# Security

{{< snippet "old" >}}

## Information Security Portals & Resource Centers

### Portals

  - *[SecurityFocus](http://www.securityfocus.com/)*
  - The *[Razor](http://razor.bindview.com/)* Team
  - *[PacketStorm](http://www.packetstormsecurity.com/)*
  - *[SecuriTeam](http://www.securiteam.com/)*
  - *[The Shmoo Group](http://www.shmoo.com/)*
  - *[Ernst & Young Security News](http://www.esecurityonline.com/)*
  - *[Searchsecurity.techtarget.com](http://searchsecurity.techtarget.com/)*

### Resource Centers

  - *[SANS](http://www.sans.org/)* -- System Administration, Networking,
    and Security Institute
  - *[CERT](http://www.cert.org/)* -- The CMU Computer Emergency
    Response Team
  - *[FIRST](http://www.first.org/)* -- Forum of Incident Response and
    Security Teams
  - *[CERIAS](http://www.cerias.purdue.edu/)* -- Center for Education
    and Research in Information Assurance and Security (was COAST)
  - *[NIST - CSRC](http://csrc.ncsl.nist.gov/)* -- National Institute of
    Standards and Technology Computer Security Resource Clearinghouse
  - *[CISecurity](http://www.cisecurity.org/)* -- The Center for
    Internet Security

-----

## Information Security Links

### Trade Publications

  - *[Information Security Magazine](http://www.infosecuritymag.com/)*
  - *[SC Magazine](http://www.scmagazine.com/)*
  - *[Network Computing](http://www.networkcomputing.com/)* -- Not
    strictly about Information Security, but they usually have a few
    good security articles, and the rest of the magazine is good too.
  - *[MCP Magazine](http://www.mcpmag.com/)* -- Even less about
    security, since this is about Microsoft products and certification,
    but *[Roberta
    Bragg's](http://www.misti.com/northamerica.asp?disp=instruc&nav2=10&region=1)*
    columns are always interesting, though I don't always agree with her
    100%.

### Other Links

  - [JP's Information Security Tools](sec-tools.html)
  - *[Information Security Links from
    Intiss](http://www.intiss.com/islinks.html)*
  - *[ISC²](https://www.isc2.org/cgi-bin/index.cgi)*
    *[Security Links](http://www.intiss.com/intisslinks.html)*

-----

## Information Security Books

There are an awful lot of security books out there. This list covers
only books that I own and have read and found useful. Some may have
newer editions than are listed here, so look for those too. I highly
recommend all of them, but if you only read a few, read the first three.
Also, see the links above for various trade magazines and web sites.

Also, *[Information Security Magazine](http://www.InfoSecurityMag.com/)*
(for which I am a Technical Editor) has an excellent piece on starting a
career in Information Security called " *[Breaking into
InfoSec](http://www.infosecuritymag.com/articles/may01/features_career_advice.shtml)*."
It has many more references than below, including degree programs in
InfoSec, and books (some of which are on my list too).

### Introduction

  - *Secrets and Lies*, by Bruce Schneier, from Wiley \[ISBN
    0-471-25311-1\]. Excellent read -- accessible and very interesting.
    Mostly non-technical, from a business perspective. A must read for
    any executive or risk manager from a company that uses the Internet
    (and who doesn't). Also very valuable for technical people, to get
    more of a sense of the business side of things. Quite entertaining.
  - *Computer Security Basics*, Deborah Russell and G.T. Gangemi Sr,
    from O'Reilly \[ISBN 0-937175-71-4\]. One of the seminal
    introductory works on the subject, but there is a lot of material
    for the experienced InfoSec person as well.
  - *Hacking Exposed*, N'th Edition, by Joel Scambray, Stuart McClure
    and George Kurtz, from Osborne McGraw-Hill. A very interesting and
    scary read, this details innumerable exploits or hacks, and how to
    protect against them. A must for any system or network
    administrator. (Note: I have the 1st and 2nd editions, but who knows
    what edition it's up to now.)
  - *Building Internet Firewalls, Second Edition*, by Elizabeth D.
    Zwicky, Simon Cooper and D. Brent Chapman, from O'Reilly \[ISBN
    1-56592-871-7\]. The updated version of the classic and seminal
    work, and a must for any firewall administrator.
  - *The NCSA Guide to Enterprise Security: Protecting Information
    Assets*, by Michel E. Kabay, Ph.D. from McGraw-Hill \[ISBN
    0-07-033147-2\]. This one reads more like a text-book than the
    others above. It has a lot to offer, especially references to other
    literature and products, though they are getting quite dated.
  - *White Hat Security Arsenal: Tackling the Threats*, by Aviel D.
    Rubin, from Addison-Wesley \[ISBN 0201711141\]. This is different
    from most security books in that it tries to be more practical,
    presenting "case studies" and solutions to everyday needs. It's a
    good read.
  - *Know your Enemy*, by *[The HoneyNet
    Project](http://project.honeynet.org/)* \[ISBN 0-201-74613-1\] is a
    really cool book that talks about how the HoneyNet Project is
    researching hacking tools and techniques. See also the "*[Know Your
    Enemy](http://project.honeynet.org/papers/)*" white papers from
    Lance Spitzner and the *[Honeypots: Tracking
    Hackers](http://www.tracking-hackers.com/)* site.

