News & Opinion

  • Ars Technica – Risk Assessment
    Reporters for the security section of Ars Technica tackle a wide variety of stories, including articles on the latest data breaches, the cost of cyber crime and cyber spying.
  • CIO Security
    CIO’s security section is a repository of up-to-date articles on data breaches, hacks, attacks, new research and international developments.
  • CSO Online
    Slideshows, blogs, news articles, white papers – there’s a rich olio of security and risk management resources on CSO’s site.
  • Dark Reading
    Brought to you by InformationWeek, Dark Reading covers top stories in information security. Topics include attacks/breaches, app sec, mobile and threats.
  • Guardian Information Security Hub
    One of the largest newspapers in Britain, The Guardian offers the latest on information and cyber security. Articles are usually targeted towards the layperson.
  • Homeland Security News Wire – Cybersecurity
    Cyber security merits its own extensive section in this online publication. A wide variety of topics that affect homeland security are covered.
  • Infosecurity Magazine
    A one-stop source for the information security industry. The magazine contains news articles, white papers, a list of upcoming events & conferences and a lot of webinars.
  • MitnickSecurity
    Mitnick Security is a leading global provider of information security services and training to governments, organizations and enterprises around the world.
  • Naked Security
    Naked Security is the newsroom of Sophos, the well-known developer of computer security products. Lots of useful security news, opinions, advice and research.
  • SC Magazine
    SC supplies information security professionals with a wide range of business and technical information resources. You’ll discover news articles, product reviews, white papers, videos and more.
  • SecureList
    Funded by Kaspersky Lab – the Russian developer of secure content and threat management systems – SecureList is a heaving mass of info on viruses, hackers and spam.
  • SecurityWatch
    PCMag’s security section deals with a whole host of trending topics, including malware, mobile, threats, vulnerabilities and hacks.
  • Threat Level
    Wired’s section on privacy, crime and security online is packed with articles and resources. Many of the stories have a national/international flavor.
  • ThreatPost
    Like SecureList, ThreatPost is a news site working under the aegis of Kaspersky Lab. Here you’ll find news, videos and feature reports on every aspect of cyber security.

Blogs

  • Google Online Security Blog
    The folks on Google’s Security Team regularly cover pressing security and risk management topics.
  • InfoSec Resources
    InfoSec Institute offers information security training, and their blog is jam-packed with mini-courses, ebooks, and hands-on tutorials for students interested in cyber security.
  • Krebs on Security
    Brian Krebs earned his spurs as an investigative reporter for the Washington Post. Now he writes extensively on cyber crime, Internet security and the latest news. You’ll hear his name a lot.
  • Microsoft Malware Protection Center Blog
    Microsoft has other TechNet blogs, but for security alerts and news, this is the one you’ll probably want to follow.
  • Schneier on Security
    Bruce Schneier, aka the “security guru”, has been blogging about security issues since 2004. He’s the CTO at Co3 Systems, Inc., author of 12 books and a fellow at Harvard’s Berkman Center.
  • Security Bloggers Network
    Security Bloggers Network collects almost 300 blogs and podcasts from information security experts around the world and collates them into a single feed.
  • Terebrate
    This enjoyable book review blog is penned by Rick Howard, CSO at Palo Alto Networks. In the course of his readings, Howard decided there should be a Cyber Canon, a list of “must-read” cyber security books (fiction and non-fiction).
  • Threat Track Security Labs Blog
    Threat Track Security Labs partners with businesses to combat Advanced Persistent Threats (APTs), targeted attacks and sophisticated malware. Though the blog is company-focused, it covers a lot of security ground.
  • Veracode Blog
    Run by the team at Veracode – a company focused on cloud-based application security – this blog is a hot spot for application security research and news.
  • Zero Day Blog
    ZDNet’s blog covers the latest in software/hardware security research, vulnerabilities, threats and computer attacks.

