Muutke küpsiste eelistusi

Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us [Pehme köide]

4.36/5 (67 hinnangut Goodreads-ist)
, ,
  • Formaat: Paperback / softback, 416 pages, kõrgus x laius x paksus: 232x178x22 mm, kaal: 700 g
  • Ilmumisaeg: 02-Mar-2023
  • Kirjastus: Addison Wesley
  • ISBN-10: 0137929234
  • ISBN-13: 9780137929238
Teised raamatud teemal:
Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail UsSuurem pilt
  • Formaat: Paperback / softback, 416 pages, kõrgus x laius x paksus: 232x178x22 mm, kaal: 700 g
  • Ilmumisaeg: 02-Mar-2023
  • Kirjastus: Addison Wesley
  • ISBN-10: 0137929234
  • ISBN-13: 9780137929238
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780137929238.html
Märksõnad:

175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them

Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result. Many of the bad practices sound logical, especially to people new to the field of cybersecurity, and that means they get adopted and repeated despite not being correct. For instance, why isn't the user the weakest link?

In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.

Whatever your cybersecurity role or experience, Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra will help you surface hidden dangers, prevent avoidable errors, eliminate faulty assumptions, and resist deeply human cognitive biases that compromise prevention, investigation, and research. Throughout the book, you'll find examples drawn from actual cybersecurity events, detailed techniques for recognizing and overcoming security fallacies, and recommended mitigations for building more secure products and businesses.

  • Read over 175 common misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.
  • Learn the pros and cons of analogies, misconceptions about security tools, and pitfalls of faulty assumptions. What really is the weakest link? When aren't "best practices" best?
  • Discover how others understand cybersecurity and improve the effectiveness of cybersecurity decisions as a user, a developer, a researcher, or a leader.
  • Get a high-level exposure to why statistics and figures may mislead as well as enlighten.
  • Develop skills to identify new myths as they emerge, strategies to avoid future pitfalls, and techniques to help mitigate them.

"You are made to feel as if you would never fall for this and somehow this makes each case all the more memorable. . . . Read the book, laugh at the right places, and put your learning to work. You won't regret it."
--From the Foreword by Vint Cerf, Internet Hall of Fame Pioneer

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Arvustused

"Many security leaders are traditionally in charge of correcting misconceptions just as much as they are in charge of building up solid security practices. We have plenty of resources on practices--but this book is the crucial guide to that essential myth busting." --Phil Venables, CISO, Google Cloud

"I'm writing this on my phone, over Wi-Fi, in an airplane on my way to Black Hat, one of the world's largest security conferences. The fact that I'm able to do this at all shows how much we've really learned about cybersecurity over the decades. Now it's all collected in one place for everyone to share. Thank the wise authors, and most importantly: GET OFF THEIR LAWN." --Wendy Nather, Head of Advisory CISOs, Cisco

"This book is astounding. A true tour de force--which I have never said about any other book. Inverting the viewpoint is a stroke of genius. This is going to be on my grabbable-at-any-time shelf. What I learned, recalled, and was refreshed on with technically astute agnosticism cannot be measured; just appreciated as a profound historical compilation of security practice and theory. Bravo!" --Winn Schwartaul, Founder and Chief Visionary Officer, The Security Awareness Company

"I am happy to endorse the central idea of this book--that cybersecurity is rife with myths that are themselves part of the problem. The brain wants to understand, the world grows ever more complicated, and the sum of the two is myth-making. As the authors say, even if some understanding is true at some time, with enough change what was true becomes a myth soon enough. As such, an acquired immunity to myths is a valuable skill for the cybersecurity practitioner if no other. The paramount goal of all security engineering is No Silent Failure, but myths perpetuate if not create silent failure. Why? Because a state of security is the absence of unmitigable surprise and you cannot mitigate what you don't know is going on. Myths blind us to reality. Ignorance of them is not bliss. This book is a vaccine." --Dan Geer, CISO, In-Q-Tel

"This is a fun read for all levels. I like their rapid fire delivery and the general light they cast on so many diverse myths. This book will change the cybersecurity industry for the better." --Michael Sikorski, Author of Practical Malware Analysis & CTO, Unit 42 at Palo Alto Networks

