Myths and Lies in InfoSec

Note: Presentation times are in Pacific Standard Time (PST).

Thursday, January 26, 2023 - 2:30 pm3:00 pm

Adrian Sanabria, Tenchi Security


In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.

"Sixty percent of small businesses close within 6 months of being hacked."

There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.

"Attackers only need to get it right once, defenders have to get it right every single time."

This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.

Most of the myths and lies in InfoSec take hold because they seem correct, or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups.

This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.

This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.

Adrian Sanabria, Tenchi Security

Adrian is a successful generalist with over two decades of experience hacking, fixing, breaking, building, and teaching in InfoSec. He’s always trying to see the big picture and figure out the best strategy. Despite all these years in the industry, he is still optimistic about our future.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {285647,
author = {Adrian Sanabria},
title = {Myths and Lies in {InfoSec}},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan

Presentation Video