Lies and Myths in InfoSec - 2023 Usenix Enigma

Editor's Notes

  • #4-#9 We're already one of the fastest growing industries. Everyone with experience in cybersecurity is guaranteed a job for life. VCs and PE firms have been dumping money in this space like crazy. Dumping money in this space... we might be on to something here...
    1. Comfort myths and lies: we *want* recycling to work, because the alternative is a feeling of helplessness; we *want* switching to an electric car and buying carbon credits to work for the same reasons. So we tell ourselves, and our customers (carbon neutral advertising, maybe from Hello Fresh), these "comfort lies" until we begin to believe them ourselves, and ethics suddenly get more flexible.
    2. Fake it til you make it: Theranos raised a billion dollars because we were EAGER TO BELIEVE.
    3. Burden of proof: there are a lot of scenarios in security where it's very difficult to measure value, and people can, and will, take advantage of that.
  • #10 A bit of a tease here - see if you can spot the pattern.
  • #11 Vendors, industry analysts, investors, even defenders... are eager to see their suspicions confirmed, and to get validation for what they do. InfoSec is FULL of mission-oriented folks who don't just do this for the money; this is also a calling for them. They have a deep desire to hear that what they do makes a difference, makes the world a safer place. Vendors and investors desire market fit: validation that they're building the right product at the right time to get that elusive 100x return. Lies and myths are welcomed with open arms.
  • #12 Sunk cost fallacy is also an issue here. How do you think someone feels when they find out they've been spreading a myth in every sales conversation for the past 2 years? Some recover and stop. Others just continue. THIS is where a myth becomes a lie. People often wonder if scenarios like Theranos were always a scam, or if there was a turning point. I believe most start out with good intentions. My theory is that the turning point is often a sunk cost decision.
  • #15 Cybercrime will cause $10.5 trillion in damages in 2023? 146 billion records will be stolen? Over the last two decades, nearly every credit card in the world was exposed in a data breach, and what was the impact? It was impossible for carders to monetize even a tiny fraction of the data stolen. It wasn't scalable. 146 records stolen, 45 million credit cards exposed, $2.9 billion dollars per minute? WHY NOT 100 million port scans blocked at the firewall? It's all meaningless.
  • #18-#23 What's the first thing you think when you see these numbers? I think: what's Germany's GDP? Is it less than this? What's the number for fraud globally? How much in ransom payments were paid last year? Yes, in fact, Germany's GDP is less than $6 trillion. Global fraud is less than this. Ransomware, one of the biggest issues in our industry, hasn't topped $1B yet; in fact, ransom payments decreased by 40% in 2022 compared to 2021. So you're telling me that ransomware payments are less than a sixth of a percent of total cybercrime damages? There's no way! And in fact, there's absolutely no data behind stats like these. $6T is more than all the insurance premiums paid globally! That includes ALL insurance, not just cybersecurity insurance: that's life insurance, car insurance, giant container ship insurance, pet insurance, cancel-my-flight insurance, Best Buy replacement plan on my Dyson vacuum insurance.
    This is a genius business move:
    Step 1: understand what vendors need or want to hear.
    Step 2: create an impressive-sounding PR/marketing business that advertises itself as a research firm.
    Step 3: create great sound bites (facts optional) and post them everywhere. E.g. Steve Morgan "contributes" to Forbes and cites Forbes as the source for Cybersecurity Ventures' research. Then the New York Times, CNBC, CompTIA, the SEC can all cite Cybersecurity Ventures as a source.
    Step 4: profit: create tons of "research papers" for vendors.
    Unfortunately, this is one stat that's correct. Steve Morgan has been WILDLY successful in getting his stats repeated EVERYWHERE.
  • #25-#32 Let's take a closer look at one of these stats. First off, TRUST YOUR GUT. If it sounds like BS, it's worth investigating. In 2017, I set out to document every company that had ever been destroyed by a breach. How many did I find? Only 23 over a 20 year period. All small businesses; maybe 4 had over 100 employees, but all had fewer than 500. Is it possible I missed some, or some didn't get reported? Sure! Is it possible I'm missing 150 PER YEAR? Probably not. This answers a broader and more general assumption in our industry: the assumption that security incidents MUST be ending companies. Ramon Ray: founder and owner of smallbiztechnology.com and Smart Hustle. He was still using the stat as recently as late 2021, five years after NextGov interviewed him for their article debunking this claim. And that's at the core of what we're talking about here: there are a lot of folks out there who won't let the truth get in the way of a good sound bite.
  • #34-#36 This is demotivating rhetoric at its worst. Many defenders are all too happy to accept that they're powerless. Humans the weakest link? Uh, no - whoever fails to build a human-safe environment is the weakest link!
  • #39 I learned many things from Wendy Nather, but one of the most important and useful lessons was to slow down, check my claims and statements, and make sure everything I'm saying was DEFENSIBLE. When we worked as analysts, everyone loved writing up a hot take on a topic, but it needed to be examined from multiple perspectives. It needed to be clearly stated as opinion or fact. It needed receipts, attributions, and references to back it up in case there's anger, blowback, or whatever else. Wendy would always back me up, as long as I wasn't talking out my ass and gave her something DEFENSIBLE to defend. This is all I'm asking here, and the main thing I want you to take away from this talk. Posting to Twitter, writing a blog, working with marketing - take a little bit of extra time to make sure what you're sharing is true and defensible. And if you're feeling really spicy, help me out in challenging all the indefensible myths and lies out there.
  • #40 This is my conclusion cassowary. He wants you to factor in some extra time for fact checks.