For anyone else who's keen to keep up with information security and related events as they happen, I thought I'd list the hit parade - my top ten favourite Web resources.
Starting with the chart-toppers, here are the six big hits I use practically every single day:
1. ISN (Information Security News) - a handful of relevant infosec news items to my inbox every day, each one supplied as plain text email with a URL in case I need to reference the original source. Always relevant and on-topic. No wasted bits. Moderator William Knowles does a fantastic job.
2. SANS ISC (Internet Storm Center) - a continuous blog/diary of what's hot from the people who are constantly scanning Internet traffic for new attack vectors. Generally first to identify and publish info on emerging malware and vulnerabilities. Makes a great browser home page. SANS Newsbites is not bad either - twice weekly email digests with informed commentary.
3. CISSPforum - a professional community of over 4,000 CISSPs and SSCPs from around the globe. A virtual locker room, ideal for lonely infosec professionals who don't have several hundred qualified peers in the office with whom to pass the time of day.
4. Gigalaw - similar style to ISN but focuses on legal IT-related news such as IPR issues and new privacy legislation. Supplied as one email per day with about 6 headlines leading to short summaries on the Gigalaw site and URLs to the original sources.
5. Blogs like this one - way too many to list. When I have a quiet moment, I use a blog reader to catch up with what other infosec pro's are saying and generally browse through for interesting leads. Good for discovering alternative perspectives on everyday issues and interesting items from obscure places. Bad for time management.
6. Google. 'Nuff said. Well almost: Google's Alerts are a handy way to run those searches that I always run, delivering daily email digests again (yes, you're starting to see a pattern).
Other sources to complete the top ten, used as and when necessary:
7. CERIAS and CERT-CC - a wealth of cool information but you need to set aside time to browse the libraries.
8. ISO, NIST etc. - for security standards
9. ISACA, ISSA, ITGI, CCcure, ITPI and various other professional membership bodies.
10. Selected infosec magazines such as [In]security, CSO/CIO and of course The Register, always good for a laugh.
11 (bonus item). RISKS-List is a long-running source of news and insightful commentary on IT risks.
Conspicuous by their absense from the hitlist are:
- Myriad "portals" that pad out far too many intrusive adverts with "news" (mostly vendor press releases) and "articles" that are also thinly disguised adverts. More biased than a capsizing supertanker.
- Vendor websites and newsletters. At least they admit their bias but I value independence and objectivity over marketing fluff any day. Used selectively to gather information on new and updated infosec products, critical patches etc.
- Podcasts, online seminars, eSymposia and similar. Unless I'm having trouble sleeping, I don't generally have the time to waste listening to some sales machine droning on for hours about how their particular hammer cracks all known nuts, or to waste time listening to cheesy royalty-free muzak from amateur producers who love the sound of their own voices and can't even get the audio levels right [/rant]. The accompanying presentation slides are sometimes worth a quick browse, taking a few minutes to skim not an hour or more. A few online speakers are worth the effort but I'm very choosy. Life's too short.
OK there we are. What about you? What's in your top ten? If there were just one or two resources you'd persuade me to add to my list, what would they be? Please either add a comment here or write your own blog post and send me a link.