You can pass the exam by reading books. I did. Mind you, I read 300 of them. (And I've read a lot more since.) Some were good, and a lot weren't. If you want to look through the whole pack, the top level menu for the security book reviews is posted at Websites hosted by Victoria TelecommunityNet (VTN). (For those to whom this list comes via email, specific reviews may be viewed by prepending the URL http://victoria.tc.ca/techrev/ to the filenames given for specific books.) This "by domain" page is maintained at VTN.
For those who are taking, or have taken, the CBK seminar, do not panic at the size of this list. It is not intended to say that you need to read all of these books. This list is provided as a reference, and it is divided by the CBK domains so that you can get help with specific topics where you feel you need more information. The books are linked back to detailed reviews: it is intended that you can quickly find a domain you need help with, and then can quickly go through the reviews in order to find the book that will give you the help with your specific need for information.
I should also point out that these are the books that I recommend. There are lots more titles on most of these topics. If you want to get a more complete picture (or if you want to find out why I don't advise reading some of the others) you can check out the various topical menus under the main security menu or the full index of all reviews.
(For those who are allergic to paper, I have finally gotten around to compiling a list of Web resources. I make no warranty, express or implied, about the sites on this list. Some I use frequently. Some I use occasionally. Some I may have found interesting once. Some I may have bookmarked by mistake. Some don't exist any more. Surf at your own risk.)
First off, some general resources.
There are some guides that are written with the intent of helping you pass the exam, addressing all the domains. They are listed on a separate page at VTN or NIU.
In terms of general textbooks for the CBK review course and the CISSP exam, the best is probably the:
"Information Security Management
Handbook", Harold F. Tipton/Micki Krause
referred to hereinafter as ISMH. This work has come out in different
versions over the years. If your company or library has old versions,
they are still worth studying, although you should look for more
current versions as well. The handbook is a collection of papers in
various aspects of security. Each volume of the book is structured by
the CBK domains, so you can look to the table of contents and find out
what particular issues are addressed for the domain you are interested
in. The specific topics, papers, and authors may change with each
edition. Possibly the most useful, for the current exam, is the third
(1998) edition, which is actually fully available online at the
CISSP Open
Study Guides Web Site, and possibly also at the
Network
Security Library (which has other worthwhile references as well).
The current version is the fourth edition, which may be referred to by
various dates, since the four existing volumes (with a fifth due out
late in 2003) were published in different years.
An absolutely excellent text, now in second edition, is:
"Security Engineering", Ross Anderson
particularly in regard to security architecture and models. But it
also covers a lot of material that can help you in crypto, access
control, database security, law, privacy, and a number of other areas.
The writing is quite formal, but it is done well. This isn't exactly
a fun read, but it will definitely reward your effort.
And now, you can read (and even download) the first edition online.
Joy of joys, you can now get the
"Official (ISC)^2 Guide to the CISSP
Exam", Susan Hansche/John Berti/Chris Hare
OK, it's not perfect. In fact, the writing is pretty ragged at times.
But it is the best coverage that is out there, and probably a good bet
for a general security textbook or reference, too.
It has frequently been noted that a security dictionary or glossary would be extremely helpful to CBK students or candidates for the CISSP exam. So I wrote one:
"Dictionary of Information Security",
Robert Slade
There is also an errata page at
VTN.
"Information Security: Principles and
Practice", Mark Stamp
this book is not complete, but what it does deal with is very good.
It is particularly helpful with crypto.
"Computer Security: Principles and
Practice", William Stallings/Lawrie Brown
is an excellent text in terms of security principles. In regard to
practice, it is somewhat academic in both tone and approach.
I should also note a very frequently cited resource, the excellent CISSP and SSCP Open Study Guide. This site is particularly useful for its set of "example" exam questions. Many people want to have a try at a set of questions before they sit the actual CISSP exam, and understandably so. The exam sets in the various CISSP guides (and the set that you have to buy, from Boson) are generally too simple to give you a real feeling for the exam. The questions at "C-C-Cure," as it is called (the URL is www.cccure.org), are much closer to the real thing. (I do have to note that a very large number of questions added recently, and referring only to CISSP preparation guides, are of much lower standard than those done previously. It has gotten to the point where one does start to question the value of the practice question set, polluted as it is by these low-quality additions.)
