Reference books for the CISSP CBK domains

(maintained by Rob Slade)

Probably the best way to ensure you pass the CISSP exam is to take the CBK review course offered by (ISC)2. But, as I frequently point out to students, the CBK review is an excellent way to determine areas that you may be weak in. You may wish to obtain specific help in certain subjects.

You can pass the exam by reading books. I did. Mind you, I read 300 of them. (And I've read a lot more since.) Some were good, and a lot weren't. If you want to look through the whole pack, the top level menu for the security book reviews is posted at Websites hosted by Victoria TelecommunityNet (VTN). (For those to whom this list comes via email, specific reviews may be viewed by prepending the URL to the filenames given for specific books.) This "by domain" page is maintained at VTN.

For those who are taking, or have taken, the CBK seminar, do not panic at the size of this list. It is not intended to say that you need to read all of these books. This list is provided as a reference, and it is divided by the CBK domains so that you can get help with specific topics where you feel you need more information. The books are linked back to detailed reviews: it is intended that you can quickly find a domain you need help with, and then can quickly go through the reviews in order to find the book that will give you the help with your specific need for information.

I should also point out that these are the books that I recommend. There are lots more titles on most of these topics. If you want to get a more complete picture (or if you want to find out why I don't advise reading some of the others) you can check out the various topical menus under the main security menu or the full index of all reviews.

(For those who are allergic to paper, I have finally gotten around to compiling a list of Web resources. I make no warranty, express or implied, about the sites on this list. Some I use frequently. Some I use occasionally. Some I may have found interesting once. Some I may have bookmarked by mistake. Some don't exist any more. Surf at your own risk.)

First off, some general resources.

There are some guides that are written with the intent of helping you pass the exam, addressing all the domains. They are listed on a separate page at VTN or NIU.

In terms of general textbooks for the CBK review course and the CISSP exam, the best is probably the:

"Information Security Management Handbook", Harold F. Tipton/Micki Krause
referred to hereinafter as ISMH. This work has come out in different versions over the years. If your company or library has old versions, they are still worth studying, although you should look for more current versions as well. The handbook is a collection of papers in various aspects of security. Each volume of the book is structured by the CBK domains, so you can look to the table of contents and find out what particular issues are addressed for the domain you are interested in. The specific topics, papers, and authors may change with each edition. Possibly the most useful, for the current exam, is the third (1998) edition, which is actually fully available online at the CISSP Open Study Guides Web Site, and possibly also at the Network Security Library (which has other worthwhile references as well). The current version is the fourth edition, which may be referred to by various dates, since the four existing volumes (with a fifth due out late in 2003) were published in different years.

An absolutely excellent text, now in second edition, is:

"Security Engineering", Ross Anderson
particularly in regard to security architecture and models. But it also covers a lot of material that can help you in crypto, access control, database security, law, privacy, and a number of other areas. The writing is quite formal, but it is done well. This isn't exactly a fun read, but it will definitely reward your effort.

And now, you can read (and even download) the first edition online.

Joy of joys, you can now get the

"Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John Berti/Chris Hare
OK, it's not perfect. In fact, the writing is pretty ragged at times. But it is the best coverage that is out there, and probably a good bet for a general security textbook or reference, too.

It has frequently been noted that a security dictionary or glossary would be extremely helpful to CBK students or candidates for the CISSP exam. So I wrote one:

"Dictionary of Information Security", Robert Slade
There is also an errata page at VTN.

"Information Security: Principles and Practice", Mark Stamp
this book is not complete, but what it does deal with is very good. It is particularly helpful with crypto.

"Computer Security: Principles and Practice", William Stallings/Lawrie Brown
is an excellent text in terms of security principles. In regard to practice, it is somewhat academic in both tone and approach.

