# Cybersecurity Myths and Misconceptions

![rw-book-cover](https://m.media-amazon.com/images/I/61TbqcJM+CL._SY160.jpg)

## Metadata

- Author: [[Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra]]
- Full Title: Cybersecurity Myths and Misconceptions
- Category: #books

## Highlights

- Many students over-generalize and form misconceptions by assuming that encryption achieves additional properties beyond confidentiality: preventing manipulation, protecting against theft, and ensuring availability. ([Location 622](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=622))
- Thus, when we talk about defeating attacks on computing or protecting computing, it is more than computers and networks: It is fundamentally about protecting society and civilized life. ([Location 666](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=666))
- One expert on domain name use, Paul Vixie, has suggested that if we block all new domains for 24 hours after they are created, the amount of spam we see will drop significantly. ([Location 1831](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=1831))
- we discussed how Microsoft had achieved a C2 security rating of its Windows NT system, while at the same time, security researchers showed it was unsecure. ([Location 2323](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2323))
- Risk management is a spectrum, remember? Every time we walk down the street, we risk tripping on the sidewalk or being hit by a bus, so pedestrians must exercise appropriate caution every time. We can never be entirely safe on the sidewalk, but that does not mean we should be careless or reckless. ([Location 2358](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2358))
- Targeting is time- and labor-intensive for criminals, so many instead choose to use “spray and pray” techniques, such as indiscriminately sending phishing emails to millions of addresses and hoping that some victims will open them. ([Location 2398](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2398))
- In 2019, the RAND Corporation looked at how underwriters price cyber risk in insurance policies.18 One of the policies included a calculation of premiums using a frequency of 0.20% for a “computer attack” event. Given the market’s infancy, RAND also pointed out that other research had shown the probability of a cyber incident across the top 10 most risky industries as around 0.6%. 18. Romanosky, Sasha, et al., “Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?” Journal of Cybersecurity, Vol. 5, No. 1 (2019). ([Location 2466](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2466))
- Shodan,22 for example, crawls the entire Internet collecting and indexing service banners. If someone launches a secret web server and tells nobody about it, Shodan will still find it in under a week. 22. www.shodan.io/ “Security through obscurity ([Location 2543](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2543))
- might not actually represent what is going on in the system but look great in sales presentations. (Some people refer to this as the “blinkenlights effect.”) ([Location 2594](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2594))
- First, the security staff has little control over unknown bugs in software. They trust that vendors are performing due diligence and that patches will be available, but the security team mostly cannot control if, when, or how other people discover bugs. ([Location 2761](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=2761))
- Spaf’s First Law of System Administration in an interview: “If your position in an organization includes responsibility for security, but does not include corresponding authority, then your role in the organization is to take the blame when something happens. You should make sure your resume is up-to-date.”14 ([Location 3143](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3143))
- Either way, math is like a honey badger: It does not care what your feelings on the matter are. ([Location 3335](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3335))
- Also, employees transition from “gruntled” to “disgruntled” more often than some employers believe. Bad things happen. It’s best to be prepared for that. As the old Russian proverb goes (in English), “Trust, but verify.” ([Location 3347](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3347))
- Tu Quoque. A classic fallacy is engaging in tu quoque (Latin for “you also”): accusing the other side of something similar to the issue under discussion, but that is unrelated. This often happens in political and familial arguments (and should definitely be avoided). For example, “You are blaming me for not installing the patch on the file server? How about the fact that you use the same password for all your accounts?” ([Location 3438](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3438))
- The proper solution was to reinforce the parts of the planes that did not have the same bullet holes as the survivors. If we only look at the survivors, we overlook an important piece of information. We are ignoring the question, “For those that did not survive, why?” The vulnerable parts of the plane needed more reinforcement because that is why those planes did not return. ([Location 3616](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3616))
- is desirable—not only in cybersecurity but also in other fields—to be willing to reconsider past choices in light of new evidence. We need to be willing to admit to making incorrect choices and be ready to fix them; obstinacy and haughtiness are viewed as unattractive and are disadvantageous qualities. ([Location 3665](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3665))
- Popularity makes something attractive to us. 11. The others are reciprocity, commitment/consistency, authority, liking, and scarcity. ([Location 3753](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3753))
- In Star Trek: The Next Generation, we learned that Scotty’s trick for looking like a miracle worker was to multiply all estimates by four.15 ([Location 3784](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3784))
- recall one method for estimating software development time as “double, add 1, and promote to the next unit of measure.” Thus, an estimate of two hours would be quoted to management as five days; our experience has shown this is often a reasonable estimate. ([Location 3787](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3787))
- Do not be fooled: The primary goal of cybersecurity vendors is to increase profits. ([Location 3960](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=3960))
- Unlike encrypted email, a paper envelope can be easily opened and inspected. (In the United States, first-class mail contents are protected by the Fourth Amendment—a court-issued warrant is required to read it.) ([Location 5042](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5042))
- During the 2022 invasion of Ukraine, for example, Russia attacked satellite modems of tens of thousands of people inside and outside of Ukraine. ([Location 5046](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5046))
- In 1996, John Perry Barlow authored A Declaration of the Independence of Cyberspace12 in which he wrote (in part): 12. www.eff.org/cyberspace-independence We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear. This was a rallying cry for many in the Internet community for quite a few years but could never be more than aspirational. Today, it has about as much weight as Sovereign Citizens’ statements about not being subject to any “made-up” government. Neither will get someone out of legal difficulties, and trying to assert either might complicate things (for the worse) if they find themselves in trouble. ([Location 5253](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5253))
- Even the most fundamental principle—thou shalt not kill—is subject to thousands of interpretations, justifications, and debates and is not absolute (e.g., issues of war, self-defense, justified actions of law enforcement, capital punishment, treatment of gravely ill people). ([Location 5273](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5273))
- These restrictions are often shared across other countries via treaty obligations. EAR and FACR are consistent with an international agreement, the Wassenaar Arrangement, with 42 member countries. ([Location 5363](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5363))
- The word tool is an abstract catch-all for software, algorithms, services, and various methods for performing a task or achieving a goal. Some military environments use the word “capability” as a similar concept for the ability to achieve a desired objective. ([Location 5526](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5526))
- The UNIX philosophy included the maxim of making each program do one thing well. This led naturally to a collection of many single-purpose utilities that can be combined to perform more complex operations. The UNIX tool grep is a powerhouse for cybersecurity to find patterns in data.2 In contrast is an approach of “one tool to rule them all.” Some call this the single pane of glass strategy where users can interact, manipulate, analyze, and visualize disparate data sources on one screen. ([Location 5541](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5541))
- Imagine a bad actor has decided to steal our traffic and cause havoc by announcing to the world that they are the owners of our network. As a result, they can intercept our mail, pretend to be us and send bad things out, harming our reputation, and generally do naughty things. ([Location 5749](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=5749))
- Watts Humphrey, one of the fathers of software quality, found in surveys that a typical developer accidentally introduces, on average, one defect per 10 lines of code.6 ([Location 6022](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=6022))
- Mandiant, for instance, considers a zero-day to be anything without a patch available, even if it is known to the public. ([Location 6063](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=6063))