Books

  • Breaking In to Information Security
    By Josh More and Anthony Stieber. This practical guide to starting a cyber security career includes a “level-up” gaming framework for career progression, with a “Learn, Do, Teach” approach through three tiers of InfoSec jobs. You’ll also find examples of specific roles and career paths in each job tier so you can identify and max out skills for the role you want.
  • CISSP All-In-One Exam Guide
    By Shon Harris. The go-to resource for CISSP exam prep. Constantly updated, the guide includes everything you will need to prepare – exam tips, practice questions, training modules, in-depth explanations – and covers all 10 CISSP domains. Available in digital and print formats.
  • Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power
    By David E. Sanger. An insider’s account of the Obama administration’s foreign policy process, Confront and Conceal reveals important details about Operation Olympic Games, the U.S.’s covert cyber attack on Iran’s nuclear facilities, and the government’s thinking on cyber weapons. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • Cryptography Engineering: Design Principles and Practical Applications
    By Niels Ferguson, Bruce Schneier and Tadayoshi Kohno. A good foundational guide for those interested in practical cryptography. The authors cover many of the fundamentals – e.g. ciphers, message digests, key exchange, mathematics basics – and take a close look at the hardware, software and human issues involved in cryptography engineering. Advanced cryptographers will want to dig deeper.
  • Cyber War: The Next Threat to National Security and What to Do About It
    By Richard Clarke and Robert K. Knake. First published in 2010, Clarke and Knake’s book is a broadside against complacency in cyber defense. Clarke is the former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, and has much to say about cyber warfare, cyber terrorism and government policy. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
    By Kevin Poulsen. Kingpin is the “made for Hollywood” story of Max Butler, a misfit and hacker who ended up gaining access to more than 1.8 million credit card accounts. A former hacker himself (he served 5 years in prison), Poulsen knows of what he speaks. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State
    By Glenn Greenwald. As Howard notes in his review, No Place to Hide is “part exposé, part autobiography, and part screed ‘against the man.’” Greenwald is a columnist for The Guardian and was one of Snowden’s key contacts in the leaking of classified U.S. government secrets. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • The Practice of Network Security Monitoring: Understanding Incident Detection and Response
    By Richard Bejtlich. A great technical primer with step-by-step instructions on how to deploy, build and run an NSM operation using open source software and vendor-neutral tools. Many reviewers comment on how readable it is compared to other books. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • Secrets and Lies
    By Bruce Schneier. Although it was first published in 2004, Schneier’s warnings are still relevant today. “Security is a process, not a product,” he reminds us, and people are invariably the weakest link. Do we have to sacrifice privacy for better security? Read Schneier’s book to find out. Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • Security Engineering: A Guide to Building Dependable Distributed Systems
    By Ross J. Anderson. A massive guide (900+ pages) that’s worth every word. As one of the top security experts in the world, Ross Anderson has seen it all. His book covers everything from high-level policy to specialized protection mechanisms to technical engineering basics. New security engineers will especially appreciate the real-world case studies of success and failure. First published in 2001 and updated in 2008.
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt
    By Andrew Jaquith. It is what it says – a book about how to quantify, classify and measure information security operations in modern enterprise environments. But, as Rick Howard points out in his review, it will also “help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security.” Named one of the Top 20 in Rick Howard’s Cyber Canon.
  • Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door
    By Brian Krebs. An entertaining and detailed look at the seamy world of organized cybercrime. Krebs focuses on the period between 2007 and 2013 – the rise of the Russians, the development of the spam “ecosystem” and the proliferation of botnet engines, fast-flux obfuscation and underground forums. Read Rick Howard’s review.
  • Where Wizards Stay Up Late
    By Katie Hafner and Matthew Lyon. One for the history buffs. Hafner and Lyon’s chronicle of the origins of the Internet includes interviews with some of the brilliant and eccentric minds responsible. If you don’t know the story about ARPANET and other post-WWII projects, you should. Named one of the Top 20 in Rick Howard’s Cyber Canon. Read Bob Clark’s review.

