Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us

Book description

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn't the user the weakest link?

In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you'll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

  • Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.

  • Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren't "best practices" best?

  • Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader.

  • Get high-level exposure to why statistics and figures may mislead as well as enlighten.

  • Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them.

"You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won't regret it."

--From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Table of contents

  1. Cover Page
  2. About This eBook
  3. Halftitle Page
  4. Title Page
  5. Copyright Page
  6. Pearson’s Commitment to Diversity, Equity, and Inclusion
  7. Contents at a Glance
  8. Table of Contents
  9. List of Figures and Illustrations
  10. Foreword
  11. Introduction
    1. Who Is This Book For?
    2. The Origin of Myths
    3. Overarching Themes
    4. Roadmap for This Book
    5. Disclaimer
  12. Acknowledgments
  13. About the Authors
  14. Part I: General Issues
    1. Chapter 1. What Is Cybersecurity?
      1. Everyone Knows What “Cybersecurity” Means
      2. We Can Measure How Secure Our Systems Are
      3. The Primary Goal of Cybersecurity Is Security
      4. Cybersecurity Is About Obvious Risks
      5. Sharing More Cyber Threat Intel Will Make Things Better
      6. What Matters to You Matters to Everyone Else
      7. Product X Will Make You Secure
      8. Macs Are Safer Than PCs, Linux Is Safer Than Windows
      9. Open Source Software Is More Secure Than Closed Source Software
      10. Technology X Will Make You Secure
      11. Process X Will Make You Secure
      12. Færie Dust Can Make Old Ideas Magically Revolutionary
      13. Passwords Should Be Changed Often
      14. Believe and Fear Every Hacking Demo You See
      15. Cyber Offense Is Easier Than Defense
      16. Operational Technology (OT) Is Not Vulnerable
      17. Breaking Systems Is the Best Way to Establish Yourself
      18. Because You Can, You Should
      19. Better Security Means Worse Privacy
      20. Further Reading
    2. Chapter 2. What Is the Internet?
      1. Everyone Knows What the “Internet” Means
      2. An IP Address Identifies a Unique Machine
      3. The Internet Is Managed and Controlled by a Central Body
      4. The Internet Is Largely Static
      5. Your Network Is Static
      6. Email Is Private
      7. Cryptocurrency Is Untraceable
      8. Everything Can Be Fixed with Blockchain
      9. The Internet Is Like an Iceberg
      10. A VPN Makes You Anonymous
      11. A Firewall Is Enough
      12. Further Reading
  15. Part II: Human Issues
    1. Chapter 3. Faulty Assumptions and Magical Thinking
      1. Humans Will Behave Rationally, So Blame the User!
      2. We Know Everything We Need to Know About Cybersecurity Problems
      3. Compliance Equals (Complete) Security
      4. Authentication Provides Confidentiality
      5. I Can Never Be Secure, So Why Bother?
      6. I Am Too Small/Insignificant to Be a Target
      7. Everybody Is Out to Get Me
      8. I Engage Only with Trusted Websites, So My Data Is Safe from a Breach
      9. Security by Obscurity Is Reasonably Secure
      10. The Illusions of Visibility and Control
      11. Five 9’s Is the Key to Cybersecurity
      12. Everybody Has Top-of-the-Line Technology
      13. We Can Predict Future Threats
      14. Security People Control Security Outcomes
      15. All Bad Outcomes Are the Result of a Bad Decision
      16. More Security Is Always Better
      17. Best Practices Are Always Best
      18. Because It Is Online It Must Be True/Correct
      19. Further Reading
    2. Chapter 4. Fallacies and Misunderstandings
      1. The False Cause Fallacy: Correlation Is Causation
      2. Absence of Evidence Is Evidence of Absence
      3. The Straw Hacker Fallacy
      4. Ad Hominem Fallacy
      5. Hasty Generalization Fallacy
      6. Regression Fallacy
      7. Base Rate Fallacy
      8. Gambler’s Fallacy
      9. Fallacies of Anomalies
      10. Ignorance of Black Swans
      11. Conjunction and Disjunction Fallacies
      12. Valence Effect
      13. Endowment Effect
      14. Sunk Cost Fallacy
      15. Bonus Fallacies
      16. Further Reading
    3. Chapter 5. Cognitive Biases
      1. Action Bias
      2. Omission Bias
      3. Survivorship Bias
      4. Confirmation Bias
      5. Choice Affirmation Bias
      6. Hindsight Bias
      7. Availability Bias
      8. Social Proof
      9. Overconfidence Bias
      10. Zero Risk Bias
      11. Frequency Bias
      12. Bonus Biases
      13. Further Reading
    4. Chapter 6. Perverse Incentives and the Cobra Effect
      1. The Goal of a Security Vendor Is to Keep You Secure
      2. Your Cybersecurity Decisions Affect Only You
      3. Bug Bounties Eliminate Bugs from the Offensive Market
      4. Cyber Insurance Causes People to Take Less Risk
      5. Fines and Penalties Cause People to Take Less Risk
