November 05, 2003
Security Basics [ Geekiness ]
Every so often, people ask me where they can find more info on IT security. I had put this list together a little bit ago, but hadn't posted it. It includes links for reading material, organizations, tools and newsletters.
Reading material
About.com's "Computer Security 101: 10-Part Series" - good basic material, even if the site's rather ad-heavy:
http://netsecurity.about.com/cs/compsecurity101/
SANS - one of the most important security organizations on the 'net, they have a LOT of material on their site. They also hold seminars, training sessions and employ/work with some really sharp people. Good place to get started:
http://www.sans.org/
SANS reading room has fantastic amounts of info on all sorts of issues written by people in the field. Good resource for brushing up on areas that you're not familiar with, or teaching yourself more about a topic. Fairly in-depth technical coverage, mid- to high-level stuff:
http://www.sans.org/rr/
Internet Storm Center - run by SANS, has up-to-date info on what's hitting the 'net and technical details on network attacks/worms. Think about it as The Weather Channel for network security:
http://isc.sans.org/
SecurityFocus - a bit corporate-minded, not always bleeding-edge, but good mid-level material in the articles:
http://www.securityfocus.com/
SecurityFocus hosts the BugTraq mailing list, the largest/most popular security list on the 'net. Well worth browsing through the archives; most security folks keep track of this to stay on top of what's going on. There's a lot of in-depth technical discussion, some policy discussion, and a fair amount of posturing and geektalk:
http://www.securityfocus.com/archive/1
Secunia is a newer site that lists the current threat level and vulnerability news (much like the other major security sites); it's another good news resource:
http://www.secunia.com
Books
Hacking Exposed is one of the better series of books on real computer security (technical nuts'n'bolts with examples, compared to more dry academic treatments of "what makes a system secure?"). Plus they have a good collection of links to other resources:
http://www.hackingexposed.com/
Articles and Newsletters
Smashing the Stack for Fun and Profit - Aleph One wrote this some years back, but it's still one of the best treatments of buffer overflow attacks written so far.
http://www.insecure.org/stf/smashstack.txt
Hobbit's NetCat documentation should be required reading for anyone playing around with networking and security. I should probably just post the docs rather than rely on an external site, but here's one place to read it.
http://www.zoran.net/wm_resources/netcat_hobbit.asp
I'd be remiss if I didn't mention Phrack here, one of the oldest and best-known "underground" security newsletters. Highly variable quality of articles, ranging from the almost silly to scarily good, but well worth reading.
http://www.phrack.org/
And 2600. Couldn't not mention 2600. Any 3l33t h4Ck3r type needs to have some dog-eared back issues of 2600 magazine from 1992 sitting around somewhere. No articles here, since it's a pay-to-read quarterly publication, but go out to your local Barnes and Noble or Borders and grab one.
http://www.2600.com/
Vendors
Symantec - Norton AV/Symantec AV (consumer vs corporate), plus lots of security products. Also distributes a lot of useful antivirus tools:
http://www.symantec.com (main site)
http://securityresponse.symantec.com/ (AV site)
McAfee - McAfee AV, personal firewall, etc. etc. etc. 'Nother big AV vendor (part of NAI):
http://us.mcafee.com/default.asp
ISS - Big corporate security vendor, sells software, security services and hardware. I have mixed feelings about 'em, but they're a big player in the field:
http://www.iss.net/
eEye - Smaller outfit, Microsoft-centered, but getting a lot of good press with its freely-available tools, high-quality analysis and contributions to the community:
http://www.eeye.com/html/
Organizations
FEDCIRC, the central CIRC for the Feds, also works closely with DODCERT and other agencies. Part of DHS, it has some good info on incident reporting, prevention and other .gov-specific topics.
http://www.fedcirc.gov/
CERT-CC (CMU CERT) is the grandpappy of CERTs/CIRCs. Has news, vuln announcements, plus some good resources for best practices and common security problems. Somewhat "slower" and more conservative than other commercial/open-source orgs, but very important:
http://www.cert.org/
Tools
Fyodor's site, home of the Nmap security scanner plus the ever-popular "Top XX Security Tools" list. Nmap is probably the most widely used and one of the most flexible port scanners in existence:
http://www.insecure.org
[Top 75 Security Tools, May 2003]
http://www.insecure.org/tools.html
Ethereal packet sniffer, open-source network protocol analyzer, insanely useful if you're doing network troubleshooting:
http://www.ethereal.com/
OpenSSH, open-source Secure Shell client/server software. Most widely-used security software, well, ever. Available for almost all Unixes and Windows, plus Mac OS X and others. If you're not using SSH instead of telnet/rlogin/rsh for remote command-line logins, you're a bad bad person.
http://www.openssh.com/
General info
Good security is ultimately more about policy and the people involved than nifty, shiny, sexy security exploits, tools and software. All the tools and resources listed above won't make a network or a system or a site more secure if they're not used carefully, diligently and with patience and care. It's an interesting field with lots of potential (one of the few areas of IT that's actually getting funding and showing growth, along with gov't-related IT) in a wide variety of areas. There's network security (firewalls/IPS, IDS, wireless, proxies), forensics (examination/investigation, criminal law), policy, host security, antivirus/malware, physical security and more.
One of the best "real security" resources is Bruce Schneier's Crypto-Gram. His books make great reading, and trace the evolution of the security industry. Most importantly, he looks at security as a whole:
http://www.schneier.com/crypto-gram.html
Another good "real security" resource is the Risks Digest, which focuses on real-world applications of security and what problems exist with computers and people:
http://catless.ncl.ac.uk/Risks/
Hope this helps!
Posted by edobbs at November 5, 2003 11:01 AM
Original content copyright ©1995-2006 Eric Dobbs, except where otherwise noted.
