Reading List

Reading List

Many people have asked me to put together a list of links to things to read that may help them become a security expert. I am not sure I can do that, but doing some reading is not a bad starting point. What you read out of this really depends on your interests. As I have said elsewhere, I do not believe you can be an expert on security without being an expert on some domain that security is being applied to. However, there are also some fundamentals that are important.

This list is somewhat skewed toward network and Windows security, because it is what I do. It is also woefully incomplete because I could not think of everything that would be useful. If you can, let me know. I will keep adding to it as I come up with more things. At any rate, here are some of the things that have informed my thinking.

General Info and Info Sec

  • Microsoft Corporation, The Security Risk Management Guide, 2004
    Everything we do in security is, or at least should be, guided by risk management. Yet, this, and a few of the better books, are the only resources on how to really do risk management for information security!

  • Johansson, Jesper, M. How A Criminal Might Infiltrate Your Network, TechNet Magazine, Winter 2005
    Basically a shorter version of chapter 2 from
    Protect Your Windows Network, this is a good overview of how a modern attack might unfold, looking in particular at the ways the attacker can use the operational practices against you.
  • Cheswick, Bill, An Evening with Berferd in Which A Cracker is Lured, Endured, and Studied, AT&T Bell Laboratories, 1992
    This is Bill Cheswick's classic account of how he watched an attacker through an entire attack. It is a fascinating study in what attackers do, and how they do it. It is getting old now, but while the tools have gotten better and the targets have changed, the core ideas of attacks is still the same.

  • Bishop, Matt, " Computer Security: Art and Science", Addison-Wesley Professional, 2002
    Matt Bishop is one of the more well-known professors working in computer security, and has been doing it longer than most. His "Computer Security: Art and Science" gives a great, albeit lengthy, detailed, and very, esoteric, introduction to security in computing. It is a good read if you want to understand where the field comes from, what the fundamental models are upon which the field is based, and how that impacts what we do today.

  • Schneier, Bruce, " Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd. Ed", Wiley, 1995
    OK, let's not kid ourselves, you won't be reading this. Most people do not need to. If you are one of the few people who need to actually build a cryptographic sub-system, as opposed to use one like the rest of us, then this would be essential. If you are one of the remaining 99% of us, it is a very interesting reference work for how crypto works and if you ever need to use it you will find out from here which mechanisms are available.

  • Ranum, Marcus The Six Dumbest Ideas in Computer Security,, 2005
    As with much of what Marcus writes, it is witty, to the point, and mostly valuable, correct, and important. In fact, surfing over to can be a fun way to spend an afternoon.
  • Miller, George, A., The Magical Number Seven, Plus or Minus Two: Some Limits on our Capacity for Processing Information, Psychological Review, 63, pp. 81-97., 1956
    I don't know how I could have forgotten to put Miller's classic on here in the first draft. This paper is very important because it is one of the first to recognize that there are severe limits on human's ability to process information. The actual limits are much less important (and fixed) than the fact that they exist, however. These concepts need to guide a lot of what we do in information processing and security as it limits how much complexity we can deal with. It is, of course, important to recognize that these are simultaneous processing limits, which do not necessarily serve to guide design. Edward Tufte has a lot to say about that.

Software Engineering (SE) and SE Security

  • Brooks, Frederick, P., Essence and Accidents of Software Engineering, IEEE Computer, April 1987.
    Only by understanding the complexities of software engineering can you fully appreciate the complexities of secure software engineering. Fred Brooks is one of the undisputed luminaries in that field and this is one of his great overview articles. This article was also reprinted in the second edition of Brooks' famous book "
    The Mythical Man Month".
  • Howard, Michael, LeBlanc, David, " Writing Secure Code, 2nd. Ed", Microsoft Press, 2002
    Howard and LeBlancs classic bestseller on code security is probably the most important book ever written on how to write secure software. It belongs on the shelves of all software engineers.

