Foreword by Vint Cerf xxiiiIntroduction xxivAcknowledgments xxxiiiAbout the Authors xxxiv Part I: General Issues 1 Chapter 1: What Is Cybersecurity? 2Everyone Knows What "Cybersecurity" Means 2We Can Measure How Secure Our Systems Are 5The Primary Goal of Cybersecurity Is Security 11Cybersecurity Is About Obvious Risks 12Sharing More Cyber Threat Intel Will Make Things Better 14What Matters to You Matters to Everyone Else 16Product X Will Make You Secure 17Macs Are Safer Than PCs, Linux Is Safer Than Windows 18Open Source Software Is More Secure Than Closed Source Software 19Technology X Will Make You Secure 20Process X Will Make You Secure 21Færie Dust Can Make Old Ideas Magically Revolutionary 22Passwords Should Be Changed Often 23Believe and Fear Every Hacking Demo You See 26Cyber Offense Is Easier Than Defense 27Operational Technology (OT) Is Not Vulnerable 29Breaking Systems Is the Best Way to Establish Yourself 30Because You Can, You Should 30Better Security Means Worse Privacy 32Further Reading 33 Chapter 2: What Is the Internet? 36Everyone Knows What the "Internet" Means 36An IP Address Identifies a Unique Machine 37The Internet Is Managed and Controlled by a Central Body 39The Internet Is Largely Static 40Your Network Is Static 41Email Is Private 43Cryptocurrency Is Untraceable 44Everything Can Be Fixed with Blockchain 46The Internet Is Like an Iceberg 46A VPN Makes You Anonymous 48A Firewall Is Enough 49Further Reading 51 Part II: Human Issues 55 Chapter 3: Faulty Assumptions and Magical Thinking 56Humans Will Behave Rationally, So Blame the User! 57We Know Everything We Need to Know About Cybersecurity Problems 62Compliance Equals (Complete) Security 63Authentication Provides Confidentiality 65I Can Never Be Secure, So Why Bother? 65I Am Too Small/Insignificant to Be a Target 66Everybody Is Out to Get Me 69I Engage Only with Trusted Websites, So My Data Is Safe from a Breach 71Security by Obscurity Is Reasonably Secure 72The Illusions of Visibility and Control 74Five 9's Is the Key to Cybersecurity 76Everybody Has Top-of-the-Line Technology 78We Can Predict Future Threats 80Security People Control Security Outcomes 81All Bad Outcomes Are the Result of a Bad Decision 82More Security Is Always Better 84Best Practices Are Always Best 85Because It Is Online It Must Be True/Correct 86Further Reading 87 Chapter 4: Fallacies and Misunderstandings 88The False Cause Fallacy: Correlation Is Causation 89Absence of Evidence Is Evidence of Absence 92The Straw Hacker Fallacy 94Ad Hominem Fallacy 95Hasty Generalization Fallacy 96Regression Fallacy 97Base Rate Fallacy 98Gambler's Fallacy 100Fallacies of Anomalies 100Ignorance of Black Swans 101Conjunction and Disjunction Fallacies 103Valence Effect 104Endowment Effect 104Sunk Cost Fallacy 105Bonus Fallacies 107Further Reading 109 Chapter 5: Cognitive Biases 110Action Bias 112Omission Bias 113Survivorship Bias 115Confirmation Bias 116Choice Affirmation Bias 117Hindsight Bias 117Availability Bias 119Social Proof 121Overconfidence Bias 122Zero Risk Bias 123Frequency Bias 124Bonus Biases 125Further Reading 128 Chapter 6: Perverse Incentives and the Cobra Effect 130The Goal of a Security Vendor Is to Keep You Secure 131Your Cybersecurity Decisions Affect Only You 132Bug Bounties Eliminate Bugs from the Offensive Market 134Cyber Insurance Causes People to Take Less Risk 135Fines and Penalties Cause People to Take Less Risk 136Attacking Back Would Help Stop Cyber Crime 137Innovation Increases Security and Privacy Incidents 138Further Reading 139 Chapter 7: Problems and Solutions 140Failure Is Not an Option in Cybersecurity 141Every Problem Has a Solution 142Anecdotes Are Good Leads for Cybersecurity Solutions 147Detecting More "Bad Stuff" Means the New Thing Is an Improvement 148Every Security Process Should Be Automated 149Professional Certifications Are Useless 151Further Reading 158 Part III: Contextual Issues 161 Chapter 8: Pitfalls of Analogies and Abstractions 162Cybersecurity Is Like the Physical World 165Cybersecurity Is Like Medicine and Biology 170Cybersecurity Is Like Fighting a War 172Cybersecurity Law Is Analogous to Physical-World Law 175Tips for Analogies and Abstractions 175Further Reading 178 Chapter 9: Legal Issues 180Cybersecurity Law Is Analogous to Physical-World Law 181Your Laws Do Not Apply to Me Where I Am 182That Violates My First Amendment Rights! 184Legal Code Supersedes Computer Code 186Law Enforcement Will Never Respond to Cyber Crimes 191You Can Always Hide Information by Suing 193Suing to Suppress a Breach Is a Good Idea 194Terms and Conditions Are Meaningless 194The Law Is on My Side, So I Do Not Need to Worry 195Further Reading 196 Chapter 10: Tool Myths and Misconceptions 198The More Tools, The Better 199Default Configurations Are Always Secure 201A Tool Can Stop All Bad Things 203Intent Can Be Determined from Tools 205Security Tools Are Inherently Secure and Trustworthy 207Nothing Found Means All Is Well 209Further Reading 212 Chapter 11: Vulnerabilities 214We Know Everything There Is to Know About Vulnerabilities 215Vulnerabilities Are Sparse 218Attackers Are Getting More Proficient 218Zero-Day Vulnerabilities Are Most Important 219All Attacks Hinge on a Vulnerability 223Exploits and Proofs of Concept Are Bad 226Vulnerabilities Happen Only in Complex Code 228First Movers Should Sacrifice Security 230Patches Are Always