Reference Books, Journals
Modified 04 April 2007
OK, so what's on my bookshelf?
Some of the ISBN numbers below refer to older editions;
make sure to get the latest one!
- General Security — non-technical
-
Beyond Fear,
Bruce Schneier, Copernicus Books,
ISBN 0-387-02620-7.
Excellent, about security in general.
-
Secrets and Lies,
Bruce Schneier, John Wiley and Sons,
ISBN 0-471-25311-1.
More narrowly focused on information
security.
It doesn't have much in the way of technical
tips, but it's a fantastic explanation of what
matters and why.
-
Information Warfare and Security,
Dorothy Denning, Addison-Wesley,
ISBN 0-201-43303-6.
Largely a collection of anecdotes, but
a great overview of information security
history, concentrating on roughly the mid-1980s
through 1999.
Nicely connects infosec to national security.
- General Security — in-depth and more technical
-
Security Warrior,
Cyrus Peikari and Anton Chuvakin,
O'Reilly,
ISBN 0-596-00545-8.
Far more detailed and academic
than most O'Reilly books, it gets into
analyzing binary executable files for
reverse-engineering, and other advanced
topics.
Great background for doing software
vulnerability analysis.
-
Network Security Assessment,
Chris McNab, O'Reilly,
ISBN 0-596-00611-X.
In-depth look at network scanning methods
and application vulnerability detection
and exploitation.
-
The various
Hacking <whatever> Exposed
books are pretty good,
although some people seem to think that their
approach is more useful than it really is.
Say you want to secure your web server:
knowing umpteen different ways to break in
is not all that useful.
Put the system behind a firewall if
possible, turn off the unneeded services,
move to a different application service
implementation running on a different
operating system if needed,
and move on.
- UNIX
-
Practical Unix and Internet Security,
Simson Garfinkel and Gene Spafford, O'Reilly
and Associates, ISBN 1-56592-148-8.
If I could only have one reference, this would
be it.
While it pays more attention to Unix and
TCP/IP than any other operating systems and
networking protocols, there is some great
general-purpose discussion on the basic
concepts.
Plus checklists to follow!
-
Unix Security, Dave Curry, Addison-Wesley.
I probably shouldn't just list Spaf's book, lest
I show some pro-Purdue bias.
Oops, never mind, Davy's from Purdue, too....
Oh well, there's some great stuff in here,
particularly if you're using Sun workstations.
Have you considered the risks of physical
access to a Sun console?
That and many other topics are discussed.
-
Linux Firewalls,
Robert Ziegler, New Riders,
ISBN 0-7357-1099-6.
The standard reference
on the topic.
-
Solaris 8 Security,
Edgar Danielyan, New Riders,
ISBN 1-57870-270-4.
Not the entire story, but good.
-
UNIX System Administration Handbook, Evi Nemeth,
Garth Snyder, Scott Seebass, and Trent Hein, Prentice Hall,
ISBN 0-13-151051-7.
If you've got UNIX, administer it correctly in the first place.
The standard reference work for sysadmins.
Also known as "The Purple Book," or
"The Red Book", depending on vintage.
-
SSH — The Secure Shell,
D.J. Barrett & R.E. Silverman,
O'Reilly, ISBN 0-596-00011-1.
No one should run telnet these days;
here's what to do instead.
Not just a UNIX topic, there are SSH clients
and servers for other operating systems.
-
USENIX, The Advanced Computing Systems
Association,
has made all their conference proceedings
available to everyone:
http://www.usenix.org/publications/library/proceedings/
- TCP/IP
-
Building Internet Firewalls,
D. Brent Chapman and Elizabeth D. Zwicky,
O'Reilly and Associates, ISBN 1-56592-124-0.
TCP/IP protocol-based attacks, their detection, and prevention.
Plus the design, configuration, and use of firewalls.
Lots of details on the application protocols and configuring
both the applications and the firewalls.
-
Firewalls and Internet Security,
Bill Cheswick and Steve Bellovin, Addison-Wesley,
ISBN 0-201-63357-4.
A second pass through the firewall material,
with a little more on operating system risks.
-
Internetworking with TCP/IP, Volume 1,
Douglas Comer,
Prentice Hall, ISBN 0-13-216987-3.
A very readable description of the major
components (and many minor bits) of the TCP/IP
internetworking protocol suite.
Comer's book is the better place to start:
it's written like a novel,
with a plot you can follow.
-
TCP/IP Illustrated, Volume 1,
W. Richard Stevens,
Addison-Wesley, ISBN 0-201-63346-9.
A bit tough for an introduction, but a good one
to follow Comer's book with lots more details.
If Comer's book is a novel,
this is an encyclopedia.
-
DNS and BIND,
Paul Albitz and Cricket Liu, O'Reilly and Associates,
ISBN 1-56592-236-0.
If you use DNS, use it correctly!
-
Managing IP Networks with Cisco Routers,
Scott M. Ballew, O'Reilly and Associates, ISBN 1-56592-320-0.
And use those routers correctly, too!
-
The Victorian Internet,
Tom Standage, 1999,
Berkley, ISBN 0425171698.
A nearly instantaneous communications network
that brought huge changes to governments,
business, and personal lives.
It also had a lot of communications security
issues and led to a revolution in
cryptography.
All this greatly agitated governments, which
tried and largely failed to control it to
their advantage.
And it happened in the 1800s.
A great book for people who think that today's
Internet is somehow completely different and
not subject to the same rules as the rest of
the universe.
- Cryptography
-
"The Gold Bug" by Edgar Allan Poe (1843)
is probably the most readable explanation
of how to break monoalphabetic substitution
ciphers by counting letter frequencies.
Be warned: it unfortunately contains racist
language.
"The Dancing Men" by Arthur Conan Doyle (1903)
is another detective story in which
a monoalphabetic substitution cipher is
broken, although Poe's explanation is
more accurate and complete.
-
Cryptanalysis,
Helen Gaines,
Dover,
ISBN 0486200973.
Yes, it's pre-WWII, but it's probably the
best place to start if you're interested
in how to break crypto systems.
And an important thing to read if you actually
think you can design a crypto system!
It shows you how to break combined
substitution and transposition ciphers
using pencil and paper.
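Poe's story and Gaines's book teach the same attack: count the letters of the ciphertext, rank them, and line the ranking up against the known frequency order of English. Here is that attack in Python, as an added example that is not from this page or from either book. The substitution key, the sample plaintext and the English frequency ordering used for the guess are all constructed for the example; with a few hundred letters only the top few ranks come out right, and the rest is finished by hand from word patterns, exactly as in the stories.

```python
"""Added example, not from the page: recovering a monoalphabetic
substitution key by letter-frequency analysis, the pencil-and-paper
attack Poe narrates and Gaines teaches.  Key and plaintext are
constructed for the example."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase
# English letters from most to least frequent (textbook ordering).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"
# Constructed key: plaintext letter ALPHABET[i] encrypts to KEY[i].
KEY = "qwertyuiopasdfghjklzxcvbnm"

# Constructed sample text; word divisions are removed, as in a real
# ciphertext, so only letter statistics are available to the attacker.
PLAINTEXT = (
    "the secret message in the story is broken the same way every "
    "letter in the cipher stands for one letter of the plaintext so "
    "the letter that appears most often in the ciphertext is probably "
    "e then t a o i n and the rest the detective counts the letters "
    "guesses the common ones looks for short words like the and and "
    "and then fills in the remaining letters from the context of the "
    "sentence once the ending of a word is clear the rest of it is "
    "easy to see and the whole message falls out"
).replace(" ", "")


def encrypt(text: str, key: str = KEY) -> str:
    return text.lower().translate(str.maketrans(ALPHABET, key))


def decrypt(text: str, key: str = KEY) -> str:
    return text.lower().translate(str.maketrans(key, ALPHABET))


def frequency_guess(ciphertext: str) -> dict:
    """Rank ciphertext letters by count and pair them with ENGLISH_ORDER:
    the most common letter is guessed to be 'e', the next 't', and so on.
    Letters that never occur are appended so the guess is a full bijection."""
    counts = Counter(c for c in ciphertext if c in ALPHABET)
    ranked = [c for c, _ in counts.most_common()]
    ranked += [c for c in ALPHABET if c not in counts]
    return dict(zip(ranked, ENGLISH_ORDER))


def apply_guess(ciphertext: str, guess: dict) -> str:
    """Decrypt with a guessed mapping, leaving unknown characters alone."""
    return "".join(guess.get(c, c) for c in ciphertext)


def correct_letters(guess: dict, key: str = KEY) -> int:
    """Count how many of the 26 guessed letters match the real key."""
    true_map = {k: p for p, k in zip(ALPHABET, key)}
    return sum(1 for c, p in guess.items() if true_map[c] == p)


if __name__ == "__main__":
    ct = encrypt(PLAINTEXT)
    guess = frequency_guess(ct)
    print(ct[:60])
    print(apply_guess(ct, guess)[:60])
    print(correct_letters(guess), "of 26 letters right from frequency alone")
```

The frequency step is only the opening move: once e and t are placed, the repeated three-letter group that reads t?e gives h, and short words fall out one after another. That is also why the attack fails on very short ciphertexts, where the counts are too small to rank reliably.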
-
Basic Cryptanalysis,
U.S. Department of the Army
Field Manual FM 34-40-2,
13 September 1990,
is available here:
http://www.umich.edu/~umich/fm-34-40-2/
Beware: the files you get from there,
either the individual files or the tar
archive, all have 5 lines of HTML header
inserted before the actual PDF data!
It's no problem to fix this with the following
trick on UNIX/Linux/macOS (the first line of the
loop body skips files that already start with
the PDF header, and tail -n +6 is the portable
spelling of the old tail +6):
$ for F in *.pdf
> do
>   head -c 5 "$F" | grep -q '^%PDF-' && continue
>   tail -n +6 "$F" > tmp && mv -f tmp "$F"
> done
Afterwards, head -c 5 on each file should print
%PDF- and nothing else.
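The loop above trusts that the preamble is exactly 5 lines. As an added example (not from this page), here is the same fix done by locating the %PDF- magic instead, which copes with a header of any length and refuses to touch a file that is not a PDF at all. The five HTML lines and the tiny PDF they are glued onto are constructed for the example, and the 1024-byte search window assumes the Acrobat-style tolerance for junk ahead of the header.

```python
"""Added example, not from the page: strip a non-PDF preamble (such as
the HTML header lines described above) by finding the %PDF- magic,
rather than assuming the preamble is exactly 5 lines."""
from pathlib import Path

PDF_MAGIC = b"%PDF-"
# Assumption: Acrobat-style readers accept a header anywhere in the
# first 1024 bytes, so a preamble longer than that is not a wrapped PDF.
SEARCH_WINDOW = 1024


def find_pdf_offset(data: bytes) -> int:
    """Offset of the %PDF- header within the window, or -1 if absent."""
    return data.find(PDF_MAGIC, 0, SEARCH_WINDOW + len(PDF_MAGIC))


def strip_preamble(data: bytes) -> bytes:
    """Return data from the PDF header onward; refuse non-PDF input."""
    offset = find_pdf_offset(data)
    if offset < 0:
        raise ValueError("no %PDF- header in the first 1024 bytes")
    return data[offset:]


def fix_file(path) -> int:
    """Rewrite the file in place if it has a preamble; return bytes removed."""
    p = Path(path)
    data = p.read_bytes()
    clean = strip_preamble(data)
    removed = len(data) - len(clean)
    if removed:
        tmp = p.with_name(p.name + ".tmp")
        tmp.write_bytes(clean)
        tmp.replace(p)  # rename over the original, like the mv -f above
    return removed


# Constructed sample: five lines of HTML glued onto a minimal PDF.
HEADER = (b"<!DOCTYPE html>\n"
          b"<html>\n"
          b"<head>\n"
          b"<title>download</title>\n"
          b"</head>\n")
TINY_PDF = (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n"
            b"%%EOF\n")
WRAPPED = HEADER + TINY_PDF

if __name__ == "__main__":
    print("preamble bytes:", find_pdf_offset(WRAPPED))
    print("clean:", strip_preamble(WRAPPED) == TINY_PDF)
```

Searching for the magic rather than counting lines is the check worth keeping: a download that was truncated, or that is an HTML error page with no PDF behind it, raises instead of being silently mangled in place.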
-
Applied Cryptography: Protocols, Algorithms,
and Source Code in C,
Bruce Schneier, John Wiley and Sons, Inc.,
http://www.counterpane.com/.
Text for a graduate-level cryptography
course at Purdue, with detailed analysis
of cryptographic theory. There are also
practical calculations of expected time
to break various codes, given reasonable
hardware platforms.
-
Handbook of Applied Cryptography,
Alfred J. Menezes, Paul C. van Oorschot
and Scott A. Vanstone,
1996, CRC Press,
ISBN: 0-8493-8523-7.
More academic than Schneier's book.
US$ 80 from Amazon, or free if you want
to download and print the PDF files:
http://www.cacr.math.uwaterloo.ca/hac/
-
The Codebreakers,
David Kahn, 1996, Scribner,
ISBN 0-684-83130-9.
Enormous, and enormously expensive (get it
from the used/remaindered dealers on Amazon),
but the authoritative story.
-
The Code Book, Simon Singh, 1999,
Fourth Estate Ltd.,
ISBN 1-85702-889-9.
An excellent overview of cryptography, from
ancient history to cutting-edge research.
Has excellent descriptions of asymmetric
algorithms, Diffie-Hellman key exchange,
key management, etc.
-
Network Security with OpenSSL,
J. Viega et al,
O'Reilly, June 2002, ISBN 0-596-00270-X.
The OpenSSL package does provide what you need
for SSL/TLS connections between web servers
and clients.
But it also provides a very wide range of
command-line and C/C++ library functions for
cryptography — encryption, decryption,
and cryptographic hashes.
-
Practical Cryptography,
Niels Ferguson and Bruce Schneier, 2003,
John Wiley & Sons,
ISBN 047122894X.
Its greatest benefit is in convincing the
reader that, yes, this is extremely
difficult to get right: you have to be
obsessively careful with the entire system
design, and it is easy to make bold plans
up front that are then difficult to
carry through.
Don't write your own crypto code; use a good
open-source system that has been checked out
by many smart people.
Read this book if you aren't convinced yet.
-
PGP: Pretty Good Privacy,
Simson Garfinkel,
O'Reilly and Associates, ISBN 1-56592-098-8.
All the history and politics of Phil
Zimmermann's struggles to provide military-grade
cryptography to the common man. Plus how
to obtain, install, and use PGP.
For keeping up to date, follow some trade magazines
covering your operating system(s)
and your network's particular emphasis:
For the history, in addition to Kahn's
The Codebreakers:
-
World War II and before:
-
The American Black Chamber,
Herbert O. Yardley, 1931.
The classic work.
Tough to find these days, but worthwhile.
-
Seizing the Enigma: The Race to Break
the German U-Boat Codes 1939-1943,
David Kahn.
Strategic importance of anti-submarine
warfare in the Atlantic, and how the Allies
broke the German codes.
-
Enigma — The Battle for the Code,
Hugh Sebag-Montefiore.
Including naval operations to seize Axis
crypto gear and code books.
-
The Secret in Building 26,
Jim Debrosse and Colin Burke.
How Joe Desch led the project by NCR
(National Cash Register) in Dayton, Ohio to
build the hardware used to attack the Axis
crypto systems.
-
The Hut Six Story,
Gordon Welchman.
One of the first books to describe the work
done at Bletchley Park.
-
Cryptonomicon,
Neal Stephenson.
It's fiction, but with clear explanations
of various components of information security,
and references to actual cryptology of
1935-1945.
For "Electric Till Company"
read "National Cash Register",
and so on.
Alan Turing and other significant
figures appear as characters.
-
Post World War II:
-
The Puzzle Palace,
James Bamford, Houghton Mifflin.
Dated, with some obvious blunders, but it was
the best book on the NSA by virtue of being
about the only one.
-
Body of Secrets,
James Bamford.
After about 20 years, he updated and improved
his study of the NSA.
-
Deep Black, William E. Burrows, Berkley.
The sensor platforms.
See my information security page
for suggestions of INFOSEC sights for your
next vacation — the NSA museum,
Bletchley Park, etc.
Finally, the RFCs define the Internet protocols,
and many discuss security.
Find them at:
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
and
http://ds1.internic.net/rfc/
and
http://nic.ddn.mil/rfc/.