Saturday, March 24, 2007

Books on Security Assessment

I'm building the course material for my upcoming UCLA Extension class on security assessment. After searching the reviews at Amazon, Slashdot articles, and archives of the pen test mailing list, I've come up with the following:

These are all good books and each would be an excellent addition to the library of an IT auditor, security analyst, or penetration tester.

Gregg and Kim's book is the best introduction to the subject. It gives an overview of the risk assessment process, covers security essentials first, and then describes the components of an assessment methodology. It is really a management overview, a good text for an intro class or for an IT manager considering hiring an assessment consultant.

Sudhanshu Kairab's book goes into more detail on the business process behind performing an assessment. It presents a more detailed methodology aimed at a senior security analyst. The nuts and bolts of managing an assessment project are described, including hints on how to gather information through interviews and how to structure the final report. A good third of the book is appendices containing security checklists that can guide an assessment project.

The remaining books provide a more in-depth look at the technical aspects of security assessment, including the techniques used in performing a penetration test. Their shelf life is much shorter than that of the process-based guides, because techniques for security analysis have a very short lifespan. New techniques are developed quickly, and older vulnerabilities often die just as quickly. A vulnerability testing tool that goes unmaintained for two years is, for practical purposes, useless.

Chris McNab's book is part of the O'Reilly family of technical publications. It is well written, easy to follow, and tends to focus on examining UNIX-like systems. Hacking Exposed is the latest in a long dynasty of books from the former E&Y guys. It is very detailed, with chapters on current topics like VoIP hacking, phishing, and browser client attacks. An older version I had (2nd) seemed to be rather Windows-centric in its choice of tools. This current version does not suffer from such an emphasis. Finally, Whitaker and Newman's book, published by Cisco Press, also has a good technical emphasis. It does not seem as up-to-date as Hacking Exposed v5, though becoming out-of-date is a hazard of the genre. Any technical "how to hack" book should be regarded as only a starting point. Once the basics are mastered, a professional pen tester should keep current by attending conferences and following mailing lists such as the pen test list.