I've reached a milestone I didn't think I'd achieve for my first self-published book: 2,500 copies sold. It was a project I started mostly to get experience with creating something that I could put on my shelf. It was also an opportunity to share what I've learned after years of teaching and working in infosec. I want to encourage anyone who has an interest in writing a book to go for it--make it your 2018 goal. Here are a few lessons learned that I'd like to share to help you get started.
I created five chapters, and grouped the list of things I wanted to cover into each of those buckets. Going with a textbook format, the first chapter I dedicated to fundamental terms that would be used in the remaining chapters, and ended each chapter with a glossary. The resulting chapters for the book are Introduction, Protect, Detect, Respond (which are based on tenets of the NIST Cybersecurity Framework) and Conclusion. Each chapter also starts with a quote.
Have a target number of words you want your book to have. I went with 20,000 to keep it concise. This also helped me balance out each chapter, and motivated me to keep adding content until I reached that goal. However, be aware that you need a minimum number of pages in order for the book spine to be printable (the spine for mine has no text as a result, which doesn't do much for its bookshelf presence.)
If your book has images, figure out the standard you're going to use ahead of time. I spent a frustrating amount of effort getting the sizing and DPI right so images would display correctly in print and ePub versions. This meant several iterations of converting 27 pictures to different formats and previewing them with various open source tools (not fun). I wish I had hand drawn them instead.
Once it's published and available for purchase on the marketplace, don't overlook marketing your new book. Leverage social media, participate in giveaway promotions, and keep tabs on your reviews. There are also promotion options (some are free, some aren't) like having your book show up when someone searches for certain terms. And look at all the marketplaces where your book is listed. I found a few surprises (some nice, some not so much) in UK, IN and EU markets where my book is also sold.
Freely available tools that you can use to self-publish a book have significantly improved over the past couple of year. Now there are Word Add-ins and applications like Kindle Create where you are able to do all of your formatting and previewing within the same tool. Editing ePub XHTML is no longer needed, making the barrier to "published author status" barely a speed bump. So what are you waiting for? Start writing!
For a 100 page book I self published using Kindle Direct Publishing, sales have definitely exceeded expectations! I created it more as practice and to share what I knew about information security best practices. I still belive if the fundamentals are done, the majority of risk can be mitigated. That said, I'm now approaching 2,000 books sold (Kindle and paperback) at which point I may start work on a second edition. I had one day where I sold 110 books -- wish I knew to whom. I am guessing it was for a class, or giveaway, or maybe they're being resold somewhere else in the world.
I am also enjoying decent reviews: 11 stars in the US and 14 stars in the UK. I apprecate the kind words and feedback! It is rewarding to know that I have been able to contribute to the infosec community, and that something I spent hundreds of hours creating is being well-received by hundreds of others who share my interest in information security.
Cyber Security Basics available at Amazon
For fun I wrote a song about social engineering
Today Bank Info Security reports that a Ukraine bank warns of a new massive malware campaign about to be launched. Here’s the line that’s most frustrating: “It added that the attacks have been spreading via malicious Microsoft Word documents attached to emails.” So here are some best practices to follow to harden your org against phishing attacks:
Most of this advice is common sense. But if I’m just preaching to the choir, why are phishing-based attacks against orgs still so damned successful?
Ukraine Central Bank Detects Massive Attack Preparation: https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209
List of Microsoft Office file extensions (block most of these): https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
I created version 2 of the Alexa skill Security Flashcards. This version uses a JSON file for content (versus having it inline in the code) and has 100 security terms (so far). To use:
The goal is to provide a tool to help prepare for security certification exams, as well as understand some concepts that are part of the foundation of information security.
Please let me know if you disagree with any definitions, or have other suggestions for improvement. If you are interested in creating your own Alexa skill, there are plenty of resources available including starter code on Github to get you started. Enjoy!
I know these are insignificant numbers by most accounts, but for me it’s nice to see something I created being used by other people. And they’ve always been free (which I second guess sometimes.) I would have to completely rewrite the apps to get them updated. Maybe I’ll take some time off to do this.
