Ben Rothke's Profile

Customer Reviews: 362
Top Reviewer Ranking: 1,839
Helpful Votes: 3467
Reviews Written by
Ben Rothke "Information security professional" RSS Feed (USA)
(REAL NAME)   

Locked Down: Information Security for Lawyers
by Sharon D. Nelson
Edition: Paperback
Price: $51.35

7 of 9 people found the following review helpful
5.0 out of 5 stars Should be considered required reading for all lawyers, May 20, 2013
Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA), and 2 of its 3 authors not been attorneys, one would have thought the book was a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security.

With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers.

Such a title is needed as the legal field has embraced digital technology for nearly every aspect of the legal field, has magazines and conferences about legal technology and much more. Wireless (often insecure) networks are pervasive in corporate offices throughout legal America.

The underlying problem is that while attorneys often know the intricacies of tort law, court proceedings and the like, they are utterly unaware of the information security and privacy risks surrounding the very technologies they are using. In many firms, the lawyers think that someone is protecting their data, but don't understand their requirements around those areas of data protection.

Legal IT systems are a treasure trove of personal data. Many small law firms are extremely attractive to identity thieves, given that their systems have a significant amount of personal information via social security numbers, credit card information, birth dates, financial information and much more. Small law firms are notorious for weak information security controls, and attackers will scan those systems and networks for vulnerabilities.

A pervasive aspect of the book is ABA rule 1.6 regarding the confidentiality of information regarding client-lawyer relationships. The rule requires that a lawyer not reveal information relating to the representation of a client unless the client gives informed consent. The lawyer though can reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary. The myriad details of 1.6 can be left to the bar association to enforce, suffice to say that a lawyer can find themselves on the wrong side of the law if they are not careful with information security controls.

The authors note that although lawyers are all well aware of rule 1.6, the challenge is how to keep client data secure in the digital age. In a world of paper, things were much easier and cheaper. This is why the authors note that so many otherwise competent lawyers fail so miserably in reference to their duty to maintain the confidentiality of digital client data.

The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they suffered a security breach. It is figures like those which show that attorneys really need to read this book and take the information to heart.

The book's 17 chapters are in a readable 150 pages, with an additional 120 pages of appendices. It is written in an easily understandable, non-technical style for the technologically challenged lawyer.

When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don't want to touch with a ten-foot pole. But it has reached a point where attorneys must understand how and when encryption should be used. Just as important, they need to know about key management, and what good encryption is. The chapter provides high-level detail on what needs to be done regarding encryption.

Chapter 13, on secure disposal, is an important topic to everyone, not just lawyers. Digital media needs to be effectively disposed of, and many lawyers think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware and software-based solutions.

Chapter 14 on outsourcing and cloud computing is an area where too many attorneys are oblivious to the security and privacy risks. For example, the authors advise attorneys against the use of the free Gmail service since the terms of service allow Google to do anything it wants with the data. That opens a Pandora's Box when it comes to securing client data. The authors advise using the premium Google business versions, so attorneys can stay in control of their data with added security and privacy features.

Two omissions in chapters 13 and 14 are that the authors don't reference NAID (National Association for Information Destruction) or the Cloud Security Alliance (CSA).

Firms that outsource their digital disposal to non-NAID-certified firms run the risk of having a glorified recycler do their work. As to NAID, it is an international trade association for companies providing information destruction services. NAID's mission is to promote the information destruction industry and the standards and ethics of its member companies, while the mission of the CSA is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.

The authors include many real-world stories and case law to reinforce their point.

The book closes with a number of appendices on various rules from the FTC, state information protection regulations, the SANS Institute glossary of security terms and more.

For the lawyer looking for an easy to read introduction to nearly everything they need to know about information security and privacy, the book is a great resource.

The book closes with the note that since lawyers have an ethical duty to protect their client's data, they have no choice but to keep themselves as well educated as possible.

For the attorney that wants to ensure their requirements remain current and is looking for an easy-to-read introduction about information security and privacy, Locked Down: Information Security for Lawyers should be considered required reading.

The Plateau Effect: Getting from Stuck to Success
by Hugh Thompson
Edition: Hardcover
Price: $19.79
48 used & new from $13.98

5 of 6 people found the following review helpful
4.0 out of 5 stars Fascinating read for growth-minded people, May 13, 2013
One of the challenges in reading The Plateau Effect: Getting from Stuck to Success is figuring out how to classify it. Amazon has it ranked mainly in applied psychology, but also time management and, inexplicably, personal finance. In some ways it is all of the above and more. In fewer than 300 pages, the authors reference myriad different areas of science, mathematics, psychology and more, in the effort to show the reader how they can elevate themselves from the stuff in life that glues them to the status quo.

