Rack of Ethernet switches.

Recommended Reference Books

Cybersecurity Reference Books

It is difficult to recommend cybersecurity books because the field evolves so rapidly. There have been many true classics, essential in their time. But the books haven't kept up with the technology. Frankly, where is the motivation for an author and a publisher to spend their time and money, respectively, on a book that will be outdated soon after its first release? And especially when they are competing with a Google-first mindset that immediately leads readers to what they hope are useful and reasonably recent on-line how-to articles.

Here's my best effort at a useful list. Some of these are evergreen titles that, despite their age, are still useful for people new to the field.

TL;DR

General concepts:
Secrets and Lies: Digital Security in a Networked World

Networking:
Internetworking with TCP/IP, Volume 1

Introduction to cryptography:
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography

And maybe:
Unix in a Nutshell

Now, in detail:

General Security Concepts

First, some books on the concepts of security in the broad sense. Bruce Schneier started out as a cryptographer, and still works in the field, but he has become interested in psychological issues of how humans perceive and react to risk.

Beyond Fear: Thinking Sensibly About Security in an Uncertain World is an excellent discussion of security in general.

Secrets and Lies: Digital Security in a Networked World is more narrowly focused on information security. It doesn't have much in the way of technical tips, which means it hasn't become outdated. It's a great explanation of what matters and why.

Information Warfare and Security, by Dorothy Denning, is largely a collection of anecdotes. It was a great overview of information security history. Now however, it has become meta-historical. Written in 1998, it tells us what people in the distant past (in Internet terms) thought about their distant past. If someone used a web browser in 1998, it was probably Netscape Navigator. The Mozilla organization was founded in 1998, but the Firefox browser didn't appear until 2002.

All the same, it nicely connects information security to national security in a careful way, and not the "Pundit of Panic" approach all too common in the field. (e.g., Ted Koppel, self-appointed sudden expert in electrical power grids)

Linux / UNIX / Apple macOS

Anyone who wants to make a Unix system even more secure needs to realize that the work will be a specialty within system administration, and it makes no sense to try to be a system administrator without a good understanding of how to interact with the system!

So you must first get user skills. Unix in a Nutshell is the best book for that. Yes, there is also a Linux-specific book, but this general Unix-family title is more useful. Why? Because the Linux book wastes pages on explaining how to do things that are fairly obvious, like how to use a graphical computer interface and how to send e-mail. Unix in a Nutshell concentrates on the command line and so it has more space to better explain crucial things like the vi text editor and the fundamental commands with which a system administrator must be comfortable.

The UNIX & Linux System Administration Handbook might be the next thing to consider. However, Linux distributions mostly go their own ways, a real herd of cats, while most of them are reasonably self-documenting. Becoming a Linux power user will probably be a better use of your effort. Log analysis and other tasks need a good understanding of fundamental tools like grep, sed, awk, regular expressions, and so on, as explained in UNIX Power Tools.

For free overviews, see my pages:

Getting Started with Linux
Linux/UNIX Command Fundamentals and the File System
Linux System Administration — the Core Set of Commands
Linux Package Management

USENIX, The Advanced Computing Systems Association, has made all their conference proceedings available to everyone.

The classics are getting awfully old. Practical Unix and Internet Security was last revised in 2003. Dave Curry's Unix System Security is from 1992.

TCP/IP Networking

Just as with Unix system hardening, it makes no sense to try to do any network security work without first understanding how networks work!

The best single reference is Doug Comer's Internetworking with TCP/IP, Volume 1. He has written an excellent book that clearly tells the story of how the TCP/IP protocol suite works. Yes, it's a textbook and new copies of the latest edition can be pretty expensive. But investigate used copies, and remember that if you're just trying to learn the fundamentals of the main host protocols (Ethernet, ARP, IP, UDP, TCP, ICMP, and DNS). They haven't changed much in ages and an older edition may serve your needs. Comer's book is very readable — it has a story that flows and he did a great job of technical writing.

Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols is another great reference, but it's more of an encyclopedia and it isn't easy reading.

Be careful when ordering either of Comer's or Stevens' books! Both wrote a three-volume series, in which the first volume (what you probably want) is about the protocols themselves, while the second and third volumes are about how to implement those protocols in an operating system kernel (using BSD Unix as a case study) and how to write applications using those protocols.

You want Volume 1.

To learn more than you need to know about IP addresses and subnet design, download the great paper Understanding IP Addressing: Everything You Ever Wanted To Know. It starts at the beginning, and 76 pages later you understand CIDR and VLSM, Classless Interdomain Routing address notation and Variable Length Subnet Mask design.

Network Security Assessment, by Chris McNab, describes network scanning methods and application vulnerability detection and exploit.

And there are more books that were great in their day, but haven't been revised in ages. Building Internet Firewalls from 2000, Firewalls and Internet Security: Repelling the Wily Hacker from 2003, and more.

Since you rely on DNS to map human-friendly domain names to the IP addresses needed to route all data packets, make sure that you use it correctly! The standard reference is DNS and BIND, and the same authoritative author has also written a "cookbook" with handy tips and tricks, DNS & BIND Cookbook. They're from the early-to-mid 2000s, but the narrow focus means they have aged much better than broad topics like firewalls and UNIX-family operating systems.

Finally, the RFCs define the Internet protocols, and many of them discuss security. Find the RFCs at: www.ietf.org or www.rfc-editor.org.

