The best cyber security books out there, chosen by over 20 experts
Here’s what the cybersecurity pros read
Books are the best way to gain in-depth knowledge, and this applies to cybersecurity as well. To this end, we asked these 21 experts which educational cybersecurity book they consider the best.
Of course, we know there is no such thing, and each book is good in its own way. The endgame is to create a go-to resource of curated books you, as a user, can read to take your online security knowledge to the next level.
The experts we’ve included in this roundup are leading figures in the industry, and are frequently the first ones to learn about a new kind of malware or cyber threat.
To help you better navigate the list, we’ve added internal links so you can zip along from one expert’s recommendation to another.
- Inbar Raz
- Pierluigi Paganini
- Alexandru Stoian
- Lawrence Abrams
- Claus Houmann
- Alexandre Campos
- Thomas Callahan
- Adam Shostack
- Dave Waterson
- Ilya Kolmanovich
- Joe Shenouda
- Martijn Grooten
- Troy Hunt
- Xavier Mertens
- Raj Samani
- Liviu Arsene
- Pavel Pohorelsky
- John E. Dunn
- David Bisson
- Mădălin Dogaru
- Daniel Cid
- David Harley
Inbar Raz | Twitter | Principal researcher at PerimeterX
Inbar’s choice is “A Bug Hunter’s Diary”, by Tobias Klein. In a few words, Inbar summarizes the highlights of the book, and also a caveat:
I really liked it because the author did a great job at taking something that is technically sophisticated and hard, and socially admired [bug hunting, vulnerability exploitation] – and making it accessible and understandable. I think that people who want to understand what vulnerability research is, without having to learn to do it themselves, will find it the perfect book for them. The caveat, though, is that you have to be able to read programming languages in order to fully understand the gravity of what he does.
A book for the technically minded user, who doesn’t mind delving into code to understand cyber threats.
Pierluigi Paganini | Twitter | Founder at Security Affairs
The book of choice for him is “The Art of Deception” by Kevin Mitnick.
It is a must-read; the book explains the importance of social engineering in any attack.
The book shows that the human is the weakest link in the cyber security chain, and that the art of social engineering allows one to exploit it. The book includes real stories and social engineering cases and demonstrates how to chain them in real hacking scenarios.
The book is also recommended for people who are not tech-savvy; it can teach them how to avoid being a potential victim of attacks.
Alexandru Stoian | Cybersecurity researcher for the Romanian CERT
His recommended books are technical in nature and written for technically savvy readers who want to dive into the intricacies of cybersecurity.
- Practical Malware Analysis – Michael Sikorski and Andrew Honig
- Windows Internals – Mark Russinovich, David A. Solomon, Alex Ionescu
- IDA Pro Book – Chris Eagle
- Black Hat Python – Justin Seitz
Lawrence Abrams | Founder and chief editor of Bleeping Computer | Twitter
Practical Malware Analysis by Michael Sikorski and Andrew Honig is a frequently cited book in this roundup, and for good reason. It’s a go-to guide for many in learning both basic and advanced malware analysis and dissection techniques.
Understanding Cryptography by Christof Paar and Jan Pelzl is a book oriented towards more advanced readers who want to improve their education in the technical basics of cryptography.
His recommendation isn’t one book, but instead a treasury of free books that cover the most important aspects of cybersecurity. You can find books for just about any level, from cybersecurity beginners who want to learn the ropes, to advanced users who want to improve their technical expertise.
Here’s the full list of free books, which includes titles such as Car Hacker’s Handbook and Reverse Engineering for Beginners.
He also recommended three useful ebooks written in collaboration by members of Peerlyst’s community of information security experts. The first one is The Beginner’s Guide to Information Security, the second ebook is on the Essentials of Cybersecurity, while the third one talks about the Essentials of Enterprise Network Security.
Alexandre Campos | Profile page | Professor and IT Security team member
Here’s his answer when asked what is the best educational cybersecurity book out there:
There are lots of books I could mention here but since you ask me for only one, I can’t leave aside “Hacking Exposed 7”, by Stuart McClure, Joel Scambray and George Kurtz. These security experts show us, in a nice way, how to understand what hackers do during an attack and how to protect ourselves from their actions. They show us concepts and how they can be applied in practice, also telling us about several countermeasures against a wide variety of tools available for hackers to use. It’s worth it for each page you read.