With that, the premise of the book is that the plateau effect is something that affects everyone. We all have our ups and downs in life, relationships, work and more. The book attempts to help the reader identify plateaus in their life, in order to break through them.

While a plateau is often simply flat terrain, the authors are all over the terrain in the book. They quote and reference liberally from science, statistics, life sciences, psychology, ethics, information technology and much more. From that end, the book is a fascinating and insightful read.

At the start of the book, the authors use the term acclimation to refer to the plateaus that many of us reach. This is the inability to notice changes in the environment around us. To a degree, acclimation is a critical element of our lives. If everything was brand new, life would be overwhelming, both to our senses and psyche. The downside is that this acclimation often leads us to accepting things the way they are, staying at the plateau, getting stuck and being unable to move forward.

The authors note that a real plateau means that you have stopped growing and that your mind and senses are being dulled by sameness, by a routine that sucks the life and soul out of you. Plateaus force you to make bad decisions and feel desperate. By understanding the force and tapping into it, you can get more out of life with less effort, and feel more in tune with your existence. If this scares you into thinking the book sounds like a new-age title, relax; it is far from it, thankfully.

Chapter 3 is one of the many fascinating sections in the book where the authors detail the greedy algorithm, where the locally optimal choice is what is generally preferred. They tie this into the Gekko mantra of greed being good. But they note that research has shown that long-term greed is good, but short-term greed, the type that maximizes the here and now, seems to work for a while but almost always leads to a plateau. And as you realize, plateaus are bad.

Chapter 5 details flow mechanisms, step functions and choke points. Author Hugh Thompson is a mathematician and it's obvious this chapter is his baby. A choke point is a part of a system that breaks first and slows everything else down. The book notes that a common cause of plateaus is not recognizing when and where choke points will occur.

Chapter 6 is another fascinating chapter that details people's inability to effectively deal with risk. The example given is around shark attacks. While the risk of shark attack is extraordinarily low, the media often makes it seem like an epidemic, and the gullible populace overreacts. The authors give many examples of where people don't comprehend risk and statistics. The authors note that people buy lottery tickets, often described as a tax on the mathematically disinclined, despite knowing the odds. They also write that due to various factors, people and society have become overly risk-averse, not realizing how risky that is.

While not new, chapter 7 details the problems with multitasking and its illusions of productivity. The authors quote Jordan Grafman, chief of the cognitive neuroscience section of the National Institute of Neurological Disorders and Stroke, who states that multitasking is actually a misnomer. He terms it rapid toggling between tasks. The downside to this rapid toggling is that people become less effective and productive. The reality they show is that people can't multitask.

While the book is indeed a fascinating and valuable read, some readers may find it somewhat frustrating that the authors at times can seem like they are all over the place, quoting and integrating different facets of science and psychology. While the theme of the book is plateaus, there is not always a discernible sense of unity between all of the examples.

Another shortcoming is the shortage of prescriptive actions the reader can take. For the reader who may be indifferent to their need for change, the book may not be of full value to them. It would have been appreciated if the authors could have created action items and exercises for each chapter.

But perhaps the best advice is on the 3rd to the last page of the book. The authors ask: if your company is stuck, has plateaued, and is unable to get past some vexing problems, what should you do? Tell the type A's in the room to be quiet for a while and seek out some frontline introvert and ask for their advice. Giving voice to the quietest person in the room might be the most unique exercise a firm undertakes.

With that, The Plateau Effect: Getting from Stuck to Success is an extremely stimulating read. For the reader who wants to grow and move off their plateau, this will certainly help them. The book promises to help the reader unstick themselves from the things in life that weigh them down. It certainly lives up to its promise and makes for a fascinating read.

Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering)
by Robert C. Seacord
Edition: Paperback
Price: $38.35
43 used & new from $28.50

8 of 8 people found the following review helpful
5.0 out of 5 stars Required reading for anyone who codes in C or C++, May 7, 2013
Behind nearly every security vulnerability is poorly written or insecure code. Fix the code and a majority of the security vulnerabilities go away.

In the just released 2nd edition of Secure Coding in C and C++, author Robert Seacord of CERT has created an invaluable resource for developers.

Research from OWASP and CERT shows that the lion's share of core vulnerabilities can be found in a small number of root causes. In the book, Seacord tackles those root causes.

