Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us

by Eugene Spafford, Josiah Dykstra, Leigh Metcalf

Length: 416 pages
Edition: 1
Language: English
Publisher: Addison-Wesley Professional
Publication Date: 2023-01-23
ISBN-10: 0137929234
ISBN-13: 9780137929238
Sales Rank: #691728 (See Top 100 Books)

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn’t the user the weakest link?

In
Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us
, three cybersecurity pioneers don’t just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you’ll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them. Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren’t “best practices” best? Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader. Get a high-level exposure to why statistics and figures may mislead as well as enlighten. Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them. “You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won’t regret it.”
–From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Cover Page
About This eBook
Halftitle Page
Title Page
Copyright Page
Pearson’s Commitment to Diversity, Equity, and Inclusion
Contents at a Glance
Table of Contents
List of Figures and Illustrations
Foreword
Introduction
    Who Is This Book For?
    The Origin of Myths
    Overarching Themes
    Roadmap for This Book
    Disclaimer
Acknowledgments
About the Authors
Part I: General Issues
    Chapter 1. What Is Cybersecurity?
        Everyone Knows What “Cybersecurity” Means
        We Can Measure How Secure Our Systems Are
        The Primary Goal of Cybersecurity Is Security
        Cybersecurity Is About Obvious Risks
        Sharing More Cyber Threat Intel Will Make Things Better
        What Matters to You Matters to Everyone Else
        Product X Will Make You Secure
        Macs Are Safer Than PCs, Linux Is Safer Than Windows
        Open Source Software Is More Secure Than Closed Source Software
        Technology X Will Make You Secure
        Process X Will Make You Secure
        Færie Dust Can Make Old Ideas Magically Revolutionary
        Passwords Should Be Changed Often
        Believe and Fear Every Hacking Demo You See
        Cyber Offense Is Easier Than Defense
        Operational Technology (OT) Is Not Vulnerable
        Breaking Systems Is the Best Way to Establish Yourself
        Because You Can, You Should
        Better Security Means Worse Privacy
        Further Reading
    Chapter 2. What Is the Internet?
        Everyone Knows What the “Internet” Means
        An IP Address Identifies a Unique Machine
        The Internet Is Managed and Controlled by a Central Body
        The Internet Is Largely Static
        Your Network Is Static
        Email Is Private
        Cryptocurrency Is Untraceable
        Everything Can Be Fixed with Blockchain
        The Internet Is Like an Iceberg
        A VPN Makes You Anonymous
        A Firewall Is Enough
        Further Reading
Part II: Human Issues
    Chapter 3. Faulty Assumptions and Magical Thinking
        Humans Will Behave Rationally, So Blame the User!
        We Know Everything We Need to Know About Cybersecurity Problems
        Compliance Equals (Complete) Security
        Authentication Provides Confidentiality
        I Can Never Be Secure, So Why Bother?
        I Am Too Small/Insignificant to Be a Target
        Everybody Is Out to Get Me
        I Engage Only with Trusted Websites, So My Data Is Safe from a Breach
        Security by Obscurity Is Reasonably Secure
        The Illusions of Visibility and Control
        Five 9’s Is the Key to Cybersecurity
        Everybody Has Top-of-the-Line Technology
        We Can Predict Future Threats
        Security People Control Security Outcomes
        All Bad Outcomes Are the Result of a Bad Decision
        More Security Is Always Better
        Best Practices Are Always Best
        Because It Is Online It Must Be True/Correct
        Further Reading
    Chapter 4. Fallacies and Misunderstandings
        The False Cause Fallacy: Correlation Is Causation
        Absence of Evidence Is Evidence of Absence
        The Straw Hacker Fallacy
        Ad Hominem Fallacy
        Hasty Generalization Fallacy
        Regression Fallacy
        Base Rate Fallacy
        Gambler’s Fallacy
        Fallacies of Anomalies
        Ignorance of Black Swans
        Conjunction and Disjunction Fallacies
        Valence Effect
        Endowment Effect
        Sunk Cost Fallacy
        Bonus Fallacies
        Further Reading
    Chapter 5. Cognitive Biases
        Action Bias
        Omission Bias
        Survivorship Bias
        Confirmation Bias
        Choice Affirmation Bias
        Hindsight Bias
        Availability Bias
        Social Proof
        Overconfidence Bias
        Zero Risk Bias
        Frequency Bias
        Bonus Biases
        Further Reading
    Chapter 6. Perverse Incentives and the Cobra Effect
        The Goal of a Security Vendor Is to Keep You Secure