I should also note a very frequently cited resource, the excellent CISSP and SSCP Open Study Guide. This site is particularly useful for its set of "example" exam questions. Many people want to have a try at a set of questions before they sit the actual CISSP exam, and understandably so. The exam sets in the various CISSP guides (and the set that you have to buy, from Boson) are generally too simple to give you a real feeling for the exam. The questions at "C-C-Cure," as it is called, are much closer to the real thing. (I do have to note that a very large number of questions added recently, and referring only to CISSP preparation guides, are of much lower standard than those done previously. It has gotten to the point where one does start to question the value of the practice question set, polluted as it is by these low-quality additions.)

And now, on to the domains.

Security Management Practices

ISMH is one of the major texts, particularly the online (1998) version.

"Fighting Computer Crime", Donn B. Parker
may not always be completely reliable, but it is an interesting alternative voice in the field. It's probably important to have the contrarian view. (I often say that if you come across a great quote in the security field it is probably from Gene Spafford or Bruce Schneier. If you come across an outrageous quote, it is probably from Donn Parker or Winn Schwartau.)

Speaking of Schneier, then, one has to examine

"Beyond Fear", Bruce Schneier
which has a really good explanation of the actual process of security: what is essential, and what is window dressing. Hopefully all candidates for the CISSP will understand these concepts, but this is an excellent work to have on hand to explain things to your bosses, or co-workers. You can read it for security management or for bedtime reading, but read it.

An interesting, and practical, work is

"Effective Security Management", Charles A. Sennewald
although it is written from a purely physical security perspective.

"Information Security and Employee Behaviour", Angus McIlwraith
Security awareness training is a major component of security management, and McIlwraith has a number of useful and important things to say in that regard.

"The Security Risk Assessment Handbook", Douglas J. Landoll
is a very useful and practical guide, and has lots of good guidance and information, but is also rather inconsistent and spotty in places. Use it, but maybe check out some of the information he presents.

A number of very useful papers, most related to security management in some form or other, are available in the NIST Special Publications at the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology. The 800 series papers have a number of interesting documents, including a "Risk Management Guide for Information Technology Systems," and the "Security Self-Assessment Guide for Information Technology Systems," which is handy for audit and "control objectives" outlines. You may have to translate from governmentese to corporatese, but the concepts are there.

A very demanding book, but a useful guide if you stick with it is:

"Governance Guidebook", Fred Cohen
This is not a security text as you usually think of it, but a kind of workbook to go through, slowly, again and again, reviewing what you are doing with security. For those without a lot of background in security, and the management of security, it may be too hard as a study guide for the exam.

Policy creation is an important topic. The "classic" in the field is:

"Information Security Policies Made Easy", Charles Cresson-Wood
although it tends to be used as a "cut and paste" tool which is not appropriate in many cases. A more recent, and more general, guide is:

"Writing Information Security Policies", Scott Barman
and it tends to be more helpful for actually going through the process of policy creation.

A big part of the security management domain is risk management. A resource that probably belongs more in the "Bedtime Reading" section than the materials for studying for the exam is the RISKS-Forum Digest. Moderated by Peter G. Neumann (aka "PGN"), RISKS (or RISKS-L, as it is known to the old time crowd) is not only an exemplar of how moderated mailing lists should be run, but is a prime resource for all topics related to security. Probably the easiest way to get at it is via the Usenet newsgroup comp.risks which should also be accessible via the Usenet connection and archives at Yahoo and Google. You can also, of course, subscribe to the mailing list once you get instructions from any issue, and there is an archive of back issues, and now an Illustrative Risks compendium.

"Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance", John S. Quarterman
This is an unusual look at risk management, but probably the more valuable for it. Also has implications for the telecom domain.

"Liars and Outliers: Enabling the Trust that Society Needs to Thrive", Bruce Schneier
may more properly belong in the bedtime reading section, but it does have some useful models in terms of assessing security controls: which ones are useful, which counterproductive, and which too expensive.

It may seem odd, but I would also like to include:

"The Human Equation", Jeffrey Pfeffer
proof that attending to your people is the road to success, a business classic. In terms of security it has some counterintuitive things to say, that a lot of people probably need to hear.

