Security and Security Training

Security+ Link Page


IT security matters to the IT professionals and developers who design, deploy and operate complex IT systems, and it is just as relevant to business users and knowledge workers. The defence-in-depth approach to security encourages wider security appreciation and knowledge, especially among IT and IT-related staff.

The learning needed to pass CompTIA's Security+ vendor-neutral security examination is a good starting point for network security. Treat it as a minimum baseline, not the finishing line.

The rest of this page is a structured set of hyperlinks pointing to detailed information about IT security and to IT security training. The links are organised around the structure of the Security+ exam and are aimed mainly at IT pros, IT pro trainers and anyone wanting to pass the Security+ exam. For completeness, information on Microsoft security training and on wider security interests is also provided.

Suggestions, comments or whinges are most welcome by email: sec-csw@reskit.net.

The organisation of this page is as follows:


General Security Concepts

Access Control Models (1.1)

Security+ Exam topics include: Mandatory Access Control, Discretionary Access Control, Rule Based Access Control

Access Control Models - a basic discussion of the key access control models. A good overview focused on the Security+ exam. However, its description of the Bell-LaPadula model is not accurate (the model's two rules are "no read up" and "no write down"). Why not read the original?

Multi-Level Security - notes from a lecture, part of a Systems Security course at Cornell University. Some good reading on this site.

Mandatory Access Control - an overview, with a POSIX flavour.

Mandatory Access Control - another overview.

Access Control - a PowerPoint presentation covering access control.

Types of Authentication (1.2)

Security+ Exam topics include: Kerberos, CHAP, Certificates, Username/Password, Tokens, Multi-Factor, Mutual, Biometrics

Design of Secure Operating Systems - contains some good background on different types of authentication.

Designing an Authentication System - this is a truly seminal work! This page contains a fictitious account of the design of an open-network authentication system called "Charon", done as a play in several acts. As the dialogue progresses, the characters Athena and Euripides discover the problems of security inherent in an open network environment. Each problem must be addressed in the design of Charon, and the design evolves accordingly. Athena and Euripides don't complete their work until the dialogue's close. It's worth the read.

Kerberos: An Authentication Service for Computer Networks - details by Clifford Neuman and Theodore Ts'o.

LDAP Authentication - details on LDAP authentication.

Types of Authentication - details of authentication protocols supported on Windows 2000.

The Moron's Guide to Kerberos. What it says - a brief guide to Kerberos.

The Kerberos Network Authentication Service - a site devoted to Kerberos.

Understanding and Configuring PPP CHAP Authentication - a Cisco paper, but contains some good basic information on CHAP.

Myths of Multifactor authentication - an interesting article on this topic.

Computer Systems Security in an Internet Age—Authentication Beyond Passwords - a paper on multifactor authentication.

Ten Windows Password Myths - an interesting paper on password technology.

Password Recovery - a paper on this topic from Charles Miller.
 

Essential Protocols (1.3)

Security+ Exam topics include: identify non-essential services, and how to reduce related risks

A list of Domain Controller Default Ports - the common ports used by Windows Server domain controllers (Win2k and Win2k3).

Assigned Port Numbers - the official list of all assigned TCP and UDP port numbers.
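The exam objective is to identify services a host does not need; the practical form of that is to compare what is actually listening with an agreed baseline. The following is an added example, not from the page or the port lists linked above: it parses constructed `netstat -an` output in the Windows format and reports every listener that is not on an assumed allow-list for a domain controller. Build your own baseline from the linked list and from what the server is meant to run.

```python
"""Report listening ports that are not in an agreed baseline.

Added example (not from the original page). SAMPLE_NETSTAT is constructed to
look like 'netstat -an' on a Windows domain controller; BASELINE is an
assumed allow-list for this example only.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1054      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:1434           *:*
"""

# Assumed baseline for a domain controller in this example (proto, port).
BASELINE = {
    ("TCP", 53), ("TCP", 88), ("TCP", 135), ("TCP", 139), ("TCP", 389),
    ("TCP", 445), ("TCP", 464), ("TCP", 636), ("TCP", 3268), ("TCP", 3269),
    ("UDP", 53), ("UDP", 88), ("UDP", 123), ("UDP", 137), ("UDP", 138),
    ("UDP", 389), ("UDP", 464),
}


def parse_listening(netstat_text: str) -> set:
    """Return {(proto, port)} for sockets that will accept traffic.

    TCP sockets count only in LISTENING state (an ESTABLISHED line is a
    connection, not a service). A bound UDP socket has no state column, so
    every UDP line counts.
    """
    listening = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:88 and [::]:88
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        listening.add((proto, port))
    return listening


def unexpected_listeners(netstat_text: str, baseline=BASELINE) -> list:
    """Sorted (proto, port) pairs that are listening but not in the baseline."""
    return sorted(parse_listening(netstat_text) - baseline)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"not in baseline: {proto}/{port}")
```

On the constructed sample this flags TCP 3389, TCP 6667 and UDP 1434; the first may be a deliberate choice (Terminal Services), the other two (an IRC port and the SQL Server browser port) are exactly the kind of thing a baseline review exists to catch. `netstat -an` on Windows 2000 cannot tell you which process owns a socket; on XP and 2003 add `-o` to get the PID.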

Types of Attacks (1.4)

Security+ Exam topics include: DOS/DDOS, Back Door, Spoofing, Man in the Middle, Replay, TCP/IP Hijacking, Weak Keys, Mathematical, Social Engineering, Birthday, password guessing, brute force, dictionary, software exploitation

Distributed Denial of Service attacks - Is there really a threat? Some good background from the Usenix Security Symposium 2000.

Distributed Denial of Service attacks - another paper on this issue.

Distributed Denial of Service (DDOS) Attacks - another site with details on DDOS - with some good links.

Doshelp.com - an Intrusion and attack reporting centre. They say their mission is to: "provide assistance to users who are encountering internet abuse. Internet abuse has many forms, such as port scanning, Denial of Service, bug exploitation, spam, trojans and viruses". Their site has some great links.

Google's Directory - Denial of Service. Another up-to-date list of links on the subject of DoS. Much of it is about current attacks rather than the fundamentals of DoS/DDoS.

Hackers at work - this page contains some examples of hackers and their exploits.

LC4 - a "password auditing and recovery" application (i.e. a password cracker). An updated version of the infamous L0phtCrack.
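Of the attack types listed for 1.4, the birthday attack is the one candidates most often misremember, so here it is next to the brute-force cost it is usually compared with. This is an added example, not from the page or any linked resource: it truncates SHA-256 to a chosen number of bits so a collision can actually be found in seconds, and the messages are constructed as "msg-<counter>".

```python
"""Birthday attack against a truncated hash, next to the brute-force cost.

Added example (not from the original page or any linked resource). SHA-256
is truncated to `bits` so the collision search finishes quickly; the
messages are constructed strings "msg-<counter>".
"""
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(message), as an integer."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Birthday attack: hash distinct messages until two share a digest.

    Returns (message1, message2, hashes_computed). Expected work is about
    2**(bits/2) hashes, not 2**bits, because each new digest is compared
    against every earlier one at once through the dictionary lookup.
    """
    seen = {}
    counter = 0
    while True:
        message = f"msg-{counter}".encode()
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, counter + 1
        seen[h] = message
        counter += 1


def expected_trials(bits: int):
    """(birthday collision, brute-force preimage) expected hash counts.

    Birthday: sqrt(pi/2 * 2**bits). Preimage of a given digest: 2**bits.
    """
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)


if __name__ == "__main__":
    bits = 32
    m1, m2, n = find_collision(bits)
    birthday, preimage = expected_trials(bits)
    print(f"{m1!r} and {m2!r} collide on {bits} bits after {n} hashes")
    print(f"expected: birthday ~{birthday:.0f}, brute-force preimage ~{preimage:.0f}")
```

The point for hashing choices: a hash with an n-bit output gives only n/2 bits of security against collisions, which is why a 64-bit digest is useless for signatures even though a 2^64 preimage search is still out of reach. It also shows why "weak key" and "mathematical" attacks in the same objective list are different animals from brute force: they reduce the search, rather than simply running it faster.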

Types of Malicious Code (1.5)

Security+ Exam topics include: Virus, Trojan Horse, Logic Bomb, Worm

AntiViral Database - a database of known viruses.

Dan Muth's Anti-virus Resources page - what it says.

Social Engineering (1.6)

Security+ Exam topics include: Understand concept and how to reduce risks

Social Engineering - a paper from Vigilante on this topic.

Social Engineering FAQ - as it says!

Social Engineering and NLP - a fascinating look at how NLP (neuro-linguistic programming) can assist social engineering. Contains some good links to more on NLP. Every trainer should know more about NLP.

Auditing, Logging and System Scanning (1.7)

Security+ Exam topics include: Understand concepts and significance of auditing, logging and system scanning

Loganalysis.org - a volunteer, not-for-profit site containing useful information on analysing logs for computer security.

Security Scanning 101 - an article about scanning.
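Logging only earns its keep when someone reads the logs, so here is the kind of analysis loganalysis.org is about, applied to the password-guessing attacks from 1.4. This is an added example, not from the page or from loganalysis.org: the log lines are constructed in the syslog format an OpenSSH server writes, and the threshold, window and year are assumed tuning values.

```python
"""Brute-force and password-spray detection over authentication log lines.

Added example (not from the original page or loganalysis.org). SAMPLE_LOG is
constructed in OpenSSH syslog format; threshold, window_seconds, spray_users
and the year used for time-stamp parsing are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Apr 21 22:01:03 dc1 sshd[4122]: Failed password for invalid user admin from 10.0.0.9 port 51234 ssh2
Apr 21 22:01:05 dc1 sshd[4122]: Failed password for invalid user admin from 10.0.0.9 port 51235 ssh2
Apr 21 22:01:06 dc1 sshd[4125]: Failed password for root from 10.0.0.9 port 51236 ssh2
Apr 21 22:01:08 dc1 sshd[4127]: Failed password for root from 10.0.0.9 port 51237 ssh2
Apr 21 22:01:09 dc1 sshd[4130]: Failed password for root from 10.0.0.9 port 51238 ssh2
Apr 21 22:01:11 dc1 sshd[4131]: Failed password for invalid user oracle from 10.0.0.9 port 51239 ssh2
Apr 21 22:03:40 dc1 sshd[4200]: Accepted password for tlee from 192.168.1.20 port 1054 ssh2
Apr 21 22:15:02 dc1 sshd[4388]: Failed password for tlee from 192.168.1.20 port 1061 ssh2
Apr 21 22:15:10 dc1 sshd[4390]: Accepted password for tlee from 192.168.1.20 port 1062 ssh2
Apr 21 22:40:00 dc1 sshd[4501]: Failed password for invalid user guest from 172.16.5.5 port 40001 ssh2
Apr 21 22:41:00 dc1 sshd[4502]: Failed password for invalid user test from 172.16.5.5 port 40002 ssh2
Apr 21 22:42:00 dc1 sshd[4503]: Failed password for invalid user backup from 172.16.5.5 port 40003 ssh2
Apr 21 22:43:00 dc1 sshd[4504]: Failed password for invalid user www from 172.16.5.5 port 40004 ssh2
Apr 21 22:44:00 dc1 sshd[4505]: Failed password for invalid user ftp from 172.16.5.5 port 40005 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text: str, year: int = 2004):
    """Yield (timestamp, user, source) for each failed logon line.

    Syslog stamps carry no year, so one is assumed for parsing."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def detect(text: str, threshold: int = 5, window_seconds: int = 60,
           spray_users: int = 4) -> dict:
    """Return {source: reason} for sources that look like guessing attacks.

    'burst': at least `threshold` failures from one source inside
             `window_seconds` (classic brute-force / dictionary attack).
    'spray': failures against at least `spray_users` distinct accounts from
             one source, however slowly (low-and-slow guessing that a
             per-account lockout policy never notices).
    """
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _ in events]
        # Slide a window of `threshold` consecutive failures over the times.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts[src] = "burst"
                break
        if src not in alerts and len({u for _, u in events}) >= spray_users:
            alerts[src] = "spray"
    return alerts


if __name__ == "__main__":
    for src, reason in sorted(detect(SAMPLE_LOG).items()):
        print(f"{src}: {reason}")
```

On the sample, 10.0.0.9 is flagged as a burst (six failures in eight seconds) and 172.16.5.5 as a spray (five accounts, one attempt each, a minute apart), while the single typo from 192.168.1.20 is ignored. The line worth chasing after either alert is an "Accepted password" from the same source, which is why the successes are logged alongside the failures.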

Security Books

Microsoft Encyclopedia of Security, by Mitch Tulloch (Microsoft Press, 2003). What it says on the cover, by a well-known and widely published technical expert. Mitch also has an interesting technical blog - and he likes this page!

Security Engineering by Ross Anderson (John Wiley & Sons, 2001). Looks at security in the real world (e.g. in a bank, in a hospital, in the home). Would be good reading as it covers most of the key security topics. Contains a nice chapter on managing security projects.

Other Resources

Security+ Overview - great Security+ related PPT deck giving an overview to the examination. Part of a course at UC Davis.

Authentication - a great Security+ PPT deck. Part of a course at UC Davis.

Attacks and Malicious Code - a great Security+ PPT deck. Part of a course at UC Davis.

Technical Overview of Windows Server 2003 Security Services. Not directly related to Security+ but a good look at the security tools and services in this latest version of Windows.


Communication Security

Administration of secure RAS technologies (2.1)

Security+ Exam topics include: 802.1x, VPN, RADIUS, TACACS, L2TP/PPTP, SSH, IPSec

Traffic That Can--and Cannot--Be Secured by IPSec - a KB article from MS.

IPSec and L2TP Implementation in Windows 2000 - an MS KB article.

Virtual Private Networking - a chapter from the Windows 2000 Server Resource Kit on VPNs.

Email Security Concepts (2.2)

Security+ Exam topics include: SMIME, PGP, SPAM, Hoaxes

Email and Executable Content Guides - security guidance from the US National Security Agency.

Keeping Email Secure - a short paper from IBM.

Internet Security Concepts (2.3)

Security+ Exam topics include: SSL, TLS, HTTPS, Instant Messaging, Packet Sniffing, Vulnerabilities, JavaScript, ActiveX, Buffer Overflows, Cookies, Signed applets, CGI, SMTP Relay

Analysis of Topical Vulnerabilities. Mark Graff and Kenneth R Van Wyk analyse and comment on topical vulnerability issues as they arise.

Secure Sockets Layer - a paper describing SSL. From Netscape, the folks who invented SSL.

Google's SSL-TLS page - an index to SSL/TLS from those nice people at Google.

Transport Layer Security (TLS) Protocol - a PDF of a slide deck explaining TLS. Fairly technical.

Transport Layer Security Protocol - a description of TLS from MS's MSDN.

The basics of Buffer Overflows - a nice paper from IBM.

Directory Security Concepts (2.4)

Security+ Exam topics include: LDAP, SSL/TLS

RFC 2830, LDAPv3: Extension for Transport Layer Security - the RFC defining the StartTLS extended operation, by which an LDAP client and server switch an existing LDAP connection to TLS. It is about protecting the connection rather than about authentication methods as such; those are covered separately (RFC 2829, Authentication Methods for LDAP).

Wireless Security Concepts (2.5)

Security+ Exam topics include: WTLS, 802.11x, WEP/WAP, Site Surveys

Wireless LANs Q&A - a FAQ on wireless

An Introduction to WAP Security at the Network Protocol Layer -- WTLS - an article describing WTLS

Architecting Your 802.1x-Based WLAN Deployment - a paper from Funk Software looking at how to design a WLAN solution.

Security of the WEP algorithm - WEP stands for Wired Equivalent Privacy, a name meant to suggest a wireless protocol as secure as a wired network. This paper (Borisov, Goldberg and Wagner, Berkeley ISAAC) shows that is nonsense: WEP's per-packet IV is only 24 bits, so RC4 keystreams get reused, and its CRC-32 integrity check lets an attacker flip bits in a frame undetected. There are ways to secure wireless traffic; WEP is a very poor one, as this paper explains.
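The keystream-reuse problem above is easy to see in code. The following is an added example, not from the page or from the paper: RC4 is implemented inline so it runs offline, and the shared key, IV and packet contents are constructed. WEP builds the per-packet RC4 key as the 3-byte IV followed by the shared key and sends the IV in the clear, so any repeated IV gives an attacker two frames under one keystream.

```python
"""Why WEP's 24-bit IV is fatal: RC4 keystream reuse.

Added example (not from the original page or the linked paper). RC4 is
implemented here directly; the shared key, IV and frame contents are
constructed for the demonstration. The CRC-32 ICV of a real WEP frame is
omitted since it does not affect the keystream argument.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key-scheduling then generation), as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: clear-text 3-byte IV, then RC4(IV||key) xor data."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def recover_with_known_plaintext(frame_a: bytes, plaintext_a: bytes,
                                 frame_b: bytes) -> bytes:
    """Two frames share an IV and one plaintext is known: read the other.

    C = P xor K, so K = C xor P for the known frame, and the same K
    decrypts the other frame up to the known plaintext's length."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("attack needs IV reuse")
    keystream = xor(ct_a, plaintext_a)
    return xor(ct_b, keystream)


if __name__ == "__main__":
    shared_key = bytes.fromhex("0123456789")      # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                           # constructed, and reused below
    frame_1 = wep_encrypt(shared_key, iv, b"GET /index.html HTTP/1.0\r\n")
    frame_2 = wep_encrypt(shared_key, iv, b"password=hunter2&go=1\r\n\r\n")
    print(recover_with_known_plaintext(frame_1, b"GET /index.html HTTP/1.0\r\n", frame_2))
```

Even without any known plaintext, XORing the two ciphertexts gives the XOR of the two plaintexts, which is readable with a little guessing on protocol headers. The IV is in every frame header, so the attacker just sorts captured frames by IV; 2^24 IVs are exhausted in hours on a busy network, and the paper notes that some cards reset the IV to zero at initialisation, which makes reuse of the low IVs almost certain.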

Books on Communications Security

SSL and TLS: Designing and Building Secure Systems by Eric Rescorla (Addison-Wesley, 2001). A good book describing the design and evolution of SSL and TLS.

Web Security, Privacy and Commerce by Simson Garfinkel, with Gene Spafford (O'Reilly, November 2001). This book looks at web security risks and how to minimise them. The book covers topics including cryptography, SSL, the Public Key Infrastructure, digital signatures, digital certificates, privacy threats (cookies, log files, web logs, web bugs), hostile mobile code, and web publishing (intellectual property, P3P, digital payments, client-side digital signatures, code signing, PICS).

Communication Security Products

Ethereal - a free network protocol analyser for Unix/Linux and Windows. Can read traces produced by MS's network monitor.

NMAP for NT - an NT (2k, 2k3) port of this popular Unix tool, from eEye. Nmap is perhaps the most customisable network scanner ever; this port works well and can provide a tremendous amount of intelligence about your network.

NMapWin - a GUI front end to Nmap. You can use the GUI to select every possible Nmap parameter, then send it on its way.

Security Scanners - a general purpose list of scanning services from those great people at Google.

Other Resources

Remote Access - a great Security+ PPT deck. Part of a course at UC Davis.

Email Security - a great Security+ PPT deck. Part of a course at UC Davis.

Web Security - a great Security+ PPT deck. Part of a course at UC Davis.

Directory and File Transfer Services - a great Security+ PPT deck. Part of a course at UC Davis.

Wireless and Instant Messaging - a great Security+ related PPT deck. Part of a course at UC Davis.


Infrastructure Security

Types of Security Devices (3.1)

Security+ Exam topics include: Firewalls, routers, switches, wireless, modems, RAS, VPNs, IDS, Workstation/Servers, mobile devices

Firewall Product Overview - a good set of links to all major firewall products.

Devices, Media, and Topology Security  - a nice Security+ focused page on this topic.

Media Security (3.2)

Security+ Exam topics include: Coaxial Cable, UTP, STP, Fiber Optic Cable, Removable Media, smartcards

Cable Types - this page explains the four major cable types. A related page discusses Twisted Pair Connectors, Terminators, and Cable topologies.

Media Security  - a nice Security+ focused page on this topic.

Security Topologies (3.3)

Security+ Exam topics include: Security Zones, DMZ, Intranet, Extranet, VLANs, NAT, Tunnelling

How Network Address Translation Works - a good article on NAT from howstuffworks.

Windows 2000 NAT - an article from Windows & .NET Magazine from Feb 2000.

Understanding the Concepts of Security Topologies - a nice Security+ focused page on this topic.

Intrusion Detection (3.4)

Security+ Exam topics include: Network Based, Active Detection, Passive Detection, Host Based, Honey pots, incident response

Intrusion Detection - a PowerPoint slide deck on this topic by Tom Casey. Presented to the CTO Forum in November 2001.

Security Baselines (3.5)

Security+ Exam topics include: concept of security baselines, OS/NOS Hardening, File System, Updates, Network Hardening, Application Hardening

Security Baselines - a sample chapter on this topic from Security+ Certification MS Press book.

A list of Domain Controller Default Ports - these are common ports used in Windows Server Domain Controllers (WIn2k and WIn2k3).

Windows Server 2003 Security Guide. Provides guidance to help you to harden Domain Controllers, Infrastructure servers, File servers, Print servers, IIS servers, IAS servers, Certificate Services, and bastion hosts.

Windows 2000 Security Hardening Guide - a Microsoft guide to hardening Windows 2000 servers. You can also download the full guide.

Software Update Services - SUS is a set of components that allow administrators to distribute Windows client and server patches. See the Microsoft SUS home page for more details on SUS, or the page on reskit.net for some additional resources. Also, see www.susserver.com for more cool SUS stuff.

Books related to Infrastructure Security

Honeypots: Tracking Hackers, by Lance Spitzner (Addison-Wesley, September 2002). The first book dedicated to honeypot technology.

Infrastructure Security Related Products

Eraser - a secure data removal tool. Enables you to really, really remove data from a hard drive. The tool is free, and source code is provided.

ISA Server - The MS Home Page for ISA Server.

Key Interceptor - a keystroke recording program which runs under Windows.

OWASP - this is an open source community project aimed at building tools and documentation to help people secure web applications and web services.

Snort - possibly the ultimate tool for intrusion detection. Open source as well, with a port for Windows.

Specter - a smart honeypot program. It's not freeware, but it looks pretty cool.

Other Resources

Devices - a Security+ focused PPT deck.

Firewalls - a Security+ focused PPT deck.

Media and Medium - details about transmission medium.

Network Security Topologies - a Security+ focused PPT deck.

Intrusion Detection - a Security+ focused PPT deck.

Security Baselines - a Security+ focused PPT deck.

Assigned Port Numbers - the official list of all assigned TCP and UDP port numbers.

The Twenty Most Critical Internet Security Vulnerabilities. Interesting reading from the SANS Institute.

ISAserver.org - Tom Shinder's outstanding resource on ISA server.


Basics of Cryptography

Types of Crypto algorithms (4.1)

Security+ Exam topics include: Hashing, symmetric, asymmetric

Introduction to Cryptography - a white paper from RSA.

Introduction to Cryptography - a 74 page paper on this subject from the folks at PGP Corporation.

Cryptography A-Z - a set of pages on crypto from SSH corporation. A good overview to crypto terms and approaches.

Digital Signatures & Digital Envelopes - a white paper from RSA on digital signatures.

Research Papers on Strong Password Authentication - some interesting background material. Heavy going for the most part!

Crypto and Security Concepts (4.2)

Security+ Exam topics include: Confidentiality, Integrity, Digital signatures, authentication, non-repudiation, access control

What are digital signatures? - a page from DigitalSignature.be, an English-language Belgian site that provides information about digital signatures. This page shows how digital signatures can be used to provide some of these key security objectives.

George Mason University Course slides - these provide some detail on the concepts.

PKI (4.3)

Security+ Exam topics include: Certificates, Certificate Policies, Cert Practice Statements, Revocation, Trust Models

Public-Key Cryptography Standards (PKCS) - the PKCS series from RSA Laboratories, started in 1991.

Ten Risks of PKI - a white paper from Counterpane - co-written by Bruce Schneier.

Digital Signature Law Survey - this site presents an overview of existing and proposed legislation with respect to electronic authentication and more specifically digital signatures

Cryptographic Standards and Protocols (4.4)

Security+ Exam topics include: Identify and differentiate different cryptographic standards and protocols

Elliptic Curve Cryptosystems - an overview of how elliptic curves can be used in crypto systems. I don't understand it either, but you might.

Key Management (4.5)

Security+ Exam topics include: Centralised vs decentralised, software vs hardware, private key protection, escrow, expiration, revocation, status checking, suspension, etc

The Risks of Key Recovery - an interesting report.

Books on Cryptography

Handbook of Applied Cryptography, by Alfred Menezes, Paul van Oorschot, and Scott Vanstone (CRC Press, 1997). The book is available for free download in PDF or PostScript format from Alfred Menezes's website.

Applied Cryptography 2nd Edition by Bruce Schneier (John Wiley & Sons, 1996). One of the better books. Provides a good introduction to cryptography as well as general security.

Cryptography Theory and Practice by Douglas Stinson (CRC Press, 1995). At one time the text book for MIT's Theory of Cryptography course.

Other Resources

Cryptography - a good Security+ focused deck.

Graduate Course on Cryptography - from The University of Washington Computer Science Dept

Remote Access - a great Security+ focused PPT deck on remote access.

Cryptology ePrint Archive - a site set up to provide rapid access to recent research in cryptology.

Encrypting File System for Windows 2000 - a TechNet white paper on this topic.


Operational/Organisational Security

Physical Security (5.1)

Security+ Exam topics include: Access control, Physical barriers, biometrics, social engineering, environment, location, shielding, fire suppression

The Significance of Crosscutting Challenges and Technologies. A report discussing the impact of potential terrorist attacks on major systems.

Physical Security - a PowerPoint deck.

Disaster Recovery (5.2)

Security+ Exam topics include: Backups, off site storage, secure recovery, alternate sites, disaster recovery plan

Sample Disaster Recovery Project Plan Outline - a project plan outline for a disaster recovery plan. A nice look at what a DR plan might include.

Business Continuity (5.3)

Security+ Exam topics include: Utilities, high availability, fault tolerance, backups

Disaster Recovery and Business Continuity - a PowerPoint Deck

Business Continuity Planning - another PowerPoint deck.

Policies and Procedures (5.4)

Security+ Exam topics include: Security Policy, Acceptable Use, Care, Privacy, Separation of Duties, Need to know, Password Management, SLAs, HR Policy, Termination, Hiring, Code of Ethics, Incident Response Policy

Security Testing Methodology Manual - the OSSTMM, an open source manual containing a professional standard for security testing in any environment, from the outside to the inside.

Disaster Recovery and Business Continuity - a PowerPoint Deck.

University of Iowa Information Security Policy - a good starting point.

Privilege Management (5.5)

Security+ Exam topics include: User/Group Role Management, Single sign-on, auditing, MAC/DAC/RBAC

Forensics (5.6)

Security+ Exam topics include: concepts of computer forensics, including chain of custody, preservation of evidence and collection of evidence.

An Explanation of Computer Forensics - by Judd Robbins a computer forensic expert.

Computer Forensic Analysis - more on this subject from two security researchers: Dan Farmer (Earthlink) and Wietse Venema (IBM).

International Association of Computer Investigative Specialists - the home page of IACIS, a worldwide non-profit corporation dedicated to education in the field of forensic computer science.

Top Ten Things to do when Collecting Electronic Evidence - a nice paper on collecting evidence with some good checklists.

Risk Management (5.7)

Security+ Exam topics include: Asset identification, risk assessment, risk and vulnerability identification

Handbook of Information Security Management. What it says!

Security Training and Online resources(5.8)

Security+ Exam topics include: Communication, user awareness, education, on-line resources

Security Documentation Concepts (5.9)

Security+ Exam topics include: Standards and guidelines, change documentation, logs and inventories.

Books relating to Organisational Security

Secrets and Lies by Bruce Schneier (John Wiley & Sons, 14 August 2000). A look at security in the real world (published on my birthday too!)

Network Security: Private Communication in a Public World by Charlie Kaufman, Radia Perlman, and Mike Speciner (Prentice Hall PTR, 2002). A good reference to network security.

Computer-Related Risks by Peter G Neumann (Addison-Wesley, 1995). A bit dated, but still largely relevant.

Other Resources Related to Organisational Security

Physical Security - a Security+ Deck.

Disaster Recovery and Business Continuity - a Security+ Deck.

Computer Forensics and other Advanced Topics - a Security+ Deck.

CERT - the CERT Coordination Center, a centre of Internet security expertise located at Carnegie Mellon University in the US.


Microsoft Security Courses

Microsoft has created a number of new security courses. These are as follows:

Additional Microsoft security training courses include:

If/when I get time to do detailed pages regarding these courses, I'll add them.


The Security+ Examination

CompTIA Security+ Exam Objectives - details on the skills and knowledge being measured by the Security+ exam.

Security+ FAQs - from the Comptia site.

Exam Tips from ExamNotes.net

Introduction to Security+ - an article on the MCMCSE Security+ site.

Security+ Guide to Network Security Fundamentals. A Cisco Learning Institute introduction to the topics covered in the Security+ exam. Course textbook on the IT 417 Network Administration and Security course at UC Davis.


Other Compilations of Security links

Bennet Yee's Security-Related Net Pointers - a list of pointers to security related information.

Cryptolog - the site says it's "the Internet Guide to Cryptography". An English-language site from the University of Mannheim in Germany.

Gene Spafford's Hotlist on Computer Security, Law, Privacy at CERIAS - what it says.

Google's Security Directory - another great portal page from the guys at Google!

History of Computer Security. A set of papers regarded as seminal works in computer security.

Peter Gutmann's links. Gutmann's site is in New Zealand and contains a bunch of security and encryption related links. For speed, it has a UK mirror (there are others too).

Ron Rivest's MIT site. Ron is the 'R' in RSA and now teaches at MIT. This is a useful set of links (some of which are already on this page!).

Tom Dunigan's Security Pointers. A long list of links.

Vince Cate's Cryptorebel/Cypherpunk Page. A page of links that might interest cryptorebels/cypherpunks.

Yahoo's link page to Security and Encryption. A set of more links to various security and crypto related items.

Other Security Sites

AntiOnline - a security portal with links to security related news and products. Has a set of forums that seem vaguely active.

Center for Internet Security - an independent organisation aimed at helping "around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners."

Cryptome - an interesting site which: "welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and blast protection -- open, secret and classified documents -- but not limited to those."

Network Security Library - a sub-site of www.windowsecurity.com. The library contains links to "large numbers of articles, FAQs, white papers and books on network security, gathered from various sources throughout the industry".

NTSecurity.Com - a security portal for Windows NT/2000. Contains reviews and comparisons of a number of firewall products.

Packet Storm - a hacker site: an archive of exploits, advisories and security tools.

Security Administrator - independent technical security information. From Windows and .NET Magazine

Security Focus  - another security site. Security Focus is owned by Symantec.

TECS Library of Information Security Papers. What it says - lots and lots of papers!


Security Tools and Products

Kerberos Utilities - from MIT.

Microsoft's Security Tools and Check lists - a set of tools to help get and stay secure.

Systems Administration Guidance for Windows 2000 Professional - produced by the National Institute of Standards and Technology, this guide contains recommended security settings for Windows 2000 Professional.

Security Research tools - from @Stake; these include the LC4 password cracker and the WebProxy web testing tool.

Top 75 Security Tools - a set of cool security tools, some free, some not free. Some of the tools run on Linux and some run on Windows.

Windows 2000 Security Recommendation Guides - Guidance from US National Security Agency.

Windows XP Security Recommendation Guides - Guidance from US National Security Agency.

 

Security Vendors and Vendor Sites

BlackIce - the new online home for the Black Ice software firewall. BlackICE is now owned by ISS.

Checkpoint - the FireWall-1 people, who coined the term "stateful inspection" for firewalls. Their website is http://www.checkpoint.com.

eEye Digital Security - a firm that provides enterprise security software. Also known for publishing vulnerability advisories and exploits.

Foundstone - another security company selling 'Enterprise Risk Solutions'. They have some great free tools, including a great scanner (Superscan). Their corporate website is http://www.foundstone.com.

Internet Security Systems - leader in information protection solutions dedicated to protecting its customers from today's and tomorrow's threats.

Microsoft Security Home Page - MS's home page for security.

PGP Corporation - a firm best known for PGP. Their web site is http://www.pgp.com/.

Sans Institute - a good source of computer security training.

Tiny Software Inc - the firm that produces the Tiny Firewall product. Their home page is at http://www.tinysoftware.com/home/tiny2?la=EN

TruSecure - a security company. Publishes the NTBugtraq Windows bug list and owns ICSA Labs. Their website is http://www.trusecure.com/

Verisign - the certificates people. They also do security and payment services (SSL certs, payment processing, etc), provide naming and directory services (digital brand management, domain names, etc) as well as offering telecommunications services such as network and database services. Their website is http://www.verisign.com

Zone Labs - the folks who make ZoneAlarm. The firm produces personal and distributed firewall products. They provide a basic free firewall product, ZoneAlarm, as well as non-free products such as ZoneAlarm Pro, and have a corporate web site at http://www.zonelabs.com.


Acknowledgements

This page was developed by Thomas Lee (tfl@psp.co.uk). Input was provided by a number of people, including Ben Smith, Brian McCann, Erik Rozman, Jim McBee, Allessandro Perilli, Chuck Cook, Jim Galvin, Tatjana Aggoussi, Ionut Boldizsar, Owen Rees, and others! Thanks too for the kind words from Mitch Tulloch. And finally - Google sure was helpful too.



Last Updated: 21-04-04 11:17 PM +0100