Rack of Ethernet switches.

Recommended Reference Books

Cybersecurity Reference Books

Springer Texts Free to Download

Change the search parameters accordingly for many other fields:
Free downloads of
security and cryptology books
and conference proceedings

General Security Concepts

Here are security reference books that I find helpful.


Beyond Fear: Thinking Sensibly About Security in an Uncertain World, by Bruce Schneier. This is an excellent discussion of security in general.

Secrets and Lies: Digital Security in a Networked World, also by Bruce Schneier. This is more narrowly focused on information security. It doesn't have much in the way of technical tips, but it's a fantastic explanation of what matters and why.

Information Warfare and Security, by Dorothy Denning, is largely a collection of anecdotes. It's a great overview of information security history. It nicely connects infosec to national security.

More in-depth and technical

Security Warrior, by Cyrus Peikari and Anton Chuvakin, is far more detailed and academic than most O'Reilly books. It gets into advanced topics such as analyzing binary executable files in order to do reverse-engineering. It provides great background for doing software vulnerability analysis.

Network Security Assessment, by Chris McNab, has an in-depth look at network scanning methods and application vulnerability detection and exploit.

The various Hacking <whatever> Exposed books are pretty good, although some people seem to think that their approach is more useful than it really is. Let's say you want to secure your web server. Assuming you want to make your systems secure, it's not all that useful to know umpteen different ways to break in. Protect the system behind a firewall if possible, turn off the unneeded services, move to a different application service implementation running on a different operating system if needed, and move on.

Linux / UNIX / Apple OS X

Anyone who wants to make a Unix system even more secure needs to realize that the work will be a speciality within system administration, and it makes no sense to try to be a system administrator without a good understanding of how to interact with the system!

So you must first get user skills. Unix in a Nutshell is the best book for that. Yes, there is also a Linux-specific book, but this general Unix title is more useful. Why? Because the Linux book wastes pages on explaining how to do things that are fairly obvious, like how to use a graphical computer interface and how to send e-mail. Unix in a Nutshell concentrates on the command-line and so it has more space to better explain crucial things like the vi text editor and the fundamental commands with which a system administrator must be comfortable.

The UNIX System Administration Handbook would be the next thing to get. Now, if the only sort of Unix you planned on using was Linux, then the more narrowly focused Linux Administration Handbook might make more sense.

Now you're ready to do meaningful security work. The best single reference for any sort of Unix (yes, including Linux) and macOS is Practical Unix and Internet Security, by Simson Garfinkel, and Gene Spafford, and Alan Schwartz. It also includes great general-purpose discussion of the basic concepts. Plus, it has checklists to follow!

Dave Curry's Unix System Security has been a more technical standard reference for ages. It is getting rather dated, but remaindered copies are available at very attractive prices! I probably shouldn't just list Spaf's book, lest I show some pro-Purdue bias. Oops, never mind, Davy's from Purdue, too....

Linux Firewalls is a good reference for building firewalls and other network security devices on a Linux platform.

SSH, The Secure Shell: The Definitive Guide explains how to really set up SSH, and how to set up SSH tunneling and do way more than just the command-line interface. No one should run telnet these days, here's what to do instead.

Finally, if you want to use the most secure desktop and general-purpose server operating system available, get Absolute OpenBSD: UNIX for the Practical Paranoid.

USENIX, The Advanced Computing Systems Association, has made all their conference proceedings available to everyone.

TCP/IP Networking

Just as with Unix system hardening, it makes no sense to try to do any network security work without first understanding how networks work!

The best single reference is Doug Comer's Internetworking with TCP/IP, Volume 1. He has written an excellent book that clearly tells the story of how the TCP/IP protocol suite works. Yes, it's a textbook and new copies of the latest edition can be pretty expensive. But investigate used copies, and remember that if you're just trying to learn the fundamentals of the main host protocols (Ethernet, ARP, IP, UDP, TCP, ICMP, and DNS), they haven't changed much in ages and an older edition may serve your needs.

Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols is another great reference, but it's more of an encyclopedia and it isn't easy reading.

Comer's book is very readable — it has a story that flows and he did a great job of technical writing.

Stevens' book is more like an encyclopedia — it's great for looking up details.

Be careful when ordering either of Comer's or Stevens' books! Both wrote a three-volume series, in which the first volume (what you probably want) is about the protocols themselves, while the second and third volumes are about how to implement those protocols in an operating system (using BSD Unix as a case study) and how to write applications using those protocols.

Building Internet Firewalls is one standard reference on firewall architecture and the function of the many components. TCP/IP protocol-based attacks, their detection and prevention. Lots of details on the application protocols and configuring both the applications and the firewalls.

Firewalls and Internet Security: Repelling the Wily Hacker is another classic reference, slightly more academic and getting further into some of the technical details. It's a second pass through the firewall material with a little more on operating system risks.

Since you rely on DNS to map human-friendly domain names to the IP addresses needed to route all data packets, make sure that you use it correctly! The standard reference is DNS and BIND.

A more recent "cookbook" volume with handy tips and tricks by the same author is the DNS & BIND Cookbook.