I was paying for my parking at a ticket machine the other day. As I patiently followed the sequence instructed by the machine, I thought about how machines and software are increasingly training humans. And we're just letting it happen. That same weekend I observed several headlines about Samsung Smart TV exceptional eavesdropping capability. From Samsung: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” This isn't new news, but it got me thinking. It is another example of how we have to change our behavior to work around devices and software. Again.
We can't live without our multi-sensor devices we still call "phones." We trust software is doing its job and enabling these cameras and microphones only at our request. We also trust that there are no back doors or malware on the device that enable these eavesdropping features without our knowledge. But it comes down to well-behaved software to not facilitate eavesdropping. The hardware is always ready.
I propose getting back to basics. There should be physically controls in place to disable these cameras and microphones. Similar to the plastic tab you pull out of a newly-purchased device to enable battery contact, or the plastic key you can yank out of a treadmill if the speed of its ad infinitum path gets too much for you. With this would be the manufacturer's certification that these keys, tabs, lens covers…whatever form they take…absolutely block or allow these sensors from being accessible by any software running on the device.
Software has gotten to be too complicated. It's time to reintroduce physical controls. For now there is electrical tape.
I read an interesting article pn Computerworld.com titled "Worm may create an Internet of Harmful Things." It discusses how, as our world becomes filled with Internet-connected devices, concerns over security grow. There is one quote from the article that stands out for me: "Security expert Bruce Schneier…is concerned about the broader risks to the Internet of Things. In many cases, IoT connected systems are using firmware that can be hard to patch. In fact, ‘in many cases, [it’s] unpatchable,' he said." Unpatchable.
When it comes to software security, if it cannot be updated, it should not be used.
This reminds me of an interesting (perhaps unrealistic) software development methodology called "cleanroom engineering". With this approach the focus is on preventing bugs or vulnerabilities from ever making it into production code. The SDLC is heavily weighted on all phases before actual coding begins, because (per this methodology) all you have to do is code to the design, since it should be defect free.
This approach to software development seems like an analogy for vendors who release products that cannot be updated. There three reasonings that I can see for this. The vendor
Replacing products used in production is costly and disruptive, and I can't see the news of any unpatchable security vulnerability endearing a vendor to a customer. In our rush to Internet-ize everything, security may take a back seat again, just like the early days of the Internet or smart phones. As a result, weaknesses will be exposed that attackers the opportunity to do embarrassing, destructive or even dangerous things.
Vendors should operate under the assumption that something will not go according to plan. At some point, a security vulnerability will be discovered in a product even if the vendor did not find it pre-release. And when that vulnerability is found, the vendor should be able to fix (patch) that vulnerability ASAP. Any other approach, such as selling software products that cannot be patched, is downright irresponsible.
Finally taking the time to figure out how to properly sell the book Cyber Security Basics. I have updated the pricing and updated the Kindle version, and started paying attention to the sales dashboard. To date I’ve sold 215 copies of the physical books and 58 of the Kindle ones.
There has recently been an upward trend that I hope will continue as I dig more into the as-of-yet untapped marketing options available to self-published authors. And there are a lot! Thank you to everyone who has purchased a copy. Please review it in Amazon if you have a spare minute–it would be a huge help.
It’s official — I got my Splunk Certified Architect 6.3 badge today. It was a lot more work than I though it would be; it’s definitely not just symbolic. Six classes at about 55 hours total (not including studying) capped off by a final lab that we had 24 hours to complete (I think I took about 8 hours, the first day running well past midnight.)
The best way to learn about many technologies, I feel, is to get certified. Preparing for a certification forces you to study and learn the details and a lot of things that you might not have used before, but after learning them, may come in handy later. These classes and tests helped me understand how Splunk works and the depth of the tools and options it offers. It’s really a massive solution, and now I have a better handle on how to apply its various features for almost any type of environment.
The classes were very good as well as their instructors. The education program shows that it cares as much about the quality of their training materials and delivery as the engineers who built and support Splunk products. I always appreciated how Splunk was created and designed–it just felt like it made sense. Now that I demonstrably know a bit more, my instinct has been validated.