Resources
FAQs (Frequently Asked Questions) relating to information security and computer audit
CISA (Certified Information Systems Auditor) FAQ
Computer Security FAQ
Counterpane's links to crypto & related FAQs
Cryptography FAQ
Cryptography FAQ by RSA Labs
Firewalls FAQ
Hack FAQ
ID card FAQ
Intrusion Detection Systems FAQ
JAVA security FAQ
Kerberos FAQ
Netware hack FAQ ('unofficial')
Network sniffers FAQ
Risk Management FAQ
Security compromise FAQ
Social engineering FAQ
Software testing FAQ
Solaris security FAQ
Windows 2000 FAQ (generic, not just infosec)
Windows NT hack FAQ ('unofficial')
Windows NT security FAQ
WWW security FAQ
Glossaries, dictionaries etc.
Didges' 'Infosec jargon buster'
Internet security glossary - RFC2828
IT abbreviations and acronyms
NATO glossary of IT security/PKI terminology
TechEncyclopedia - defines 14,000 IT terms
The New Hacker's Dictionary
News sites, webzines, portals etc. - good for lunchtime
Camelot knowledge center
ComputerWeekly security news
Computing magazine's information security section
Incidents.org by SANS with 'storm watch' alert status and daily infosec news
Indian 'Center for IT security'
Information Security magazine from ICSA
Infosyssec portal
Internet Magazine - UK-biased net news
IT-Audit - portal on the topic of IT audit and IT security
LEXIS-NEXIS topical infosec news and press releases
SearchSecurity.com portal
Secure Computing magazine
Security Administrator webzine (not all free)
Security News Network
SecurityFocus general infosec site (with web interface to Bugtraq infosec newsgroups)
SecurityPortal - infosec articles, news & links
SecuritySearch.net infosec portal
The Crypt Newsletter
The McKinsey Quarterly
The Register - infosec webzine
Whitehats portal
** S A N S - excellent set of infosec resources & practical advice - our favourite infosec resource! **
CERIAS - Center for Education and Research in Information Assurance and Security
CERT® Security Improvement Modules
CERT® Security Improvement Modules - excellent set of practical recommendations
CISSP Open Study Guide website
DTI - Business Manager's Guide to Information Security
DTI - Security at Work campaign website
GIAC student papers on infosec basics
IT Security Cookbook - dynamic on-line infosec reference
Risks forum
Ten current Internet hoaxes
Information security resources
Firewalls, network & telecomms security
Checkpoint certification programme
Cisco Router security guides from the NSA
Microsoft info on TCP/IP
Microsoft introduction to TCP/IP
Network Security Professional Certification Program from Learning Tree
PROTOS - security testing of communications protocol implementations
Firewalls mailing list
Hacking, exploits, vulnerabilities (BEWARE cracker sites!)
AntiOnline - hacking news
Attrition.org
Beyond Security - securiteam.com
CERT Coordination Centre's 'Current activity' page - recent exploits
Cheating
Counterpane Systems S-MIME password cracker screensaver
Cracker suite for MS Office & other applications
Cryptome - US-based public disclosure website
DDoS attacks on GRC.COM
HackerZ Hideout
HoneyNet project - straw-man network with monitors
New Order hacking site
NT buffer overflows
Razor hacker site with infosec links and sporadic papers
Razor infosec papers
Rent-A-Hacker - 'you get exactly what it says on the label' ...
SecuriTeam.com™ infosec portal
Social engineering fundamentals, part 1
Totse hacker site
Whitehats dotcom - another penetration tester outfit with a bunch of resources
Wireless LAN defaults
Incident management & contingency planning
Article on how to design an incident response policy
Business continuity planning booklist
Computer Incident Advisory Center
Disaster Recovery Journal
DRI International professional certification for business continuity planners
Forum of Incident Response and Security Teams (FIRST)
High Tech Crime Network's certification for IT forensic specialists
Network downtime cost calculator
CERT mailing list
Information warfare, cyberterrorism
Attack news from Network World magazine
Dorothy Denning's publications
Information warfare links
National Infrastructure Protection Center (NIPC)
President's Commission on Critical Infrastructure Protection
Infosec organisations
(ISC)2 certification for infosec managers (CISSP) and infosec administrators (SSCP)
American Society for Industrial Security
CESG - UK Government Communications-Electronics Security Group
Information Security Forum (formerly the European Security Forum)
ISSA - Information Systems Security Association
IT Governance Institute - new home of COBIT
National Security Institute section on computer security
Infosec policies & guidelines
Google's section on infosec policies
Human firewall infosec awareness project
Infosec policies presentation slides at SANS
Infosec policy papers at SANS
SANS security policy project
More infosec resource collections
Best Security weblinks
Computer audit and infosec links collection by Curtin University, Australia
Dave Dittrich - infosec papers & resources
Fred Cohen's infosec papers
Idaho State Uni - infosec resources
Information security links collection by the Internet Security Conference
Infosec booklist
Lance Spitzner's whitepapers on infosec topics
Links page maintained by Rik Farrow
Network/Computer Security Technology
Oxford University - Information Technology Security
S e c u r i t y w a t c h
PC, Mac & Windows security
Apple Mac infosec papers at SANS
CERT® Security Improvement Modules on securing Windows NT