And now, on to the domains.
For the security management domain, ISMH is one of the major texts, particularly the online (1998) version.
"Fighting Computer Crime", Donn B.
Parker
may not always be completely reliable, but an interesting alternative
voice in the field. It's probably important to have the contrarian
view. (I often say that if you come across a great quote in the
security field it is probably from Gene Spafford or Bruce Schneier.
If you come across an outrageous quote, it is probably from
Donn Parker or Winn Schwartau.)
Speaking of Schneier, then, one has to examine
"Beyond Fear", Bruce Schneier
which has a really good explanation of the actual process of security:
what is essential, and what is window dressing. Hopefully all
candidates for the CISSP will understand these concepts, but this is
an excellent work to have on hand to explain things to your bosses, or
co-workers. You can read it for security management or for bedtime
reading, but read it.
An interesting, and practical, work is
"Effective Security Management",
Charles A. Sennewald
although it is written from a purely physical security perspective.
"Information Security and Employee
Behaviour", Angus McIlwraith
Security awareness training is a major component of security
management, and McIlwraith has a number of useful and important things
to say in that regard.
"The Security Risk Assessment
Handbook", Douglas J. Landoll
is a very useful and practical guide, and has lots of good guidance
and information, but is also rather inconsistent and spotty in places.
Use it, but verify some of the information he presents against other sources.
A number of very useful papers, most related to security management in some form or other, are available in the NIST Special Publications at the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology. The 800 series papers have a number of interesting documents, including a "Risk Management Guide for Information Technology Systems," and the "Security Self-Assessment Guide for Information Technology Systems," which is handy for audit and "control objectives" outlines. You may have to translate from governmentese to corporatese, but the concepts are there.
A very demanding book, but a useful guide if you stick with it is:
"Governance Guidebook", Fred Cohen
This is not a security text as you usually think of it, but a kind of
workbook to go through, slowly, again and again, reviewing what you
are doing with security. For those without a lot of background in
security, and the management of security, it may be too hard as a
study guide for the exam.
Policy creation is an important topic. The "classic" in the field is:
"Information Security Policies Made
Easy", Charles Cresson Wood
although it tends to be used as a "cut and paste" tool which is not
appropriate in many cases. A more recent, and more general, guide is:
"Writing Information Security
Policies", Scott Barman
and it tends to be more helpful for actually going through the process
of policy creation.
A big part of the security management domain is risk management. A resource that probably belongs more in the "Bedtime Reading" section than the materials for studying for the exam is the RISKS-Forum Digest. Moderated by Peter G. Neumann (aka "PGN"), RISKS (or RISKS-L, as it is known to the old time crowd) is not only an exemplar of how moderated mailing lists should be run, but is a prime resource for all topics related to security. Probably the easiest way to get at it is via the Usenet newsgroup comp.risks which should also be accessible via the Usenet connection and archives at Yahoo and Google. You can also, of course, subscribe to the mailing list once you get instructions from any issue, and there is an archive of back issues, and now an Illustrative Risks compendium.
"Risk Management Solutions for Sarbanes-
Oxley Section 404 IT Compliance", John S.
Quarterman
This is an unusual look at risk management, but probably the more
valuable for it. Also has implications for the telecom domain.
"Liars and Outliers: Enabling the Trust that
Society Needs to Thrive", Bruce Schneier
may more properly belong in the bedtime reading section, but it does
have some useful models in terms of assessing security controls: which
ones are useful, which counterproductive, and which too expensive.
It may seem odd, but I would also like to include:
"The Human Equation", Jeffrey Pfeffer
proof that attending to your people is the road to success, a business
classic. In terms of security it has some counterintuitive things to
say, that a lot of people probably need to hear.
"Computer Ethics", Deborah Johnson
the basic work in the field, thorough coverage and good discussion
starter.
