There have been a great many books, magazines and papers published on security in the last few years, reflecting the growing concern with the topic. Trying to keep up with even a subset of this information can be quite a chore, whether you wish to stay current as a researcher or as a practitioner. Here, we have collected information about a number of useful references that you can use as a starting point for more information, further depth, and additional assistance. We have tried to confine the list to accessible and especially valuable references that you will not have difficulty finding. We've provided annotation where we think it will be helpful.
In Appendix E we also list some online resources in which you can find other publications and discussions on security. In Appendix F, we give pointers to a number of professional organizations (including ACM, Usenix, and the IEEE Computer Society) that sponsor periodic conferences on security; you may wish to locate the proceedings of those conferences as an additional reference. We especially recommend the proceedings of the annual Usenix Security Workshop: these are generally UNIX-related and more oriented toward practice than theory.
Curry, David A. UNIX System Security: A Guide for Users and System Administrators. Reading, MA: Addison Wesley, 1992. Lots of sound advice from someone with real experience to back it up.
Farrow, Rik. UNIX System Security. Reading, MA: Addison Wesley, 1991. A reasonable overview of UNIX security, with emphasis on the DoD Orange Book and UNIX System V.
Ferbrache, David, and Gavin Shearer. Unix Installation, Security & Integrity. Englewood Cliffs, NJ: Prentice Hall, 1993. This is a comprehensive treatment of computer security issues in UNIX, although some areas are not treated in the same depth as others.
Grampp, F. T., and R. H. Morris. "UNIX Operating System Security," AT&T Bell Laboratories Technical Journal, October 1984. This is the original article on UNIX security and remains timely.
Reid, Brian. "Reflections on Some Recent Widespread Computer Break-ins." Communications of the ACM, Volume 30, Number 2, February 1987. Some interesting comments on UNIX security based on some break-ins at various sites. Still timely.
Wood, Patrick H., and Stephen G. Kochan. UNIX System Security. Carmel, IN: Hayden Books, 1986. A good but very dated treatment of UNIX System V security prior to the incorporation of TCP/IP networking. This book is of mainly historical interest.
Arkin, S. S., B. A. Bohrer, D. L. Cuneo, J. P. Donohue, J. M. Kaplan, R. Kasanof, A. J. Levander, and S. Sherizen. Prevention and Prosecution of Computer and High Technology Crime. New York, NY: Matthew Bender Books, 1989. A book written by and for prosecuting attorneys and criminologists.
BloomBecker, J. J. Buck. Introduction to Computer Crime. Santa Cruz, CA: National Center for Computer Crime Data, 1988. (Order from NCCCD, 408-475-4457.) A collection of essays, news articles, and statistical data on computer crime in the 1980s.
BloomBecker, J. J. Buck. Spectacular Computer Crimes. Homewood, IL: Dow Jones-Irwin, 1990. Lively accounts of some of the more famous computer-related crimes of the past two decades.
BloomBecker, J. J. (as Becker, Jay). The Investigation of Computer Crime. Columbus, OH: Battelle Law and Justice Center, 1992.
Communications of the ACM, Volume 34, Number 3, March 1991: the entire issue. This issue has a major feature discussing issues of computer publishing, Constitutional freedoms, and enforcement of the laws. This document is a good source for an introduction to the issues involved.
Conly, Catherine H. Organizing for Computer Crime Investigation and Prosecution. Washington, DC: National Institutes of Justice, 1989. A publication intended for law-enforcement personnel.
Cook, William J. Internet & Network Law 1995. A comprehensive volume which is updated regularly; the title may change to reflect the year of publication. For further information, contact the author at:
Icove, David, Karl Seger, and William VonStorch. Computer Crime: A Crimefighter's Handbook. Sebastopol, CA: O'Reilly & Associates, 1995. A popular rewrite of an FBI training manual.
McEwen, J. Thomas. Dedicated Computer Crime Units. Washington, DC: National Institutes of Justice, 1989. Another publication intended for law-enforcement personnel.