Foreword xxiii
Vint Cerf
Introduction xxiv
Acknowledgments xxxiii
About the Authors xxxiv
Part I General Issues
1(55)
Chapter 1 What Is Cybersecurity?
2(34)
Everyone Knows What "Cybersecurity" Means
2(3)
We Can Measure How Secure Our Systems Are
5(6)
Trust and Risk
8(1)
Threats
9(1)
Security Policy
10(1)
And So
11(1)
The Primary Goal of Cybersecurity Is Security
11(1)
Cybersecurity Is About Obvious Risks
12(2)
Sharing More Cyber Threat Intel Will Make Things Better
14(2)
What Matters to You Matters to Everyone Else
16(1)
Product X Will Make You Secure
17(1)
Macs Are Safer Than PCs, Linux Is Safer Than Windows
18(1)
Open Source Software Is More Secure Than Closed Source Software
19(1)
Technology X Will Make You Secure
20(1)
Process X Will Make You Secure
21(1)
Faerie Dust Can Make Old Ideas Magically Revolutionary
22(1)
Passwords Should Be Changed Often
23(3)
Believe and Fear Every Hacking Demo You See
26(1)
Cyber Offense Is Easier Than Defense
27(2)
Operational Technology (OT) Is Not Vulnerable
29(1)
Breaking Systems Is the Best Way to Establish Yourself
30(1)
Because You Can, You Should
30(2)
Better Security Means Worse Privacy
32(1)
Further Reading
33(3)
Chapter 2 What Is the Internet?
36(20)
Everyone Knows What the "Internet" Means
36(1)
An IP Address Identifies a Unique Machine
37(2)
The Internet Is Managed and Controlled by a Central Body
39(1)
The Internet Is Largely Static
40(1)
Your Network Is Static
41(2)
You Know Your Crown Jewels and Where They Are
43(1)
Email Is Private
43(1)
Cryptocurrency Is Untraceable
44(2)
Everything Can Be Fixed with Blockchain
46(1)
The Internet Is Like an Iceberg
46(2)
The Dark Web Is Only for Criminal Activity
47(1)
Activity on the Dark Web Is Untraceable
47(1)
A VPN Makes You Anonymous
48(1)
A Firewall Is Enough
49(2)
Further Reading
51(5)
Part II Human Issues
56(105)
Chapter 3 Faulty Assumptions and Magical Thinking
56(32)
Humans Will Behave Rationally, So Blame the User!
57(5)
We Know Everything We Need to Know About Cybersecurity Problems
62(1)
Compliance Equals (Complete) Security
63(2)
Authentication Provides Confidentiality
65(1)
I Can Never Be Secure, So Why Bother?
65(1)
I Am Too Small/Insignificant to Be a Target
66(3)
Everybody Is Out to Get Me
69(2)
I Engage Only with Trusted Websites, So My Data Is Safe from a Breach
71(1)
Security by Obscurity Is Reasonably Secure
72(2)
The Illusions of Visibility and Control
74(2)
Five 9's Is the Key to Cybersecurity
76(2)
Everybody Has Top-of-the4_ine Technology
78(2)
We Can Predict Future Threats
80(1)
Security People Control Security Outcomes
81(1)
All Bad Outcomes Are the Result of a Bad Decision
82(2)
More Security Is Always Better
84(1)
Best Practices Are Always Best
85(1)
Because It Is Online It Must Be True/Correct
86(1)
Further Reading
87(1)
Chapter 4 Fallacies and Misunderstandings
88(22)
The False Cause Fallacy: Correlation Is Causation
89(3)
Absence of Evidence Is Evidence of Absence
92(2)
The Straw Hacker Fallacy
94(1)
Ad Hominem Fallacy
95(1)
Hasty Generalization Fallacy
96(1)
Regression Fallacy
97(1)
Base Rate Fallacy
98(2)
Gambler's Fallacy
100(1)
Fallacies of Anomalies
100(1)
Ignorance of Black Swans
101(2)
Conjunction and Disjunction Fallacies
103(1)
Valence Effect
104(1)
Endowment Effect
104(1)
Sunk Cost Fallacy
105(2)
Bonus Fallacies
107(2)
External Appeals
107(1)
Questionable Evidence
107(1)
The Loaded Question
108(1)
False Choices
108(1)
Tu Quoque
108(1)
Overloading the Question
109(1)
Further Reading
109(1)
Chapter 5 Cognitive Biases
110(20)
Action Bias
112(1)
Omission Bias
113(2)
Survivorship Bias
115(1)
Confirmation Bias
116(1)
Choice Affirmation Bias
117(1)
Hindsight Bias
117(2)
Availability Bias
119(2)
Social Proof
121(1)
