• Information Security Portals & Resource Centers
• Information Security Links
• Information Security Books
• Information Security Training
• What is a CISSP?

Information Security Portals & Resource Centers

Portals

• SecurityFocus
• The Razor Team
• PacketStorm
• SecuriTeam
• The Shmoo Group
• Ernst & Young Security News
• Searchsecurity.techtarget.com

Resource Centers

• SANS -- System Administration, Networking, and Security Institute
• CERT -- The CMU Computer Emergency Response Team
• FIRST -- Forum of Incident Response and Security Teams
• CERIAS -- Center for Education and Research in Information Assurance and Security (was COAST)
• NIST - CSRC -- National Institute of Standards and Technology Computer Security Resource Clearinghouse
• CISecurity -- The Center for Internet Security Security

Information Security Links

Trade Publications

• Information Security Magazine
• SC Magazine
• Network Computing -- Not strictly about Information Security, but they usually have a few good security articles, and the rest of the magazine is good too.
• MCP Magazine -- Even less about security, since this is about Microsoft products and certification, but Roberta Bragg's columns are always interesting, though I don't always agree with her 100%.

Other Links

• JP's Information Security Tools
• Information Security Links from Intiss
• (ISC)² Security Links

Information Security Books

There are an awful lot of security books out there. This list covers only books that I own and have read and found useful. Some may have newer editions than are listed here, so look for those too. I highly recommend all of them, but if you only read a few, read the first three. Also, see the links above for various trade magazines and web sites.

Also, Information Security Magazine (for which I am a Technical Editor) has an excellent piece on starting a career in Information Security called " Breaking into InfoSec." It has many more references than below, including degree programs in InfoSec, and books (some of which are on my list too).

Introduction

• Secrets and Lies, by Bruce Schneier, from Wiley [ISBN 0-471-25311-1]. Excellent read -- accessible and very interesting. Mostly non-technical, from a business perspective. A must read for any executive or risk manager from a company that uses the Internet (and who doesn't). Also very valuable for technical people, to get more of a sense of the business side of things. Quite entertaining.
• Computer Security Basics, Deborah Russell and G.T. Gangemi Sr, from O'Reilly [ISBN 0-937175-71-4]. One of the seminal introductory works on the subject, but there is a lot of material for the experienced InfoSec person as well.
• Hacking Exposed, N'th Edition, by Joel Scambray, Stuart McClure and George Kurtz, from Osborne McGraw-Hill. A very interesting and scary read, this details innumerable exploits or hacks, and how to protect against them. A must for any system or network administrator. (Note I have the 1st and 2nd editions, but who knows what it's up to now.)
• Building Internet Firewalls, Second Edition, by Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman, from O'Reilly [ISBN 1-56592-871-7]. The updated version of the classic and seminal work, and a must for any firewall administrator.
• The NCSA Guide to Enterprise Security: Protecting Information Assets, by Michel E. Kabay, Ph.D. from McGraw-Hill [ISBN 0-07-033147-2]. This one reads more like a text-book that the others above. It has a lot to offer, especially references to other literature and products, though they are getting quite dated.
• White Hat Security Arsenal: Tackling the Threats, by Aviel D. Rubin, from Addison-Wesley [ISBN 0201711141]. This is different than most security books in that it tries to be more practical, presenting "case studies" and solutions to every day needs. It's a good read.
• Know your Enemy, by The HoneyNet Project [ISBN 0-201-74613-1] is a really cool book that talks about how the HoneyNet Project is researching hacking tools and techniques. See also the "Know Your Enemy" white papers from Lance Spitzner and the Honeypots: Tracking Hackers site.

Intermediate

• Handbook of Information Security Management 1999, edited by Micki Krause and Harold F. Tipton, from Auerbach [0-8493-9974-2]. This is a typical "handbook" with ten chapters very roughly following the ISC² ten CBK (Common Body of Knowledge) domains. Each chapter is written by a recognized expert in the field, so they all have a different style and perspective.
• Computer Security Handbook: Third Edition, edited by Arthur E. Hutt, Seymour Bosworth and Douglas B. Hoyt, from Wiley [ISBN 0-471-11854-0]. There is a 1997 supplement to my edition of this as well. This is a very dense and difficult read. I use it more for lookups and reference than cover-to-cover. There is a lot of material to covered!
• Essential Check Point Firewall-1(TM): An Installation, Configuration, and Troubleshooting Guide, by Dameon D. Welch-Abernathy (AKA Phoneboy), from Addison-Wesley [ISBN 0201699508]. There is also Essential Check Point FireWall-1 NG in the works, probably available in early 2004.
• Intrusion Detection, by Rebecca (Becky) Gurley Bace from MacMillan Technical Press [ISBN 1-57870-185-6]. This book should be required reading for anyone who even thinks about Intrusion Detection Systems (IDS). I thought I knew quite a bit about IDS until I read this book.