"Computer Ethics", Deborah Johnson
the basic work in the field, thorough coverage and good discussion starter.

"Ethics and Technology", Herman T. Tavani
is somewhat more academic, but still practical, providing more of a background to the study of ethics.

"Better Ethics Now", Christopher Bauer
is a fairly simple (possibly even simplistic) examination of the topic, but would probably be very useful for training and security/ethics awareness programs.

"Internet and Computer Ethics for Kids", Winn Schwartau
not perfect, but probably good and useful, and certainly needed.

Security Architecture and Models

ISMH, again. And this time I think I have to say that the online version is *better* than the current one. "Security Engineering" will definitely help you in this domain.

There is currently lots of interest in, and no lack of confusion about, the Common Criteria. There is an official web page, which does have documentation. A version of the full CC is available at NIST.

Also, possibly oddly:

"Practical UNIX and Internet Security", Simson Garfinkel/Gene Spafford
still practical and reliable, and now a classic. UNIX (operations) and net stuff is there, but it also does very well in presenting a model and comprehensive architecture, even for non-UNIX systems.

The same applies to the more brief

"Linux Security Cookbook", Daniel J. Barrett/Richard E. Silverman/Robert G. Byrnes.

Access Control

ISMH, "Security Engineering," and "Practical UNIX" again.

"Authentication: From Passwords to Public Keys", Richard E. Smith
is slightly unfocussed, but a good overview of the topic.

Applications and Systems Development

ISMH and the Software Engineering Body Of Knowledge (SWEBOK). There is also a good chapter in Barman's "Writing Information Security Policies." "Security Engineering" really applies to any kind of systems design work.

A great resource is:

"Software Engineering", Ian Sommerville
a textbook for a systems development course, but very clear and readable, and with lots of good, detailed information.

More directly, there is:

"Software Security: Building Security In", Gary McGraw
useful, and practical, advice on steps to take in the development process.

"How to Break Web Software", Mike Andrews/James A. Whittaker
specialized to the Web, but notes a variety of known, but not well understood, attacks.

"Java Security", Scott Oaks
rather specialized, but some good material.

"High Integrity Software", John Barnes
again, specialized, in that it only deals with the SPARK language. However, it also gives some practical examples of the formal methods discussed in security architecture.

"Applied Software Project Management", Andrew Stellman/Jennifer Greene
is very practical and useful, since much of application development security involves project management issues.

Viruses come under the App Dev domain. The two texts listed on the (ISC)2 reference page happen to be:

"Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker

"Robert Slade's Guide to Computer Viruses", Robert Slade
However, I feel it only fair to say that I found some of the virus related questions on the exam to be a bit odd.

"AVIEN Malware Defense Guide for the Enterprise", David Harley et al
excellent overview of the current threat environment.

There are more titles in the programming and viruses topics.

"Geekonomics: The Real Cost of Insecure Software", David Rice
Maybe I should have put this in the "Bedtime Reading" section, since it doesn't deal with the technology, but it seems so important in terms of the drivers of lousy software that I felt it needed a higher priority.

Operations Security

ISMH and "Practical UNIX." Maybe also:

"Computer Security Basics," by Russell and Gangemi, has been "updated" by Lehtinen, and can no longer be recommended.

"Computer Security for the Home and Small Office", Thomas C. Greene
may be considered odd, since it is addressed to the home user, but it contains a wealth of Windows configuration information that many system administrators do not know, and should.

"Corporate Espionage", Ira Winkler
not quite specialist material, but a good, readable guide.

While not directly related, some of the titles under the platforms menus might be useful.

Physical Security

As previously noted, there is Security magazine.

"Effective Physical Security", Lawrence J. Fennelly
Excellent review of everything except fire protection and personnel safety.

"Security", Neil Cumming
good information on evaluating equipment.

