You are the same person today that you will be ten years from now, except for two things: the people you meet, and the books you read. — Mark Twain
How many times have you heard, “If you were stranded on a desert island, what books would you take with you?” My response would be, it depends on how long I am going to be stranded. Often I do wish I could take some time off just to read.
Initially, the list below contained only books that I had read or was reading. Then I found LibraryThing. To quote from the site, “LibraryThing is an online service to help people catalog their books easily. You can access your catalog from anywhere—even on your mobile phone. Because everyone catalogs together, LibraryThing also connects people with the same books, comes up with suggestions for what to read next, and so forth.” ITConversations did an interview with the founder and lead developer of LibraryThing, Tim Spalding, on a show titled “Social Cataloging for Book Lovers.” If you look over to the right side of this blog and scroll down, you will see a section titled “Random books from my library.” The widget pulls a random list of ten book covers I have recently read or am in the process of reading. It is a nice visual addition to the blog which does not require any clicking to see.
There are a few documents listed below that are not books, but I still wanted to provide links. Also listed are a few books that look very interesting but that I have yet to buy.
10th Annual Global Information Security Survey 2007 by Ernst & Young
Here is a basic description, “The 10th Annual Global Information Security Survey examines the current state of information security, and the major factors shaping the future. The report looks at how organizations are aligning information security with their business objectives, what is driving the need for and improvements in information security, how organizations are managing their information security function, and how organizations are staffing information security.”
NIST SP 800-53rev2: DRAFT Guide for Assessing the Security Controls in Federal Information Systems
Here is a basic description, “This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans.”
Mapping of NIST SP800-53 Rev 1 With COBIT 4.1
Here is a basic description, “This document contains a detailed mapping of NIST SP800-53 Rev 1 with COBIT 4.1 and also contains the classification of the standards discussed in this paper as presented in the overview document COBIT® Mapping: Overview of International IT Guidance, 2nd Edition.”
Guidelines on Securing Public Web Servers (NIST SP 800-44 Version 2)
Here is a basic description, “It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers.”
Here is a basic description, “The draft revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in draft Volume II include security categorization recommendations and rationale for mission-based and management and support information types.”
Here is a basic description, “It seeks to assist organizations in planning and conducting technical information security testing, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. Draft SP 800-115 is intended to replace SP 800-42, Guideline on Network Security Testing, which was released in 2003.”
Here is a basic description, “The Benchmark is a compilation of security configuration actions and settings that “harden” MySQL databases. It recommends Level 1 Benchmark guidance, representing the prudent level of minimum due care for operating system security.”
Center for Internet Security Benchmark for Apache Web Server v2.1 edited by Ryan Barnett
Here is a basic description, “The Benchmark is a compilation of security configuration actions and settings that “harden” Apache web servers.”
Here is a basic description, “ModSecurity is an Apache module that adds intrusion detection and prevention features to the Web server. In principle it is similar to an IDS you would use to analyse your network traffic, except that it works on the HTTP level and understands it really well. Because of this it allows you to do things that are normal from the HTTP point of view but are difficult to do from a classical IDS.”
Performance Measurement Guide for Information Security
Here is a basic description, “NIST Draft SP 800-55 Rev1 is a guide for the development, selection, and implementation of measures to be used at the information system and program levels. This draft guideline indicates the effectiveness of security controls applied to information systems and supporting information security programs. Draft SP 800-55 Rev1 supersedes Draft SP 800-80, Guide for Developing Performance Metrics for Information Security. Comments on draft 800-55 Revision 1 will be accepted through November 16, 2007.”

Incident Management Capability Metrics by Audrey Dorofee, Georgia Killcrece, Robin Ruefle, and Mark Zajicek
Here is a basic description, “Successful management of incidents that threaten an organization’s computer security is a complex endeavor. Frequently an organization’s primary focus on the response aspects of security incidents results in its failure to manage incidents beyond simply reacting to threatening events. The metrics presented in this document are intended to provide a baseline or benchmark of incident management practices. The incident management functions—provided in a series of questions and indicators—define the actual benchmark. The questions explore different aspects of incident management activities for protecting, defending, and sustaining an organization’s computing environment in addition to conducting appropriate response actions. This benchmark can be used by an organization to assess how its current incident management capability is defined, managed, measured, and improved. This will help assure the system owners, data owners, and operators that their incident management services are being delivered with a high standard of quality and success, and within acceptable levels of risk.”