### Intermediate

  - *Handbook of Information Security Management 1999*, edited by Micki
    Krause and Harold F. Tipton, from Auerbach \[0-8493-9974-2\]. This
    is a typical "handbook" with ten chapters very roughly following the
    ISC² ten CBK (Common Body of Knowledge) domains.
    Each chapter is written by a recognized expert in
    the field, so they all have a different style and perspective.
  - *Computer Security Handbook: Third Edition*, edited by Arthur E.
    Hutt, Seymour Bosworth and Douglas B. Hoyt, from Wiley \[ISBN
    0-471-11854-0\]. There is a 1997 supplement to my edition of this as
    well. This is a very dense and difficult read. I use it more for
    lookups and reference than cover-to-cover. There is a **lot** of
    material to be covered\!
  - *Essential Check Point Firewall-1(TM): An Installation,
    Configuration, and Troubleshooting Guide*, by Dameon D.
    Welch-Abernathy (AKA Phoneboy), from Addison-Wesley \[ISBN
    0201699508\]. There is also *Essential Check Point FireWall-1 NG* in
    the works, probably available in early 2004.
  - *Intrusion Detection*, by Rebecca (Becky) Gurley Bace from MacMillan
    Technical Press \[ISBN 1-57870-185-6\]. This book should be
    **required** reading for anyone who even thinks about Intrusion
    Detection Systems (IDS). I thought I knew quite a bit about IDS
    until I read this book.

### Advanced

  - *Securing Windows NT/2000 Servers for the Internet*, by Stefan
    Norberg, from O'Reilly \[ISBN 1-56592-768-0\]. Excellent book on
    hardening NT/2000. Does not cover details of IIS that much, but
    really focuses on the OS. Under 200 pages, very readable, and it
    assumes you already know quite a lot about InfoSec and Windows. Has
    the **best** description of the totally counter-intuitive way
    Windows "TCP/IP Security" works (and I use the last term loosely).
    Also has excellent info on why IIS is such an amazing security risk.
  - *Network Intrusion Detection: An Analyst's Handbook, N'th Edition*,
    by Stephen Northcutt and Judy Novak, from New Riders. A very dense
    and technical book, with really great material about decoding
    various network traces (a lot of focus on
    [tcpdump](sec-tools.html) and similar tools).

I suggest looking for these books on
*[Bookpool](http://www.bookpool.com/)*, as they have far cheaper prices
than *[Amazon](http://www.amazon.com/)* or *[Barnes and
Noble](http://www.bn.com/)*. *[Fatbrain](http://www.fatbrain.com/)* is
also good.

Finally, *[Sabernet](http://www.sabernet.net/)* has a large collection
of links for security *[books](http://www.sabernet.net/books/)*,
*[papers](http://www.sabernet.net/papers/)*,
*[links](http://www.sabernet.net/links/)* and
*[tools](http://www.sabernet.net/tools/)*, but I take no responsibility
for their quality.

-----

## Information Security Training

I have only attended CSI and ISC² classes. I hope to attend
some SANS and MISTI classes soon.

