Cyber Canon Book Review: Hacks that Shocked the World

We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.  

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Cyber Canon Book Review:  "Cyber Wars: Hacks That Shocked the Business World" by Charles Arthur

Book Reviewed by:  Tracy Z. Maleeff, Cyber Analyst

Bottom Line:  I don't recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

Review:

This book provides an easy-to-read, non-technical account of some of the biggest cyber attacks in recent years: Sony, HBGary, John Podesta, TJX, TalkTalk and Mirai. It’s a great resource for those who are new to information security and for practitioners looking for examples of how to communicate security practices to non-technical management and end users.

Information security practitioners need to clearly articulate the consequences of poor enterprise security, though they don’t necessarily have the soft skills to do so. One of the best ways to convey that message is through storytelling. Author Charles Arthur uses storytelling to makes some of the biggest recent breaches understandable and relatable through this non-technical narrative. For that accomplishment, this book should earn an Honorable Mention from the Cybersecurity Canon.

Almost every chapter dissects a large, well-publicized breach that occurred within the past decade. Each chapter could easily stand alone as a resource for presenting warnings and best practices for enterprise security. Information security professionals  sometimes lack the ability to communicate without using too many technical terms or jargon. That is why a book like “Cyber Wars” can help boost a culture of security by giving presenting a user-friendly accounts of security incidents.

Two chapters of the book delve into some older events that predate the breaches in the book, to lay some groundwork on how some of these later in incidents came about. Chapter 6 focused on ransomware, and chapter 9 observed the present and future of hacking. While both of these chapters addressed specific security incidents, the overall theme was to present in-depth background on those techniques. What may hit closest to home for the average reader are hypothetical hacking scenarios presented in chapter 9. Potential security risks with self-driving cars and in-home devices are illustrated and give readers much to consider about cybersecurity.

I only have a few, minor criticisms of Arthur’s approach:

He uses the terms “breach” and “hack” interchangeably. While this is fairly common in mainstream use, they do have different meanings and this book could have presented a good opportunity to explain those differences.

I appreciated the “Lessons from the Hack” at the end of each chapter. It was refreshing to see an expert doling out advice in mostly non-technical terms to help people digest what they just read about a cyber incident. Yet some of these lessons seemed inappropriate for a mainstream audience. The lessons at the end of the John Podesta chapter, for example, advised readers to “Learn what phishing looks like” and “Enable two-factor authentication.” Both are fair and solid lessons, but then the author recommends: “If at all possible, don’t use email,” and recommends the communications app Signal instead. I think that bit of advice would be confusing to consumers and outright rejected by senior management of an enterprise.  A suggested lesson from TJX chapter was to “Set up monitoring systems inside your perimeter. Question new connections.” That which made me wonder who the book is written for. 

The lessons learned and references at the end of each chapter make this a resource that gives readers takeaways to use in their personal or business lives. For the most part, technical terminology was explained in context to make this appropriate reading for those outside the industry.

It would be difficult to recommend this as required reading, but I do think it deserves an Honorable Mention because there are two other groups of people for whom it should be a must-read: Those new to the industry, students and career-changers as well as end users who either need to know or want to know more about security lessons learned so that we’re not doomed to repeat the past.