"Security, ID Systems and Locks", Joel Konicek/Karen Little
easy and fun read that covers electronic access systems and a lot more. Keep it around to hand to managers when they need to know about physical security, or loan it to your physical security colleagues.

A number of excellent resources for physical security (and also for investigations) are available in the free, downloadable publications from the RCMP Technical Security Branch.

I'm glad that I can finally present a decent fire protection work:

"Fire Suppression and Detection Systems", John L. Bryan

Cryptography

"Applied Cryptography", Schneier
excellent and thorough text, intro or reference for professional or serious hobbyist. And *I* say it's readable, too, as is pretty much anything Schneier writes. (I find the simpler texts do not have sufficient depth in one area or another.)

"Decrypted Secrets", F. L. Bauer
good general coverage, and I suspect that this is where all the (unnecessary) history of crypto stuff comes from.

One general cryptography textbook, "The Handbook of Applied Cryptography," by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, is available online (with another copy here), but it is heavily into mathematics, with very little in the way of general explanations.

"Information Security: Principles and Practice", Mark Stamp

Most of the "easy" books on cryptography are so simplistic that they will actually get you into trouble on a number of exam questions. Two, however, provide almost enough to get you through:

"Internet Cryptography", Richard E. Smith

"Cryptography Decrypted", H. X. Mel/Doris Baker

Other references are:

"Cryptography and Network Security", William Stallings
able reference and tutorial, also:

"Network and Internetwork Security", William Stallings
another classic from Stallings, primarily on encryption.

"SSL and TLS: Theory and Practice", Rolf Oppliger
SSL is a bit specialized, but it is widely used and important. More significantly, however, Oppliger's work is exemplary in both explaining the technology, and dealing with the practicalities and implementations. (In fact, I'm not sure whether this should be here or in telecom, but that is next, anyway.)

"Cryptanalysis", Helen Fouche Gaines
was written in 1939, so it will NOT help you through the exam, but it's an intriguing look at the various ciphers developed over the years, and the great ways people have created to break them.

Telecommunications and Networking

This domain is a bit odd, because you are expected to know a fair bit about communications technology as well as the security aspects, so you'll need to cover a wider range.

"Practical UNIX and Internet" is helpful, plus "Security Engineering" in places, Stallings, again, plus:

"Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner
the communications security text.

A quick, but detailed, overview of TCP/IP operations is provided by the TCP/IP Fundamentals tutorial.

"The TCP/IP Guide", Charles M. Kozierok
excellent guide, and eminently readable.

"Internetworking with TCP/IP", Comer/Stevens
good overview, also good basic network communications concepts.

"TCP/IP Illustrated, Volume 1", Stevens
great text for the protocols of TCP/IP ("illustrated" by examples from a real network).

"VPNs: A Beginner's Guide", John Mairs
is, oddly, not very good on VPNs, but is quite nice at presenting the basics of TCP/IP and the security problems in the stack.

A book that really is good at explaining VPNs is

"Building Linux Virtual Private Networks (VPNs)", Oleg Kolesnikov/Brian Hatch

"Computer Networks, Fourth Edition", Andrew S. Tanenbaum
most up to date of the classic texts, good awareness of security.

"Data and Computer Communications, 8th ed.", William Stallings
another of the classic texts, fairly demanding.

"Web Security and Commerce", Simson Garfinkel/Gene Spafford
recently updated to

"Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford
specialized but valuable.

"Web Security Sourcebook", Aviel D. Rubin/Daniel Geer/Marcus J. Ranum
another good one.

"Intrusion Detection", Rebecca Gurley Bace

"Intrusion Detection", Edward G. Amoroso
same title, different approaches, both great.

Telecom and networking is a huge field, and there are many more titles, under a variety of subtopics, in both the communications and Internet menus.

Business Continuity Planning/DRP

ISMH, again. Also a bit in van Wyk/Forno. Some good reminders in RISKS.

It ends weaker than it starts, but the best that I've found so far is:

"Disaster Recovery Planning", Jon Toigo

Other titles are listed in the BCP and DRP menu.

