over summer or have read already and recommend.
- The Mobile Application Hacker's Handbook
- Android Hacker's Handbook
- iOS Hacker's Handbook
- Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
- Threat modeling - designing for security
- Measuring and Managing Information Risk: A FAIR approach
- Incident Response and Computer Forensics, Third Edition
- Network Security Through Data Analysis: Building Situational Awareness
- Helpful Hackers - How the Dutch do Responsible Closure
- The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
- Black Hat Python: Python Programming for Hackers and Pentesters
- Python for Security Professionals in Cybrary.it