Recommended books on Security and Cryptography

Some of these are quite old, but they can still make good starting points in finding the book you need.

Charles P. Pfleeger, Shari Lawrence Pfleeger, Prentice Hall, 2003

This is a good undergraduate text which is also useful for anyone wishing to acquire a broad overview of the computer security area. Computer security is defined broadly (as it should be), so the subject matter is not limited to malicious hackers, worms, and viruses, but includes physical threats, practical security, and the legal and privacy issues in computing. The writing is clear and thankfully steers clear of the hyperbole associated with less academic texts on the subject. It's not cheap, but is still a highly recommended introductory text.

Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper, Que, 2001

Really for computer and network intrusion specialists, this book describes in detail attacks on many kinds of system. By examining the details of attacks, it reveals interesting insights into hacker strategies and possible defenses.

F.H. Hinsley & Alan Stripp (Editors), Oxford University Press, 1993

Too many books about Bletchley Park in World War II give the impression that the only cipher of any significance was the German Enigma cipher, and that once this was broken (and a machine constructed to search for each day's keys) a continuous flow of high level intelligence resulted.

This book corrects that impression. There were many variants of the Enigma machine in use, with different complications being added for army, navy, and air force machines. Messages sent using Enigma were deliberately kept short — the dangers of key re-use during a day were well recognized — and improvements (such as additional or modifiable encoding wheels) were introduced at various points to increase security. There were therefore times when traffic could not be read, and the attempted decryption of intercepted traffic had to be prioritized according to its expected intelligence value.

The effort involved in repeatedly breaking the cipher was massive.

Nor was Enigma the only cipher in use.

The Lorenz teleprinter ciphers were also broken. These were used on a few major communication links, and yielded longer messages with more strategic intelligence. (Throughout the war, traffic was sent by landline where possible, which was more secure from interception.)

In addition, many hand ciphers were in use. These were frequently variants of the Playfair cipher (used by the British and broken by the Germans during World War I). Sometimes this was because of the danger of a cipher machine falling into enemy hands; sometimes due to the logistics and costs of distributing cipher machines to every unit; sometimes, in the case of spies, because of a need for concealment. Breaking these hand ciphers was a key task performed by Bletchley staff. When the same message was sent using multiple encryption methods, these would provide a crib (known plaintext) which could then be used to attack the daily Enigma keys.

This book consists of a collection of essays written by personnel working at Bletchley. It is the only book I've encountered which mentions the wider range of codes and ciphers in use and some of the methods used in their cryptanalysis. It's also one of the better books for giving an idea of the sheer size of the organization and its scale of operations. It lacks a lot of detail on the Lorenz ciphers — possibly because the details were still classified when the book was written. There are also some other points where the chapter author is clearly holding back classified information. It doesn't have the best description of how Enigma was broken, but it does describe very well how the wheel settings could be broken independently of the steckering (plugboard) — the key cryptographic weakness that allowed the bombe decryption machines to work.

I've always thought it's a pity there is no corresponding book describing the Abwehr analysis of Allied ciphers. What was the German assessment of the British Typex machine? Were the Allied hand ciphers as badly broken as they were in World War I? Unfortunately it seems unlikely that there will ever be an Axis book like this one.

Lincoln D. Stein, Addison-Wesley, 1998

Aimed at a general audience (administrators, developers, and end users), this is an expansion of Stein's excellent WWW Security FAQ. Good advice on hardening Unix and NT servers.

Sadly, as with so many books in this field, it is beginning to date.

Michael Howard, David LeBlanc, John Viega, McGraw-Hill, 2010

Most books about hacking and software vulnerabilities are terrible. This one is actually quite good.

The reason most books are terrible is that they concentrate on specific vulnerabilities and don't draw general lessons. The information they give therefore relates to very specific vulnerabilities which are generally long-fixed by the time the book appears in print. They offer little of interest either for the hacker, or for the software designer or programmer who must design a secure system. You can probably find a dozen such books discarded in your local thrift store.

This book is actually one worth having.