Useful Websites

Organizations

  • ACM SIGSAC: Special Interest Group on Security, Audit and Control
    SIGSAC’s mission is to foster the information security profession by sponsoring high-quality research conferences and workshops.
  • ASIS International
    Established in 1955, the venerable ASIS offers a wide variety of educational programs, certifications and materials on security topics. ASIS also advocates the value of security management to business, the media, government entities and the public.
  • CSA: Cloud Security Alliance
    CSA is a non-profit organization focused on best practices for security assurance within Cloud computing and education on using the Cloud to help secure all other forms of computing.
  • DC3: Defense Cyber Crime Center
    DC3 is a U.S. Department of Defense agency that supplies digital forensics, cyber investigative services and cyber analysis capabilities to the DoD and law enforcement agencies.
  • HTCIA: High Technology Crime Investigation Association
    Founded in 1989, HTCIA is a global non-profit organization dedicated to promoting education and collaboration for the prevention and investigation of high tech crimes.
  • ISF: Information Security Forum
    Headquartered in London, ISF is a global non-profit organization focused on investigating, clarifying and resolving key issues in information security and risk management.
  • ISSA: Information Systems Security Association
    ISSA is an international non-profit organization of IT security professionals and practitioners. It provides educational forums, publications and a wide variety of networking opportunities.
  • NICCS: National Initiative for Cybersecurity Careers and Studies
    Run under the auspices of the DHS’s Office of Cybersecurity and Communications, NICCS is a useful one-stop-shop for info on cyber security careers and study. It has extensive listings of scholarship and internship opportunities, training options, competitions and much, much more.
  • NSI: National Security Institute
    Founded in 1985, the NSI was created to protect some of the nation’s most sensitive technology and business secrets. It is now the leading organization dedicated to assisting cleared defense contractors in understanding threats to national security.
  • NW3C: National White Collar Crime Center
    NW3C is a non-profit U.S. organization committed to supporting the efforts of state and local law enforcement to prevent, investigate and prosecute economic and high-tech crime.
  • OWASP: Open Web Application Security Project
    OWASP is a global not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible and inform individuals and organizations about software security risks.
  • SANS
    The SANS Institute was established in 1989 as a cooperative research and education organization for IT security professionals. It provides information security training and security certification, maintains a free library of research documents and operates the Internet Storm Center.
  • Science of Security Virtual Organization
    The Science of Security Virtual Organization is dedicated to creating a “science of security,” meaning developing the first principles and the fundamental building blocks for system security. The group offers a number of helpful resources, including a survey of current research, online networking, news and events, and much more.

Training

  • Damn Vulnerable Web Application (DVWA)
    DVWA is a PHP/MySQL web application that is, you guessed it, vulnerable. It’s designed as a teaching aid for security professionals, web developers and educators.
  • Evolve Security Academy
    Evolve Security Academy is a cyber security bootcamp that helps students break into the field. The immersive training includes direct work with not-for-profit companies, helping students to gain real world experience.
  • HackThisSite (HTS)
    HTS is an online hacking and security website with a user base of over 1.8 million. Here you can tackle basic and advanced hacking challenges in a legal environment.
  • Metasploitable
    This virtual machine is an intentionally vulnerable version of Ubuntu Linux designed to be hacked with Metasploit and other hacking tools.
  • Mutillidae
    Mutillidae is a free, open source web application that you can use to pen-test and hack a vulnerable web app.
  • NATAS
    Created by OverTheWire, NATAS is a wargame intended to teach the basics of server-side web security.
  • National Institute of Building Sciences
    The National Institute of Building Sciences offers monthly cybersecurity workshops for building owners and managers. Current workshops include Introduction to Cybersecuring Building Control Systems and Advanced Cybersecuring Building Control Systems.
  • SecureSet
    SecureSet provides educational training to anyone interested in beginning or advancing their cyber security career. Offerings include bootcamps, certifications, and courses. They are located in Denver, Colorado Springs, and Tampa.
  • SlaveHack
    SlaveHack is a virtual hack simulation game. Defend your virtual PC against intruders while trying to hack as many other players and webservers as possible.