Law and Investigation

I'm really kind of disappointed in this domain, overall. However, I know it is a difficult one.

"Internet and Online Privacy", Andrew Frackman/Rebecca C. Martin/Claudia Ray
is a recent breath of fresh air, albeit in a limited area. The book is short and easily readable, and, while it is still US-centric, it does concentrate on analysis based on legal principles that may be more broadly applicable.

"Cyberlaw: National and International Perspectives", Roy J. Girasa
is a very comprehensive review of US, and some international, law related to computers, and particularly the Internet. However, it is definitely written for law students, and can be extremely frustrating for people without a legal background.

"Borders in Cyberspace", Brian Kahin/Charles Nesson
has an excellent collection of essays on law and/in the net.

"Cyberspace and the Law", Edward A. Cavazos/Gavino Morin
does net law for the common person.

"Personal Medical Information", Ross Anderson
uneven quality in this collection of papers on medical ethics, but good range. I include it only because of the strong interest in health info in the US.

"Protect Your Digital Privacy", Glee Harrah Cady/Pat McGregor
is written by a couple of mothers, so it has some weak areas and rough spots, but, oddly, they do as good a job as the professionals in many areas, and sometimes better.

In the area of forensics, an excellent overall introduction is

"Scene of the Cybercrime: Computer Forensics Handbook", Debra Littlejohn Shinder

"Computer Forensics", Warren G. Kruse II/Jay G. Heiser
concentrates on data recovery and chain of evidence, but is not bad in those areas.

"Computer Forensics and Privacy", Michael A. Caloyannides
has better technical information on data recovery, but it flips between looking at recovering data, and avoiding data recovery.

"Computer and Intrusion Forensics", George Mohay et al
is probably the best overview so far, including some network forensics and touching on software forensics, but it lacks technical depth at times.

"Challenges to Digital Forensic Evidence", Fred Cohen
There are a number of works that address specifics of file systems and storage devices: this isn't one of them. A few texts even address some aspects of the investigative process and management: Cohen addresses some of those issues. However, I have not seen any other guides that will tell you, clearly and plainly, how to avoid the most common failings of technical experts trying to provide evidence in a decidedly non-technical legal system.

"Software Forensics", Robert M. Slade
is the finest available book dedicated to the topic (since it's the only available book dedicated to the topic).

"Incident Response", Kenneth R. van Wyk/Richard Forno
is a reasonable start on the topic, but unfortunately lacking in detail. I'd hoped for better from Ken, but it has some good points.

There are many more books listed in the pages on ethics and law, privacy, and investigation.

Bedtime Reading

Not necessarily technical, and so they don't fit into the domains, but well worth reading, are:

"Secrets and Lies: Digital Security in a Networked World", Bruce Schneier
excellent introduction to security, and more. Schneier is a good writer, and always worth reading: if you find a really good security quote it tends to be from either Bruce or from Gene Spafford. Another source of material from Schneier is the monthly Crypto-Gram newsletter. The site linked to here provides information about subscriptions as well as an archive of back issues.

"The Transparent Society", David Brin
an intriguing counter-take on privacy. Exercise your mind.

"Information Warfare and Security", Dorothy Denning
doesn't really fit a domain, but good. And similarly:

"Internet Besieged: Countering Cyberspace Scofflaws", Dorothy E. Denning/Peter J. Denning

Some people would think that

"Know Your Enemy", Honeynet Project
belongs in telecom, but it doesn't really give you a lot of information about network attacks. It is, however, a really interesting read about the blackhat community, and what the project is finding out about them.

"Frauds, Spies, and Lies", Fred Cohen
an unusual book, but the normal security texts have not been that successful at dealing with this particular topic.

"The Codebreakers", David Kahn
you won't find anything about crypto here that you'll need for the exam, but this is a terrific overview of the history of crypto up until the mid-twentieth century. It also points out (in example after example) some basic truths of crypto, like don't keep using the same key forever ...
