Julien Vehent on 19 May 2012 15:37:07 -0700



Re: [PLUG] I need a book recommendation


Computer and Network security is mostly about using the existing tools the right way. As a security engineer myself, I see a lot of people walking into the field with high hopes to build complex cryptography systems, highly firewalled networks, triple biometric access control on every door, etc...  Those people usually become terrible security professionals.

As much as I like those topics myself, they don't serve the purpose of good security all that well. Simple stuff, but applied to the size of a large environment, with several hundred servers talking to each other constantly, is what works best. Most of the time, computer security is about not giving read permission to the entire world for the credentials file (yep, that's a simple chmod 400), or opening the firewall for one IP only instead of a full IP range. That kind of thing.

My point is: being an excellent sysadmin is key to becoming an excellent security professional. Don't take shortcuts when you build a system, study every aspect of it until you understand how to break it and how to secure it.  Also, be as much of a dev as you are a sysadmin, you cannot separate the code from the system it runs on when you look at security.

That's why I think this "Handbook" is a great read.

Now, yes, there is some stuff to learn in crypto, pentest and so on to really do security the right way. Passwords should be salted and hashed using bcrypt or the like, SSL should use Ephemeral Diffie-Hellman key exchange, you need to know about XSS, CSS, SQL Injections, etc... Here's a set of books that I find useful and well written:

Schneier's classic "Cryptography Engineering" http://www.schneier.com/book-ce.html

Metasploit http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X

NMAP http://nmap.org/book/

Risk Analysis methods can also be useful to learn how to categorize information. We usually rate information in 4 categories, Availability, Integrity, Confidentiality & Traceability, and on a scale from 1 (low risk) to 4 (critical).

But once again all of the above will be useless if you don't know your sysadmin and networking by heart. Security is hard. Pick a system (Linux, Windows, Solaris, ...) or a domain (Web Security, Databases, ...) and focus on that for a while until you can show real expertise.


Hope that helps, and doesn't sound too patronizing... :/

- Julien


On 2012-05-18 22:27, jazzman@exdomain.org wrote:

Excellent! Thank you! I should specify that I want to get more 
knowledgeable about general security stuff, not just Linux, but I would 
guess most of the skills/knowledge is transferable.

Thanks!

On Fri, 18 May 2012, Julien Vehent wrote:
That: http://www.amazon.com/Linux-System-Administration-Handbook-Edition/dp/0131480057/ref=dp_ob_image_bk
A computer. A Coffee Machine. And unplug the phone for the rest of the weekend ;)
-- 
Julien Vehent - http://1nw.eu/!j
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

-- 
Julien Vehent - http://1nw.eu/!j