Overconfidence Bias
122(1)
Zero Risk Bias
123(1)
Frequency Bias
124(1)
Bonus Biases
125(3)
Outcome Bias
125(1)
Discounting Bias
125(1)
Locality Bias
125(3)
Denomination Bias
128
Denial or Ostrich Bias
126(1)
Aura or Halo Bias
126(1)
One Upmanship
126(1)
Anchoring Bias
126(1)
Priming
127(1)
Knowledge Bias
127(1)
Status Quo Bias
127(1)
"Ism" Biases
127(1)
Self-Serving Bias
128(1)
Further Reading
128(2)
Chapter 6 Perverse Incentives and the Cobra Effect
130(10)
The Goal of a Security Vendor Is to Keep You Secure
131(1)
Your Cybersecurity Decisions Affect Only You
132(2)
Bug Bounties Eliminate Bugs from the Offensive Market
134(1)
Cyber Insurance Causes People to Take Less Risk
135(1)
Fines and Penalties Cause People to Take Less Risk
136(1)
Attacking Back Would Help Stop Cyber Crime
137(1)
Innovation Increases Security and Privacy Incidents
138(1)
Further Reading
139(1)
Chapter 7 Problems and Solutions
140(21)
Failure Is Not an Option in Cybersecurity
141(1)
Every Problem Has a Solution
142(5)
We Can Solve All Our Problems with Big Data
144(2)
There Is One, and Only One, Correct Solution
146(1)
Everyone Should Solve a Given Cybersecurity Problem in the Same Way
147(1)
Anecdotes Are Good Leads for Cybersecurity Solutions
147(1)
Detecting More "Bad Stuff" Means the New Thing Is an Improvement
148(1)
Every Security Process Should Be Automated
149(2)
Professional Certifications Are Useless
151(7)
To Work in Cybersecurity Does (Not) Require a College Degree in Computing
151(3)
Cybersecurity Certifications Are (Not) Valuable
154(1)
There Is a Shortage of Cybersecurity Talent
155(1)
There Is a Disconnect Between Study and Practice
156(2)
Further Reading
158(3)
Part III Contextual Issues
161(126)
Chapter 8 Pitfalls of Analogies and Abstractions
162(18)
Cybersecurity Is Like the Physical World
165(5)
Cybersecurity Is Like Defending a Castle
166(1)
Digital Theft Is Like Physical Theft
167(1)
Users Are the "Weakest Link"
167(3)
Cybersecurity Is Like Medicine and Biology
170(2)
Cybersecurity Is Like Fighting a War
172(3)
"Cyber Pearl Harbor"
173(1)
Cyber Weapons
173(1)
Cyber Terrorism
174(1)
Cybersecurity Law Is Analogous to Physical-World Law
175(1)
Tips for Analogies and Abstractions
175(3)
Further Reading
178(2)
Chapter 9 Legal Issues
180(18)
Cybersecurity Law Is Analogous to Physical-World Law
181(1)
Your Laws Do Not Apply to Me Where I Am
182(2)
That Violates My First Amendment Rights!
184(2)
Ignorance of the Law
184(1)
Jurisdictional Differences
185(1)
Legal Code Supersedes Computer Code
186(5)
Laws Can Simply Be Converted to Computer Code
187(1)
Legislators/Regulators/Courts Know Enough About Technology to Regulate It
188(1)
Laws and Courts Unduly Constrain Developers
189(2)
Law Enforcement Will Never Respond to Cyber Crimes
191(2)
You Can Always Hide Information by Suing
193(1)
Suing to Suppress a Breach Is a Good Idea
194(1)
Terms and Conditions Are Meaningless
194(1)
The Law Is on My Side, So I Do Not Need to Worry
195(1)
Further Reading
196(2)
Chapter 10 Tool Myths and Misconceptions
198(16)
The More Tools, The Better
199(2)
Every New Threat Needs a New Tool
200(1)
Default Configurations Are Always Secure
201(2)
A Tool Can Stop All Bad Things
203(2)
Intent Can Be Determined from Tools
205(2)
Security Tools Are Inherently Secure and Trustworthy
207(2)
Nothing Found Means All Is Well
209(3)
Nothing Found by the Scanners Means We Are Secure
209(1)
No Alarms Means We Are Secure
210(2)
No Vulnerability Reports Means No Vulnerabilities
212(1)
Further Reading
212(2)
Chapter 11 Vulnerabilities
214(30)
We Know Everything There Is to Know About Vulnerabilities
215(3)
Vulnerabilities Are Sparse
218(1)
Attackers Are Getting More Proficient
218(1)