        Your Cybersecurity Decisions Affect Only You
        Bug Bounties Eliminate Bugs from the Offensive Market
        Cyber Insurance Causes People to Take Less Risk
        Fines and Penalties Cause People to Take Less Risk
        Attacking Back Would Help Stop Cyber Crime
        Innovation Increases Security and Privacy Incidents
        Further Reading
    Chapter 7. Problems and Solutions
        Failure Is Not an Option in Cybersecurity
        Every Problem Has a Solution
        Anecdotes Are Good Leads for Cybersecurity Solutions
        Detecting More “Bad Stuff” Means the New Thing Is an Improvement
        Every Security Process Should Be Automated
        Professional Certifications Are Useless
        Further Reading
Part III: Contextual Issues
    Chapter 8. Pitfalls of Analogies and Abstractions
        Cybersecurity Is Like the Physical World
        Cybersecurity Is Like Medicine and Biology
        Cybersecurity Is Like Fighting a War
        Cybersecurity Law Is Analogous to Physical-World Law
        Tips for Analogies and Abstractions
        Further Reading
    Chapter 9. Legal Issues
        Cybersecurity Law Is Analogous to Physical-World Law
        Your Laws Do Not Apply to Me Where I Am
        That Violates My First Amendment Rights!
        Legal Code Supersedes Computer Code
        Law Enforcement Will Never Respond to Cyber Crimes
        You Can Always Hide Information by Suing
        Suing to Suppress a Breach Is a Good Idea
        Terms and Conditions Are Meaningless
        The Law Is on My Side, So I Do Not Need to Worry
        Further Reading
    Chapter 10. Tool Myths and Misconceptions
        The More Tools, The Better
        Default Configurations Are Always Secure
        A Tool Can Stop All Bad Things
        Intent Can Be Determined from Tools
        Security Tools Are Inherently Secure and Trustworthy
        Nothing Found Means All Is Well
        Further Reading
    Chapter 11. Vulnerabilities
        We Know Everything There Is to Know About Vulnerabilities
        Vulnerabilities Are Sparse
        Attackers Are Getting More Proficient
        Zero-Day Vulnerabilities Are Most Important
        All Attacks Hinge on a Vulnerability
        Exploits and Proofs of Concept Are Bad
        Vulnerabilities Happen Only in Complex Code
        First Movers Should Sacrifice Security
        Patches Are Always Perfect and Available
        Defenses Might Become Security Vulnerabilities with Time
        All Vulnerabilities Can Be Fixed
        Scoring Vulnerabilities Is Easy and Well Understood
        Because You Can, You Should—Vulnerabilities Edition
        Vulnerability Names Reflect Their Importance
        Further Reading
    Chapter 12. Malware
        Using a Sandbox Will Tell Me Everything I Need to Know
        Reverse Engineering Will Tell Me Everything I Need to Know
        Malware and Geography Are/Are Not Related
        I Can Always Determine Who Made the Malware and Attacked Me
        Malware Is Always a Complex Program That Is Difficult to Understand
        Free Malware Protection Is Good Enough
        Only Shady Websites Will Infect Me
        Because You Can, You Should—Malware Edition
        Ransomware Is an Entirely New Kind of Malware
        Signed Software Is Always Trustworthy
        Malware Names Reflect Their Importance
        Further Reading
    Chapter 13. Digital Forensics and Incident Response
        Movies and Television Reflect the Reality of Cyber
        Incidents Are Discovered as Soon as They Occur
        Incidents Are Discrete and Independent
        Every Incident Is the Same Severity
        Standard Incident Response Techniques Can Deal with Ransomware
        Incident Responders Can Flip a Few Switches and Magically Everything Is Fixed
        Attacks Are Always Attributable
        Attribution Is Essential
        Most Attacks/Exfiltration of Data Originate from Outside the Organization
        The Trojan Horse Defense Is Dead
        Endpoint Data Is Sufficient for Incident Detection
        Recovering from an Event Is a Simple and Linear Process
        Further Reading
Part IV: Data Issues
    Chapter 14. Lies, Damn Lies, and Statistics
        Luck Prevents Cyber Attacks
        The Numbers Speak for Themselves
        Probability Is Certainty
        Statistics Are Laws
        Data Is Not Important to Statistics
        Artificial Intelligence and Machine Learning Can Solve All Cybersecurity Problems
        Further Reading
    Chapter 15. Illustrations, Visualizations, and Delusions
        Visualizations and Dashboards Are Inherently and Universally Helpful
        Cybersecurity Data Is Easy to Visualize
        Further Reading
    Chapter 16. Finding Hope
        Creating a Less Myth-Prone World
        The Critical Value of Documentation
        Meta-Myths and Recommendations
        Avoiding Other and Future Traps
        Parting Thoughts
Appendix: Short Background Explanations
Acronyms
Index
Code Snippets