Finally, the RFCs define the Internet protocols, and many of them discuss security. Find the RFCs at: www.ietf.org or www.rfc-editor.org.


Popular Introductions

"The Gold Bug", by Edgar Allan Poe, is probably the most readable explanation of how to break monoalphabetic substitution ciphers. But be warned: it's a good story with a useful illustration of early cryptanalysis, but it does contain some unfortunately racist language...

"The Adventure of the Dancing Men", by Arthur Conan Doyle, is another late 1800s detective story in which a monoalphabetic substitution cipher is broken, although Poe's explanation is a more accurate and complete of fundamental cryptanalysis.

Simon Singh's The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, is an excellent overview of cryptography. It covers the topic from ancient history to cutting-edge research. It has excellent descriptions of asymmetric algorithms, Diffie-Hellman key exchange, key management, etc.

PGP & GPG: Email for the Practical Paranoid, by Michael Lucas, explains how to secure your electronic mail and downloaded files with Pretty Good Privacy and the GNU Privacy Guard.

Fundamentals / Basics

Cryptanalysis, by Helen Gaines, is s probably the best place to start if you're interested in how learning to break crypto systems. It's also an important thing to read if you actually think you can design a crypto system! It shows you how to break combined substitution and transposition ciphers using pencil and paper.

Basic Cryptanalysis, U.S. Department of the Army Field Manual FM 34-40-2, is available for free downloading.

But beware — the files you get from the download site, either the individual files or the tar archive, all have 5 lines of HTML header inserted before the actual PDF data! It's no problem to fix this with the following trick in Linux/UNIX/macOS:

$ for F in *.pdf
> do 
>       tail +6 $F > tmp.pdf
>       mv -f tmp.pdf $F 
> done 

Further Details / Advanced

The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, by David Kahn, is enormous and fairly expensive, but it is the authoritative reference.

Applied Cryptography: Protocols, Algorithms, and Source Code in C, by Bruce Schneier, is used as the text for a graduate-level cryptography course at many universities. It contains detailed analysis of cryptographic theory. It also has practical calculations of the expected time to break various systems on reasonable hardware platforms.

Handbook of Applied Cryptography, by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, is more academic than Schneier's book. It's available for free download as a large collection of PDF files.

Network Security with OpenSSL, by J. Viega et al, describes OpenSSL. The OpenSSL package provides what applications need for SSL/TLS connections between web servers and clients. But the package also provides a very wide range of command-line and C/C++ library functions for cryptography — encryption, decryption, cryptographic hashes, creation of digital signatures, and more.

Practical Cryptography is by Niels Ferguson and Bruce Schneier. I think that the greatest benefit of this book is that it should convince the reader that yes, this is extremely difficult to really get right, and you do have to be obsessively careful with the entire system design, and it would be easy to make some bold plans up front that are then difficult to fully carry through. Don't write your own code, get a good open-source system that has been checked out by many smart people. Read this book if you aren't convinced yet.


My CompTIA Security+
exam prep suggestions

I have both CISSP and CompTIA Security+ certifications.

The study books are of very limited value. If they're written by the group that produces the exam, they're intentionally incomplete and filled with distracting irrelevant material. If they're written by a third party, they're incomplete and disagree with the exam over what the right answer is.

Learning Tree's
CompTIA Security+
exam prep course

I teach some courses for Learning Tree, International, including their Security+ test-prep course. In order to teach that course, I have to pass the test annually. The Security+ exam is getting more difficult every year as they include more obscure and outdated content and make the question wording more misleading and unclear. I now rely on that course material to prepare me.

The quiz software you use in that course, and which you can use on your own, is an excellent simulation of the real exam. It is not a literal "brain-dump" of verbatim questions, as that is not allowed. But it is very close to the real exam, including its confusing wording and CompTIA's insistence that you select "right" answers that are outdated and incorrect. Seriously, take that course.

Do not waste your time and money on material purporting to be "brain dump" literal questions. I have had a number of students take the Security+ test-prep course because they used what claimed to be literal questions and found that it had very little in common with the real exam. Plus, if CompTIA even suspects that you have looked at that material, they may simply ban you for life from having one of their certifications. If you work for the U.S. Department of Defense, one of their contractors, or another organization requiring CompTIA certification for certain positions, there goes your job.

All that being said, the best reference for the CompTIA Security+ exam is CompTIA Security+ Study Guide: Exam SY0-501, by Emmett A. Dulaney.

Why is that book so much better than the others?

Let's be realistic, no test preparation book is going to be perfect. But this one comes the closest to covering what is in the current exam while not distracting you with irrelevant details. As an example, I browsed through another supposed Security+ test-prep and found myself distracted by the chapter about lock. It had fascinating cross-section diagrams of dead-bolt locks and dial locks for safes. It also had a section on fire sprinkler systems and the distinctions between dry-pipe, wet-pipe, pre-action, and deluge sprinkler systems. But wait — those topics are not on the CompTIA Security+ exam!

For the CISSP, I found Mike Meyers' CISSP Certification Passport very useful.


As this page is overly long already, I have split the books about the history of information security into a separate list.

That page also has my suggestions of INFOSEC sights for your next vacation — the NSA museum, Bletchley Park, etc.

To the main Security Page