English

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us ,1st edition::9780137929153

Access educator resources

Published by Addison-Wesley Professional (March 22, 2023) © 2023

Eugene Spafford | Leigh Metcalf | Josiah Dykstra
    VitalSource eTextbook (Lifetime access)
    €29,99
    Adding to cart… The item has been added
    ISBN-13: 9780137929153

    Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us ,1st edition

    Published 2023

    Language: English

    175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

    Elected into the Cybersecurity Canon Hall of Fame!

    Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn't the user the weakest link?

    In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

    Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you'll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

    • Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.
    • Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren't "best practices" best?
    • Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader.
    • Get a high-level exposure to why statistics and figures may mislead as well as enlighten.
    • Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them.

    "You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won't regret it."
    --From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

    Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

    Foreword by Vint Cerf xxiii
    Introduction xxiv
    Acknowledgments xxxiii
    About the Authors xxxiv

    Part I: General Issues 1

    Chapter 1: What Is Cybersecurity? 2
    Everyone Knows What "Cybersecurity" Means 2
    We Can Measure How Secure Our Systems Are 5
    The Primary Goal of Cybersecurity Is Security 11
    Cybersecurity Is About Obvious Risks 12
    Sharing More Cyber Threat Intel Will Make Things Better 14
    What Matters to You Matters to Everyone Else 16
    Product X Will Make You Secure 17
    Macs Are Safer Than PCs, Linux Is Safer Than Windows 18
    Open Source Software Is More Secure Than Closed Source Software 19
    Technology X Will Make You Secure 20
    Process X Will Make You Secure 21
    Færie Dust Can Make Old Ideas Magically Revolutionary 22
    Passwords Should Be Changed Often 23
    Believe and Fear Every Hacking Demo You See 26
    Cyber Offense Is Easier Than Defense 27
    Operational Technology (OT) Is Not Vulnerable 29
    Breaking Systems Is the Best Way to Establish Yourself 30
    Because You Can, You Should 30
    Better Security Means Worse Privacy 32
    Further Reading 33

    Chapter 2: What Is the Internet? 36
    Everyone Knows What the "Internet" Means 36
    An IP Address Identifies a Unique Machine 37
    The Internet Is Managed and Controlled by a Central Body 39
    The Internet Is Largely Static 40
    Your Network Is Static 41
    Email Is Private 43
    Cryptocurrency Is Untraceable 44
    Everything Can Be Fixed with Blockchain 46
    The Internet Is Like an Iceberg 46
    A VPN Makes You Anonymous 48
    A Firewall Is Enough 49
    Further Reading 51

    Part II: Human Issues 55

    Chapter 3: Faulty Assumptions and Magical Thinking 56
    Humans Will Behave Rationally, So Blame the User! 57
    We Know Everything We Need to Know About Cybersecurity Problems 62
    Compliance Equals (Complete) Security 63
    Authentication Provides Confidentiality 65
    I Can Never Be Secure, So Why Bother? 65
    I Am Too Small/Insignificant to Be a Target 66
    Everybody Is Out to Get Me 69
    I Engage Only with Trusted Websites, So My Data Is Safe from a Breach 71
    Security by Obscurity Is Reasonably Secure 72
    The Illusions of Visibility and Control 74
    Five 9's Is the Key to Cybersecurity 76
    Everybody Has Top-of-the-Line Technology 78
    We Can Predict Future Threats 80
    Security People Control Security Outcomes 81
    All Bad Outcomes Are the Result of a Bad Decision 82
    More Security Is Always Better 84
    Best Practices Are Always Best 85
    Because It Is Online It Must Be True/Correct 86
    Further Reading 87

    Chapter 4: Fallacies and Misunderstandings 88
    The False Cause Fallacy: Correlation Is Causation 89
    Absence of Evidence Is Evidence of Absence 92
    The Straw Hacker Fallacy 94
    Ad Hominem Fallacy 95
    Hasty Generalization Fallacy 96
    Regression Fallacy 97
    Base Rate Fallacy 98
    Gambler's Fallacy 100
    Fallacies of Anomalies 100
    Ignorance of Black Swans 101
    Conjunction and Disjunction Fallacies 103
    Valence Effect 104
    Endowment Effect 104
    Sunk Cost Fallacy 105
    Bonus Fallacies 107
    Further Reading 109

    Chapter 5: Cognitive Biases 110
    Action Bias 112
    Omission Bias 113
    Survivorship Bias 115
    Confirmation Bias 116
    Choice Affirmation Bias 117
    Hindsight Bias 117
    Availability Bias 119
    Social Proof 121
    Overconfidence Bias 122
    Zero Risk Bias 123
    Frequency Bias 124
    Bonus Biases 125
    Further Reading 128

    Chapter 6: Perverse Incentives and the Cobra Effect 130
    The Goal of a Security Vendor Is to Keep You Secure 131
    Your Cybersecurity Decisions Affect Only You 132
    Bug Bounties Eliminate Bugs from the Offensive Market 134
    Cyber Insurance Causes People to Take Less Risk 135
    Fines and Penalties Cause People to Take Less Risk 136
    Attacking Back Would Help Stop Cyber Crime 137
    Innovation Increases Security and Privacy Incidents 138
    Further Reading 139

