Many people have asked me to put together a list of links to things to read that may help them become a security expert. I am not sure I can do that, but doing some reading is not a bad starting point. What you read out of this really depends on your interests. As I have said elsewhere, I do not believe you can be an expert on security without being an expert on some domain that security is being applied to. However, there are also some fundamentals that are important.
This list is somewhat skewed toward network and Windows security, because it is what I do. It is also woefully incomplete because I could not think of everything that would be useful. If you can, let me know. I will keep adding to it as I come up with more things. At any rate, here are some of the things that have informed my thinking.
General Info and Info Sec
- Microsoft Corporation, The Security Risk Management Guide, 2004
Everything we do in security is, or at least should be, guided by risk management. Yet, this, and a few of the better books, are the only resources on how to really do risk management for information security!
- Johansson, Jesper, M. How A Criminal Might Infiltrate Your Network, TechNet Magazine, Winter 2005
Basically a shorter version of chapter 2 from Protect Your Windows Network, this is a good overview of how a modern attack might unfold, looking in particular at the ways the attacker can use the operational practices against you.
- Cheswick, Bill, An Evening with Berferd in Which A Cracker is Lured, Endured, and Studied, AT&T Bell Laboratories, 1992
This is Bill Cheswick's classic account of how he watched an attacker through an entire attack. It is a fascinating study in what attackers do, and how they do it. It is getting old now, but while the tools have gotten better and the targets have changed, the core ideas of attacks is still the same.
- Bishop, Matt, " Computer Security: Art and Science", Addison-Wesley Professional, 2002
Matt Bishop is one of the more well-known professors working in computer security, and has been doing it longer than most. His "Computer Security: Art and Science" gives a great, albeit lengthy, detailed, and very, esoteric, introduction to security in computing. It is a good read if you want to understand where the field comes from, what the fundamental models are upon which the field is based, and how that impacts what we do today.
- Schneier, Bruce, " Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd. Ed", Wiley, 1995
OK, let's not kid ourselves, you won't be reading this. Most people do not need to. If you are one of the few people who need to actually build a cryptographic sub-system, as opposed to use one like the rest of us, then this would be essential. If you are one of the remaining 99% of us, it is a very interesting reference work for how crypto works and if you ever need to use it you will find out from here which mechanisms are available.
- Ranum, Marcus The Six Dumbest Ideas in Computer Security, http://www.ranum.com/security/computer_security/editorials/dumb/index.html, 2005
As with much of what Marcus writes, it is witty, to the point, and mostly valuable, correct, and important. In fact, surfing over to http://www.ranum.com/security/computer_security/index.html can be a fun way to spend an afternoon.
- Miller, George, A., The Magical Number Seven, Plus or Minus Two: Some Limits on our Capacity for Processing Information, Psychological Review, 63, pp. 81-97., 1956
I don't know how I could have forgotten to put Miller's classic on here in the first draft. This paper is very important because it is one of the first to recognize that there are severe limits on human's ability to process information. The actual limits are much less important (and fixed) than the fact that they exist, however. These concepts need to guide a lot of what we do in information processing and security as it limits how much complexity we can deal with. It is, of course, important to recognize that these are simultaneous processing limits, which do not necessarily serve to guide design. Edward Tufte has a lot to say about that.
Software Engineering (SE) and SE Security
- Brooks, Frederick, P., Essence and Accidents of Software Engineering, IEEE Computer, April 1987.
Only by understanding the complexities of software engineering can you fully appreciate the complexities of secure software engineering. Fred Brooks is one of the undisputed luminaries in that field and this is one of his great overview articles. This article was also reprinted in the second edition of Brooks' famous book " The Mythical Man Month".
- Howard, Michael, LeBlanc, David, " Writing Secure Code, 2nd. Ed", Microsoft Press, 2002
Howard and LeBlancs classic bestseller on code security is probably the most important book ever written on how to write secure software. It belongs on the shelves of all software engineers.
Networking and Network Security
- Stevens, W., Richard, " TCP/IP Illustrated, volume 1, the Protocols", Addison-Wesley Professional, 1993
You cannot be a network security expert without understanding TCP/IP and it will be awful difficult to understand TCP/IP without going back to Stevens. This is the seminal work on how TCP/IP works. Unfortunately, it will now never be updated since Steven's passed away a few years back. The book is still critical though, and ideally, you should get volume 2, "The Implementation" as well.
- Bellovin, Steven, M., Security Problems in the TCP/IP Protocol Suite, Computer Communication Review, Vol. 19, No. 2, p. 32-48, April 1989
Steve Bellovin is one of the greatest contributors to security theory and networking as a field. This article provides a wonderful overview of TCP/IP problems, which are the root of many of the security issues we have today.
- Davies, Joseph, " Understanding IPv6", Microsoft Press, 2002.
IPv6 is the future of networking and it is a good idea to start boning up on it now. This book provides a very good overview and is a great starting point.
- Johansson, Jesper, M., & Riley, Steve, " Protect Your Windows Network", Addison-Wesley, 2005.
This book is about Windows security, but more than that, it is about how to run networks securely. It covers topics you will not find elsewhere, such as network threat modeling, avoiding attacks by security dependencies, small business security, how to secure users, and other things that all contribute to the security of the eco-system as a whole.
- Microsoft Corporation, Domain Isolation with IPsec, 2005
Technical, detailed, specific to Windows, and arguably the best overview of the most important security technologies Microsoft has ever produced.
- Microsoft Corporation, Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server, 2003
A documentary of how Microsoft used IPsec to secure its own corporate network
- Mitnick, Kevin, et al. " The Art Of Deception: Controlling The Human Element Of Security", Wiley, 2002
In a way it really pains me to put this book on here, because Mitnick did not learn about social engineering by studying it; he learned social engineering by doing it, defrauding his victims of millions of dollars in the process. However, there is almost nothing else out there about what is arguably the most important aspect of information security today, save for a chapter in Protect Your Windows Network.
- Russinovich, Mark E., & Solomon, David, A., " Microsoft Windows Internals, 4th Ed.", Microsoft Press, 2004.
It is not completely essential, but certainly very helpful for a security professional to have a really solid understanding of how the operating system they are securing works. This book is better than most at it.
- McClure, Stuart, et. al, " Hacking Exposed, 5th Ed.", McGraw-Hill, 2005
The favorite security book that almost nobody needs – Hacking Exposed has been a best seller from day one. Unfortunately, it is very light on how to stop the attacks, but gives great insight into how to exploit unpatched systems.
- Hoglund, Greg, & Butler, Jamie, " Rootkits, Subverting the Windows Kernel", Addison-Wesley Professional, 2005
To be 100% honest, I have not read this one yet. However, rootkits are getting to be a bigger problem by the day, and Greg's knowledge of them is legendary. If it is as good as his papers, it is worth reading.
- Microsoft Corporation, Windows Server 2003 Security Guide, 2005
The authoritative guide on how to harden Windows Server 2003
- Microsoft Corporation, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, 2005
The threats and countermeasures guide has just about all the information you ever wanted to know about how to counteract specific threats against a Windows machine and what the impact of the mitigation might be.
- Microsoft Corporation, Windows 2000 Security Hardening Guide, 2004
The only fully supported hardening guide for Windows 2000
- Microsoft Corporation, Windows XP Security Guide, 2005
The only fully supported hardening guide for Windows XP.
Interesting Web Sites and Blogs
- 2600 – The original hacker magazine. 2600 refers to the frequency used for certain control signals on the US telephone system. By sending a signal at that frequency the hacker was able to control the telephone switch.
- Phrack – An intensely technical hacker mag that sometimes has really insightful articles, often lots of noise and posturing. Still worth keeping up on though.
- Security Focus – Now owned by Symantec, Security Focus appears to still be operating largely independently providing good value. They host the biggest security mailing list, BugTraq, which, frankly, is not nearly as good as it used to be. Too much of the traffic now seems to be just posturing and advertising by security bug finders.
- TechNet Security – Contains just about all of Microsoft's technical security documentation
- MSDN Security – Microsoft's developer security center, contains, among other things, the famous Microsoft Security Development Lifecycle.
- Microsoft Security Notifications – Anyone who runs Microsoft systems should sign up to get notified of new security issues.
- Security Management Columns Archive – This is the archive for the Security Management Column on Microsoft TechNet. Many, although not all, of Steve Riley's and Jesper Johansson's articles are listed there.
- Bruce Schneier's blog – Bruce Schneier is an opinionated pundit. He is also one of the worlds leading cryptographers. His blog has all kinds of odd things in it. Worth looking at every now and then.
- Michael Howard's blog – Michael has forgotten more about writing secure software than most of us will ever know. Luckily, he wrote a lot of it in his blog before he forgot it.
- Aaron Margosis' blog – Aaron speaks more about least privilege than just about anyone around. His blog has great information about how to do it for real.
- Mark Russinovich's blog – Mark knows more about the Windows operating system than most of the people who actually work on it. He also is starting to get really good at security and of course has written some of the best tools out there. His blog is usually full of articles that he should have been paid for by some magazine.
- Steve Riley's blog – Steve travels the world and teaches people how to be more secure and how to use Microsoft products more securely. He pontificates in many places, but all of them are usually listed in the blog.
- Jesper Johansson's blog – One of the few people who is more opinionated than Steve Riley, or was that the other way around? In any case, I also have a blog now, and also spend most of my time talking to Microsoft customers about security, or on a plane on the way to do so.