  - *[CSI](http://www.gocsi.com/)* -- The Computer Security Institute.
    Holds a yearly seminar and exposition, with various classes that
    "travel" around the country. Usually focused more on concepts, and
    less on specific products and/or technology.
  - *[SANS](http://www.sans.org/)* -- System Administration, Networking,
    and Security Institute. Holds a yearly seminar and exposition, with
    various classes that "travel" around the country. Focused more on
    specific products and/or technologies than CSI.
  - *[MISTI](http://www.misti.com/)* -- MIS Training Institute. A little
    of everything.
  - *[Information Security Magazine](http://www.infosecuritymag.com/)*,
    October 1, 2001, "*[Pay Your
    Dues](http://www.infosecuritymag.com/articles/october01/columns_curmudgeon.shtml)*."
  - *[The Honeynet Project](http://project.honeynet.org/)*, " *[How do I
    get started in the Security
    Field](http://project.honeynet.org/misc/faq.html#faq12)*?"
  - Also see the information below about ISC² and the CISSP
    certification.

-----

## What is a CISSP

A brochure I received from the International Information Systems
Security Certifications Consortium or
*[ISC²](https://www.isc2.org/cgi-bin/index.cgi)* defined
the CISSP (Certified Information Systems Security Professional)
designation as follows:

> "The CISSP certification is an independent and objective measurement
> of professional expertise and knowledge within the information
> security profession."

I would further add that it denotes an individual who has the following
qualifications:

1.  Has three or more years of direct professional experience in one or
    more areas of Information Security.
2.  Has read, understood and agreed to abide by the *[ISC²
    code of ethics](http://www.isc2.org/cgi/content.cgi?category=12)*.
3.  Has demonstrated a comprehensive understanding of the common body of
    knowledge of the Information Security field. This body of knowledge
    is divided into *[ten
    domains](http://www.isc2.org/cgi/content.cgi?category=8)* or areas,
    and understanding of the material is demonstrated by a rigorous
    *[test](http://www.isc2.org/cgi/exam_schedule.cgi)* administered
    once a quarter all over the world.
4.  Demonstrates a commitment to stay up-to-date in the field by earning
    120 *[Continuing Professional Education
    (CPE)](http://www.isc2.org/cgi/content.cgi?category=24)* credits
    every three years.
5.  Was one of a group of only 4,000 individuals world-wide by the end
    of 2000. (See below for details, but the number of CISSPs has
    skyrocketed since I wrote this.)

According to an e-mail message I received from James E. Duffy, CISSP
(ISC² VP) on 9/12/2000, "there are approximately 3000 CISSPs.
The number is up from just under 2000 at the end of 1999. Based on the
number of exams scheduled for the rest of the year, on 12/31/00 we will
be very close to the 4000 number. This will mark the 3rd consecutive
year that we have doubled our base." And according to *[SECURITY WIRE
DIGEST](http://www.infosecuritymag.com/digest_intro.shtml)*, *[VOL. 4,
NO.74,
OCTOBER 3, 2002](http://www.infosecuritymag.com/2002/oct/digest03.shtml)*,
"The ISC² Monday honored its 10,000th Certified Information Systems
Security Professional (CISSP)... According to ISC², the number of
CISSPs, one of the security industry's most coveted certifications, has
grown from 2,000 in 1999 and is expected to hit 15,000 by the end of the
year \[2002\]."

Formed in mid-1989, the International Information Systems Security
Certification Consortium or ISC² was established as a nonprofit
corporation to develop a certification program for information systems
security practitioners. There is a 10 day *review* class that helps you
understand what material will be covered on the exam. Note this is
simply an outline of the material to be covered -- it does not *teach*
the material\! It is well worth it, just for the discussions with the
other students and instructors. The class materials are also helpful.

Here is some other information as well:

  - *[The CISSP receives international
    standardization](http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci989901,00.html)*,
    "The security professional credential got a big boost today when it
    became part of ISO/IEC 17024."
  - *[Revisiting the security certification
    landscape](http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci762690,00.html)*
      - "Demonstrates knowledge of network and systems security
        principles, safeguards and practices. Of primary interest to
        full-time IT security professionals who work in internal
        security positions, or who consult with third parties on
        security matters. CISSPs are capable of analyzing security
        requirements, auditing security practices and procedures,
        designing and implementing security policies and managing and
        maintaining an ongoing and effective security infrastructure."
  - SC Magazine's take on the CISSP certification -- *[April 1998 Last
    word](http://www.scmagazine.com/scmagazine/1998_04/lastword/lastword.html)*.
  - *[Stephen
    Cobb's](http://informationsecurity.net/about/prof-cobb.htm)*
    definition of *[what a CISSP
    is](http://informationsecurity.net/articles/art-cissp.html)*.
  - *[ISC² "Article About The CISSP
    Certification".](http://www.isc2.org/cgi-bin/content.cgi?page=14)*

{{< snippet "old" >}}