    Chapter 7: Problems and Solutions 140
    Failure Is Not an Option in Cybersecurity 141
    Every Problem Has a Solution 142
    Anecdotes Are Good Leads for Cybersecurity Solutions 147
    Detecting More "Bad Stuff" Means the New Thing Is an Improvement 148
    Every Security Process Should Be Automated 149
    Professional Certifications Are Useless 151
    Further Reading 158

    Part III: Contextual Issues 161

    Chapter 8: Pitfalls of Analogies and Abstractions 162
    Cybersecurity Is Like the Physical World 165
    Cybersecurity Is Like Medicine and Biology 170
    Cybersecurity Is Like Fighting a War 172
    Cybersecurity Law Is Analogous to Physical-World Law 175
    Tips for Analogies and Abstractions 175
    Further Reading 178

    Chapter 9: Legal Issues 180
    Cybersecurity Law Is Analogous to Physical-World Law 181
    Your Laws Do Not Apply to Me Where I Am 182
    That Violates My First Amendment Rights! 184
    Legal Code Supersedes Computer Code 186
    Law Enforcement Will Never Respond to Cyber Crimes 191
    You Can Always Hide Information by Suing 193
    Suing to Suppress a Breach Is a Good Idea 194
    Terms and Conditions Are Meaningless 194
    The Law Is on My Side, So I Do Not Need to Worry 195
    Further Reading 196

    Chapter 10: Tool Myths and Misconceptions 198
    The More Tools, The Better 199
    Default Configurations Are Always Secure 201
    A Tool Can Stop All Bad Things 203
    Intent Can Be Determined from Tools 205
    Security Tools Are Inherently Secure and Trustworthy 207
    Nothing Found Means All Is Well 209
    Further Reading 212

    Chapter 11: Vulnerabilities 214
    We Know Everything There Is to Know About Vulnerabilities 215
    Vulnerabilities Are Sparse 218
    Attackers Are Getting More Proficient 218
    Zero-Day Vulnerabilities Are Most Important 219
    All Attacks Hinge on a Vulnerability 223
    Exploits and Proofs of Concept Are Bad 226
    Vulnerabilities Happen Only in Complex Code 228
    First Movers Should Sacrifice Security 230
    Patches Are Always Perfect and Available 231
    Defenses Might Become Security Vulnerabilities with Time 236
    All Vulnerabilities Can Be Fixed 237
    Scoring Vulnerabilities Is Easy and Well Understood 239
    Because You Can, You Should--Vulnerabilities Edition 240
    Vulnerability Names Reflect Their Importance 241
    Further Reading 242

    Chapter 12: Malware 244
    Using a Sandbox Will Tell Me Everything I Need to Know 246
    Reverse Engineering Will Tell Me Everything I Need to Know 249
    Malware and Geography Are/Are Not Related 251
    I Can Always Determine Who Made the Malware and Attacked Me 253
    Malware Is Always a Complex Program That Is Difficult to Understand 254
    Free Malware Protection Is Good Enough 256
    Only Shady Websites Will Infect Me 257
    Because You Can, You Should--Malware Edition 258
    Ransomware Is an Entirely New Kind of Malware 259
    Signed Software Is Always Trustworthy 261
    Malware Names Reflect Their Importance 263
    Further Reading 264

    Chapter 13: Digital Forensics and Incident Response 266
    Movies and Television Reflect the Reality of Cyber 267
    Incidents Are Discovered as Soon as They Occur 269
    Incidents Are Discrete and Independent 270
    Every Incident Is the Same Severity 271
    Standard Incident Response Techniques Can Deal with Ransomware 272
    Incident Responders Can Flip a Few Switches and Magically Everything
    Is Fixed 273
    Attacks Are Always Attributable 276
    Attribution Is Essential 278
    Most Attacks/Exfiltration of Data Originate from Outside the Organization 280
    The Trojan Horse Defense Is Dead 281
    Endpoint Data Is Sufficient for Incident Detection 282
    Recovering from an Event Is a Simple and Linear Process 284
    Further Reading 285

    Part IV: Data Issues 287

    Chapter 14: Lies, Damn Lies, and Statistics 288
    Luck Prevents Cyber Attacks 289
    The Numbers Speak for Themselves 290
    Probability Is Certainty 290
    Statistics Are Laws 293
    Data Is Not Important to Statistics 303
    Artificial Intelligence and Machine Learning Can Solve All
    Cybersecurity Problems 306
    Further Reading 310

    Chapter 15: Illustrations, Visualizations, and Delusions 312
    Visualizations and Dashboards Are Inherently and Universally Helpful 313
    Cybersecurity Data Is Easy to Visualize 319
    Further Reading 324

    Chapter 16: Finding Hope 326
    Creating a Less Myth-Prone World 328
    The Critical Value of Documentation 329
    Meta-Myths and Recommendations 331
    Avoiding Other and Future Traps 334
    Parting Thoughts 334

    Appendix: Short Background Explanations 336

    Acronyms 344
    Index 350

    !