The authors provide general observations of classes of errors, along with examples of when these errors have been made in the past, and how to identify such errors in a design or source code. It's not a perfect book: too much of the early chapters are spent demonstrating particular coding errors in a variety of computer languages, and perhaps some of the later chapters are too cursory as a result — but it's one of the few books on the topic that I expect to be worth keeping and re-reading in more than a year's time.

Ed Tittel, Mike Chapple, James M. Stewart, Sybex, 2003

Even if you're not a security professional studying for CISSP exams, this study guide gives a broad overview of computer security ("a mile wide and an inch deep") which is useful background for anyone concerned with business continuity or disaster recovery planning.

Michal Zalewski, No Starch Press, 2022

I'm not normally a fan of "prepping" books. The scenarios described are too unlikely and the proposed mitigations are often unrealistic and disproportionate.

A Mad Max style dystopian future won't occur next week, and before you prepare to fend off gangs of armed marauders attacking your underground nuclear bunker there are more mundane risks you should be prepared to survive.

Zalewski takes a wide view of risk, looking at disasters from personal to global. He assesses their likelihoods, and looks at the practical measures we can take to prepare for them. I like the coverage here. There's everything from unexpected unemployment and falling off a ladder to hyperinflation and nuclear war. Each is treated thoughtfully with the respect it deserves.

In risk management everything is about trade-offs, and this book covers some trade-offs I had never considered. For example, every emergency plan suggests stockpiling some food to cope with disruption to supply. Food doesn't last forever, and whether it's a one-week supply or a one-year supply your stockpile needs to be managed so that it is still edible when you need it. One approach is to continually eat through and replenish your stockpile, thus ensuring it has a certain level of freshness; the other is to eat nicer (but more perishable) food and discard your stockpile at regular intervals. I've tried both by accident rather than design, and when presented with the choice, I know which I prefer.

Ultimately how likely you believe various threats are and what efforts you should personally take to mitigate them is your own decision. This book provides a good basis for clarifying those risks and making that decision.

Kevin Mandia, Chris Prosise, Matt Pepe, McGraw-Hill, 2003

So someone just hacked your system and stole $1,000,000... What do you do now?

This book covers the forensic techniques required to analyze a computer crime - from sniffing networks to analyzing slack space on disk. If you think your computer usage isn't leaving tell-tale signs on hard disk or in log files somewhere, think again. Also covered are the important requirements for collecting and handling evidence if it must stand up in court. Packed with real case histories and examples, this book will be useful both for the aspiring investigator and the computer criminal :-)

Bruce Schneier, John Wiley & Sons, 1996

A must-have book for the amateur cryptographer. Useful if you need to implement your own cryptographic algorithms or protocols, or just understand why cryptographic systems work the way they do.

Simon Singh, Doubleday, 1999

A comprehensive (and very readable) history of code breaking. One of the few references which actually explains how the World War II Enigma code was broken in detail. A useful reminder that calculations about the infeasibility of breaking a cipher are often wrong.

Kevin D. Mitnick, William L. Simon, Wiley, 2002

Kevin Mitnick is unquestionably an expert in the field of social engineering — obtaining information or access using deception. You won't find much about computer hacking per se in this book: as the author all too clearly points out, if you can persuade an insider to give you the information you need, why waste any time or take any risks?

What you will find here is a good set of fictionalized case histories showing just how subtle and ingenious social engineers can be in reaching their goals. You'll also develop a healthy distrust of the phone system, Caller ID, and requests to fax documents internally.

Could someone get your system administrators to allow them access to your website? Can your website be attacked from your intranet using some of the techniques described here? You will have to read the book and decide for yourself. But from what's written here, if your organization is of any size, I suspect the answer is yes.

Jonathan Littman, Little, Brown and Company, 1997

There can't be many other hackers who have appeared on America's Most Wanted. Poulsen penetrated the security at Pac Bell so completely that ultimately he knew which telephones were going to be tapped before the taps were installed. Poulsen used both physical and network intrusion to get the access he wanted. A useful reminder that website security requires physical security to be truly effective.
