Security Reading

From MyWiki

Contents 1 General Papers and Articles 2 General Books 3 Email Lists 4 Tutorials 5 Important Web Sites 6 Web Applications 7 NIST Standards 8 Forensics 9 Historical

General Papers and Articles

• Wikipedia on Computer Security - a good place to start.
• Ross Anderson, How to Cheat at the Lottery Paper discussing issues of security design.
• Bruce Schneier, Cryptography: The Importance of Not Being Different - why not rolling your own security is a good thing.
• Security ROI, Bruce Schneier, September 2, 2008.

General Books

• Ross Anderson, Security Engineering - Good book on design and implementation.
  • Now available online
  • Second editor also available.
• Secrets & Lies by Bruce Schneier - Very good book which covers a majority of topics in security.
• Beyond Fear by Bruce Schneier - Covers five steps that should be taken when designing or evaluating security systems. Has many examples outside of computer security which can give interesting insights.
• Bruce Schneier, Applied Cryptography - While heavily oriented towards cryptography, has good basics on design and implementation.
• Handbook of Applied Cryptography - Online encyclopedic description of applied modern cryptography.

Email Lists

• Bruce Scheier publishes Crypto-Gram, a free monthly email letter that is worth reading.
• IEEE Cipher is another great monthly letter.

Tutorials

• Dartmouth' s Institute for Security Technology Studies: http://www.ists.dartmouth.edu/cybersecurity-classroom.php
• GIAC Secure Software Programmer (GSSP) Certification Exam: http://www.sans.org/gssp/
• UIUC's FERPA Tutorial: http://www.oar.uiuc.edu/staff/ferpa_tutorial/index.html
• Practical Aspects of Modern Cryptography, taught by Josh Benaloh, Brian LaMacchia, and John Manferdelli at the University of Washington. The page includes links to lecture notes and video of the classes.

Important Web Sites

• For security news, you should read SecurityFocus News. I suggest using an RSS reader to keep up2date.
• These sites provide good lists of security related conferences: Site 1 and Site 2

• Computer Forensics, Cybercrime and Steganography Resources. This site has everything forensics, book suggestions, tools, mail lists, links, papers, etc.
  • http://www.forensics.nl/

Web Applications

• Know your Enemy: Web Application Threats Using Honeypots to learn about HTTP-based attacks http://www.honeynet.org/papers/webapp/index.html

NIST Standards

• Guide to Secure Web Services: http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Forensics

• File System Forensic Analysis by Brian Carrier (author of The Sleuthkit)
  • http://www.digital-evidence.org/fsfa/
  • http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=pd_sim_b_title_1
• Windows Forensic Analysis by Harlan Carvey
  • http://www.amazon.com/Windows-Forensic-Analysis-Including-Toolkit/dp/159749156X
• Digital Investigation
  • http://www.sciencedirect.com available from an NCSA/UIUC IP address
  • Or you can proxy thru the UI Library Gateway http://www.library.uiuc.edu/proxy/

Historical

• A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973
• National Security Agency Releases History of Cold War Intelligence Activities, NSARCHIVE, November 14, 2008