Book Review: ‘Well Aware,’ by George Finney

Posted by Charles Buege and Laura Penhallow on Feb 25, 2021 4:20:23 PM

Thursday, February 25, 2021

Review by Charles Buege and Laura Penhallow, Fuel Editorial Advisory Committee Members

The Fuel Board of Directors’ own George Finney is an exceptionally talented cybersecurity professional. In his more than 25 years of experience in the cybersecurity field, he has authored several books, taught cybersecurity at Southern Methodist University and been recognized by Security Magazine as one of the top cybersecurity leaders in 2018; he is also a part of the Texas CISO council.

In this article, we will showcase his latest book, “Well Aware,” a security handbook for people. There is no need to be technically adept, or even in IT, to gain valuable insight from this book. Using anecdotes and real-world analogies, Finney explains the nine habits he believes are crucial to mastering cybersecurity. Once mastered, these habits can be integrated into everyday responses and decisions to increase your security at home, in the office and beyond.

Throughout the book, Finney drives the point home that cybersecurity is not a set of skills or certifications or even a job title — rather, it’s a learned behavior. The nine habits he has identified are as follows: 

  • Literacy

  • Skepticism

  • Vigilance

  • Secrecy

  • Culture

  • Diligence

  • Community

  • Mirroring

  • Deception

We will briefly touch on what each of these nine habits is, but this will not do justice to the level of detail that Finney goes into in his book.

Literacy

Finney describes how important it is to have a detailed understanding of what specifically is at risk in your environment. This includes knowing how your alarms and privacy settings are set up, and what other types of tricks could be used by threat actors to gain a foothold into your systems. It can also include things on a more personal level, such as what systems you have access to and where the logins are stored. Bottom line: what do you and your organization look like to a potential attacker?

Also in this chapter, Finney covers the concept of tactical literacy. This concept is twofold: first creating a foundation of knowledge on the topic and, second, knowing how and when to get more information about it. Specifically, Finney says: “Cybersecurity literacy comes when you know how, where and when to look for the answer to a problem and when you recognize the solution.”

Skepticism

Skepticism is the mentality of not believing something until you’ve seen it, even if it takes a while. This is useful when you need to make sure a scenario isn’t a one-off or a shadow event; you also need to be patient and let the event fully occur so that you understand the full picture. Trust, but verify!

Vigilance

Vigilance is the process of applying skepticism and literacy to a specific situation. These habits work together to reduce distractions, and to build high-fidelity alerts from monitoring systems and automation. This habit can be the difference between spending hours chasing down a false positive alert versus applying targeted knowledge and information to a situation and using that to make decisions.

Secrecy

Secrecy is one component of cybersecurity that should be obvious, but sometimes is so obvious that people can’t see the forest for the trees. It is important for both organizations and individuals to identify what is secret to them, and for how long they should protect this information.

Finney goes one step further and includes empathy in his description of this habit. The number of times that people have left IDs and passwords out on their desks is frightening, so until it is actually pointed out to everyone what is at stake and how their actions impact the organization, change cannot occur. Finney writes that if we empower our employees and encourage empathy amongst them, the company will have a greater chance of success to protect its secrets.

Culture

Culture is another factor that is very hard to force upon a company. Finney drives this point home with this quote: “One person can’t create a culture, nor can one person acting alone change a culture that already exists.” You can hire as many cybersecurity professionals as you want, but until a company realizes as a whole that cybersecurity is everyone’s responsibility, you’ll never be truly secure. Finney provides some great insight on how to change your cybersecurity culture, including “random acts of security.” (You’ll have to read the book to find out what that means!)

Diligence

Right along with culture, diligence is just as important. If Mary gets a phishing email and deletes it without telling anyone, how can the cybersecurity team learn why the email got through their anti-phishing rules? How can they improve their system to prevent future messages like this if Mary doesn’t follow processes and isn’t diligent in letting them know this occurred?

Mary needs to be empowered and prepared to react. She needs access to the plans, processes and procedures necessary for this situation. It is also important to have empathy and not blame Mary if something goes wrong, but rather to take steps to improve those processes for next time. She should also be made aware that it isn’t her fault that she received the message. Her email is just one of many that were most likely targeted, so an employee should never feel like they are the problem. Rather, they need to feel that they are part of the solution by bringing it to the cybersecurity team’s attention.

Community

While you may think Finney already covered this in the chapter on culture, the seventh habit, community, is slightly different. In fact, he believes that community is the most important habit to adopt. Community is individuals banding together to provide safety and security to each other. As humans, we learn from each other. Each time we comment on a blog (like here at Fuel!), chat about an email, discuss a book or reveal tactics, techniques and procedures (TTPs) regarding a common adversary, we are participating and furthering our craft — security.

Fuel is a community. Your work colleagues are a community. Any place we trade information for the benefit of the whole is a community. Using the collective knowledge and experience of a community allows us to make better decisions and react more quickly.

Mirroring

The eighth habit, mirroring, is a term that might seem confusing until you look at one of Finney’s examples: penetration testing. Through penetration testing, you get to see what your organization looks like through an attacker’s eyes. By doing so, you can take steps to dramatically improve your security posture.

Deception

With penetration testing comes the last of the nine habits: deception. Ever see a WWII spy movie where the Americans are in a prisoner-of-war camp and the enemy tries to sneak a spy into their midst? Well, the Americans will distrust any new guy for a while and then will test him with questions like “Hey, did you know old Sgt. Jones with the 121st?” and the spy replies with “Oh yeah! He was a really mean, old guy!” The Americans know there was no Sgt. Jones and the spy has just revealed himself. That’s what is meant by the deception technique.

The authors of this article use this same technique whenever we get messages from “friends” on Facebook when we think those accounts have been hacked. We’ll ask them odd questions about family members that make no sense to see how they answer. If they don’t answer correctly, we know the account has been hacked. That is another way to use deception. As Finney says in the introduction of his book, deception is “both a preventive and detective habit.”

Our Take on the Book

This was a very enjoyable read, from introduction to conclusion. With each chapter of this book, Finney goes into fantastic example scenarios where each habit either helped an individual improve professionally, helped an organization improve or where there was room for improvement. Finney demonstrates throughout the book how security is not a new or purely technical concept. There are security lessons learned from a printmaker in the 15th century that are still valid today!

We also really enjoyed how Finney writes that cybersecurity is a continuing education experience, and that failure is a part of success. We as a community learn so much from each other from our own failures.

Needless to say, we think that the book has many things going for it. Being well under 200 pages, it doesn’t have the normal “weight” of a standard cybersecurity manual and is filled with anecdotes and stories, making it much easier to read. Additionally, the book is very well cited, should anyone want to read further on the situations detailed in each chapter. Lastly, Finney himself is such an engaging individual; it is obvious that this book was a work of passion and it shines through in each page that he vastly enjoyed this project as he worked on it.

Charles Buege is the senior DevOps engineer for Temeda, an Industrial IoT company out of Naperville, Illinois. He currently holds a PCNSA certification and is working towards his PCNSE. He also runs an IT-based Meetup group called “The IT Crowd.”

Laura Penhallow is a security engineer for a trading firm based in London, United Kingdom. She is passionate about security and loves to engage with other like-minded individuals in the security community.