"Ethics and Technology", Herman T.
Tavani
is somewhat more academic, but still practical, providing more of a
background to the study of ethics.
"Better Ethics Now", Christopher
Bauer
is a fairly simple (possibly even simplistic) examination of the
topic, but would probably be very useful for training and
security/ethics awareness programs.
"Internet and Computer Ethics for
Kids", Winn Schwartau
not perfect, but probably good and useful, and certainly needed.
For the security architecture and models domain, ISMH again. And this time I think I have to say that the online version is *better* than the current one. "Security Engineering" will definitely help you in this domain.
There is currently lots of interest in, and no lack of confusion about, the Common Criteria. There is an official web page, which does have documentation. A version of the full CC is available at NIST.
Also, possibly oddly:
"Practical UNIX and Internet
Security", Simson Garfinkel/Gene Spafford
still practical and reliable, and now a classic. UNIX (operations)
and net stuff is there, but it also does very well in presenting a
model and comprehensive architecture, even for non-UNIX systems.
The same applies to the more brief
"Linux Security Cookbook", Daniel J. Barrett/Richard E. Silverman/Robert G. Byrnes.
For the access control domain, ISMH, "Security Engineering," and "Practical UNIX" again.
"Authentication: From Passwords to Public
Keys", Richard E. Smith
is slightly unfocussed, but a good overview of the topic.
For the application and systems development security domain, ISMH and the Software Engineering Body of Knowledge (SWEBOK). There is also a good chapter in Barman's "Writing Information Security Policies." "Security Engineering" really applies to any kind of systems design work.
A great resource is:
"Software Engineering", Ian
Sommerville
a textbook for a systems development course, but very clear and
readable, and with lots of good, detailed information.
More directly, there is:
"Software Security: Building Security
In", Gary McGraw
useful, and practical, advice on steps to take in the development
process.
"How to Break Web Software", Mike
Andrews/James A. Whittaker
specialized to the Web, but notes a variety of known, but not well
understood, attacks.
"Java Security", Scott Oaks
rather specialized, but some good material.
"High Integrity Software", John
Barnes
again, specialized, in that it only deals with the SPARK language.
However, it also gives some practical examples of the formal methods
discussed in security architecture.
"Applied Software Project
Management", Andrew Stellman/Jennifer
Greene
is very practical and useful, since much of application development
security involves project management issues.
Viruses come under the App Dev domain. The two texts listed on the (ISC)2 reference page happen to be:
"Viruses Revealed", Robert M. Slade/David
Harley/Urs Gattiker
and
"Robert Slade's Guide to Computer
Viruses", Robert Slade
However, I feel it only fair to say that I found some of the virus
related questions on the exam to be a bit odd.
"AVIEN Malware Defense Guide for the
Enterprise", David Harley et al
excellent overview of the current threat environment.
There are more titles in the programming and viruses topics.
"Geekonomics: The Real Cost of Insecure
Software", David Rice
Maybe I should have put this in the "bedtime reading" section, since it
doesn't deal with the technology, but it seems so important in terms
of the drivers of lousy software that I felt it needed a higher
priority.
For the operations security domain, ISMH and "Practical UNIX." Note that "Computer Security Basics," by Russell and Gangemi, has been "updated" by Lehtinen, and can no longer be recommended.
"Computer Security for the Home and Small
Office", Thomas C. Greene
may be considered odd, since it is addressed to the home user, but it
contains a wealth of Windows configuration information that many
system administrators do not know, and should.
"Corporate Espionage", Ira Winkler
not quite specialist material, but a good, readable guide.
While not directly related, some of the titles under the platforms menus might be useful.
For the physical security domain, as previously noted, there is Security magazine.
"Effective Physical Security",
Lawrence J. Fennelly
Excellent review of everything except fire protection and personnel
safety.
"Security", Neil Cumming
good information on evaluating equipment.
"Security, ID Systems and Locks",
Joel Konicek/Karen Little
easy and fun read that covers electronic access systems and a lot
more. Keep it around to hand to managers when they need to know about
physical security, or loan it to your physical security colleagues.