Thomas Callahan | Cybrary
Thomas hails from Cybrary, an online library of courses in various subfields of cybersecurity, such as penetration testing, or malware analysis.
In no particular order, this is his list of recommended cybersec books:
General knowledge and awareness:
- Blue Team Handbook – Don Murdoch
- Cybersecurity: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare
- Cybersecurity and Cyberwar – P.W. Singer and Allan Friedman
- TCP/IP Illustrated – Kevin R. Fall and W. Richard Stevens
- Subnetting: A Comprehensive Beginner’s Guide-From A to Z – Darryl Barton
- Web Application Vulnerabilities: Detect, Exploit, Prevent – Steven Palmer
Adam Shostack, author of Threat Modeling | Blog Profile
“I’m going to say that Steven Bellovin’s “Thinking Security” is my favorite antidote to jumping to conclusions. Recently, I’ve seen lots of extreme responses to both the Intel management issue and the Windows Defender script engine. Both are bad, but jumping to “you will be working the weekend” doesn’t help. Bellovin’s book will.”
Dave Waterson | Personal Blog | CEO and founder of SentryBay
His recommended cybersecurity book is Countdown to Zero Day by Kim Zetter. It’s accessible to users without a technical background, and goes over the destructive power of Stuxnet, the malware responsible for sabotaging Iranian centrifuges used in their nuclear program.
Ilya is a cybersec Threat Engineer and is part of IBM’s Security Intelligence team.
His book of choice when it comes to cybersecurity education is Practical Malware Analysis by Michael Sikorski.
Joe Shenouda | LinkedIn | Principal Cyber Analyst at Verizon
The three books that he recommends are:
- Cyber War: The Next Threat to National Security and What to Do About It – Richard Clarke, Robert Knake
- Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage – Gordon Corera
- Cybersecurity and Human Rights in the Age of Cyberveillance – edited by Joanna Kulesza & Roy Balleste
Martijn Grooten | Editor of Virus Bulletin | Twitter
“My favourite book on cybersecurity is Countdown To Zero Day, by Kim Zetter.
If it is specifically about educational cybersecurity books, my favourite would be Bulletproof SSL and TLS, by Ivan Ristic.”
Troy Hunt | Personal Blog | Creator of HaveIBeenPwned.com
We Are Anonymous by Parmy Olson offers an inside view into the workings of shadowy hacking groups such as LulzSec, Anonymous and the Global Cyber Insurgency.
Xavier Mertens | Personal Blog | Handler for the ISC Initiative
His go-to book is Practical Malware Analysis. It’s safe to say that this book has fairly widespread endorsement by now.
Raj Samani | Computer Security Expert and Chief Scientist at McAfee
The Cuckoo’s Egg by Cliff Stoll details the story of how the author managed to discover a computer espionage ring infiltrated in the Lawrence Berkeley Lab. The operation eventually led to the involvement of the CIA, and exposed the role of the KGB in the entire operation.
Liviu Arsene | Twitter | Senior E-Threat Analyst at Bitdefender
His recommended book is Ghost in the Wires, a biography of Kevin Mitnick, a malicious hacker who broke into numerous companies, such as Motorola and Sun Microsystems, all while ducking and dodging the FBI.
Pavel Pohorelsky | Twitter | CTO at Lamantine
Future Crimes by Marc Goodman is a New York Times best seller, which dives into the underground world of blackhat hackers, and explores their motivations, methods and purposes, as viewed by a man working in law enforcement on a mission to stop them.
Move Fast and Break Things by Jonathan Taplin is an exploration of how the Internet started to change in the vision of the world’s greatest technology entrepreneurs such as Mark Zuckerberg and Larry Page.
David Bisson | Twitter | Security Journalist and Associate Editor at Tripwire | Contributing Editor for Graham Cluley Security News
Worm by Mark Bowden traces the history of the Conficker worm, one of the first major threats against the Internet, and which put into perspective how important online security would be in the new technological world.
Spam Nation by Brian Krebs explores the world of spam, unmasking criminal groups responsible for flooding the email inboxes of tens of millions of users with scam offers, malware and ransomware.
Mădălin Dogaru | CEO and Founder of SentientChip
If you want to learn how to (ethically!) hack a computer, you’re going to need to know Python, and Black Hat Python by Justin Seitz teaches you the most important aspects.