Local Security Groups

  • AFCEA Chapters
    AFCEA is concerned with cyber security as it relates to defense, homeland security and intelligence communities. Chapters are spread throughout the world, but, as you might expect, there are a lot of groups in the Virginia and Maryland regions.
  • CSA Chapters
    As CSA puts it, members are usually composed of a credible group of cloud security experts for the region. Chapters are located around the globe and must have a minimum of 20 CSA members.
  • IEEE Technical Chapters
    Focused on the advancement of technology, IEEE Technical Chapters contain members from one or more IEEE Societies/Technical Councils who share technical interests and geographical proximity. Chapter events include guest speakers, workshops, seminars and social functions.
  • InfraGard Local Chapters
    InfraGard is a non-profit, public-private partnership between U.S. businesses and the FBI. The idea is to share intelligence to prevent hostile acts against the country. Members of local chapters meet to exchange info on the latest threats and listen to talks from security experts.
  • ISACA Local Chapters
    ISACA is one of the biggest networking organizations, with 200+ chapters worldwide. Chapters sponsor local educational seminars and workshops, conduct IT research projects and provide members with a number of leadership training opportunities.
  • (ISC)² Chapter Program
    (ISC)² puts a lot of effort into its program. Chapter members can receive special discounts on (ISC)² products and programs, earn CPEs by participating in professional activities and participate in local community outreach projects (e.g. cyber security education).
  • ISSA Chapter Directory
    Like ISACA and (ISC)², ISSA has a strong chapter network. In addition to regular chapter activities, ISSA has created a Chapter Leaders Summit and a number of Special Interest Groups (Women in Security, Security Awareness and Healthcare).
  • OWASP Chapters Program
    Unlike other programs which require membership, OWASP chapters are free, open to all and managed by a set of universal guidelines. Many OWASP presentations are available for everyone to use at meetings. OWASP Community Members can request funding for a variety of chapter initiatives on the Funding page.

