book

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us

Name: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us
ISBN: 9780137929214

by Eugene H. Spafford, Leigh Metcalf, Josiah Dykstra

February 2023

Intermediate to advanced

416 pages

13h 34m

English

Addison-Wesley Professional

Read now

Unlock full access

Cover Page
About This eBook
Halftitle Page
Title Page
Copyright Page
Humans are born to learn
Contents at a Glance
Table of Contents
List of Figures and Illustrations
Foreword

Introduction
Who Is This Book For?The Origin of MythsOverarching ThemesRoadmap for This BookDisclaimer
Acknowledgments
About the Authors
Part I: General Issues
Chapter 1. What Is Cybersecurity?
Everyone Knows What “Cybersecurity” MeansWe Can Measure How Secure Our Systems AreThe Primary Goal of Cybersecurity Is SecurityCybersecurity Is About Obvious RisksSharing More Cyber Threat Intel Will Make Things BetterWhat Matters to You Matters to Everyone ElseProduct X Will Make You SecureMacs Are Safer Than PCs, Linux Is Safer Than WindowsOpen Source Software Is More Secure Than Closed Source SoftwareTechnology X Will Make You SecureProcess X Will Make You SecureFærie Dust Can Make Old Ideas Magically RevolutionaryPasswords Should Be Changed OftenBelieve and Fear Every Hacking Demo You SeeCyber Offense Is Easier Than DefenseOperational Technology (OT) Is Not VulnerableBreaking Systems Is the Best Way to Establish YourselfBecause You Can, You ShouldBetter Security Means Worse PrivacyFurther Reading
Chapter 2. What Is the Internet?
Everyone Knows What the “Internet” MeansAn IP Address Identifies a Unique MachineThe Internet Is Managed and Controlled by a Central BodyThe Internet Is Largely StaticYour Network Is StaticEmail Is PrivateCryptocurrency Is UntraceableEverything Can Be Fixed with BlockchainThe Internet Is Like an IcebergA VPN Makes You AnonymousA Firewall Is EnoughFurther Reading
Part II: Human Issues
Chapter 3. Faulty Assumptions and Magical Thinking
Humans Will Behave Rationally, So Blame the User!We Know Everything We Need to Know About Cybersecurity ProblemsCompliance Equals (Complete) SecurityAuthentication Provides ConfidentialityI Can Never Be Secure, So Why Bother?I Am Too Small/Insignificant to Be a TargetEverybody Is Out to Get MeI Engage Only with Trusted Websites, So My Data Is Safe from a BreachSecurity by Obscurity Is Reasonably SecureThe Illusions of Visibility and ControlFive 9’s Is the Key to CybersecurityEverybody Has Top-of-the-Line TechnologyWe Can Predict Future ThreatsSecurity People Control Security OutcomesAll Bad Outcomes Are the Result of a Bad DecisionMore Security Is Always BetterBest Practices Are Always BestBecause It Is Online It Must Be True/CorrectFurther Reading
Chapter 4. Fallacies and Misunderstandings
The False Cause Fallacy: Correlation Is CausationAbsence of Evidence Is Evidence of AbsenceThe Straw Hacker FallacyAd Hominem FallacyHasty Generalization FallacyRegression FallacyBase Rate FallacyGambler’s FallacyFallacies of AnomaliesIgnorance of Black SwansConjunction and Disjunction FallaciesValence EffectEndowment EffectSunk Cost FallacyBonus FallaciesFurther Reading
Chapter 5. Cognitive Biases
Action BiasOmission BiasSurvivorship BiasConfirmation BiasChoice Affirmation BiasHindsight BiasAvailability BiasSocial ProofOverconfidence BiasZero Risk BiasFrequency BiasBonus BiasesFurther Reading
Chapter 6. Perverse Incentives and the Cobra Effect
The Goal of a Security Vendor Is to Keep You SecureYour Cybersecurity Decisions Affect Only YouBug Bounties Eliminate Bugs from the Offensive MarketCyber Insurance Causes People to Take Less RiskFines and Penalties Cause People to Take Less RiskAttacking Back Would Help Stop Cyber CrimeInnovation Increases Security and Privacy IncidentsFurther Reading
Chapter 7. Problems and Solutions
Failure Is Not an Option in CybersecurityEvery Problem Has a SolutionAnecdotes Are Good Leads for Cybersecurity SolutionsDetecting More “Bad Stuff” Means the New Thing Is an ImprovementEvery Security Process Should Be AutomatedProfessional Certifications Are UselessFurther Reading
Part III: Contextual Issues
Chapter 8. Pitfalls of Analogies and Abstractions
