In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.
"Sixty percent of small businesses close within 6 months of being hacked."
There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.
"Attackers only need to get it right once, defenders have to get it right every single time."
This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.
Most of the myths and lies in InfoSec take hold because they seem correct, or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.
This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.
This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.
Editor's Notes
We're already one of the fastest growing industries
Everyone with experience in cybersecurity is guaranteed a job for life
VCs and PE firms have been dumping money in this space like crazy
Dumping money in this space... we might be on to something here...
1. Comfort myths and lies
- we *want* recycling to work, because the alternative is a feeling of helplessness
- we *want* switching to an electric car and buying carbon credits to work for the same reasons
- so we tell ourselves, and our customers (carbon neutral advertising - maybe from Hello Fresh) these “comfort lies” until we begin to believe them ourselves
ethics suddenly get more flexible
2. Fake it til you make it
Theranos raised a billion dollars because we were EAGER TO BELIEVE
3. burden of proof
there are a lot of scenarios in security where it's very difficult to measure value
people can, and will, take advantage of that
A bit of a tease here - see if you can spot the pattern
Vendors, industry analysts, investors, even defenders...
are eager to see their suspicions confirmed...
and to get validation for what they do.
InfoSec is FULL of mission-oriented folks
that don't just do this for the money,
this is also a calling for them.
They have a deep desire to hear that what they do makes a difference;
makes the world a safer place.
Vendors and investors desire market fit;
validation that they're building the right product at the right time
to get that evasive 100x return
Lies and myths are welcomed with open arms
Sunk cost fallacy is also an issue here
how do you think someone feels when they find out
they've been spreading a myth in every sales conversation
for the past 2 years?
Some recover and stop
Others just continue
THIS is where a myth becomes a lie
People often wonder if scenarios like Theranos were always a scam,
or if there was a turning point. I believe most start out with good intentions
My theory is that the turning point is often a sunk cost decision
Cybercrime will cause $10.5 trillion in damages in 2023?
146 billion records will be stolen?
Over the last two decades,
nearly every credit card in the world was exposed in a data breach
and what was the impact?
It was impossible for carders to monetize even a tiny fraction of the data stolen
It wasn't scalable
146 records stolen
45 million credit cards exposed
$2.9 billion per minute? WHY NOT
100 million port scans blocked at the firewall
it's all meaningless
What's the first thing you think when you see these numbers?
I think: what's Germany's GDP? Is it less than this?
What's the number for fraud globally?
How much in ransom payments were paid last year?
Yes, in fact, Germany's GDP is less than $6 trillion.
Global fraud is less than this
Ransomware, one of the biggest issues in our industry,
hasn't topped $1B yet
in fact ransom payments decreased by 40% in 2022 compared to 2021
so you're telling me that ransomware payments are less than a sixth of a percent of total cybercrime damages?
there's no way! And in fact, there's absolutely no data behind stats like these
$6T is more than all the insurance premiums paid globally!
That includes ALL insurance, not just cybersecurity insurance
that's life insurance, car insurance, giant container ship insurance,
pet insurance, cancel my flight insurance best buy replacement
plan on my Dyson vacuum insurance
This is a genius business move:
Step 1: understand what vendors need or want to hear
Step 2: create an impressive-sounding PR/marketing business that advertises itself as a research firm
Step 3: create great sound bites - facts optional - and post them everywhere
e.g. Steve Morgan "contributes" to Forbes and then cites Forbes as the source for Cybersecurity Ventures' research
Then the New York Times, CNBC, CompTIA, and the SEC can all cite Cybersecurity Ventures as a source
Step 4: profit - create tons of "research papers" for vendors
Unfortunately, this is one stat that's correct. Steve Morgan has been WILDLY successful in getting his stats repeated EVERYWHERE
Let's take a closer look at one of these stats.
First off, TRUST YOUR GUT. If it sounds like BS, it's worth investigating.
In 2017, I set out to document every company that had ever been destroyed by a breach.
How many did I find?
Only 23 over a 20 year period.
All small businesses; maybe 4 had over 100 employees, but all less than 500
Is it possible I missed some, or some didn't get reported? Sure!
Is it possible I'm missing 150 PER YEAR? Probably not.
This answers a broader, more general assumption in our industry: the assumption that security incidents MUST be ending companies
Ramon Ray: founder and owner of smallbiztechnology.com and Smart Hustle.
He was still using the stat as recently as late 2021, five years after NextGov interviewed him for their article debunking this claim.
And that's at the core of what we're talking about here:
there are a lot of folks out there who won't let the truth get in the way of a good sound bite
This is demotivating rhetoric at its worst.
Many defenders are all too happy to accept that they're powerless.
Humans the weakest link?
Uh, no - whoever fails to build a human-safe environment is the weakest link!
I learned many things from Wendy Nather, but one of the most important and useful lessons was to slow down, check my claims and statements, and make sure everything I'm saying was DEFENSIBLE.

When we worked as analysts, everyone loved writing up a hot take on a topic, but it needed to be examined from multiple perspectives. It needed to be clearly stated as opinion or fact. It needed receipts, attributions, and references to back it up in case there's anger, blowback, or whatever else. Wendy would always back me up, as long as I wasn't talking out my ass and gave her something DEFENSIBLE to defend.

This is all I'm asking here, and the main thing I want you to take away from this talk. Posting to Twitter, writing a blog, working with marketing - take a little bit of extra time to make sure what you're sharing is true and defensible.

And if you're feeling really spicy, help me out in challenging all the indefensible myths and lies out there.
This is my conclusion cassowary
He wants you to factor in some extra time for fact checks