A number of excellent resources for physical security (and also for investigations) are available in the free, downloadable publications from the RCMP Technical Security Branch.
I'm glad that I can finally present a decent fire protection work:
"Fire Suppression and Detection Systems", John L. Bryan
For the cryptography domain:
"Applied Cryptography", Schneier
excellent and thorough text, intro or reference for professional or
serious hobbyist. And *I* say it's readable, too, as is pretty much
anything Schneier writes. (I find the simpler texts do not have
sufficient depth in one area or another.)
"Decrypted Secrets", F. L. Bauer
good general coverage, and I suspect that this is where all the
(unnecessary) history of crypto stuff comes from.
One general cryptography textbook, "The Handbook of Applied Cryptography," by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, is available online (with another copy here), but it is heavily into mathematics, with very little in the way of general explanations.
"Information Security: Principles and
Practice", Mark Stamp
again.
Most of the "easy" books on cryptography are so simplistic that they will actually get you into trouble on a number of exam questions. Two, however, provide almost enough to get you through:
"Internet Cryptography", Richard E.
Smith
and
"Cryptography Decrypted", H. X. Mel/Doris Baker
Other references are:
"Cryptography and Network Security",
William Stallings
able reference and tutorial, also:
"Network and Internetwork Security",
William Stallings
another classic from Stallings, primarily on encryption.
"SSL and TLS: Theory and Practice",
Rolf Oppliger
SSL is a bit specialized, but it is widely used and important. More
significantly, however, Oppliger's work is exemplary in both
explaining the technology, and dealing with the practicalities and
implementations. (In fact, I'm not sure whether this should be here
or in telecom, but that is next, anyway.)
"Cryptanalysis", Helen Fouché Gaines
was written in 1939, so it will NOT help you through the
exam, but it's an intriguing look at the various ciphers developed
over the years, and the great ways people have created to break them.
The telecommunications and network security domain is a bit odd, because you are expected to know a fair bit about communications technology as well as the security aspects, so you'll need to cover a wider range.
"Practical UNIX and Internet" is helpful, plus "Security Engineering" in places, Stallings, again, plus:
"Network Security", Charlie
Kaufman/Radia Perlman/Mike Speciner
the communications security text.
A quick, but detailed, overview of TCP/IP operations is provided by the TCP/IP Fundamentals tutorial.
"The TCP/IP Guide", Charles M.
Kozierok
excellent guide, and eminently readable.
"Internetworking with TCP/IP",
Comer/Stevens
good overview, also good basic network communications concepts.
"TCP/IP Illustrated, Volume 1",
Stevens
great text for the protocols of TCP/IP ("illustrated" by examples from
a real network).
"VPNs: A Beginner's Guide", John
Mairs
is, oddly, not very good on VPNs, but is quite nice at presenting the
basics of TCP/IP and the security problems in the stack.
A book that really is good at explaining VPNs is
"Building Linux Virtual Private Networks (VPNs)", Oleg Kolesnikov/Brian Hatch
"Computer Networks, Fourth Edition",
Andrew S. Tanenbaum
most up to date of the classic texts, good awareness of security.
"Data and Computer Communications, 8th
ed.", William Stallings
another of the classic texts, fairly demanding.
"Web Security and Commerce", Simson
Garfinkel/Gene Spafford
recently updated to
"Web Security, Privacy and Commerce",
Simson Garfinkel/Gene Spafford
specialized but valuable.
"Web Security Sourcebook", Aviel D.
Rubin/Daniel Geer/Marcus J. Ranum
another good one.
"Intrusion Detection", Rebecca Gurley Bace
"Intrusion Detection", Edward G.
Amoroso
same title, different approaches, both great.
Telecom and networking is a huge field, and there are many more titles, under a variety of subtopics, in both the communications and Internet menus.
For the business continuity and disaster recovery planning domain, ISMH again. Also a bit in van Wyk/Forno. Some good reminders in RISKS.
It ends weaker than it starts, but the best that I've found so far is:
"Disaster Recovery Planning", Jon Toigo
Other titles are listed in the BCP and DRP menu.