Parker, Donn B. Computer Crime: Criminal Justice Resource Manual. Washington, DC: National Institutes of Justice, 1989. A comprehensive document for investigation and prosecution of computer-related crimes. (Order from +1-800-851-3420.)
Power, Richard. Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare. San Francisco, CA: Computer Security Institute, 1995. An interesting and timely summary.
Sieber, Ulrich, ed. International Review of Penal Law: Computer Crime and Other Crimes against Information Technology. Toulouse, France: 1992.
Leveson, Nancy G. Safeware: System Safety and Computers. A Guide to Preventing Accidents and Losses Caused by Technology. Reading, MA: Addison Wesley, 1995. This textbook contains a comprehensive exploration of the dangers of computer systems, and explores ways in which software can be made more fault tolerant and safety conscious.
Neumann, Peter G. Computer Related Risks. Reading, MA: Addison-Wesley, 1995. Dr. Neumann moderates the Internet RISKS mailing list. This book is a collection of the most important stories passed over the mailing list since its creation.
Weiner, Lauren Ruth. Digital Woes: Why We Should Not Depend on Software. Reading, MA: Addison-Wesley, 1993. A popular account of problems with software.
Computer Virus Attacks. Gaithersburg, MD: National Computer Systems Bulletin, National Computer Systems Laboratory, National Institute for Standards and Technology. (Order from National Technical Information Service, 703-487-4650, Order number PB90-115601.) One of many fine summary publications published by NIST; contact NTIS at 5285 Port Royal Road, Springfield, VA 22161, for a complete publication list.
Denning, Peter J. Computers Under Attack: Intruders, Worms and Viruses. Reading, MA: ACM Press/Addison-Wesley, 1990. One of the two most comprehensive collections of readings related to these topics, including reprints of many classic articles. A "must-have."
Ferbrache, David. The Pathology of Computer Viruses. London, England: Springer-Verlag, 1992. This is probably the best all-around book on the technical aspects of computer viruses.
Hoffman, Lance J. Rogue Programs: Viruses, Worms and Trojan Horses. New York, NY: Van Nostrand Reinhold, 1990. The other most comprehensive collection of readings on viruses, worms, and the like. A must for anyone interested in the issues involved.
The Virus Bulletin. Virus Bulletin CTD, Oxon, England. A monthly international publication on computer virus prevention and removal. (U.S. orders may be placed c/o June Jordan, (203) 431-8720, for $395/year. European orders may be placed through +44 235-555139 for £195/year.) This is an outstanding publication about computer viruses and virus prevention. It is likely to be of value only to sites with a significant PC population, however. The publication also sponsors a yearly conference that has good papers on viruses. http://www.virusbtn.com.
Denning, Dorothy E. R. Cryptography and Data Security. Reading, MA: Addison-Wesley, 1983. The classic textbook in the field.
Garfinkel, Simson. PGP: Pretty Good Privacy. Sebastopol, CA: O'Reilly & Associates, 1994. Describes the history of cryptography and the history of the program PGP, and explains PGP's use.
Hinsley, F. H., and Alan Stripp. Code Breakers: The Inside Story of Bletchley Park. Oxford, England: Oxford University Press, 1993.
Hodges, Andrew. Alan Turing: The Enigma. New York, NY: Simon & Schuster, Inc., 1983. The definitive biography of the brilliant scientist who broke "Enigma," Germany's deepest World War II secret; who pioneered the modern computer age; and who finally fell victim to the Cold War world of military secrets and sex scandals.
Hoffman, Lance J. Building in Big Brother: The Cryptographic Policy Debate. New York, NY: Springer-Verlag, 1995. An interesting collection of papers and articles about the Clipper Chip, Digital Telephony legislation, and public policy on encryption.
Kahn, David. The Codebreakers. New York, NY: Macmillan Company, 1972. The definitive history of cryptography prior to the invention of public key.
Kahn, David. Seizing the Enigma: The Race to Break the German U-Boat Codes, 1939-1943. Boston, MA: Houghton Mifflin, 1991.
Merkle, Ralph. Secrecy, Authentication and Public Key Systems. Ann Arbor, MI: UMI Research Press, 1982.
Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Second edition. New York, NY: John Wiley & Sons, 1996. The most comprehensive, unclassified book about computer encryption and data-privacy techniques ever published.
Simmons, G. J., ed. Contemporary Cryptology: The Science of Information Integrity. New York, NY: IEEE Press, 1992.
Smith, Laurence Dwight. Cryptography: The Science of Secret Writing. New York, NY: Dover Publications, 1941.
Association for Computing Machinery. "Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy." Report of a Special Panel of the ACM U.S. Public Policy Committee (USACM), June 1994. (URL: http://info.acm.org/reports/acm_crypto_study.html)
Coppersmith, Don. IBM Journal of Research and Development 38 (1994).
Diffie, Whitfield. "The First Ten Years of Public-Key Cryptography." Proceedings of the IEEE 76 (1988): 560-76. Whitfield Diffie's tour-de-force history of public key cryptography, with revealing commentaries.
Diffie, Whitfield, and M.E. Hellman. "New Directions in Cryptography." IEEE Transactions on Information Theory IT-22 (1976). The article that introduced the concept of public key cryptography.
Hoffman, Lance J., Faraz A. Ali, Steven L. Heckler, and Ann Huybrechts. "Cryptography Policy." Communications of the ACM 37 (1994): 109-17.
Lai, Xuejia. "On the Design and Security of Block Ciphers." ETH Series in Information Processing 1 (1992). The article describing the IDEA cipher.
Lai, Xuejia, and James L. Massey. "A Proposal for a New Block Encryption Standard." Advances in Cryptology-EUROCRYPT '90 Proceedings (1992): 55-70. Another article describing the IDEA cipher.
LaMacchia, Brian A., and Andrew M. Odlyzko. "Computation of Discrete Logarithms in Prime Fields." Designs, Codes, and Cryptography (1991): 46-62.
Lenstra, A. K., H. W. Lenstra, Jr., M. S. Manasse, and J. M. Pollard. "The Number Field Sieve." Proceedings of the 22nd ACM Symposium on the Theory of Computing. Baltimore, MD: ACM Press, 1990, 564-72.
Lenstra, A.K., Lenstra, Jr., H.W., Manasse, M.S., and J.M. Pollard. "The Factorization of the Ninth Fermat Number." Mathematics of Computation 61 (1993): 319-50.
Merkle, Ralph. "Secure Communication Over Insecure Channels." Communications of the ACM 21 (1978): 294-99 (submitted in 1975). The article that should have introduced the concept of public key cryptography.
Merkle, Ralph, and Martin E. Hellman. "On the Security of Multiple Encryption." Communications of the ACM 24 (1981): 465-67.
Merkle, Ralph, and Martin E. Hellman. "Hiding Information and Signatures in Trap Door Knapsacks." IEEE Transactions on Information Theory 24 (1978): 525-30.
National Bureau of Standards. Data Encryption Standard, 1987. (FIPS PUB 46-1)
Rivest, Ron. Ciphertext: The RSA Newsletter 1 (1993).
Rivest, Ron, A. Shamir, and L. Adleman. "A Method for Obtaining Digital Signatures and Public Key Cryptosystems." Communications of the ACM 21 (1978).
Simmons, G. J. "How to Insure that Data Acquired to Verify Treaty Compliance are Trustworthy." In "Authentication without secrecy: A secure communications problem uniquely solvable by asymmetric encryption techniques." IEEE EASCON '79 (1979): 661-62.
Amoroso, Edward. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice-Hall, 1994. A very readable and complete introduction to computer security at the level of a college text.
Carroll, John M. Computer Security. 2nd edition. Stoneham, MA: Butterworth Publishers, 1987. Contains an excellent treatment of issues in physical communications security.
Computers & Security. This is a journal published eight times each year by Elsevier Press, Oxford, England. (Order from Elsevier Press, +44-(0) 865-512242.) It is one of the main journals in the field. This journal is priced for institutional subscriptions, not individuals. Each issue contains pointers to dozens of other publications and organizations that might be of interest, as well as refereed articles, practicums, and correspondence. The URL for the WWW page is included in "Security Periodicals."
