Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity


Geek Lit: Top Security Reads for 2000

by Dave Piscitello, President, Core Competence, Inc.

December is as much a celebratory and gift-giving month for some people as it is a religious celebration for others. Thoughtful gift giving is high on the Emily Post list of suitable and well-mannered behavior. The personal touch of investing time and thought into selecting a gift (instead of opting for the gift certificates you purchase online and e-mail to your loved ones the night before) shows you care. 

O.K., enough of the Hallmark moment. The truth is, technology people are difficult to purchase for. We are typically avid consumers of high-tech gadgets, and these are generally expensive items. So what can you buy a network security wonk or wannabe for $25.00 to $50.00? Not music CDs -- most folks with dedicated bandwidth are burning CDRs as fast as they can find MP3s of the music they want on the 'Net. Blank CDRs are as impersonal as gift certificates. How about a book on the subject of network security?

A book? How geeky is that? Exactly my point. Geek is chic, honest. Aren’t you more popular at parties now that Internet and Security are soooo cool? Buy your fellow geeks a book, and suggest this gift genre when friends, relatives, and spouses ask you what they should buy a fellow geek. Yes, it’s personal, especially when the book is one you’ve read or has come recommended. Inscribe something inside it (warm and fuzzy is in, too): It might be the only time all year long when you actually write someone more than a note on a sticky.

Fred Avolio, Rik Farrow, and I will even save you surfing time. Here’s an annotated list of security books we have read and reviewed. These can all be purchased online from The Internet Security Conference Bookstore. As an added incentive, TISC will donate its Amazon partner revenue for the month of December to Deep Well, a South Carolina charity that assists needy families year-round with food, clothing, and emotional support.

The List

#  1 Hacking Exposed
by Stuart McClure, Joel Scambray, and George Kurtz

If you want to understand hacking in intimate detail, this is the book for you. It’s an excellent read by three talented computer scientists who are adept writers. The best place to read Hacking Exposed is in front of your PC. Whether you are a *NIX or Windows user, you’ll be able to download the same tools script-kiddies and more sophisticated attackers use, and experiment (responsibly, of course). I read the book first on a plane, then in my office with both LINUX and NTWS so I could try out as many of the tools as possible. Look for the more recent second edition.

#  2 Windows 2000 Security Handbook
by Tom Sheldon (Editor), Phil Cox

Phil Cox, an outstanding consultant and instructor of many security courses, explains the security considerations when configuring a Windows 2000 host or server. He also does a commendable job of explaining how to use complementing security technology—firewalls, VPNs, proxy servers—to further harden your intranet, extranet, or e-business networks. You can sample Phil’s writing style by reading a TISC Insight column he wrote on Windows 2000 Vulnerabilities, September 8, 2000.

#  3 Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
by Richard Power

This is one of Rik Farrow’s favorites. He admits to some prejudice because he wrote the foreword, but why would Rik write a foreword for a book he wouldn’t whole-heartedly endorse? Tangled Web contains summaries of the CSI/FBI annual surveys in the second chapter, and stories about prominent hacker criminal cases, with sometimes unpublished information about various well-known hacks, their investigation (including both sides), the plea or court outcome, and more.

#  4 Information Warfare and Security
by Dorothy E. Denning

Fred Avolio’s top pick. Fred wrote a thorough review on this book, which concludes by stating, “Information Warfare and Security so thoroughly covers the space of information warfare theory, measures, and countermeasures, … because it was written as a text for a course that had to cover all of this material. What may be surprising … is that such complete coverage could be done in such an easy-to-read way.”

#  5 Applied Cryptography: Protocols, Algorithms, and Source Code in C
by Bruce Schneier

If you care about security, you'll eventually need to understand cryptography. This is the most comprehensive source on cryptography you will ever need or find. From a chronology of cryptographic systems to actual C source code of algorithms, Bruce’s coverage is nothing less than encyclopedic. Again, look for the second edition.

Not New, but Classic

Judging from the e-mail exchange conducted before I wrote this column, Fred and Rik seem to be technology book junkies as much as I am. Some additional “must read” security books on our shelves include:
  • Practical Unix and Internet Security, by Simson Garfinkel and Gene Spafford. This is not a new book, but it is an awfully good one that covers the fundamentals.

  • Firewalls and Internet Security: Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin. A second edition of this 1994 classic becomes available February 2, 2001. Read "An Evening with Berferd, in which a Hacker is Lured, Endured, and Studied" and you’re certain to buy this book for yourself, perhaps even for a friend.

  • Three books we all agree are “must have” references: TCP/IP Illustrated, Volumes 1-3, by the late and wonderfully talented Richard Stevens. Volume One is essential and, like Hacking Exposed, is a terrific read in front of a *NIX system.

And on the Wish List ...

  • Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier. Here’s a big surprise. Fred, Rik and I all have this book on our wish lists. Whereas Applied Cryptography is intense and exhaustive, Secrets and Lies promises to be insightful, humorous, and practical.

  • Spooked: Espionage in Corporate America, by Adam L. Penenberg and Marc Barry. Rik commented that Spooked is non-technical, but looks very interesting, on the basis of an abstract that appeared at I agree.

Season's Greetings

On behalf of Fred and Rik, I wish you a safe and happy holiday season. We hope you can spend lots of time on activities you find meaningful, and we look forward to writing for you in 2001.


Copyright © 1996 - 2001 WatchGuard Technologies, Inc. All rights reserved.