Advanced

• Securing Windows NT/2000 Servers for the Internet, by Stefan Norberg, from O'Reilly [ISBN 1-56592-768-0]. Excellent book on hardening NT/2000. Does not cover details of IIS that much, but really focuses on the OS. Under 200 pages, very readable, and it assumes you already know quite a lot about InfoSec and Windows. Has the best description of the totally counter-intuitive way Windows "TCP/IP Security" works (and I use the last term loosely). Also has excellent info on why IIS is such an amazing security risk.
• Network Intrusion Detection: An Analyst's Handbook, N'th Edition, by Stephen Northcutt and Judy Novak, from New Riders. A very dense and technical book, with really great material about decoding various network traces (a lot of focus on tcpdump and similar tools).

I suggest looking for these books on Bookpool, as they have far cheaper prices than Amazon or Barnes and Nobel. Fatbrain is also good.

Finally, Sabernet has a large collection of links for security books, papers, links and tools, but I take no responsibility for their quality.

Information Security Training

I have only attended CSI and ISC² classes. I hope to attend some SANS and MISTI classes soon.

• CSI -- The Computer Security Institute. Holds a yearly seminar and exposition, with various classes that "travel" around the country. Usually focused more on concepts, and less on specific products and/or technology.
• SANS -- System Administration, Networking, and Security Institute. Holds a yearly seminar and exposition, with various classes that "travel" around the country. Focused more on specific products and/or technologies than CSI.
• MISTI -- MIS Training Institute. A little of everything.
• Information Security Magazine, October 1, 2001, "Pay Your Dues."
• The Honeynet Project, " How do I get started in the Security Field?"
• Also see below information about ISC² and the CISSP certification.

What is a CISSP

A brochure I received from the International Information Systems Security Certifications Consortium or (ISC)² defined the CISSP (Certified Information Systems Security Professional) designation as follows :

"The CISSP certification is an independent and objective measurement of professional expertise and knowledge within the information security profession."

I would further add that it denotes an individual who has the following qualifications:

1. Three or more years of direct professional experience in one or more areas of Information Security.
2. Has read, understood and agreed to abide by the ISC² code of ethics
3. Demonstrated a comprehensive understanding of the common body of knowledge of the Information Security field. This body of knowledge is divided into ten domains or areas, and understanding of the material is demonstrated by a rigorous test administered once a quarter all over the world.
4. Demonstrates a commitment to stay up-to-date in the field by earning 120 Continuing Professional Education (CPE) credits every three years.
5. Was one of a group of only 4,000 individuals world-wide by end of 2000. (See below for details, but the number of CISSPs has skyrocketed since I wrote this.)

According to an e-mail message I received from James E. Duffy, CISSP (ISC² VP) on 9/12/2000, "there are approximately 3000 CISSPs. The number is up from just under 2000 at the end of 1999. Based on the number of exams scheduled for the rest of the year, on 12/31/00 we will be very close to the 4000 number. This will mark the 3rd consecutive year that we have doubled our base." And according to SECURITY WIRE DIGEST, VOL. 4, NO.74, OCTOBER 3, 2002, "The (ISC)2 Monday honored its 10,000th Certified Information Systems Security Professional (CISSP)... According to (ISC)2, the number of CISSPs, one of the security industry's most coveted certifications, has grown from 2,000 in 1999 and is expected to hit 15,000 by the end of the year [2002]."

Formed in mid-1989, the International Information Systems Security Certification Consortium or (ISC)² was established as a nonprofit corporation to develop a certification program for information systems security practitioners. There is a 10 day review class that helps you understand what material will be covered on the exam. Note this is simply an outline of the material to be covered -- it does not teach the material! It is well worth it, just for the discussions with the other students and instructors. The class materials are also helpful.

Here is some other information as well:

• The CISSP receives international standardization, "The security professional credential got a big boost today when it became part of ISO/IEC 17024."
• Revisiting the security certification landscape
  • "Demonstrates knowledge of network and systems security principles, safeguards and practices. Of primary interest to full-time IT security professionals who work in internal security positions, or who consult with third parties on security matters. CISSPs are capable of analyzing security requirements, auditing security practices and procedures, designing and implementing security policies and managing and maintaining an ongoing and effective security infrastructure."
• SC Magazine's take on the CISSP certification -- April 1998 Last word.
• Stephen Cobb's definition of what a CISSP is.
• (ISC)² "Article About The CISSP Certification".