Computer Security Incident Handling Guide
Here is a basic description, “Computer Security Incident Handling Guide is available for public comment. It seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents.”
Guide to Integrating Forensic Techniques into Incident Response by Karen Kent, Suzanne Chevalier, Tim Grance, and Hung Dang.
Here is a basic description, “The guide presents forensics from an IT view, not a law enforcement view. It is written for incident response teams; forensic analysts; system, network, and security administrators; and computer security program managers who are responsible for performing forensics for investigative, incident response, or troubleshooting purposes.”
Guide to Intrusion Detection and Prevention (IDP) Systems by Karen Scarfone and Peter Mell.
Here is a basic description, “SP 800-94 seeks to assist organizations in understanding intrusion detection system and intrusion prevention system technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention system (IDPS) solutions. It provides practical, real-world guidance for each of four classes of IDPS products: network-based, wireless, network behavior analysis software, and host-based. The publication also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software. It focuses on enterprise IDPS solutions, but most of the information in the publication is also applicable to standalone and small-scale IDPS deployments. This publication replaces NIST SP 800-31, Intrusion Detection Systems.”
Defense-in-Depth: Foundations for Secure and Resilient Enterprises by Christopher J. May, Josh Hammerstein, Jeff Mattson, and Kristopher Rush
Here is a basic description, “The Defense-in-Depth Foundational Curriculum is designed for students, ranging from system administrators to CIOs, who have some technical understanding of information systems and want to delve into how technical assurance issues affect their entire organizations. The course material takes a big-picture view while also reinforcing concepts presented with some details about implementation. Therefore, this course can be a useful pursuit for system administrators and IT security personnel who would like to step up to the management level. It also can provide a refresher for IT managers and executives who want to stay up to date on the latest technological threats facing their enterprises.”
Conditions for Achieving Network-Centric Operations in Systems of Systems by David A. Fisher, B. Craig Meyers, and Pat Place
Here is a basic description, “The advantages of systems of systems—such as the ability to adapt to unanticipated and unforeseen situations, eliminate single points of failure, and remain continuously operational while being dynamically updated—guarantee their increasing importance to military and commercial environments. The advent of network-centric systems has served only to accelerate the already prevalent move toward systems of systems. At the same time, network-centric systems and systems of systems are proving difficult to acquire, develop, test, and operate. Many of them are abandoned before they can be fielded, and fielded systems often fail to satisfy their objectives—demonstrating cost and schedule overruns in their development and sometimes catastrophic failures in operation. The increasing disparity between the normative (but nonfactual) assumptions that underlie current practices and tools used in the acquisition, development, evolution, and operation of systems and the realities of actual systems of systems contributes to those problems. Effective practices and tools for the acquisition, development, and operation of systems of systems have not yet been developed. Suggesting a context in which those practices and tools can be developed, this technical note proposes necessary conditions—statements of what the desired future state should be—in six areas that influence the effectiveness of network-centric systems and systems of systems: (1) social and cultural environment, (2) legal and regulatory framework, (3) management practices, (4) governance procedures, (5) engineering practices, and (6) technology base.”
Governing for Enterprise Security (GES) Implementation Guide by Jody R. Westby and Julia H. Allen
Here is a basic description, “Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. If an organization’s management does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance. This implementation guide builds upon prior publications by providing prescriptive guidance for creating and sustaining an enterprise security governance program. It is geared for senior leaders, including those who serve on boards of directors or the equivalent. Throughout the implementation guide, we describe the elements of an enterprise security program (ESP) and suggest how leaders can oversee, direct, and control it, and thereby exercise appropriate governance. Elevating security to a governance-level concern fosters attentive, security-conscious leaders who are better positioned to protect an organization’s digital assets, operations, market position, and reputation. This document presents a roadmap and practical guidance that will help business leaders implement an effective security governance program.”
Information System Security Reference Data Model by Elizabeth Chew, Kevin Stine, and Marianne Swanson.
This is not a long document. I plan on pulling a few sources and doing a posting on the Information System Security Reference Data Model. Here is a basic description, “Managing an organization’s information security program is complex and resource-intensive. The numerous reports, documents, and day-to-day security-related events that must be handled can keep the most organized information security officer overburdened. Automating many of the programmatic functions involved in information security can aid organizations to spend more time on securing systems, and less time on the required paperwork activities. There are many automated tools available to assist organizations, yet many of the tools cannot share data. This document will assist in managing an information security program by standardizing data fields to depict information systems and the status of information system security controls. A taxonomy and high-level XML schema is provided for software tool developers and federal agencies that wish to develop automated processes to support management of an information security program.”