Reversing: Secrets of Reverse Engineering by Eldad Eilam breaks down the processes required to reverse engineer software and computer internals.
RTFM: Red Team Field Manual by Ben Clark contains all of the most important basic syntax in Windows and Linux command lines. Useful when Google doesn’t seem to be able to handle your search query.
Linux Shell Scripting Cookbook is a useful resource in learning how to use simple commands for complex tasks in the Linux shell.
Peter Kruse | Twitter | eCrime Specialist at CSIS Security
Countdown to Zero Day by Kim Zetter. By now, this is the third endorsement of this book, which highlights its quality.
Daniel Cid | Profile page | Founder/CTO of Sucuri, Inc
Stealing the Network: How to Own a Continent details how major hacks are accomplished from a technical point of view. A more interesting take on this book comes from reviewer Amar Pai:
This is basically a Tom Clancy novel, but with PHP exploits, nmap console logs, IDA debugger sessions, and other info-sec-porn in place of the usual war-nerdy stats about submarines, missile launchers, Apache gunships, etc.
David Harley | Twitter | Anti-malware researcher and author
Since ‘true’ computer viruses occupy only a tiny corner of the current malware threatscape, it may seem strange to refer back to a groundbreaking book on viruses from 1990, but I really have to mention Dr. Frederick B. Cohen’s book ‘A Short Course on Computer Viruses’. Not just because Cohen literally ‘wrote the book’ on viruses and is therefore a significant historical figure. Not just because of what it tells us about the threat as it was seen at that time, though as a fairly abstract overview it does have interest. (If you want exhaustive discussion of specific historical malware, I have a few suggestions below.) But because if you absorb his analyses of technical defenses, you will be in a position to make certain vendors uncomfortable by asking questions about their magic algorithms.
Wearing my security manager’s hat (well, I would, but I haven’t occupied that particular vocational niche for many years, so I don’t have one), I also found Cohen’s ‘Protection and Security on the Information Superhighway’ a useful resource (especially as a source of useful citations), if less groundbreaking.
There are, of course, many books intended for the edification of security managers, not all of which are terribly good. It might be a bit naughty to mention a book of which I was lead author and technical editor, but I really do think that the ‘AVIEN Malware Defense Guide for the Enterprise’ (Syngress), though it too suffers from obsolescent technical assumptions, is still worth a look in that it offers a (probably unique) selection of chapters contributed by enterprise security professionals, security vendors, and researchers.
Long before I ever met Stephen Cobb, now a friend and colleague at ESET, one of my go-to resources for management-oriented information was his book ‘The NCSA Guide to PC and LAN Security’ (McGraw-Hill). That book was actually based on an earlier book, ‘Cobb’s Guide to PC and LAN Security’ which is available for download from Stephen’s blog at https://scobbs.blogspot.co.uk/ and as he says himself, ‘A lot of what I wrote about privacy principles is still relevant.’
I don’t claim to have more than the basic knowledge of cryptology, but if I needed to dig a little bit deeper, my first port of call would still be Bruce Schneier’s ‘Applied Cryptography: Protocols, Algorithms and Source Code in C’ (Wiley), even though the 2nd edition goes back to 1996. However, ‘Cryptography Engineering: Design Principles and Practical Applications’ (Wiley: by Niels Ferguson, Schneier, and Tadayoshi Kohno) is much more recent, though I’m afraid I haven’t got around to reading it yet. For a more historical, less technical consideration, Simon Singh’s ‘The Code Book’ (Doubleday) is a pleasant enough read.
And since I mentioned historical malware, I should mention ‘The Art of Computer Virus Research and Defense’ (Addison-Wesley), by the much-missed researcher Peter Szor. It came out in 2005, so it’s not, of course, up to date, but it contains a great deal of information about early malware and detection technology. There are, in fact, a few books that cover the history of viruses and anti-virus technology accurately and in detail, but they’re not generally available now. For instance, Robert Slade’s Guide to Computer Viruses (and I won’t mention the book Rob and I wrote together a little later.)
The books listed here cover almost every aspect of cybersecurity across all levels of skill, from the highly technical to easy, literary reads anyone can enjoy. Hopefully, one or more of these books will help you become hack proof.
What book would you add to the list? Submit your proposals in the comments below.