Computer virus myths & hoaxes
Eicar - European Institute for Computer Anti-Virus Research
Free auditing utilities for NT; Windows 2000
Gibson Research - PC web security guru
Home PC security advice primer from CERT
ICAT searchable database of known infosec vulnerabilities
IT Security Cookbook - Windows 2000 notes (working draft)
Microsoft Personal Security Advisor
Microsoft security checklists and other utilities
Microsoft security patch verifier tool
Microsoft security website
PatchWork tool to verify certain NT & Win2k patch levels
SecurityFocus area on Windows
UnPlug n' Pray - disable the UPnP Internet server in Windows XP
Virus Bulletin
Virus hoaxes db
WildList - viruses in the wild
Windows 2000 infosec papers at SANS
Windows 2000 installation security checklist
Windows 2000 security guides by the NSA
Windows 2000 SP2 security bug fixes
Standards, laws & regulations relating to information security e.g. BS7799
AICPA SysTrust systems security assurance model
AICPA WebTrust web system security model
ANSI electronic standards on-line store
BS 15000 Standard for IT services
BS 7799 & c:cure - official BSI-DISC website
BS 7799 controls summary
BS 7799 high level audit checklist
BS 7799 implementation by a bank
BS 7799 training courses by the British Standards Institute
CobiT: Control Objectives for Information and related Technology
Comparison between SAS 70 and SysTrust
Computer security standards
Data protection - 1995 European Directive
Data Protection Act [UK] guidance & other publications
Data Protection Act 1998 and related UK Acts - summary
Diffuse - EU Internet infosec standards
FIPS 140-1: security requirements for cryptographic modules
GASSP - Generally Accepted System Security Principles
Gatekeeper - Commonwealth PKI strategy/framework project
ISO 17799 portal
ISO 17799 service software directory
ISO TC68 committee for banking standards
ISSEA - International Systems Security Engineering Association
IT Baseline Protection Manual
PAG - PKI Assessment Guidelines
QiCA - Qualification in Computer Audit
RFC2196 Site security handbook
SAS 70 audit standard for service providers
UNIX security
CERT® Security Improvement Modules on UNIX security
Linux infosec papers at SANS
List of public domain UNIX security software
Solaris benchmark and scoring/scanning tools from CIS
Sun Solaris infosec papers at SANS
UNIX infosec papers at SANS
UNIX security checklist v2
BugTraq mailing list
Web & eCommerce security including PKI & encryption
A Comparison between Java and ActiveX Security
BCS papers on topical eCommerce security issues
Bletchley Park (Station X)
Bombe rebuild project
CGI infosec tutorial
CGI infosec tutorial - shorter
Code Red worm - all you need to know
Crypto-Gram mailing list
Entercept product for securing web servers
PKI Forum
Presentation about weaknesses in file encryption
Rivest cryptography and security links
The Alice and Bob after dinner speech
The PKI page
Whois and other lookups
Why browser-based certificates are a BAD idea ...
Why installing unverified patches is not very smart either
Cypherpunks mailing list
A structured approach to computer security
Annual Computer Security Applications Conference
Forensics article in SC Magazine
Infosec pages by the curiously-named Collaborative Computational Project Number 14
Microsoft TechNet security section
Oracle security & audit info
TruSecure infosec certification for organisations, products and practitioners
Visa Cardholder Information Security Program
Things for computer auditors: workplans etc.
Software development methods
BCS Business-IT Interface Specialist Group (BITISG) - group about bridging IT and non-IT worlds
DSDM - Dynamic Systems Development Method
Formal methods
Pacific Edge - Project Office 3.0
Project Management Institute
Software Engineering Institute (SEI)
Software Program Managers Network - methodology downloads
TeamShare - TeamTrack Platform
Bridging presentation
Software testing
Cem Kaner's slides about bug reporting
Glossary of terms used in software testing
STQE (Software Testing & Quality Engineering) magazine
Testing Craft
A practical model for risk assessment and prioritisation
ACL fraud toolkit
AICPA SysTrust auditor competency model
ASAP - Auditors Sharing Audit Programs - community collection of audit workplans
Audimation - distributor for IDEA
Audit checklists
AuditNet - various free resources for auditors
AuditNet-L mailing list
Business continuity planning audit checklist
CAATs - Computer Aided Audit Tools
Contingency planning audit checklist
IIA's IT Forum website for computer auditors - with interactive bulletin board!!
IIA - Institute of Internal Auditing
ISACA - IS Audit and Control Association
Sanctum Inc's Appscan product
Spreadsheet resources
System security audit checklist
US General Accounting Office paper on information security risk assessments
Web resources for auditors
Things miscellaneous
Bookshops
Amazon bookstore
Barnes & Noble bookstore
Fatbrain bookstore
[Physical] Security Magazine
Allaire Security Zone
Anonymous EMAIL software
Axent infosec vendor
BT Fraudwise - telecomms fraud
Computer Forensics - supplier of the DIBS scene-of-crime disk image copier kit
FAX your (UK) MP for free!
Ink-e-Media audit & infosec training
London Town.com - The 'official' website for old London town
Mission Statement Generator
SpamCon Foundation whose mission is to reduce spam (junk EMAIL)
The 'Lectric Law Library
Tired of filling in 'market surveys'? Fight back!
UK directory enquiries