Computer Security Requirements - Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments. Fort George G. Meade, MD: National Computer Security Center, 1985. (Order number CSC-STD-003-85.) (The Yellow Book)
Datapro Reports on Computer Security. Delran, NJ: McGraw-Hill. (Order from Datapro, 609-764-0100.) An ongoing (and expensive) series of reports on various issues of security, including legislation trends, new products, items in the news, and more. Practitioners are divided on the value of this publication, so check it out carefully before you buy it to see if it is useful in your situation.
Department of Defense Password Management Guideline. Fort George G. Meade, MD: National Computer Security Center, 1985. (Order number CSC-STD-002-85.) (The Green Book)
Department of Defense Trusted Computer System Evaluation Criteria. Fort George G. Meade, MD: National Computer Security Center, 1985. (Order number DoD 5200.28-STD.) (The Orange Book)
Fites, P. E., M. P. J. Kratz, and A. F. Brebner. Control and Security of Computer Information Systems. Rockville, MD: Computer Science Press, 1989. A good introduction to the administration of security policy, rather than to technical measures.
Gasser, Morrie. Building a Secure Computer System. New York, NY: Van Nostrand Reinhold, 1988. A solid introduction to issues of secure system design.
Hunt, A. E., S. Bosworth, and D. B. Hoyt, eds. Computer Security Handbook, 3rd edition. New York, NY: Wiley, 1995. A massive and thorough collection of essays on all aspects of computer security.
National Research Council. Computers at Risk: Safe Computing in the Information Age. Washington, DC: National Academy Press, 1991. (Order from NRC, 1-800-624-6242.) This book created considerable comment. It's a report of a panel of experts discussing the need for national concern and research in the areas of computer security and privacy. Some people think it is a significant publication, while others believe it has faulty assumptions and conclusions. Either way, you should probably read it.
Pfleeger, Charles P. Security in Computing. Englewood Cliffs, NJ: Prentice-Hall, 1989. Another good introduction to computer security.
Russell, Deborah, and G. T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, 1991. An excellent introduction to many areas of computer security and a summary of government security requirements and issues.
Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM, Volume 27, Number 8, August 1984. This is a "must-read" for anyone seeking to understand the limits of computer security and trust.
Wood, Charles Cresson, et al. Computer Security: A Comprehensive Controls Checklist. New York, NY: John Wiley & Sons, 1987. Contains many comprehensive and detailed checklists for assessing the state of your own computer security and operations.
Wood, Charles Cresson. Information Security Policies Made Easy. Sausalito, CA: Baseline Software, 1994. This book and accompanying software allow the reader to construct a corporate security policy using hundreds of components listed in the book. Pricey, but worth it if you need to write a comprehensive policy:
Bellovin, Steve, and Cheswick, Bill. Firewalls and Internet Security. Reading, MA: Addison-Wesley, 1994. The classic book on firewalls. This book will teach you everything you need to know about how firewalls work, but it will leave you without implementation details unless you happen to have access to the full source code to the UNIX operating system and a staff of programmers who can write bug-free code.
Chapman, D. Brent, and Elizabeth D. Zwicky. Building Internet Firewalls. Sebastopol, CA: O'Reilly & Associates, 1995. A good how-to book that describes in clear detail how to build your own firewall.
Comer, Douglas E. Internetworking with TCP/IP. 3rd Edition. Englewood Cliffs, NJ: Prentice Hall, 1995. A complete, readable reference that describes how TCP/IP networking works, including information on protocols, tuning, and applications.
Frey, Donnalyn, and Rick Adams. !%@:: A Directory of Electronic Mail Addressing and Networks. Sebastopol, CA: O'Reilly & Associates, 1990. This guide is a complete reference to everything you would ever want to know about sending electronic mail. It covers addressing and transport issues for almost every known network, along with lots of other useful information to help you get mail from here to there. Highly recommended.