Networking and Network Security

  • Stevens, W., Richard, " TCP/IP Illustrated, volume 1, the Protocols", Addison-Wesley Professional, 1993
    You cannot be a network security expert without understanding TCP/IP and it will be awful difficult to understand TCP/IP without going back to Stevens. This is the seminal work on how TCP/IP works. Unfortunately, it will now never be updated since Steven's passed away a few years back. The book is still critical though, and ideally, you should get volume 2, "The Implementation" as well.

  • Bellovin, Steven, M., Security Problems in the TCP/IP Protocol Suite, Computer Communication Review, Vol. 19, No. 2, p. 32-48, April 1989
    Steve Bellovin is one of the greatest contributors to security theory and networking as a field. This article provides a wonderful overview of TCP/IP problems, which are the root of many of the security issues we have today.

  • Davies, Joseph, " Understanding IPv6", Microsoft Press, 2002.
    IPv6 is the future of networking and it is a good idea to start boning up on it now. This book provides a very good overview and is a great starting point.

  • Johansson, Jesper, M., & Riley, Steve, " Protect Your Windows Network", Addison-Wesley, 2005.
    This book is about Windows security, but more than that, it is about how to run networks securely. It covers topics you will not find elsewhere, such as network threat modeling, avoiding attacks by security dependencies, small business security, how to secure users, and other things that all contribute to the security of the eco-system as a whole.

  • Microsoft Corporation, Domain Isolation with IPsec, 2005
    Technical, detailed, specific to Windows, and arguably the best overview of the most important security technologies Microsoft has ever produced.

  • Microsoft Corporation, Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server2003
    A documentary of how Microsoft used IPsec to secure its own corporate network

People Security

  • Mitnick, Kevin, et al. " The Art Of Deception: Controlling The Human Element Of Security", Wiley, 2002
    In a way it really pains me to put this book on here, because Mitnick did not learn about social engineering by studying it; he learned social engineering by doing it, defrauding his victims of millions of dollars in the process. However, there is almost nothing else out there about what is arguably the most important aspect of information security today, save for a chapter in
    Protect Your Windows Network.

Windows Security

  • Russinovich, Mark E., & Solomon, David, A., " Microsoft Windows Internals, 4th Ed.", Microsoft Press, 2004.
    It is not completely essential, but certainly very helpful for a security professional to have a really solid understanding of how the operating system they are securing works. This book is better than most at it.

  • McClure, Stuart, et. al, " Hacking Exposed, 5th Ed.", McGraw-Hill, 2005
    The favorite security book that almost nobody needs – Hacking Exposed has been a best seller from day one. Unfortunately, it is very light on how to stop the attacks, but gives great insight into how to exploit unpatched systems.

  • Hoglund, Greg, & Butler, Jamie, " Rootkits, Subverting the Windows Kernel", Addison-Wesley Professional, 2005
    To be 100% honest, I have not read this one yet. However, rootkits are getting to be a bigger problem by the day, and Greg's knowledge of them is legendary. If it is as good as his papers, it is worth reading.

  • Microsoft Corporation, Windows Server 2003 Security Guide, 2005
    The authoritative guide on how to harden Windows Server 2003

  • Microsoft Corporation, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, 2005
    The threats and countermeasures guide has just about all the information you ever wanted to know about how to counteract specific threats against a Windows machine and what the impact of the mitigation might be.

  • Microsoft Corporation, Windows 2000 Security Hardening Guide, 2004
    The only fully supported hardening guide for Windows 2000

  • Microsoft Corporation, Windows XP Security Guide, 2005
    The only fully supported hardening guide for Windows XP.