Conferences

  • ACM CCS: ACM Conference on Computer and Communications Security
    This popular annual conference is the flagship event of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM).
  • ACSAC: Annual Computer Security Applications Conference
    Founded in 1984, ACSAC is the oldest information security conference in the U.S. It brings together security professionals from academia, government and industry who are interested in applied security.
  • Asiacrypt/Crypto/Eurocrypt
    Sponsored by the International Association for Cryptologic Research, these annual conferences cover all aspects of cryptology.
  • Black Hat
    Launched in 1997 by Jeff Moss (the founder of DEF CON), Black Hat has morphed from a single conference in Las Vegas to an extensive series of annual information security events and training camps in the U.S., Europe and Asia.
  • BSides
    Billed as the “conference by the community for the community”, BSides events are more intimate affairs than DEF CON or Black Hat. They’re also usually free. BSides are held in many cities – San Francisco is a popular venue.
  • CanSecWest
    Held in Canada, CanSecWest is a popular three-day conference focusing on applied digital security. It’s the original host of Pwn2Own, a computer hacking contest with prizes of over $100,000.
  • CSAW: Cyber Security Awareness Week Conference
    Managed by students of the Information Systems and Internet Security (ISIS) Laboratory at the NYU Polytechnic School of Engineering, CSAW is currently the largest student-run cyber security event in the U.S. There are talks, events and contests.
  • DeepSec
    DeepSec is an annual European conference on computer, network and application security that takes place in Vienna, Austria.
  • DEF CON
    Held annually in Las Vegas, DEF CON is one of the largest and most notorious hacking conferences in the world. In addition to talks, there are a huge variety of social events and contests.
  • DerbyCon
    Founded in 2011, DerbyCon is an annual hacker conference based in Louisville, Kentucky. You’ll find talks, workshops, games (e.g. scavenger hunts, hardware hacking, capture the flag) and more than a few parties.
  • Hack.lu
    Held in Luxembourg, this annual convention/conference addresses computer security, privacy, information technology and their implications for society.
  • Hacker Halted
    Hacker Halted is a global series of IT security conferences presented by EC-Council, the International Council of Electronic Commerce Consultants.
  • The Hackers Conference
    Held in India, this conference brings together industry leaders, government representatives, academics and underground black-hat hackers to share leading-edge ideas about information security.
  • Hackito Ergo Sum
    Paris in the springtime – Hackito is an annual open conference for hacking and security research.
  • HITBSecConf: Hack In The Box Security Conference
    Held in Kuala Lumpur, Malaysia and Amsterdam, HITBSecConf provides an annual platform for security researchers and IT professionals to discuss next generation computer security issues.
  • ICMC: International Cryptographic Module Conference
    ICMC brings together experts from around the world to discuss cryptographic modules, with emphasis on their secure design, implementation, assurance, and use. Held annually in the U.S.
  • IEEE Symposium on Security and Privacy
    Sponsored by the IEEE Computer Society Technical Committee on Security and Privacy, in cooperation with the International Association for Cryptologic Research, this annual symposium addresses the latest issues in computer security and electronic privacy.
  • NDSS (Network and Distributed System Security) Symposium
    The annual NDSS Symposium is a three-day conference bringing together researchers and professionals who design, develop, exploit and deploy technologies that define network and distributed system security.
  • NSPW: New Security Paradigms Workshop
    NSPW is a small, invitation-only workshop for researchers in information security and related disciplines. Proceedings are published by the ACM.
  • Nullcon
    Founded in 2010, Nullcon provides a platform for exchanging information on the latest attack vectors, zero day vulnerabilities and unknown threats. Held annually in Delhi and Goa.
  • RSA Security Conference
    Founded by RSA in 1991, this conference is intended to serve as a forum for cryptographers to share the latest knowledge and advancements in the area of Internet security. Annual industry events in the U.S., Europe and Asia.
  • SANS CDI: Cyber Defense Initiative
    Thanks to SANS’s position as one of the biggest players in information security training and certification, the CDI conference draws a healthy crowd. This is where the Netwars Tournament of Champions takes place.
  • S4: SCADA Security Scientific Symposium
    Hosted by Digital Bond, S4 addresses advanced ICS security topics. It’s a technical event geared towards thought-leaders in the ICS security community.
  • Secure 360
    The poster child for the Midwest, Secure 360 is an educational conference for the information risk management and security industry. It is held annually in St. Paul, Minnesota.
  • SecureWorld Expo
    Held in New England, SecureWorld Expo is an annual conference providing globally relevant education, training and networking for cyber security professionals.
  • ShmooCon
    Based on the East Coast, ShmooCon is a popular hacker convention organized by a non-profit security think tank. It annually attracts 1000+ attendees interested in computer security and cryptography.
  • SIN: International Conference on Security of Information and Networks
    Founded in 2007, SIN Conf is a well-respected international forum for the presentation of research and applications of security in information and networks.
  • SOURCE Conference
    Hosted in Boston, Dublin and Seattle, this annual computer security conference attracts technology security experts, analysts, hackers, educators and business professionals.
  • Swiss Cyber Storm
    Held annually in Lucerne, Swiss Cyber Storm is an international IT security conference attended by researchers from around the world.
  • Thotcon
    Chicago’s single-day hacking conference is held at a different top secret location every year. There are talks, workshops and live mixed hacker music.
  • TROOPERS IT Security Conference
    TROOPERS is an IT security conference held annually in Germany. Leading IT security experts and professionals present their latest research and findings.
  • USENIX Security Symposium
    The Advanced Computing Systems Association hosts this popular annual event in a variety of U.S. and Canadian cities. Researchers, practitioners, system administrators, system programmers and others interested in the latest advances in the security and privacy of computer systems and networks are invited to attend.
  • VB: Virus Bulletin Conference
    Sponsored by the publication Virus Bulletin, the VB conference has been in operation since 1990. The program caters for both technical and corporate audiences, covering a wide range of security-related subjects.