Things have changed little in the world of network security support from 2001. (Yes, that is not a "typo"—little.) I still think many of us transition from "network support person" to "security guru" fairly quickly. Sometimes we seek this ourselves, wanting something more "interesting to do." And sometimes we seek glory and honor. At the end of the day, people will still hate you. What people? It depends. Whoever is trying to do something "vital to the mission," and who forgot to talk to you about security until the last minute. This list can include software product developers, sales executives, program managers, product managers, network engineers, etc. But, you did ask for it, now didn't you?
Before I get to updating my old column, a warning: you, dear reader, want to hear new, exciting, interesting, and jazzy things to learn. And, indeed, there is some of that. But, I fear you will be disappointed that I will point to some old books and papers and old things to learn. Take heart. If this was a theology course, we would still look at old texts. As Paul Simon reminds us, in his song "Old," "God is old." (I lost some of you by mentioning Paul Simon, right? "Avolio is old," you thought.) Let me put it another way: If you study and use calculus or Boolean algebra, you don't only look at breakthroughs in those disciplines from the past few years. So, you'll have to trust me. You'll want to jump to the new and jazzy. You will do yourself a great favor by studying some old things, as well as new. You'd do it in physics or mathematics. You should also do so here.
One more warning: if your employer will send you to "CISSP school," in which you get trained to pass the CISSP exam, take them up on it. But, you will still need to do more. I know CISSPs who, by definition, passed the exam, but also clearly have no practical knowledge or experience.
First Steps.
As I said a few years back, "first off, you will have to exert some effort. You'll have to work. My idea is to give you work you can do in a reasonable amount of time, while still employed. ... You need to do some basic reading. Not all at once, and not in every area. Some excellent books and papers will provide a good start. I am only going to point to a few of these, because you are supposed to be able to do this without taking six months off."
You'll need to learn terminology around security, but that will come as you peruse the Internet, making use of Google and Wikipedia. Start with learning the technology in your current area of responsibility.
For security basics, let's start with WatchGuard, and not just because they asked me to do this. Their education page is easy to navigate and has information for Jedi masters as well as the padawan learner. Bookmark their "Network Security Glossary." Spend some time reading their White Papers. (They are free with a registration. They will not spam you. Scott promises.) Most of what they have (papers, podcasts, and videos) is 99% unbiased with 1% advertising. (Scott has to eat, too, you know.) Their "IT Managers' Security Resources" are for anyone wanting to learn more about network and computer security, not just for IT folks and certainly not just for managers. These provide practical advice for securing the corporate network from user to servers, along with an occasional technical "deep dive" piece. As you move towards Master from Learner, you will want to try your skills in "The Dustin Barnes Mystery Series," also found on their web page. Check out their instructional videos (fun but no fluff, I promise), and, of course, subscribe to their Radio Free Security podcasts. (You might find their case studies of interest, but these do seem to have the look and feel of marketing communication glossies.)
Next stop, Techtarget's SearchSecurity site. They also have excellent whitepapers and reports. Their main page is a "security portal" of sorts, gathering infosec news as well as security papers grouped topically. (Most of these papers are produced or sponsored by vendors and require registering.) While there, you should also subscribe to some of their RSS newsfeeds, such as Security Wire Daily News (or Weekly) and Network Security Tactics. There, you can also subscribe to Information Security Magazine. You can also read some of the articles in the latest issue here.
Next steps.
In addition to the "portals" mentioned above, we can drill down a bit into these particular areas.
This includes antivirus and spyware. Really, there aren't many books to recommend to come up to speed on spyware. For antivirus I recommend Hacking Exposed 5th Edition (Hacking Exposed), though it covers a great deal more than that. Otherwise, peruse the malware topic area in the SearchSecurity papers (with the warning of vendor sponsorship I previously made). Actually, I'd go to WatchGuard's education area and watch the "Malware Analysis Video: Drive-by Downloads."
As for other things, the National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database.
Oh, and for goodness sake, read about the Morris Worm.
For firewalls, I believe the early papers are still the best, and the technology has not changed substantially since their authors wrote them. Three of the first and best papers are:
- "The Design of a Secure Internet Gateway," by Bill Cheswick (1990).
- "There Be Dragons," by Steve Bellovin (1992).
- "An Evening with Berferd, In Which a Cracker is Lured, Endured, and Studied," by Bill Cheswick (1992).
- "Thinking About Firewalls," by Marcus Ranum (1993).
The best books on the subject are also the earliest ones:
- Firewalls and Internet Security: Repelling the Wily Hacker (2nd Edition), by Cheswick and Bellovin.
- Building Internet Firewalls (2nd Edition), Zwicky, Cooper, and Chapman.
If you need to come up to speed on "intrusion detection," start with An Introduction to IDS. If you need something more in-depth, see Rebecca Bace's whitepaper, "An Introduction to Intrusion Detection and Assessment." She also wrote the book Intrusion Detection (MTP). Another excellent book is Terry Escamilla's Intrusion Detection: Network Security Beyond the Firewall.
This list has not changed since 2001. The best books on the subject of cryptography for computers and the Internet are:
- Internet Cryptography by Richard Smith.
- Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition. This detailed volume might be too much to handle in your "spare time," but if you have the need and the interest, it is both excellent and thorough.
- The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. This book gives valuable background on the history that has led up to encryption, useful more for context than for direct practical application.
You need to learn about virtual private networks, and, again, one of the best introductions is an "old" book, from 2001, Virtual Private Networks: Technologies and Solutions, by Ruixi Yuan and W. Timothy Strayer.
If you need to learn about e-mail security:
- Start with my secure e-mail collection, which includes columns, articles, and some old product reviews.
- Then try the book Internet Messaging: From the Desktop to the Enterprise.
And just for fun, check out some famous attacks.
- Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It, by Tsutomu Shimomura and John Markoff. Decent read, though a very long book title.
- The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Cliff Stoll.
- Scott Pinzon recommends a different take on Mitnick's capture in The Fugitive Game: Online with Kevin Mitnick.
Ongoing.
How in the world will you keep up to date on changing technologies and events while still keeping your job (and maybe even having a life)? The answer is "automate." Sign up for an RSS news service (mentioned earlier). Spend a half hour of each day checking news items and bulletins.
Start poking around NIST's Computer Security Division's Computer Security Resource Center. There are some useful papers and guidelines here. There are also things that look surprisingly like they were written by someone getting paid by the word. (They were not. But, one of the mottos of big government agencies seems to be, "Never say in 10 words what you can say in 100.") Their "Guide to NIST Information Security Documents" is 36 pages.
There are security-related magazines to read, and my favorites both have electronic and print versions:
Even without having six months to take off, you might be able to get some outside training for on-going growth and development. My favorite security-related conferences are:
- CSI (the Computer Security Institute), which runs national conferences and regional and on-site training.
- Security conferences (in particular) run by the USENIX Association.
- And security conferences by The MIS Training Institute.