Hunt, Craig. TCP/IP Network Administration. Sebastopol, CA: O'Reilly & Associates, 1992. This book is an excellent system administrator's overview of TCP/IP networking (with a focus on UNIX systems), and a very useful reference to major UNIX networking services and tools such as BIND (the standard UNIX DNS server) and sendmail (the standard UNIX SMTP server).
Kaufman, Charles, Radia Perlman, and Mike Speciner. Network Security: Private Communications in a Public World. Englewood Cliffs, NJ: Prentice-Hall, 1995.
Liu, Cricket, Jerry Peek, Russ Jones, Bryan Buus, and Adrian Nye. Managing Internet Information Services. Sebastopol, CA: O'Reilly & Associates, 1994. This is an excellent guide to setting up and managing Internet services such as the World Wide Web, FTP, Gopher, and more, including discussions of the security implications of these services.
Stallings, William. Network and Internetwork Security: Principles and Practice. Englewood Cliffs, NJ: Prentice Hall, 1995. A good introductory textbook.
Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, MA: Addison-Wesley, 1994. This is a good guide to the nuts and bolts of TCP/IP networking. Its main strength is that it provides traces of the packets going back and forth as the protocols are actually in use, and uses the traces to illustrate the discussions of the protocols.
Quarterman, John. The Matrix: Computer Networks and Conferencing Systems Worldwide. Bedford, MA: Digital Press, 1990. A dated but still insightful book describing the networks, protocols, and politics of the world of networking.
Computer Security Buyer's Guide. Computer Security Institute, San Francisco, CA. (Order from CSI, 415-905-2626.) Contains a comprehensive list of computer security hardware devices and software systems that are commercially available. The guide is free with membership in the Institute. The URL is http://www.gocsi.com.
Brunner, John. Shockwave Rider. New York, NY: A Del Rey Book, published by Ballantine, 1975. One of the first descriptions of a computer worm.
Gibson, William. Burning Chrome, Count Zero, Mona Lisa Overdrive, and Neuromancer. New York, NY: Bantam Books. Four cyberpunk books by the science fiction author who coined the term "cyberspace."
Hafner, Katie, and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York, NY: Simon and Schuster, 1991. Tells the stories of three hackers - Kevin Mitnick, Pengo, and Robert T. Morris.
Levy, Steven. Hackers: Heroes of the Computer Revolution. New York, NY: Dell Books, 1984. One of the original publications describing the "hacker ethic."
Littman, Jonathan. The Fugitive Game: Online with Kevin Mitnick. Boston, MA: Little, Brown, 1996. A year prior to his capture in 1995, Jonathan Littman had extensive telephone conversations with Kevin Mitnick and learned what it is like to be a computer hacker on the run. This is the story.
Shimomura, Tsutomu, with John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who Did It. New York, NY: Hyperion, 1995. On Christmas Day, 1994, an attacker broke into Tsutomu Shimomura's computer. A few weeks later, Shimomura was asked to help out with a series of break-ins at two major Internet service providers in the San Francisco area. Eventually, the trail led to North Carolina, where Shimomura participated in the tracking and capture of Kevin Mitnick. This is the story, written by Shimomura and Markoff. Markoff is the journalist with The New York Times who covered the capture.
Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. This book is available in several places on the WWW; http://www-swiss.ai.mit.edu/~bal/sterling/contents.html is one location; other locations can be found in the COAST hotlist.
Stoll, Cliff. The Cuckoo's Egg. Garden City, NY: Doubleday, 1989. An amusing and gripping account of tracing a computer intruder through the networks. The intruder was later found to be working for the KGB and trying to steal sensitive information from U.S. systems.
Varley, John. Press Enter. Reprinted in several collections of science fiction, including Blue Champagne, Ace Books, 1986; Isaac Asimov's Science Fiction Magazine, 1984; and Tor SF Doubles, October, Tor Books, 1990.
Vinge, Vernor. True Names and Other Dangers. New York, NY: Baen, distributed by Simon & Schuster, 1987.
Bach, Maurice. The Design of the UNIX Operating System. Englewood Cliffs, NJ: Prentice-Hall, 1986. Good background about how the internals of UNIX work. Basically oriented toward older System V UNIX, but with details applicable to every version.
