CyberWire Daily - Bonus Episode: 2024 Cybersecurity Canon Hall of Fame Inductee: Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us by Eugene Spafford, Leigh Metcalf, Josiah Dykstra and Illustrated by Pattie Spafford. [CSOP]
Episode Date: May 7, 2024

Rick Howard, N2K's CSO and The CyberWire's Chief Analyst and Senior Fellow, interviews Eugene Spafford about his 2024 Cybersecurity Canon Hall of Fame book, "Cybersecurity Myths and Misconceptions."

References:
Eugene Spafford, Leigh Metcalf, Josiah Dykstra, Illustrator: Pattie Spafford. 2023. Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us [Book]. Goodreads.
Helen Patton, 2024. Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us [Book Review]. Cybersecurity Canon Project.
Staff, 2024. CERIAS - Center for Education and Research in Information Assurance and Security [Homepage]. Purdue University.

Rick Howard Cybersecurity Canon Concierge: Cybersecurity Canon Committee members will be in the booth outside the RSA Conference Bookstore to help anybody interested in the Canon's Hall of Fame and Candidate books. If you're looking for recommendations, we have some ideas for you. RSA Conference Bookstore. JC Vega: May 6, 2024 | 02:00 PM PDT. Rick Howard: May 7, 2024 | 02:00 PM PDT. Helen Patton: May 8, 2024 | 02:00 PM PDT.

Rick Howard RSA Birds of a Feather Session: I'm hosting a small group discussion called "Cyber Fables: Debating the Realities Behind Popular Security Myths." We will be using Eugene Spafford's Canon Hall of Fame book, "Cybersecurity Myths and Misconceptions," as the launchpad for discussion. If you want to engage in a lively discussion about the infosec profession, this is the event for you. May 7, 2024 | 9:40 AM - 10:30 AM PT.

Rick Howard RSA Book Signing: I published my book at last year's RSA Conference. If you're looking to get your copy signed, or if you just want to tell me how I got it completely wrong, come on by. I would love to meet you. RSA Conference Bookstore. May 8, 2024 | 02:00 PM PDT. Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.

Rick Howard Cyware Panel: The Billiard Room at the Metreon | 175 4th Street | San Francisco, CA 94103. May 8, 2024 | 8:30am-11am PST.