CERT® Resiliency Engineering Framework
Here is a basic description, “As threats proliferate, organizations have a choice: They can scramble to fix vulnerabilities one by one, or they can increase their overall resilience so that even unexpected threats have less impact on their ability to fulfill their business mission. It can seem daunting to embark on an enterprise-wide business resiliency project, however. The CERT® Resiliency Engineering Framework doesn’t replace your organization’s best practices—it provides a process structure into which these practices can be inserted and managed. Using the resiliency engineering process definition as a guide, your organization can select the right practices to achieve the intended result and to ensure optimized resource deployment. In turn, your organization can measure the achievement of process goals to validate that the implemented practices are providing results.”
Guide to Industrial Control Systems (ICS) Security
Here is a basic description, “The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS.”
IT Control Objectives for Sarbanes-Oxley
Here is a basic description, “The Sarbanes-Oxley Act provides new corporate governance rules, regulations, and standards for public companies including the registrants of the Securities and Exchange Commission (SEC). The SEC has proposed the use of internal control framework to check the fraudulent working of the organizations. The paper focuses on the provisions laid down in the Section 404 of the Sarbanes-Oxley Act that assesses the effectiveness of the organization’s internal control.”
COBIT Security Baseline: An Information Security Survival Kit, 2nd Edition
Here is a basic description, “This guide, based on COBIT 4.1, consists of a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. COBIT covers security in addition to all the other risks that can occur with the use of IT. COBIT Security Baseline focuses on the specific risk of IT security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as executives and board members of larger organizations.”
COBIT Mapping: Mapping of ITIL with COBIT 4.0
Here is a basic description, “The Information Technology Infrastructure Library (ITIL), released by the OGC, consists of 10 processes—more commonly understood as service support (operational) and service delivery (tactical) processes—that comprise one function, effective IT service management. This mapping document contains a detailed mapping of ITIL with COBIT 4.0.”
COBIT Mapping: Mapping of PRINCE2 with COBIT 4.0
Here is a basic description, “This document enables IT governance practitioners to better interface between the IT audience and the board and executive levels. It contains a detailed mapping of PRINCE2 with COBIT 4.0. It also contains the classification of the standards discussed in this paper as presented in COBIT Mapping: Overview of International IT Guidance, 2nd Edition.”
COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
Here is a basic description, “The Code of Practice for Information Security Management is an international standard based on BS 7799-1/ISO/IEC 17799:2000. It is presented as best practice for implementing information security management. This mapping document contains a detailed mapping of ISO/IEC 17799:2005 with COBIT 4.0.”
This is the state-of-the-art report (SOAR) on Software Security Assurance published by the Information Assurance Technology Analysis Center (IATAC). Here is a basic description, “The objective of software assurance is to establish a basis for gaining justifiable confidence that software will consistently demonstrate one or more desirable properties. These include such properties as quality, reliability, correctness, dependability, usability, interoperability, safety, fault tolerance, and, of most interest for purposes of this document, security.”
OWASP Testing Guide
Here is a basic description, “The OWASP Testing Guide includes a best practice penetration testing framework which users can implement in their own organizations and a low level penetration testing guide that describes techniques for testing most common web application and web service security issues.”
A Guide to Building Secure Web Applications and Web Services
Here is a basic description, “This guide carefully explains many common web security issues, such as cross site scripting and SQL injection vulnerabilities. It provides information about securing most forms of web applications and services, along with real world guidance using J2EE, ASP.NET, and PHP samples. It also discusses Microsoft’s Threat Risk Modeling strategy, as well as several other security methodologies, such as Trike, CVSS, AS4360, and Octave.”
Guide to Secure Web Services by Anoop Singhal, Theodore Winograd, and Karen Scarfone.
Here is a basic description, “SP 800-95 seeks to assist organizations in understanding the challenges in integrating information security practices into Service Oriented Architecture (SOA) design and development based on Web services. The publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. SP 800-95 presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security devices (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this publication on a case-by-case basis.”
Guidelines on Securing Public Web Servers
Here is a basic description, “The guide explains current and emerging standards that have been developed for Web services and provides background information on the most common security threats to SOAs. The information presented can be applied to many different hardware platforms, operating systems, and applications. Other topics discussed in the guide include Web portals, the human user’s entry point into the SOA based on Web services; the challenges associated with making legacy applications secure; and secure implementation tools and technologies.”