      6. Attacking Back Would Help Stop Cyber Crime
      7. Innovation Increases Security and Privacy Incidents
      8. Further Reading
    5. Chapter 7. Problems and Solutions
      1. Failure Is Not an Option in Cybersecurity
      2. Every Problem Has a Solution
      3. Anecdotes Are Good Leads for Cybersecurity Solutions
      4. Detecting More “Bad Stuff” Means the New Thing Is an Improvement
      5. Every Security Process Should Be Automated
      6. Professional Certifications Are Useless
      7. Further Reading
  16. Part III: Contextual Issues
    1. Chapter 8. Pitfalls of Analogies and Abstractions
      1. Cybersecurity Is Like the Physical World
      2. Cybersecurity Is Like Medicine and Biology
      3. Cybersecurity Is Like Fighting a War
      4. Cybersecurity Law Is Analogous to Physical-World Law
      5. Tips for Analogies and Abstractions
      6. Further Reading
    2. Chapter 9. Legal Issues
      1. Cybersecurity Law Is Analogous to Physical-World Law
      2. Your Laws Do Not Apply to Me Where I Am
      3. That Violates My First Amendment Rights!
      4. Legal Code Supersedes Computer Code
      5. Law Enforcement Will Never Respond to Cyber Crimes
      6. You Can Always Hide Information by Suing
      7. Suing to Suppress a Breach Is a Good Idea
      8. Terms and Conditions Are Meaningless
      9. The Law Is on My Side, So I Do Not Need to Worry
      10. Further Reading
    3. Chapter 10. Tool Myths and Misconceptions
      1. The More Tools, The Better
      2. Default Configurations Are Always Secure
      3. A Tool Can Stop All Bad Things
      4. Intent Can Be Determined from Tools
      5. Security Tools Are Inherently Secure and Trustworthy
      6. Nothing Found Means All Is Well
      7. Further Reading
    4. Chapter 11. Vulnerabilities
      1. We Know Everything There Is to Know About Vulnerabilities
      2. Vulnerabilities Are Sparse
      3. Attackers Are Getting More Proficient
      4. Zero-Day Vulnerabilities Are Most Important
      5. All Attacks Hinge on a Vulnerability
      6. Exploits and Proofs of Concept Are Bad
      7. Vulnerabilities Happen Only in Complex Code
      8. First Movers Should Sacrifice Security
      9. Patches Are Always Perfect and Available
      10. Defenses Might Become Security Vulnerabilities with Time
      11. All Vulnerabilities Can Be Fixed
      12. Scoring Vulnerabilities Is Easy and Well Understood
      13. Because You Can, You Should—Vulnerabilities Edition
      14. Vulnerability Names Reflect Their Importance
      15. Further Reading
    5. Chapter 12. Malware
      1. Using a Sandbox Will Tell Me Everything I Need to Know
      2. Reverse Engineering Will Tell Me Everything I Need to Know
      3. Malware and Geography Are/Are Not Related
      4. I Can Always Determine Who Made the Malware and Attacked Me
      5. Malware Is Always a Complex Program That Is Difficult to Understand
      6. Free Malware Protection Is Good Enough
      7. Only Shady Websites Will Infect Me
      8. Because You Can, You Should—Malware Edition
      9. Ransomware Is an Entirely New Kind of Malware
      10. Signed Software Is Always Trustworthy
      11. Malware Names Reflect Their Importance
      12. Further Reading
    6. Chapter 13. Digital Forensics and Incident Response
      1. Movies and Television Reflect the Reality of Cyber
      2. Incidents Are Discovered as Soon as They Occur
      3. Incidents Are Discrete and Independent
      4. Every Incident Is the Same Severity
      5. Standard Incident Response Techniques Can Deal with Ransomware
      6. Incident Responders Can Flip a Few Switches and Magically Everything Is Fixed
      7. Attacks Are Always Attributable
      8. Attribution Is Essential
      9. Most Attacks/Exfiltration of Data Originate from Outside the Organization
      10. The Trojan Horse Defense Is Dead
      11. Endpoint Data Is Sufficient for Incident Detection
      12. Recovering from an Event Is a Simple and Linear Process
      13. Further Reading
  17. Part IV: Data Issues
    1. Chapter 14. Lies, Damn Lies, and Statistics
      1. Luck Prevents Cyber Attacks
      2. The Numbers Speak for Themselves
      3. Probability Is Certainty
      4. Statistics Are Laws
      5. Data Is Not Important to Statistics
      6. Artificial Intelligence and Machine Learning Can Solve All Cybersecurity Problems
      7. Further Reading
    2. Chapter 15. Illustrations, Visualizations, and Delusions
      1. Visualizations and Dashboards Are Inherently and Universally Helpful
      2. Cybersecurity Data Is Easy to Visualize
      3. Further Reading
    3. Chapter 16. Finding Hope
      1. Creating a Less Myth-Prone World
      2. The Critical Value of Documentation
      3. Meta-Myths and Recommendations
      4. Avoiding Other and Future Traps
      5. Parting Thoughts
  18. Appendix: Short Background Explanations
  19. Acronyms
  20. Index
  21. Code Snippets

Product information

  • Title: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us
  • Author(s): Eugene H. Spafford, Leigh Metcalf, Josiah Dykstra
  • Release date: February 2023
  • Publisher(s): Addison-Wesley Professional
  • ISBN: 9780137929214