Perfect and Available 231Defenses Might Become Security Vulnerabilities with Time 236All Vulnerabilities Can Be Fixed 237Scoring Vulnerabilities Is Easy and Well Understood 239Because You Can, You Should--Vulnerabilities Edition 240Vulnerability Names Reflect Their Importance 241Further Reading 242 Chapter 12: Malware 244Using a Sandbox Will Tell Me Everything I Need to Know 246Reverse Engineering Will Tell Me Everything I Need to Know 249Malware and Geography Are/Are Not Related 251I Can Always Determine Who Made the Malware and Attacked Me 253Malware Is Always a Complex Program That Is Difficult to Understand 254Free Malware Protection Is Good Enough 256Only Shady Websites Will Infect Me 257Because You Can, You Should--Malware Edition 258Ransomware Is an Entirely New Kind of Malware 259Signed Software Is Always Trustworthy 261Malware Names Reflect Their Importance 263Further Reading 264 Chapter 13: Digital Forensics and Incident Response 266Movies and Television Reflect the Reality of Cyber 267Incidents Are Discovered as Soon as They Occur 269Incidents Are Discrete and Independent 270Every Incident Is the Same Severity 271Standard Incident Response Techniques Can Deal with Ransomware 272Incident Responders Can Flip a Few Switches and Magically EverythingIs Fixed 273Attacks Are Always Attributable 276Attribution Is Essential 278Most Attacks/Exfiltration of Data Originate from Outside the Organization 280The Trojan Horse Defense Is Dead 281Endpoint Data Is Sufficient for Incident Detection 282Recovering from an Event Is a Simple and Linear Process 284Further Reading 285 Part IV: Data Issues 287 Chapter 14: Lies, Damn Lies, and Statistics 288Luck Prevents Cyber Attacks 289The Numbers Speak for Themselves 290Probability Is Certainty 290Statistics Are Laws 293Data Is Not Important to Statistics 303Artificial Intelligence and Machine Learning Can Solve AllCybersecurity Problems 306Further Reading 310 Chapter 15: Illustrations, Visualizations, and Delusions 312Visualizations and Dashboards Are Inherently and Universally Helpful 313Cybersecurity Data Is Easy to Visualize 319Further Reading 324 Chapter 16: Finding Hope 326Creating a Less Myth-Prone World 328The Critical Value of Documentation 329Meta-Myths and Recommendations 331Avoiding Other and Future Traps 334Parting Thoughts 334 Appendix: Short Background Explanations 336 Acronyms 344Index 350

"Many security leaders are traditionally in charge of correcting misconceptions just as much as they are in charge of building up solid security practices. We have plenty of resources on practices--but this book is the crucial guide to that essential myth busting."--Phil Venables, CISO, Google Cloud "I'm writing this on my phone, over Wi-Fi, in an airplane on my way to Black Hat, one of the world's largest security conferences. The fact that I'm able to do this at all shows how much we've really learned about cybersecurity over the decades. Now it's all collected in one place for everyone to share. Thank the wise authors, and most importantly: GET OFF THEIR LAWN."--Wendy Nather, Head of Advisory CISOs, Cisco "This book is astounding. A true tour de force--which I have never said about any other book. Inverting the viewpoint is a stroke of genius. This is going to be on my grabbable-at-any-time shelf. What I learned, recalled, and was refreshed on with technically astute agnosticism cannot be measured; just appreciated as a profound historical compilation of security practice and theory. Bravo!"--Winn Schwartaul, Founder and Chief Visionary Officer, The Security Awareness Company "I am happy to endorse the central idea of this book--that cybersecurity is rife with myths that are themselves part of the problem. The brain wants to understand, the world grows ever more complicated, and the sum of the two is myth-making. As the authors say, even if some understanding is true at some time, with enough change what was true becomes a myth soon enough. As such, an acquired immunity to myths is a valuable skill for the cybersecurity practitioner if no other. The paramount goal of all security engineering is No Silent Failure, but myths perpetuate if not create silent failure. Why? Because a state of security is the absence of unmitigable surprise and you cannot mitigate what you don't know is going on. Myths blind us to reality. Ignorance of them is not bliss. This book is a vaccine."--Dan Geer, CISO, In-Q-Tel "This is a fun read for all levels. I like their rapid fire delivery and the general light they cast on so many diverse myths. This book will change the cybersecurity industry for the better."--Michael Sikorski, Author of Practical Malware Analysis & CTO, Unit 42 at Palo Alto Networks

Escape the myths and misconceptions that are compromising your cybersecurity right now Uncover dangerous folk wisdom surrounding vulnerabilities, malware, digital forensics, incident response, machine learning, and more – and discover what to do insteadRecognize and avoid logical fallacies and cognitive biases that make it harder to design and operate secure systemsImprove your everyday security choices and decisions as a practitioner, researcher, leader, or userIllustrations throughout to help learn and remember the conceptsBy three of the world's leading cybersecurity pioneers: Eugene Spafford (Cybersecurity Hall of Fame), Leigh Metcalf (CMU SEI/CERT), and Josiah Dykstra (NSA)