Understanding SOA Security Design and Implementation
Here is a basic description, “Securing access to information is important to any business. Security becomes even more critical for implementations structured according to Service Oriented Architecture (SOA) principles, due to loose coupling of services and applications, and their possible operations across trust boundaries. To enable a business so that its processes and applications are flexible, you must start by expecting changes – both to process and application logic, as well as to the policies associated with them. Merely securing the perimeter is not sufficient for a flexible on demand business. In this redbook, security is factored into the SOA life cycle, reflecting the fact that security is a business requirement, and not just a technology attribute. We discuss an SOA security model that captures the essence of security services and securing services. These approaches to SOA security are discussed in the context of some scenarios, and observed patterns. We also discuss a reference model to address the requirements, patterns of deployment, and usage, and an approach to an integrated security management for SOA. This book is a valuable resource to senior security officers, architects, and security administrators.”
Evaluating a Service-Oriented Architecture
Here is a basic description, “The emergence of service-oriented architecture (SOA) as an approach for integrating applications that expose services presents many new challenges to organizations resulting in significant risks to their business. Particularly important among those risks are failures to effectively address quality attribute requirements such as performance, availability, security, and modifiability. Because the risk and impact of SOA is distributed and pervasive across applications, it is critical to perform an architecture evaluation early in the software life cycle. This report contains technical information about SOA design considerations and tradeoffs that can help the architecture evaluator to identify and mitigate risks in a timely and effective manner. The report provides an overview of SOA, outlines key architecture approaches and their effect on quality attributes, establishes an organized collection of design-related questions that an architecture evaluator may use to analyze the ability of the architecture to meet quality requirements, and provides a brief sample evaluation.”
SOA Security by Ramarao Kanneganti and Prasad A. Chodavarapu
Here is a basic description, “Anyone seeking to implement SOA Security is forced to dig through a maze of inter-dependent specifications and API docs that assume a lot of prior security knowledge on the part of readers. Getting started on a project is proving to be a huge challenge to practitioners. This book seeks to change that. It provides a bottom-up understanding of security techniques appropriate for use in SOA without assuming any prior familiarity with security topics.”
Process Improvement Should Link to Security: SEPG 2007 Security Track Recap by Carol Woody, PhD
Here is a basic description, “Security is a very visible issue these days for software. New software products are continuously reported to be vulnerable to attack and compromise; organizations must support an expensive unending update-and-upgrade cycle. Process improvement has been proposed as a mechanism for addressing security challenges, but the Capability Maturity Model Integration (CMMI) approach does not specifically address security, so the linkages for the Software Engineering Process Group (SEPG) community are unclear. The security track at the SEPG 2007 conference was developed to provide a forum for identifying the appropriate ties between process improvement and security. This document summarizes the content shared at the conference and identifies several subsequent steps underway toward strengthening those ties.”
Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process by Richard A. Caralli, James F. Stevens, Lisa R. Young, and William R. Wilson
Here is a basic description, “This technical report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. OCTAVE Allegro is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support. This report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods and provides guidance, worksheets, and examples that an organization can use to begin performing OCTAVE Allegro-based risk assessments.”
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd, John McDonald, and Justin Schuh
Dave Aitel writes, “Unlike many books with multiple authors, this is an extremely well put together book that flows naturally from chapter to chapter. The chapters on C auditing are amazing. The chapters on web assessment, while not the most in-depth chapters in the book, still contain a lot of information that is covered nowhere else (servlet race conditions, for example). In fact, almost everything in this book is, if not new, covered more expertly than anywhere I’ve seen. For anyone doing software security assessment, this book is required reading. All 1200 pages of it.”
Managing Risk from Information Systems: An Organizational Perspective by Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, and Gary Stoneburner
Here is a basic description, “NIST Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a disciplined, structured, flexible, extensible, and repeatable approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization.”
IT Security Essential Body of Knowledge
Here is a basic description, “The EBK contains the key terms and concepts from all of those competencies that NCSD officials feel individuals in at least some IT security roles should know. The EBK is not an additional set of guidelines that DHS believes organizations should follow, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications, in comments included with the recent Federal Register announcement of the EBK draft. It is also not intended to represent a directive from DHS, he said. The intent is for the document ‘to help advance the IT security training and certification landscape as we strive to ensure that we have the most qualified and appropriately trained IT security workforce possible,’ he said.”