Interesting Web Sites and Blogs

  • 2600 – The original hacker magazine. 2600 refers to the frequency used for certain control signals on the US telephone system. By sending a signal at that frequency the hacker was able to control the telephone switch.
  • Phrack – An intensely technical hacker mag that sometimes has really insightful articles, often lots of noise and posturing. Still worth keeping up on though.
  • Security Focus – Now owned by Symantec, Security Focus appears to still be operating largely independently providing good value. They host the biggest security mailing list, BugTraq, which, frankly, is not nearly as good as it used to be. Too much of the traffic now seems to be just posturing and advertising by security bug finders.
  • TechNet Security – Contains just about all of Microsoft's technical security documentation
  • MSDN Security – Microsoft's developer security center, contains, among other things, the famous Microsoft Security Development Lifecycle.
  • Microsoft Security Notifications – Anyone who runs Microsoft systems should sign up to get notified of new security issues.
  • Security Management Columns Archive – This is the archive for the Security Management Column on Microsoft TechNet. Many, although not all, of Steve Riley's and Jesper Johansson's articles are listed there.
  • Bruce Schneier's blog – Bruce Schneier is an opinionated pundit. He is also one of the worlds leading cryptographers. His blog has all kinds of odd things in it. Worth looking at every now and then.
  • Michael Howard's blog – Michael has forgotten more about writing secure software than most of us will ever know. Luckily, he wrote a lot of it in his blog before he forgot it.
  • Aaron Margosis' blog – Aaron speaks more about least privilege than just about anyone around. His blog has great information about how to do it for real.
  • Mark Russinovich's blog – Mark knows more about the Windows operating system than most of the people who actually work on it. He also is starting to get really good at security and of course has written some of the best tools out there. His blog is usually full of articles that he should have been paid for by some magazine.
  • Steve Riley's blog – Steve travels the world and teaches people how to be more secure and how to use Microsoft products more securely. He pontificates in many places, but all of them are usually listed in the blog.
  • Jesper Johansson's blog – One of the few people who is more opinionated than Steve Riley, or was that the other way around? In any case, I also have a blog now, and also spend most of my time talking to Microsoft customers about security, or on a plane on the way to do so.

Comments (5)

  1. Brian says:

    Jesper, with the importance of "People Security" and the useful things that Steve Riley and yourself have presented on this topic in the last few years I think it would be a great contribution to the security community for Steve and yourself to consider publishing more on this topic.  Another book would be highly appropriate on this topic since this seems to be the hardest aspect of security to bring across to a business.

  2. lars says:

    Jesper, about Mitnick: "..defrauding his victims of millions of dollars in the process..". As far as I know, I think it has never been proved in court or otherwise that there ever was any great financial loss for the victims or any economic gain for Mitnick himself at the time. True, there was cost in cleaning up after his security breaches, but Mitnick never to my knowledge deprived his victims of revenue by illigally obtaining their software for personal review or use. I understand your point about not really feeling comfortable about recommending his book as he is in fact now gaining from his past criminal activities (he did it, not study it), but I think it’s inappropriate to label him wrongfully as having defrauded his victims of huge costs if he did not.

    Otherwise, I’m a great fan of you and Steve, love your way of getting down to the real security issues as seen in your webcasts and your book.

    All the best,



  3. susan says:

    One blog that is for sure on my must reads (besides yours and Mr. Riley’s of course) is

    The MSRC blog will have late breaking security issues posted long before it’s on the official channels.

    Another one of interest is the Swiss Security blog

    The Antimalware blog (which always looks like you are typing animalware)

  4. Brian, I wish I knew enough about people security, but I really do not feel like I do. I am trying to study it though.

    Lars, I don’t recall all the details about what exactly Mitnick profited from, but the legal and clean-up costs should not be overlooked. Regardless of whether the criminal profited from the crime, the victims lost.

    Susan, good pointers, but I was mostly looking for learning opportunities, not merely keeping up on new events. I may have to  add those though. It is very hard to draw the line in this business. As we see above, sometimes learning means you have to go study things you would rather not.

  5. Jonathan says:

    I just finished reading Marcus Ranum’s list and now I’m going back to read over the rest of that site.  There’s a lot of good information in there and he’s really made it approachable.  Thanks for the heads-up on this, Jesper.

Skip to main content