Our favourite infosec books

We have a clever bunch working here at Asterisk. From directors to testers, consultants, and business development managers, everyone is passionate about information security. There may be regular debates over music, coffee vs tea, and the best place for lunch in the city, but we’re all on the same page when it comes to information security.

To share our love of all things infosec, we surveyed some of the team on their favourite books. These 11 titles have educated, enlightened and entertained and come highly recommended for anyone interested in information security…

 

I loved ‘The Cuckoo’s Egg’ by Cliff Stoll. In the 80’s Stoll was an admin for a university shared computing system and investigating a minor accounting discrepancy led to him basically uncovering a spy ring working for the Russians. True story.

Mike Loss, Senior Security Consultant

 

‘Future Crimes’ by Marc Goodman is the book that sparked my initial interest in infosec and gave me the urge to explore a career in the industry. I picked it up at an airport book store (I actually thought it was a true crime book – didn’t realise it had anything to do with infosec) but was hooked from the first few pages. It made me realise that just about everything is connected, and as a result just about everyone is vulnerable. I made a decision there and then to try and learn more/get involved in the industry. Also, I encourage anyone who assumes that information security is purely about technology to give ‘Social Engineering: The Art of Human Hacking’ by Christopher Hadnagy a read. It uses a lot of a real world examples and made me question why we so often focus on information security strategies that tend to address technology and product as opposed to people and process.

Sam Moody, Business Development Manager

 

‘Firewalls and Internet Security: Repelling The Wily Hacker’ by William R. Cheswick and Steven M. Bellovin was the book that started it all. First published in 1994, it was one of the earliest (and definitely one of the greatest) books on network security. ‘The Web Application Hacker’s Handbook’ by Marcus Pinto and Dafydd Stuttard was (is) the bible for web application security testing. It’s a little dated now (published in 2011), but still very relevant and full of some great knowledge. Another favourite is ‘The Browser Hacker’s Handbook’ by Christian Frichot, Wade Alcorn and Michele Orru – because Christian is a hipster God, and we all miss him very much.

David Taylor, Principal Security Consultant

 

I read ‘The Cathedral and the Bazaar’ by Eric S. Raymond almost 20 years ago and it was an insight into the world of monopolies and how to succeed without selling code – how Netscape survived, and the differences between top-down and bottom-up approaches to development.

Daniel Marsh, Security Consultant

 

I usually get bored of “career advice” books pretty quick but I picked up ‘Women in Tech’ by Tarah Wheeler after following Tarah and some of the other contributors on Twitter. The advice in the book is stellar, but what I loved most were the personal stories from successful women in tech like Brianna Wu and Keren Elazari woven through.

Cairo Malet, Security Consultant

 

‘Gray Hat Python: Python Programming for Hackers and Reverse Engineers’ by Justin Seitz is a good way to learn both scripting/programming and practical offensive security. Some of the content is a little dated, and for the most part better tools exist to do the tasks that are covered. However, the step-by-step approach provides a great foundation for some common offensive security tools and processes.

Clinton Carpene, Security Consultant

 

The novel ‘Neuromancer’ by William Gibson tells the story of a washed-up computer hacker hired by a mysterious employer to pull off the ultimate hack. The Matrix, cyberpunk, implants – Gibson’s dystopian future is a classic. Another novel, ‘Snow Crash’ by Neal Stephenson, presents the Sumerian language as the firmware programming language for the brainstem, which is supposedly functioning as the BIOS for the human brain. Stephenson is next level Gibson and features the Matrix (Metaverse) and cyberpunk references. Stephenson can get heavy, and satiric, but again it’s a classic for the genre.

Steve Schupp, Managing Director

 

What’s your favourite infosec book?

 

Book covers image source – Booktopia

 

Notifiable Data Breach Scheme

What is it?

The Notifiable Data Breach (NDB) Scheme is an amendment to the Privacy Act 1988 that comes into effect from 22 February 2018. The NDB scheme sets out the obligations of organisations to notify individuals after a data breach has disclosed their personal information and that disclosure is likely to cause serious harm to the individual. Notification of the breach must also be provided to the Office of the Australian Information Commissioner (OAIC).

Who does it apply to?

The scheme applies to all entities that are currently subject to the Privacy Act – as a general rule, this includes all Australian government, business or not-for-profit organisations with an annual turnover of $3 million or more.

What needs to be addressed?

To ensure that applicable organisations are able to respond appropriately in the event of a breach, the following needs to be addressed:

• The ability to identify and respond to security incidents in a timely manner;
• Implement processes to assess if a breach is likely to cause serious harm to individuals;
• Develop a communication plan for notifying relevant parties;
• Ensure your notifications meet minimum requirements as defined by the OAIC;
• Implement remediation activities to avoid the incident reoccurring in the future.

How to notify?

When an organisation suspects or has confirmed that a data breach has occurred, it will need to promptly notify individuals that are likely at risk of serious harm. The Commissioner must also be notified as soon as practicable with a statement outlining the data breach.

Notifications must include the following information:

• The identity and contact details of the organisation;
• A description of the data breach;
• What personal information has been breached;
• Steps that individuals should take in response to the data breach.

How to comply?

General guidance is provided by the OAIC and can be found here: https://oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

If you need assistance with meeting your notification obligations, Asterisk can assist with implementing incident detection and response procedures and communications plans to ensure your organisation is ready to take action should a breach occur.*

* If you have not yet sought legal advice on your organisation’s exact eligibility and obligations under the Privacy Act, Asterisk recommends consulting an appropriate legal professional to ensure all legal requirements have been considered.