Cryptography

Popular Introductions

"The Gold Bug", by Edgar Allan Poe, is probably the most readable explanation of how to break monoalphabetic substitution ciphers. But be warned: it's a good story with a useful illustration of early cryptanalysis, but it contains racist language.

"The Adventure of the Dancing Men", by Arthur Conan Doyle, is another 1800s detective story in which a monoalphabetic substitution cipher is broken, although Poe's explanation is a far more accurate and complete description of fundamental cryptanalysis.

Simon Singh's The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, is an excellent overview of cryptography. It covers the topic from ancient history to research underway when it was written. It has excellent descriptions of asymmetric algorithms, Diffie-Hellman key exchange, key management, etc.

Fundamentals / Basics

Cryptanalysis, by Helen Gaines, is probably the best place to start if you're interested in how learning to break crypto systems. More importantly, read it if you actually think you could design a crypto system. It shows you how to break combined substitution and transposition ciphers using pencil and paper. Written in the 1930s, it demonstrates Poe's observation from almost a century before.

"Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis."

— Bruce Schneier, 1998

"Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one else could break."

— David Kahn, 1967
The Codebreakers

"Few persons can be made to believe that it is not quite an easy thing to invent a method of secret writing which shall baffle investigation. Yet it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve."

— Edgar Allan Poe, 1841
"A Few Words on Secret Writing"

Basic Cryptanalysis, U.S. Department of the Army Field Manual FM 34-40-2, is available for free downloading. But beware — the files you get from the download site, either the individual files or the tar archive, all have 5 lines of HTML header inserted before the actual PDF data! Your PDF viewer may not handle this. It's no problem to fix this with the following trick in Linux/UNIX/macOS: 

$ for F in *.pdf
> do 
>       tail -n +6 $F > tmp.pdf
>       mv -f tmp.pdf $F 
> done

History

The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, by David Kahn, is enormous and fairly expensive, but it is the authoritative reference.

More Advanced

Applied Cryptography: Protocols, Algorithms, and Source Code in C, by Bruce Schneier, has been used as the text for a graduate-level cryptography course at many universities. Yes, it's a snapshot of mid-1990s cryptography, but it's a good explanation of the fundamentals of cipher algorithms, their building blocks, and overall designs.

Handbook of Applied Cryptography, by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, is more academic than Schneier's book. Theorems! Lemmas! Proofs! It's available for free download as a large collection of PDF files.

Practical Cryptography is by Niels Ferguson and Bruce Schneier. I think that the greatest benefit of this book is that it should convince the reader that yes, this is extremely difficult to really get right, and you do have to be obsessively careful with the entire system design, and it would be easy to make some bold plans up front that are then difficult to fully carry through. Don't write your own code, get a good open-source system that has been checked out by many smart people. Read this book if you still disbelieve Edgar Allan Poe.

Certification

Be aware that certification, especially in cybersecurity, does not mean that you know how to do the hands-on work. It means that you have learned how to carefully use a mutant dialect of English preferred by the certifying organization.

At best, the (ISC)2 certifications indicate that you are qualified to advise senior management on issues related to cybersecurity, supporting their money-based decisions about how best to manage risk. With CompTIA Security+, you can serve as a go-between for lower to middle management communicating with the technical people running the servers and the networks. Or perhaps be one of those technical people doing your own communicating.

I have (ISC)2 CISSP and CCSP, and CompTIA Security+ certifications. The standard study books are of very limited value. If they're written by the group that produces the exam, they're intentionally incomplete and filled with distracting irrelevant material. If they're written by a third party, they're accidentally incomplete and disagree with the exam over what the right answer is.

I teach the corresponding test-prep courses for Learning Tree International. Their Security+ course uses custom material and practice test software, and it's the best Security+ test-prep material I know of. And meanwhile, official CompTIA course content is rubbish.

The quiz software you use during that course and then on your own is an excellent simulation of the real exam. It is not a literal "brain-dump" of verbatim questions, as that is not allowed. But it is very close to the real exam, including its intentionally confusing wording and CompTIA's insistence that you select "right" answers that sometimes are outdated and incorrect.

Do not waste your time and money on material purporting to be "brain dump" literal questions. I have had a number of students take the Security+ test-prep course because they had used what claimed to be literal questions; they had failed the exam, finding that the "brain dump" material had very little in common with the real exam. Plus, if CompTIA even suspects that you have looked at that material, they may simply ban you for life from having one of their certifications. If you work for the U.S. Department of Defense, one of their contractors, or another organization requiring CompTIA certification for certain positions, there goes your job.

All that being said, the best reference for the CompTIA Security+ exam is CompTIA Security+ Study Guide: Exam SY0-501, by Emmett Dulaney and Chuck Easttom.

Let's be realistic, no test preparation book is going to be perfect. But this one comes the closest to covering what is in the current exam while not distracting you with irrelevant details. As an example, I browsed through another supposed Security+ test-prep and found myself distracted by the chapter about locks. It had fascinating cross-section diagrams of dead-bolt locks and dial locks for safes. It also had a section on fire sprinkler systems and the distinctions between dry-pipe, wet-pipe, pre-action, and deluge sprinkler systems. But wait — those topics are not on the CompTIA Security+ exam!

As for CISSP or CCSP, make sure to get the practice exam book, possibly in a bundle with their study guide.

History

As this page is overly long already, I have split the books about the history of information security into a separate list.

That page also has my suggestions of INFOSEC sights for your next vacation — the NSA museum, Bletchley Park, etc.

To the main Security Page