I'm really kind of disappointed in the law, investigations and ethics domain, overall. However, I know it is a difficult one.
"Internet and Online Privacy", Andrew
Frackman/Rebecca C. Martin/Claudia Ray
is a recent breath of fresh air, albeit in a limited area. The book
is short and easily readable, and, while it is still US-centric, it
does concentrate on analysis based on legal principles that may be
more broadly applicable.
"Cyberlaw: National and International
Perspectives", Roy J. Girasa
is a very comprehensive review of US, and some international, law
related to computers, and particularly the Internet. However, it is
definitely written for law students, and can be extremely frustrating
for people without a legal background.
"Borders in Cyberspace", Brian
Kahin/Charles Nesson
has an excellent collection of essays on law and/in the net.
"Cyberspace and the Law", Edward A.
Cavazos/Gavino Morin
does net law for the common person.
"Personal Medical Information", Ross
Anderson
uneven quality in this collection of papers on medical ethics, but
good range. I include it only because of the strong interest in
health info in the US.
"Protect Your Digital Privacy", Glee
Harrah Cady/Pat McGregor
is written by a couple of mothers, so it has some weak areas and rough
spots, but, oddly, they do as good a job as the professionals in many
areas, and sometimes better.
In the area of forensics, an excellent overall introduction is
"Scene of the Cybercrime: Computer Forensics Handbook", Debra Littlejohn Shinder
"Computer Forensics", Warren G. Kruse
II/Jay G. Heiser
concentrates on data recovery and chain of evidence, but is not bad in
those areas.
"Computer Forensics and Privacy",
Michael A. Caloyannides
has better technical information on data recovery, but it flips
between looking at recovering data, and avoiding data recovery.
"Computer and Intrusion Forensics",
George Mohay et al
is probably the best overview so far, including some network forensics
and touching on software forensics, but it lacks technical depth at
times.
"Challenges to Digital Forensic
Evidence", Fred Cohen
There are a number of works that address specifics of file systems and
storage devices: this isn't one of them. A few texts even address
some aspects of the investigative process and management: Cohen
addresses some of those issues. However, I have not seen any other
guides that will tell you, clearly and plainly, how to avoid the most
common failings of technical experts trying to provide evidence in a
decidedly non-technical legal system.
"Software Forensics", Robert M. Slade
is the finest available book dedicated to the topic (since it's the
only available book dedicated to the topic).
"Incident Response", Kenneth R. van
Wyk/Richard Forno
is a reasonable start on the topic, but unfortunately lacking in
detail. I'd hoped for better from Ken, but it has some good points.
There are many more books listed in the pages on ethics and law, privacy, and investigation.
Not necessarily technical, and so they don't fit into the domains, but well worth reading, are:
"Secrets and Lies: Digital Security in a
Networked World", Bruce Schneier
excellent introduction to security, and more. Schneier is a good
writer, and always worth reading: if you find a really good security
quote it tends to be from either Bruce or from Gene Spafford. Another
source of material from Schneier is the monthly
Crypto-Gram
newsletter. The site linked to here provides information about
subscriptions as well as an archive of back issues.
"The Transparent Society", David Brin
an intriguing counter-take on privacy. Exercise your mind.
"Information Warfare and Security",
Dorothy Denning
doesn't really fit a domain, but good. And similarly:
"Internet Besieged: Countering Cyberspace Scofflaws", Dorothy E. Denning/Peter J. Denning
Some people would think that
"Know Your Enemy", Honeynet Project
belongs in telecom, but it doesn't really give you a lot of
information about network attacks. It is, however, a really
interesting read about the blackhat community, and what the project is
finding out about them.
"Frauds, Spies, and Lies", Fred Cohen
an unusual book, but the normal security texts have not been that
successful at dealing with this particular topic.
"The Codebreakers", David Kahn
you won't find anything about crypto here that you'll need for the
exam, but this is a terrific overview of the history of crypto up
until the mid-twentieth century. It also points out (in example after
example) some basic truths of crypto, like don't keep using the same
key forever ...