Cybersecurity Is Like the Physical WorldCybersecurity Is Like Medicine and BiologyCybersecurity Is Like Fighting a WarCybersecurity Law Is Analogous to Physical-World LawTips for Analogies and AbstractionsFurther Reading
Chapter 9. Legal Issues
Cybersecurity Law Is Analogous to Physical-World LawYour Laws Do Not Apply to Me Where I AmThat Violates My First Amendment Rights!Legal Code Supersedes Computer CodeLaw Enforcement Will Never Respond to Cyber CrimesYou Can Always Hide Information by SuingSuing to Suppress a Breach Is a Good IdeaTerms and Conditions Are MeaninglessThe Law Is on My Side, So I Do Not Need to WorryFurther Reading
Chapter 10. Tool Myths and Misconceptions
The More Tools, The BetterDefault Configurations Are Always SecureA Tool Can Stop All Bad ThingsIntent Can Be Determined from ToolsSecurity Tools Are Inherently Secure and TrustworthyNothing Found Means All Is WellFurther Reading
Chapter 11. Vulnerabilities
We Know Everything There Is to Know About VulnerabilitiesVulnerabilities Are SparseAttackers Are Getting More ProficientZero-Day Vulnerabilities Are Most ImportantAll Attacks Hinge on a VulnerabilityExploits and Proofs of Concept Are BadVulnerabilities Happen Only in Complex CodeFirst Movers Should Sacrifice SecurityPatches Are Always Perfect and AvailableDefenses Might Become Security Vulnerabilities with TimeAll Vulnerabilities Can Be FixedScoring Vulnerabilities Is Easy and Well UnderstoodBecause You Can, You Should—Vulnerabilities EditionVulnerability Names Reflect Their ImportanceFurther Reading
Chapter 12. Malware
Using a Sandbox Will Tell Me Everything I Need to KnowReverse Engineering Will Tell Me Everything I Need to KnowMalware and Geography Are/Are Not RelatedI Can Always Determine Who Made the Malware and Attacked MeMalware Is Always a Complex Program That Is Difficult to UnderstandFree Malware Protection Is Good EnoughOnly Shady Websites Will Infect MeBecause You Can, You Should—Malware EditionRansomware Is an Entirely New Kind of MalwareSigned Software Is Always TrustworthyMalware Names Reflect Their ImportanceFurther Reading
Chapter 13. Digital Forensics and Incident Response
Movies and Television Reflect the Reality of CyberIncidents Are Discovered as Soon as They OccurIncidents Are Discrete and IndependentEvery Incident Is the Same SeverityStandard Incident Response Techniques Can Deal with RansomwareIncident Responders Can Flip a Few Switches and Magically Everything Is FixedAttacks Are Always AttributableAttribution Is EssentialMost Attacks/Exfiltration of Data Originate from Outside the OrganizationThe Trojan Horse Defense Is DeadEndpoint Data Is Sufficient for Incident DetectionRecovering from an Event Is a Simple and Linear ProcessFurther Reading
Part IV: Data Issues
Chapter 14. Lies, Damn Lies, and Statistics
Luck Prevents Cyber AttacksThe Numbers Speak for ThemselvesProbability Is CertaintyStatistics Are LawsData Is Not Important to StatisticsArtificial Intelligence and Machine Learning Can Solve All Cybersecurity ProblemsFurther Reading
Chapter 15. Illustrations, Visualizations, and Delusions
Visualizations and Dashboards Are Inherently and Universally HelpfulCybersecurity Data Is Easy to VisualizeFurther Reading
Chapter 16. Finding Hope
Creating a Less Myth-Prone WorldThe Critical Value of DocumentationMeta-Myths and RecommendationsAvoiding Other and Future TrapsParting Thoughts
Appendix: Short Background Explanations
Acronyms
Index
Code Snippets

Overview

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn't the user the weakest link?

In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you'll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.
Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren't "best practices" best?
Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader.
Get a high-level exposure to why statistics and figures may mislead as well as enlighten.
Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them.

"You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won't regret it."

--From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780137929214

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills