Information Security Reading List
May 19, 2015 · 3 minute read

I read quite a bit (probably a book a week or so) and one of the topics I’ve been reading on for a while is information security. In a recent conversation someone asked for some book suggestions, so I thought I’d write that up in a blog post rather than an email.
Most of this list isn’t particularly technical. It’s not a developer’s list of software engineering tomes. If you’re a developer or operator then I’d recommend reading some of the more policy or journalistic pieces as well for context. And if you’re just interested in the topic but not particularly technical, I’d skip the security engineering suggestions.
Note that I make no claims about this being a particularly balanced list; it’s biased towards what I find interesting to read. Hopefully you’ll find it interesting too.
Journalism
Understanding why Information Security is important tends to require some context. The following books provide that, with detailed real-world stories of criminal and government activities.
- The Dark Net - Jamie Bartlett - an excellent personal tale of investigating the hidden side of the internet.
- Spam Nation - Brian Krebs - everything you wanted to know about how and why Spam works.
- Countdown to Zero Day - Kim Zetter - a detailed and fast-paced description of the Stuxnet attack, and its implications.
- Future Crimes - Marc Goodman - a focus on the criminal possibilities of the modern internet and the internet of things.
- Worm - Mark Bowden - similar to the excellent tale of Stuxnet above, this is the story of Conficker and how it was discovered.
Policy and context
These books are focused more on government policy and nation state threats, and the debate about the rules of war and the internet.
- Cyber War - Richard Clarke - probably the best description of what cyber war is and isn’t, and some of the geopolitical problems emerging.
- Cyber War Will Not Take Place - Thomas Rid - a good counter to the above book, with lots more detailed discussion of policy and definition.
- Inside Cyber Warfare - Jeffrey Carr - really just a run through of current threats, especially organised crime.
Security engineering
- Security Engineering - Ross Anderson - highly technical and quite epic, but definitely the best security engineering book around.
- Threat Modelling - Adam Shostack - detailed descriptions of how and why to conduct threat modelling, with lots of examples.
- Data Driven Security - Jay Jacobs and Bob Rudis - nice examples, including code samples, of applying data and statistics tools and practices to security problems.
- Cloud Security and Privacy - Tim Mather, Subra Kumaraswamy, Shahed Latif - a good book to read for anyone working in AWS, Azure or similar. Good discussion of concerns and compliance approaches in third party environments.
- The Tangled Web - Michal Zalewski - everything you ever wanted to know about the browser security model.
- Silence on the Wire - Michal Zalewski - described as a field guide to passive reconnaissance and indirect attacks. Good for starting to think about non-obvious security threats.
On my reading list
I’ve not read these books yet so can’t recommend them as such, but they both look like good additions to the list above.
- Data and Goliath - Bruce Schneier - a look at the large scale data collection programmes of governments and their implications for everyone.
- Black Code - Ronald J. Deibert - the story of the Citizen Lab and its front-line cyber researchers.