26 Robert Graham

“How much you spend on security relates very little to the quality of that security.”


Twitter: @erratarob • Website: blog.erratasec.com

Created: [BlackICE, IPS, sidejacking, masscan]. Doing: [blog, code, cyber-rights, internet-scanning]. Unethical coder, according to the EFF.

If there is one myth that you could debunk in cybersecurity, what would it be?

That it’s some magic power that can be wielded without much training. As a well-known hacker for two decades, I regularly get queries asking to be taught “how to hack without all that unnecessarily complicated stuff.” The queriers are looking for some button to press to instantly grant access to somebody’s Facebook account, for example. That’s not how hacking works. If it were that easy, then everyone would already be doing it. Instead, the ability to hack comes from studying that “unnecessarily complicated stuff.” It’s the very fact that people avoid the complicated bits that enables the few who actually study it to have extraordinary power.

What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

There is none. That’s the “magic pill” fallacy that there exists this one thing that can be done to defend yourself. It’s a variation on my answer to the previous question—that there is no easy path (to either attack or defense) that avoids all the ...
