A friend who wants to start a career in information security asked me which books are a "must read".
It goes without saying that the one and only "must-read" is of course Jayson's book.
Since you found your way to this site, you'll probably already know that. ;-)
Up front I would like to say that I really doubt there are any real "must read" books anymore since you can learn most if not everything you need to know by sifting through the interwebs, reading free documentation, reading research papers and by just trying out stuff for yourself.
Every person can have a computer lab at home today without needing a huge machine park.
Virtualization FTW! And hardware is cheap, if you need some devices to play with.
That being said, I still think there are some books you should get, depending on your field of interest.
I guess the best advice I can give you is to get books that cover some very basic topic in depth and thus will not be outdated tomorrow. Believe me, I have had my share of books which I first thought were great, then set aside for a while, and which were outdated by the time the topic became relevant to me.
Books like SuSE Linux 6.0 or KDE 2.2 or the like. Don't buy such books!
Spare the money for something with value that lasts.
For information security I think I can recommend some books. I am not sure whether some of them are kind of outdated by now, but nevertheless they had some lasting value for me or others.
I have not read all of them, some of them I read partly, some of them are just too in-depth for me but I still got much out of them.
But let's get started. Here's the list:
+++ Technical Books +++
1.) TCP/IP Illustrated Volume 1 - The Protocols
W. Richard Stevens
This book is *the* TCP/IP bible and whenever an admin crosses my way who has not understood TCP/IP and routing, this is still the book I recommend.
Of course you can learn TCP/IP from other books or without ever touching any book, but this is the best I have seen.
And the good news is: a new updated edition has just been announced for the end of 2011, covering IPv6 as well as IPSEC and other updated topics.
If you are interested in how TCP/IP was implemented in the original BSD stack, I can also highly recommend TCP/IP Illustrated Volume 2 - The Implementation.
I never got too deep into that, but the style of the book and how source code is outlined and visually presented is outstanding.
2.) The Art of Computer Virus Research and Defense
This book covers the basics of virus and anti-virus research.
You learn about infection vectors and detection and defense techniques.
Since it does all of that in an encyclopedic style, it also covers most of virus and malware research history.
This book was too high for me in many parts but this did not in the least reduce its value to me.
I would say the book is almost timeless. Although there are of course newer developments in malware research and defense, everything in there is still a valid basis if you really are interested in that field of expertise.
3.) Hacker Disassembling Uncovered
Powerful Techniques To Safeguard Your Programming
Well I must admit I haven't read this book myself but many folks told me it also covers many basics if you are into malware analysis and/or reverse engineering stuff.
Not my turf though.
4.) Rootkits: Subverting The Windows Kernel
Greg Hoglund, James Butler
This book is from 2005 and I don't think it has ever been updated since then, so it might be outdated.
Many things have changed in Windows since then but on the other hand, not as many things as long as Windows XP is still around, I guess. And it has cool cover art. ;-)
I will not comment on the author Greg Hoglund and the stories and criticism that have evolved around him and his company recently. I know too little about it and for the book, it's not of concern I guess.
5.) Windows Internals
Mark Russinovich, David A. Solomon, Alex Ionescu
Not quite sure about that one. Of course this book becomes outdated, but its half-life is quite decent.
If you are into Windows security it's a good book to have because the name says it all.
6.) Thor's Microsoft Security Bible
This one has just come out and I haven't bought it yet.
Give that one a shot if you are not sure about the Windows Internals book but want to go into Windows security.
7.) Unix/Linux basics
I thought about recommending the LPI study guides here (Linux Professional Institute).
Those books are great, of course, but if I am to recommend something really timeless, I think I should go for some older Unix/Linux books.
Well, I am German, so the classic Unix/Linux books I still have on my shelf are in German, too.
I have had them for years now and still use them as a reference for many things.
So here are the books, all of them by Helmut Herold - and they are old :)
7.a) Linux/Unix Grundlagen
7.b) Linux/Unix Shells
7.c) Linux/Unix Profitools
7.d) Linux/Unix Systemprogrammierung
If you need something more up to date, read the current documentation, manpages and tutorials for your distribution. With the books mentioned above you can get some overview and historic context.
+++ EDIT 2011-12-05 +++
8.) File System Forensic Analysis
I promised to update that list of "books that last" so here is the first update.
This book by Brian Carrier is really worth reading because everything you will learn by reading this book is a foundation that you can build upon. I just started reading it so I can fill the gaps in my knowledge regarding filesystems. It's just awesome! It is old but still very helpful.
Learn more about it here.
+++ Social Engineering +++
1.) The Art of Human Hacking
This book is very new but will have lasting value unless human nature unexpectedly changes radically in the next few months, which is very unlikely.
The book covers and explains the basics of social engineering and introduces the social engineering framework which has been "developed" by the fine folks of www.social-engineer.org.
I also highly recommend their podcast.
If you have this book, you don't need any other social engineering book.
You can dig deeper into certain fields of social engineering by reading some of the research articles and books Chris refers to in his book.
2.) The Art of Deception
As stated above, you don't really need another book on social engineering other than the Human Hacking book. But of course Mitnick's book is a classic and still has value.
The books overlap very much regarding the stories but the Human Hacking book is more systematic. Both books are good to read and entertaining. Chris Hadnagy has done an excellent job of making his book entertaining and easy to read, oftentimes in a narrative style, telling stories as they happened as examples. If you want to digest your share of SE in an even more narrative style, the Mitnick book is a great read, too.
3.) Other books related to social engineering
Two authors: Paul Ekman and Joe Navarro
Look them up.
+++ Physical Security +++
There are many books covering physical security.
It all depends on what you are especially interested in.
Unfortunately I can't really recommend any physical security book, since I haven't read many.
The physical security parts in CISSP books (note: I am not a CISSP but have read large portions of the CISSP All-in-One Exam Guide, which I will not cover here) or other books are mostly - well not so good, from my point of view.
I will only recommend one lock-picking book that I have read at least partly (as of now):
1.) Practical Lock Picking
A Physical Penetration Tester's Training Guide
This book gives a great overview of all kinds of locks, how they work and how they can be picked.
2.) Schuyler Towne
This guy is a walking and talking lockpicking book.
I mean that guy is *better* than any book.
Watch his talks, go to his website http://www.schuylertowne.com/ and contact him on Twitter.
He's just awesome and always helps folks with questions.
Hire him for a training and if he ever writes a book: buy it!
+++ Fiction +++
Sometimes technical books can be so boring. To keep up motivation I now and then need something to inspire me. There are great fictional books out there for people who are interested in information security and hacking stuff.
1.) Stealing The Network
This is not only one book but a series of books.
If you don't know them by now - those are really a must-read if you ask me.
Those books are epic and much celebrated in the hacking community.
The story is a fictional thriller, covering multiple characters with various threads of story which are all somehow linked to each other.
The authors are kind of celebrities of the infosec community.
Just to name some of them:
FX of Phenoelit
Timothy "Thor" Mullen
The series comprises four books:
Stealing The Network - How to Own the Box
Stealing The Network - How to Own a Continent
Stealing The Network - How to Own an Identity
Stealing The Network - How to Own a Shadow
All of them are real page-turners, which proves that folks like Fyodor et al are not only brilliant coders and researchers but also excellent story writers.
2.) "Daemon" and "Freedom™"
I don't know what to say about this two-part book. Words fail me.
Only so much: Awesome, awesome, awesome!
Best book I ever read. Really! Thrilling, visionary page-turner.
I never read a book this fast.
Enough for tonight. Maybe I'll add more books to the list, because I have read so many great books, I can't remember them all right now.