## New highlights added April 17, 2023 at 9:27 AM

- The good news is that a study found only 5% of vulnerabilities published in the CVE database had published exploits.18 The 5% that do have exploits can cause no end of trouble, and we do not know that the other 95% of the vulnerabilities do not have exploits. We only know they are not published. ([Location 6240](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=6240))
- study in 2016 showed that 20% of the companies that paid the ransom failed to get their data back.37 In 2021, the results were much worse.38 That study showed that only 8% of those that paid the ransom got their data back. ([Location 7096](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=7096))
- A group project named No More Ransom39 collects keys and tools to help you retrieve your data. Ransomware authors are like all software authors; some are good at it, and some are not. ([Location 7106](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=7106))
- Signing is a good thing—it is not malware if it is signed, right? Nothing to worry about. Except when there is. ([Location 7142](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=7142))
- The incident responders sit in the dark room, undergoing a joust of wills with the other side for their entire workday. ([Location 7261](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=7261))
- Recommendation #1: Do not overgeneralize. ([Location 8627](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=8627))
- Recommendation #2: Prioritize people first. ([Location 8631](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=8631))
- Recommendation #3: Slow down. ([Location 8641](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=8641))
- Recommendation #4: Keep learning. We ([Location 8645](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=8645))
- Focus on respected publications, seminars, and classes held by professional nonprofit associations such as ACM, USENIX, and ISSA. Note that the mark of good science and engineering is the willingness to change approaches based on new evidence; politics and religion are where people claim to have the absolute, immutable facts, not cybersecurity! ([Location 8648](https://readwise.io/to_kindle?action=open&asin=B0BMPN72HR&location=8648))