Many people have asked me to put together a list of links to things to read that may help them become a security expert. I am not sure I can do that, but doing some reading is not a bad starting point. What you read out of this really depends on your interests. As I have said elsewhere, I do not believe you can be an expert on security without being an expert on some domain that security is being applied to. However, there are also some fundamentals that are important.
This list is somewhat skewed toward network and Windows security, because that is what I do. It is also woefully incomplete, because I could not think of everything that would be useful. If you can think of something I missed, let me know; I will keep adding to it as I come up with more things. At any rate, here are some of the things that have informed my thinking.
Jesper, with the importance of "People Security" and the useful things that Steve Riley and yourself have presented on this topic in the last few years I think it would be a great contribution to the security community for Steve and yourself to consider publishing more on this topic. Another book would be highly appropriate on this topic since this seems to be the hardest aspect of security to bring across to a business.
Jesper, about Mitnick: "...defrauding his victims of millions of dollars in the process...". As far as I know, I think it has never been proved in court or otherwise that there ever was any great financial loss for the victims or any economic gain for Mitnick himself at the time. True, there was cost in cleaning up after his security breaches, but Mitnick never to my knowledge deprived his victims of revenue by illegally obtaining their software for personal review or use. I understand your point about not really feeling comfortable about recommending his book as he is in fact now gaining from his past criminal activities (he did it, not study it), but I think it's inappropriate to label him wrongfully as having defrauded his victims of huge costs if he did not.
Otherwise, I'm a great fan of you and Steve, love your way of getting down to the real security issues as seen in your webcasts and your book.
All the best,
One blog that is for sure on my must-reads (besides yours and Mr. Riley's, of course) is http://blogs.technet.com/msrc
The MSRC blog will have late breaking security issues posted long before it's on the official channels.
Another one of interest is the Swiss Security blog
The Antimalware blog (which always looks like you are typing animalware)
Brian, I wish I knew enough about people security, but I really do not feel like I do. I am trying to study it though.
Lars, I don't recall all the details about what exactly Mitnick profited from, but the legal and clean-up costs should not be overlooked. Regardless of whether the criminal profited from the crime, the victims lost.
Susan, good pointers, but I was mostly looking for learning opportunities, not merely keeping up on new events. I may have to add those though. It is very hard to draw the line in this business. As we see above, sometimes learning means you have to go study things you would rather not.
I just finished reading Marcus Ranum's list and now I'm going back to read over the rest of that site. There's a lot of good information in there and he's really made it approachable. Thanks for the heads-up on this, Jesper.