Like a good programmer, the book is methodical and details all of the core areas which can lead to security vulnerabilities. The book shows how they are exploited and how they can be fixed.

The average C programmer knows about buffer overflows, authentication, format strings and more. But if they don't know how to write secure code, they will invariably write insecure code.

Aside from the inherent security and privacy benefits, there is significant cost savings to writing secure code.

For anyone who codes in C or C++, Secure Coding in C and C++ should be required reading.

Cybersecurity: Public Sector Threats and Responses (Public Administration and Public Policy)
by Kim J. Andreasson
Edition: Hardcover
Price: $56.66
33 used & new from $30.00

2 of 2 people found the following review helpful
4.0 out of 5 stars Provides a broad overview of cybersecurity in the government sector, May 1, 2013
One of the myriad benefits of the Internet has been the increase in efficiency and speed of communications. What used to take days and weeks to transmit can now be sent instantly with Facebook, e-mail, Twitter, and the like. In Cybersecurity: Public Sector Threats and Responses, author Kim Andreasson provides an overview of how government agencies and other public-sector groups can use the Internet without introducing unnecessary risks to their constituents.

The book recognizes that the Internet has rapidly changed the way the public sector interacts with citizens. The quick ramp-up to Internet connectivity has led many public sector agencies to give short shrift to the issues of security and privacy. This work provides a high-level overview of security trends surrounding the effort to make government more connected, taking a broad approach with a heavy international focus. Numerous case studies demonstrate how agencies worldwide have dealt with the threats and vulnerabilities involved in moving to an e-government mode.

One challenge that governments face is that they often move at a snail's pace, while security threats move substantially more quickly.

For those who need a highly detailed approach to cybersecurity in the public sector, this may not be the best title. But for those seeking a broad overview of the topic, it is a good starting point.

Memorex 700MB/80-Minute 52x Data CD-R Media 50-Pack Spindle
Offered by 1 Stop Outlet
Price: $12.20
59 used & new from $9.79

1 of 3 people found the following review helpful
1.0 out of 5 stars The reason these are cheap, is that they are cheaply made, April 28, 2013
I got a great deal on these. But I think the reason they are so cheap is that they are cheaply made.

I have gone through half of the spindle of 50 attempting to burn audio files.

My failure rate so far is about 13%.

The end result is you get what you pay for.

Applied Information Security: A Hands-on Approach
by David Basin
Edition: Hardcover
Price: $37.51
40 used & new from $32.99

1 of 1 people found the following review helpful
4.0 out of 5 stars Intense but brief and concentrated introduction to the fundaments of information security, April 22, 2013
In Applied Information Security: A Hands-on Approach, authors David Basin, Patrick Schaller and Michael Schläpfer detail some of the lab exercises and texts that they used for courses they gave at ETH Zürich (Eidgenössische Technische Hochschule Zürich), an engineering and science-based university in Zurich, Switzerland.

In fewer than 200 pages, the book is an intense introduction to the fundamentals of information security. The authors wrote the book to be used as a primary reference for an undergraduate or post-graduate level course.

The book is written by college professors for a college level reader, and it is expected that the reader have a solid understanding of networks and programming. The book is made for the reader looking to take their core technical knowledge and apply it to information security.

The main focus of the book is on network security, O/S security and web applications. Large tomes could be written on the security aspects of each of these, so the book should not be seen as a definitive reference, rather an introductory text.

The reader is expected to complete the labs to get the full benefit of the text. These labs can be downloaded here.

This is not a For Dummies style of book with the verbosity that comes along with it. But for those looking for an intense but brief and concentrated introduction to some of the fundamentals of information security, to supplement other more comprehensive references, Applied Information Security: A Hands-on Approach is an excellent book.

The Death of the Internet
by Markus Jakobsson
Edition: Paperback
Price: $55.35
50 used & new from $50.99

8 of 9 people found the following review helpful
5.0 out of 5 stars Excellent reference to the dangers of the Internet, April 15, 2013
When I first heard about the book The Death of the Internet, it had all the trappings of a second-rate book; a histrionic title and the fact that it had nearly 50 contributors. I have seen far too many books that are pasted together by myriad disparate authors, creating a jerry-rigged book with an ISBN, but little value or substance.

The only negative thing about the book is the over-the-top title, which I think detracts from the important message that is pervasive in it. Other than that, the book is a fascinating read. Editor Markus Jakobsson (Principal Scientist for Consumer Security at PayPal) was able to take the collected wisdom from a large cross-section of expert researchers and engineers, from different countries and nationalities, academic and corporate environments, and create an invaluable and unique reference.