Simone Petrella and Rick Howard RSA Presentation: Location: Moscone South Esplanade level. May 9, 2024 | 9:40 AM - 10:30 AM PT. Simone Petrella, Rick Howard, 2024. The Moneyball Approach to Buying Down Risk, Not Superstars [Presentation]. RSA 2024 Conference.
Transcript
You're listening to the CyberWire Network, powered by N2K.
You're listening to the 2012 song Hall of Fame by The Script and Will.i.am,
which means it's that time of year again. The Cybersecurity Canon Committee has announced the Hall of Fame inductees
for the 2024 season to coincide with the RSA Conference,
and I got to interview the winning author.
As you all know, N2K and the leaders of the Cybersecurity Canon Project team up each year to highlight this valuable and free resource
for the entire InfoSec community
to find the absolute must-read books for the cybersecurity professional.
And the next book we're going to talk about, the next inductee into the Canon Hall of Fame this
year, is Cybersecurity Myths and Misconceptions by Eugene Spafford. So, hold on to your butts.
This is going to be fun.
My name is Rick Howard and I'm broadcasting from the CyberWire's
alternate Secret Sanctum Sanctorum
studios located underwater
somewhere along the San Francisco-Oakland Bay Bridge in the good old U.S. of A.
And the interns had a rip-roaring night their first night in town.
Hey, hey, did anybody find Kevin from last night?
We're all still looking for him. He'll turn up. He always does.
You're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
Before we get started, I have several events that I'm doing at the RSA Conference.
If you're attending, I would love for you to come by and say hello.
First, members of the Cybersecurity Canon Committee will be in the booth outside the RSA Conference bookstore
to help anybody interested in the Canon's Hall of Fame and Candidate books.
And if you're looking for recommendations, we have some ideas for you.
It's on Monday, Tuesday, and Wednesday
at the RSA Conference Bookstore at 2 p.m. My slot is on Tuesday, so if you're looking to talk to me,
come find me then. Next, I'm hosting a small group discussion, RSA calls them birds of a feather
discussions, titled Cyber Fables, Debating the Realities Behind Popular Security Myths. The idea
came from the Hall of Fame book we're talking about today,
Cybersecurity Myths and Misconceptions.
If you want to mix it up with a bunch of smart people on this topic,
this is the event for you.
RSA hasn't picked a location yet,
but the session is on May 7th from 9:40 to 10:30 a.m.
Next, I'm doing a book signing.
I published my first principles book at last year's RSA
conference. If you're looking to get your copy signed, or if you just want to tell me how I got
it completely wrong, come on by. I would love to meet you. It's at the RSA conference bookstore,
May 8th from 2 to 3 p.m. I'm also hosting a Cyware-sponsored panel on the latest developments
in SOC fusion, and Cyware is paying for the breakfast.
How can you turn down a free meal?
It's at the Billiard Room at the Metreon on May 8th from 8:30 to 11 a.m.
And finally, Simone Petrella and I have been talking about Moneyball for workforce development
since the last RSA conference.
For those of you that don't know, Simone is the N2K president, and I love this
Moneyball idea. Come see us at Moscone South on the Esplanade level on May 9th from 9:40 to 10:30.
That's a lot. So, with all those announcements out of the way, it's time to talk about the book.
Oh, yeah.
Eugene Spafford, Spaff to all those that know him, is one of the original cybersecurity founding fathers.
Historians usually put him in the same conversation with Bruce Schneier, Vint Cerf, and Richard Clarke.
He's taught cybersecurity at Purdue University for 35 years, founded
CERIAS, the Center for Education and Research in Information Assurance and Security, back in 1999,
and has developed fundamental technologies in intrusion detection, incident response,
firewalls, integrity management, and forensic investigation. Dr. Spafford is a fellow of the American Academy
of Arts and Sciences, the Association for the Advancement of Science, the ACM, the IEEE,
and the ISC-2. And that's just the first page of his bio. He wrote this book with his co-authors,
Leigh Metcalf and Josiah Dykstra, and he even had his wife, Pattie Spafford, provide the illustrations.
I interviewed him in April 2024, just prior to the RSA conference in May.
Before we get into this too much, first, congratulations on your book being inducted into the Cybersecurity Canon Hall of Fame. It's very exciting.
What motivated you all to tackle this particular subject?
My memory on this doesn't quite capture the very, very beginning, but I think we were having a discussion about
frustration we had with various parties proclaiming about things that were incorrect, giving advice that was
incorrect.
Some we'd see on social media, some we'd hear in conference presentations that we knew
was simply misinformed or just outright.
Self-serving may not be the best term to use,
but it was just wrong.
And the more we discussed about it,
the more we realized there was a sufficient body here
that writing a definitive work
to try to dispel some of those myths,
address some of the psychological biases,
and back them up with references would probably be a good thing.
I've had that thought for over a decade now, right? It started occurring to me, you know, around 2010 or so, that we all just kept looking at what our predecessors had done.
And, you know, we took the next step and we never questioned whether or not we were going in the right direction in the first place, whether or not our assumptions were even correct. And you cover
some of those in that book, in the book too. Is that a different way to say what you were saying?
Yeah, I think so. I remember even 30 years ago discussing how a lot of what we did in security was tales around the campfire.
Exactly right.
And some of those tales were intended more to frighten than to educate.
But we have grown so quickly as a field, the technological transformation is so rapid that sometimes our documentation and understanding has simply not been able to keep up.
Well, I've definitely participated in those discussions because early in my career was fear, uncertainty, and doubt.
That's how we all thought we would get money to fund our projects.
And as I've gotten older and more senile,
I realize that's probably not the way to go,
that we should probably have a better way to describe what we're trying to do.
And your book gives us all kinds of evidence and guidelines about how to do that,
so I really appreciate that.
I think we had a very good writing experience together because all three of us have had extensive experience in the field,
although in somewhat different areas, different perspectives. But it all came together really
well that we basically agreed on approaches and some of what the most important points were.
So it wasn't just your idea. It was all you guys coming together and saying, oh yeah,
that's another one of these things we have to highlight. So is that what you're saying?
Yeah, it was really a group effort.
And there were a couple chapters where I took the lead, for instance, the first chapter on what is security.
Then there were others where each of them took a lead in writing the chapter.
But all of us ended up contributing.
So you organized the book in four big sections. You got general issues like cybersecurity
definitions, products, and process. You got human issues like faulty assumptions and cognitive
biases and weird incentives that we are all following. We have contextual issues like bad analogies, legal issues,
and just myths about tools. And finally, we got data issues like probability and statistics,
AI, and machine learning. And I was wondering, out of all the myths you tackled in the book,
do you personally have a favorite one, a pet peeve maybe, that has been gnawing at you for
a long time and the book gave you a way to get it off your chest?
I would say there's two, really. And the first one was, as I said, chapter one,
that we all have an agreed upon definition of what cybersecurity is and what it's about.
And that's simply not true. And that leads to all kinds of follow-on difficulties
with lack of metrics and misapplying tools and so on.
The other is the canard that the user's the weakest link.
Yeah.
And that is extremely annoying to me
for a variety of reasons, primarily as an educator, in that people are really potentially our strongest element of protection.
authority to be able to assist in security and to just pick out the people who are trying to do their jobs, don't have the knowledge or don't have the tools, and blame them when things go wrong
is a broken approach to how to get better cybersecurity. That's one of my biggest
annoyances also. I can't believe we blame the user
just because we haven't designed the compute systems
and the security systems that are easy to use
and secure to use.
That just annoys the crap out of me.
And for the first one you mentioned too,
the definition of cybersecurity,
I get to talk to a lot of senior security professionals
in this job and you get any 10 in a room and ask them,
what are they trying to do with their program?
You're going to get two different answers
because none of us have said what we think
is the absolute first principle
for what we're all trying to do to protect our enterprise.
So I totally agree.
Does that match with what you're trying to say there?
In part, it's not only do we not know
what it is we're protecting, we don't agree what we're
protecting it against. And what's important. Why we're protecting it, how to allocate our resources
appropriately.
And that's our show. Well, part of it. There's actually a whole lot more, and it's
all pretty great if I do say so myself. So here's the deal. We need your help so we can keep producing the insights
that make you smarter and keep you a step ahead
in the rapidly changing world of cybersecurity.
If you want the full show,
head on over to thecyberwire.com slash pro
and sign up for an account.
That's thecyberwire, all one word, dot com slash pro.
For less than a dollar a day,
you can help us keep the lights on, the mics rolling, and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free
podcasts, my favorite, exclusive content, newsletters, and personal level-up resources like practice
tests. With N2K Pro, you get to help me and our team put food on the table for our families.
And you also get to be smarter and more informed than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day.
Now, if that's more than you can muster, that's totally fine.
Shoot an email to pro at n2k.com and we'll figure something out so you can join.
I'd love to see you over here at N2K Pro.
This episode was produced by Liz Stokes.
Our theme song is by Blue Dot Sessions, remixed by Elliot Peltzman,
who also mixes the show and provides original music.
Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Thank you.