Bolsky, Morris I., and David G. Korn. The New KornShell Command and Programming Language. Englewood Cliffs, NJ: Prentice-Hall, 1995. This is a complete tutorial and reference to the 1992 ksh - the only shell some of us use when given the choice.
Costales, Bryan, with Eric Allman and Neil Rickert. sendmail. Sebastopol, CA: O'Reilly & Associates, 1993. Rightly or wrongly, many UNIX sites continue to use the sendmail mail program. This huge book will give you tips on configuring it more securely.
Goodheart, B., and J. Cox. The Magic Garden Explained: The Internals of UNIX SVR4. Englewood Cliffs, NJ: Prentice-Hall, 1994.
Harbison, Samuel P. and Guy L. Steele Jr., C, a Reference Manual. Englewood Cliffs, NJ: Prentice Hall, 1984.
Hu, Wei. DCE Security Programming. Sebastopol, CA: O'Reilly & Associates, 1995.
Kernighan, Brian, Dennis Ritchie, and Rob Pike. The UNIX Programming Environment. Englewood Cliffs, NJ: Prentice-Hall, 1984. A nice guide to the UNIX philosophy and how to build shell scripts and command environments under UNIX.
Leffler, Samuel, Marshall Kirk McKusick, Michael Karels, and John Quarterman. The Design and Implementation of the 4.3 BSD UNIX Operating System. Reading, MA: Addison Wesley, 1989. This book can be viewed as the BSD version of Maurice Bach's book. It is a readable and detailed description of how and why the BSD UNIX system is designed the way it is. (An updated version covering BSD 4.4 is rumored to be in production, to appear after publication of this edition.)
Nemeth, Evi, Garth Snyder, Scott Seebass, and Trent R. Hein. UNIX System Administration Handbook. 2nd Edition. Englewood Cliffs, NJ: Prentice-Hall, 1995. An excellent reference on the various ins and outs of running a UNIX system. This book includes information on system configuration, adding and deleting users, running accounting, performing backups, configuring networks, running sendmail, and much more. Highly recommended.
O'Reilly, Tim, and Grace Todino. Managing UUCP and Usenet. Sebastopol, CA: O'Reilly & Associates, 1992. If you run UUCP on your machine, you need this book. It discusses all the various intricacies of running the various versions of UUCP. Included is material on setup and configuration, debugging connections, and accounting. Highly recommended.
Peek, Jerry, et al. UNIX Power Tools. Sebastopol, CA: O'Reilly & Associates, 1993.
Ramsey, Rick. All About Administering NIS+. Englewood Cliffs, NJ: Prentice-Hall, 1994.
Rochkind, Marc. Advanced UNIX Programming. Englewood Cliffs, NJ: Prentice-Hall, 1985. This book has an easy-to-follow introduction to various system calls in UNIX (primarily System V) and explains how to use them from C programs. If you are administering a system and reading or writing system-level code, this book is a good way to get started, but keep in mind that it is rather dated.
Stevens, W. Richard. Advanced Programming in the UNIX Environment. Reading, MA: Addison-Wesley, 1992.
Hawking, Stephen W. A Brief History of Time: From the Big Bang to Black Holes, New York, NY: Bantam Books, 1988. Want to find the age of the universe? It's in here, but UNIX is not.
Miller, Barton P., Lars Fredriksen, and Bryan So. "An Empirical Study of the Reliability of UNIX Utilities," Communications of the ACM, Volume 33, Number 12, December 1990, 32-44. A thought-provoking report of a study showing how UNIX utilities behave when given unexpected input.
Wall, Larry, and Randal L. Schwartz. Programming perl. Sebastopol, CA: O'Reilly & Associates, 1991. The definitive reference to the Perl scripting language. A must for anyone who does much shell, awk, or sed programming or would like to quickly write some applications in UNIX.
Wall, Larry and Randal L. Schwartz. Learning perl, Sebastopol, CA: O'Reilly & Associates, 1993.