The premise of the book is that the Internet is a cesspool of inefficient management and vulnerabilities that threaten to undermine its use.

In the preface, Jakobsson asks the obvious question: is the title a joke? He writes that ultimately, if the Internet can't be secured, and the underlying amount of crime and fraud makes the Internet useless and dangerous, then it indeed will lead to the tipping point where the result would be the death of the Internet. Where is that point? Nobody knows.

Chapter 1 observes that if a hostile country or organization wants to hurt us, they may find that the easiest way of doing so is by attacking the Internet, and our very dependence on the Internet invites attacks. We are more vulnerable to these attacks as our dependence on the Internet grows.

Chapter 3 provides an in-depth look at how criminals profit off the Internet and provides an intriguing overview of how click fraud works. While the click fraud rate at one point was as high as 30%, it is still in the range of 20%. The book notes that while the overall click fraud rate has been on the decline, there is the emergence of new schemes and those that focus on display ads. The click fraud schemes are so effective that the fraudsters are operating large scale automated attacks in a way that is difficult for the ad networks to distinguish between fraudulent and real clicks, thus producing high revenue for the fraudsters.

The chapter also provides an interesting look at the malware industry. It notes that malware development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime. The authors detail the interaction between the various components in a typical cybercrime business model, in which individual groups of criminals coordinate their efforts. The outcome is a product known as CaaS - crimeware as a service.

Many have often called the Internet the Wild West. Chapter 4 details the Internet infrastructure and cloud, in which the amorphous cloud images may help fuel the false perception that the Internet is a lawless and unaccountable entity that exists beyond policy. The book notes that what is breaking the Internet is not lack of policy, but lack of enforcement and accountability. Internet criminals appear to exist outside the policy structure, when the reality is that they are embedded in it and their livelihood in fact depends on the Internet functioning regularly, quickly and efficiently.

While much of the book is focused on cybercrime and fraud, the book also points fingers at ICANN (Internet Corporation for Assigned Names and Numbers) for in some ways facilitating this Internet crime wave. ICANN is the organization that coordinates the Domain Name System (DNS), Internet Protocol (IP) addresses, space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions. Their premise is that ICANN is more interested in generating revenue and profits than in security.

Due to systemic failures, cybercriminals often hide behind false WHOIS information held by Registrars who do not perform adequate due diligence or enforcement. This is primarily due to the fact that the more domain names that are sold, the more revenue for the Registrars. Chapter 4 notes that this weak oversight by ICANN is also one of the biggest threats to the stability of the Internet. The chapter quotes a GoDaddy executive who stated that proactive measures to make Internet registries more accurate would not be affordable or useful.

The book provides an analysis of social spam, which has become more pervasive with the emergence of Web 2.0. People are sharing vast amounts of personal data that opens them to these spam attacks. Since the defining characteristic of Web 2.0 is its social nature, it encourages people to share information, collaborate and form social links. These features of social media have the implication that they create a large network of connections between users and content that is controlled almost entirely by the users. This places great power in the hands of well-intentioned users to engage with others and express themselves. But it also provides an opportunity for spammers to exploit the social web for their own interests. As a result, social web applications have become tempting targets for spam and other forms of Internet pollution.

Another fascinating observation around Web 2.0 is that the authors were able to perform use analysis, in which they were able to identify pieces of information about the users which are not necessarily shared directly by their profiles. Items such as sleeping patterns, daily routines, physical locations, and much more can be extracted via metadata and other external analysis.

By the time one gets to chapter 5, they have read 200 pages detailing the problems with security and privacy around the Internet core. Exacerbating this is the role of the end user, where the chapter notes that if people are offered the choice of convenience or security, then security will lose. The average Internet user is lazier than security aware; not at all an encouraging observation.

Chapter 7 details one of the banes that have plagued information security: poor user interfaces. It details the four sins of security application user interfaces: popup assault, security by verbosity, walls of checkboxes and all-or-nothing switches. The book is worth purchasing just for this section.

The book ends with some thoughts for the future, but there is no magic wand or quick happy endings that Jakobsson and his band of ultra-smart contributors offer. Throughout the book, the contributors do though write how there are ways to secure the Internet, but those take thorough and comprehensive strategies and design. There are countermeasures for most of the threats and vulnerabilities detailed and the book provides an unparalleled view of the current state of Internet security.

Situational awareness is defined as the perception of environmental elements with respect to time and/or space, the comprehension of their meaning, and the projection of their status after some variable has changed. For those looking for a book to gain situational awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.

Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure
by Eric D. Knapp
Edition: Paperback
Price: $49.58
37 used & new from $42.92

2 of 2 people found the following review helpful
4.0 out of 5 stars Excellent intro to smart grid security, April 8, 2013
Imagine if the smart guys from the SANS Institute came to the Federal Energy Regulatory Commission (FERC) and told them that it was impossible for the smart grid to be effectively secured. What are the chances that FERC and other state regulators would put the brakes on this new modern power infrastructure? The reality is that the chances would be very low, as the smart grid is coming, hell or high water.

With that, the smart grid in its full form is imminent and it is anybody's guess how secure it ultimately will be. In Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure, authors Eric Knapp and Raj Samani provide an excellent overview of what the smart grid is and how it can be secured. The book offers many glimmers of hope from a security and privacy perspective. The hope can shine if the security controls are correctly and effectively implemented.

Knapp is a veteran SCADA and smart grid security guru. His previous book Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, which I reviewed here, is an equally valuable resource.

The book provides an introduction to the smart grid, details its architecture, and then enumerates the security and privacy issues around it. There are numerous security models for SCADA and the smart grid which the book enumerates.

For those looking for a detailed and technical introduction to smart grid security and a synopsis of the security and privacy issues, Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure is a great place to start.

Introduction to Computer Networks and Cybersecurity
by Chwan-Hwa Wu
Edition: Hardcover
Price: $104.62
34 used & new from $73.95

3 of 3 people found the following review helpful
4.0 out of 5 stars Excellent reference on the topic, March 28, 2013
At nearly 1,400 pages, Introduction to Computer Networks and Cybersecurity is more than just an introduction to the topic. Rather than simply an introduction, it is a comprehensive guide to the subject.

The book is meant as a primary text to be used for a one (networking or security) or two semester course for the entire spectrum of networking and information security. Written by Professors Chwan-Hwa Wu and J. David Irwin of Auburn University, the book is written in a very jam-packed and dense style.

The book notes that networks and information security are closely connected. With that, the book includes a comprehensive overview of network architectures and the various network layers.

The networking portion of the book is the first 16 of the book's 28 chapters. In the remaining 12 chapters on cybersecurity, the authors provide an extremely all-inclusive summary.

Each chapter concludes with a set of problems and questions.

While not written with the CISSP candidate in mind, the book nonetheless is an excellent resource for anyone preparing to take the ISC2 CISSP exam.

For the instructor looking for an all-inclusive college level course, or the student looking to gain a comprehensive understanding of the fundamentals of networking and information security, Introduction to Computer Networks and Cybersecurity is an excellent reference and resource.

Managing Risk and Information Security: Protect to Enable
by Malcolm Harkins
Edition: Paperback
Price: $20.77
29 used & new from $12.52

3 of 3 people found the following review helpful
4.0 out of 5 stars Great book to use to start the information security journey, March 20, 2013
Risk management in the real world is not an easy endeavor. On one side, people use toilet seat covers thinking they do something; on the other side, millions of people smoke cigarettes, ignoring the empirical evidence of their danger.

In Managing Risk and Information Security: Protect to Enable, author Malcolm Harkins deals with the inherent tension of information security - that between limitations and enablement.

Harkins, in his role as CISO at Intel, argues that a new and fresh approach to information security is called for and he outlines it in the book.

At under 150 pages, the book provides a good introduction and high-level overview of the fundamentals of information security risk and details numerous risk management strategies.

One of the book's key points is that information security often has a disconnect from the underlying business needs that it is expected to secure. Harkins accurately notes that the only way to create an effective risk mitigation strategy is to ensure that the business and technical groups communicate.

As to Harkins' new approach to managing risk, he writes that given the increasing role of technology and the resulting information-related business risk, a new approach to information security built on the concept of protecting to enable is needed. Because compromise is inevitable, managing risk and surviving compromise are the key elements of this strategy.

Harkins writes that this new approach should:

* incorporate privacy and regulatory compliance by design, to encompass the full scope of business risk
* recognize that people and information--not the enterprise network boundary--are the security perimeter
* be dynamic and flexible enough to quickly adapt to new technologies and threats

Harkins writes that we need to accomplish a shift in thinking, adjusting our primary focus to enable the business, and then thinking creatively about how we can do so while managing the risk.

Not only is this a good book, it is part of the Apress Open format and is available for free. Amazon also offers it as a free Kindle download.

The book doesn't propose a single definitive solution, as Harkins notes that information is a journey without a finish line. For those looking to commence on that journey, Managing Risk and Information Security: Protect to Enable is a great place to start.