Zero-Day Vulnerabilities Are Most Important
219(4)
Zero-Days Are the Scariest
219(3)
Zero-Days Mean Persistence
222(1)
All Attacks Hinge on a Vulnerability
223(3)
Exploits and Proofs of Concept Are Bad
226(2)
Vulnerabilities Happen Only in Complex Code
228(2)
First Movers Should Sacrifice Security
230(1)
Patches Are Always Perfect and Available
231(5)
Defenses Might Become Security Vulnerabilities with Time
236(1)
All Vulnerabilities Can Be Fixed
237(2)
Scoring Vulnerabilities Is Easy and Well Understood
239(1)
Because You Can, You Should--Vulnerabilities Edition
240(1)
Vulnerability Names Reflect Their Importance
241(1)
Further Reading
242(2)
Chapter 12 Malware
244(22)
Using a Sandbox Will Tell Me Everything I Need to Know
246(3)
Reverse Engineering Will Tell Me Everything I Need to Know
249(2)
Malware and Geography Are/Are Not Related
251(2)
I Can Always Determine Who Made the Malware and Attacked Me
253(1)
Malware Is Always a Complex Program That Is Difficult to Understand
254(2)
Free Malware Protection Is Good Enough
256(1)
Only Shady Websites Will Infect Me
257(1)
Because You Can, You Should--Malware Edition
258(1)
Ransomware Is an Entirely New Kind of Malware
259(2)
Signed Software Is Always Trustworthy
261(2)
Malware Names Reflect Their Importance
263(1)
Further Reading
264(2)
Chapter 13 Digital Forensics and Incident Response
266(21)
Movies and Television Reflect the Reality of Cyber
267(2)
Incidents Are Discovered as Soon as They Occur
269(1)
Incidents Are Discrete and Independent
270(1)
Every Incident Is the Same Severity
271(1)
Standard Incident Response Techniques Can Deal with Ransomware
272(1)
Incident Responders Can Flip a Few Switches and Magically Everything Is Fixed
273(3)
Attacks Are Always Attributable
276(2)
Attribution Is Essential
278(2)
Most Attacks/Exfiltration of Data Originate from Outside the Organization
280(1)
The Trojan Horse Defense Is Dead
281(1)
Endpoint Data Is Sufficient for Incident Detection
282(2)
Recovering from an Event Is a Simple and Linear Process
284(1)
Further Reading
285(2)
Part IV Data Issues
287(49)
Chapter 14 Lies, Damn Lies, and Statistics
288(24)
Luck Prevents Cyber Attacks
289(1)
The Numbers Speak for Themselves
290(1)
Probability Is Certainty
290(3)
Statistics Are Laws
293(10)
We Need Context
294(1)
Forecasting an Inference with Statistics
295(2)
Correlation Implies Causation
297(4)
Errors in Classification Are Insignificant
301(2)
Data Is Not Important to Statistics
303(3)
Artificial Intelligence and Machine Learning Can Solve All Cybersecurity Problems
306(4)
Further Reading
310(2)
Chapter 15 Illustrations, Visualizations, and Delusions
312(14)
Visualizations and Dashboards Are Inherently and Universally Helpful
313(6)
Cybersecurity Data Is Easy to Visualize
319(5)
Visualizing Internet Geolocation Is Useful
320(3)
Visualizing IPs and Ports Is Clear and Understandable
323(1)
Further Reading
324(2)
Chapter 16 Finding Hope
326(10)
Creating a Less Myth-Prone World
328(1)
The Critical Value of Documentation
329(2)
Meta-Myths and Recommendations
331(3)
Meta-Myths
332(1)
Meta Recommendations
333(1)
Avoiding Other and Future Traps
334(1)
Parting Thoughts
334(2)
Appendix: Short Background Explanations 336(8)
Acronyms 344(6)
Index 350
Eugene H. Spafford, PhD, is a professor in Computer Science at Purdue University. In his 35-year career, Spaf has been honored with every major award in cybersecurity. Leigh Metcalf, PhD, is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute's cybersecurity-focused CERT® division. Josiah Dykstra, PhD, is a cybersecurity practitioner, researcher, author, and speaker. He is the owner of Designer Security and has worked at the US National Security Agency for 18 years.