October 26, 2006

Top 20 Books Every IT Security Professional Should Own (and READ!)

I recently was asked by some colleagues how an IT admin can get into infosec. It’s a tough question for 3 reasons: 1) Most administrators are not wired to be security professionals. The goal of admins is to provide services to users. The goal of infosec is to limit services to only authorized users. These goals often conflict. 2) Most admins specialize in a single technology; good security pros need to be fluent in a wide range of technologies. 3) Security requires a deep knowledge of computing and networking theory, which many admins lack. Modern operating systems provide a high level of abstraction from issues such as the proper format of TCP headers. I know some very skilled systems engineers who do not fully understand a 3-way handshake, nor do they need to. But for a security engineer, understanding this process, how to exploit it, and how to recognize when someone else is exploiting it is critical.

My best advice for those crazy enough to desire a career in infosec is always to start with the technology they already know, learn how it works at a low level and how to break it, and then learn how to protect it. After that, security is a non-stop learning process. The best security guys I know spend hours reading, surfing, and studying every night. Sleep is for the weak!

I compiled the list of books below as a representative sample of the books on my shelf that I reach for regularly. In my (never) humble opinion, every infosec professional should own (and read) each of these, or others in the same category. Originally, I intended this to be a Top 10 list, but I had too many books on my list. 20 is the shortest I could get it and still be representative.

  1. Business and Finance for IT People – First on the list is a non-technical business book. Security management is 100% about risk management. To succeed, you need to be able to talk to the CEO and CIO in their language. Give them reasonable solutions that calculate business risk and true return on investment (ROI) and you’ll go far.
  2. Technical Writing: Principles, Strategies & Readings – Surprise, the 2nd book is also non-technical. In security, communication is key. You must be able to convey technical subjects to both technical and non-technical audiences.
  3. Protect Your Windows Network – Occasionally, Microsoft produces good security products, such as this book. I’ve mentioned it before in previous articles. This book covers a broad range of security topics, and does it in an entertaining manner. For Windows admins, this should be your first security related book. For everyone else, it is still a fine place to start.
  4. Internetworking Technologies Handbook – The original Cisco networking bible is still the best. This is a great starting reference for networking theory.
  5. DNS on Windows Server 2003 – Break DNS and you break everything. Understanding DNS and how to protect it is vital. If you have a Windows domain (and these days, who doesn’t?), you have Windows DNS. This book is also a good general DNS reference, and is much more readable than O’Reilly’s DNS and BIND.
  6. Gray Hat Hacking: The Ethical Hacker’s Handbook – “Hacking” is the thing most non-security guys think of when considering a change to infosec. It seems exciting and cool, and let’s face it: it is! If you want a career in security, rather than a stint in prison, then ethical hacking is the way to go. This book explains the difference and teaches you how to start playing security offense.
  7. Google Hacking – Google knows more about your company than you do. The bad guys already know this and are using it against you while you read this. This book will teach you how to find out what Google knows.
  8. Unix in a Nutshell – This book covers Linux, Solaris and BSD. It’s a great resource for ‘nix info.
  9. Windows Security Resource Kit – Like I said before, Microsoft occasionally produces good security products. This book is a checklist for how to improve your server and domain security.
  10. Auditing & Security: AS/400, NT, UNIX & Disaster Recovery – Like it or not, homogenous networks are rare these days. That big black box in the corner is not going away anytime soon, and chances are it contains some of your company’s most valuable information. Buy this book for the AS/400 (iSeries) reference and learn to embrace the dark side.
  11. Windows 2000 Commands Pocket Reference – Who says Windows can’t be managed from a command line? I have long maintained that most problems in Windows can be solved with a 3-line script. There are more complete Windows scripting books but none that will fit in your back pocket. I use this book almost daily. The upcoming release of MONAD will replace many of these commands with a new language. Hopefully, O’Reilly will put out a new pocket reference soon. Until then, this handy little book is priceless.
  12. Sarbanes-Oxley Guide for Finance & IT Professionals – If you work for a public company, SOX is a fact of life. Compliance is a huge problem for most companies and security managers must be well versed in the SOX obligations.
  13. Writing Information Security Policies – Policy writing is another less-than-glamorous task for infosec pros. This book provides you sample language and the reasoning behind it.
  14. Cisco Wireless LAN Security – If you have a wireless LAN, you’ve got a security problem. Learn why and what to do about it. Although this is a Cisco Press book, it covers general 802.11 theory including new standards such as EAP, 802.1x & NAC.
  15. UML: A Beginner’s Guide – Companies that do in-house development should include the security team in their Software Development Life Cycle (SDLC). Although you don’t need to learn every language they use, you should understand their processes and documentation. Many developers (especially those using Agile or Extreme programming techniques) use UML to document their code designs. UML is good for documenting use cases and process flows.
  16. Nessus Network Auditing – Nessus is a great tool for performing vulnerability assessments, and it’s free! There are a lot of good books on Nessus, but this is by far the best.
  17. Penetration Tester’s Open Source Toolkit – This book covers a lot of different tools, but you should buy it for the chapters on Metasploit.
  18. Incident Response and Computer Forensics – Eventually, you will have a system compromised. Planning in advance will help you minimize the damage. This will help you devise a response strategy and give you the tools necessary to determine what happened.
  19. CISSP Certification Passport – If you’ve read the 1st 18 books on this list, you are ready to prove it. The CISSP is the gold standard for IT security management. Certification should never replace experience, but for skilled practitioners, a couple of certs will show your dedication to your craft. CISSPs are in heavy demand, so you’ll likely earn more with it than without it. If you know your stuff, this book is a quick study guide that will prepare you for the test.
  20. Security Warrior – If Gray Hat Hacking (above) is the introduction to playing offense, this book is the Masters program. This is a great read, but it is not for beginners. Of the books on this list, buy it last.

For those trying to break into infosec, this list should give you guidance for the breadth of knowledge you must attain to succeed. Buying these books isn’t cheap. On Amazon, this list will cost you close to $800, but the investment is well worth it. Most of the information in these books is available for free on the Internet, but nothing replaces a full bookshelf. Curl up with one of these books every night and you’ll be on your way to becoming an infosec superstar. If you think I missed any books that have been critical to your success, drop me a comment. I’m always looking for something new to read. Thanks for stopping by.



1 Comment »

  1. Jyrki Arpiainen said,

    May 13, 2012 @ 2:30 am

    I would add Brian Komar’s PKI book to the list.


    Especially as there were few books that were not directly related to security in this list, like that w2k command line book or those business books.
    Surely cmd and run commands are useful, I use them all the time, but there are LOTS of good security books out there that deserve to be on the list too.
