Rob Cheng's Blog
The Ten Biggest Lies in Cybersecurity


Prevention is futile
About 10 years ago, long before the ransomware pandemic began, the powers that be decided that cyber prevention was futile and that cybersecurity should focus exclusively on reaction. Development and improvement of legacy preventative solutions were halted in favor of reactive architectures such as next-generation antivirus, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Endpoint Protection Platform (EPP). A more prudent and effective strategy is a hybrid of prevention and reaction; abandoning prevention, however, maximized revenue for the cybersecurity industry.
Multifactor authentication is the answer
Although MFA is prevention, it is expensive, with recurring maintenance costs. Not all ransomware enters through an authentication breach. Lately, ransomware makers have been offering insiders a bounty of $100,000 to release ransomware onto a network. MFA is good, but insufficient in itself to thwart ransomware.
Backing up data stops ransomware
When ransomware was in its infancy, good backups enabled quick restoration of operations and no ransomware payments. Today’s ransomware exfiltrates data, disables backup services, and encrypts the original data set and the backup too. Air-gapping backups is useless, since the ransomware waits until the backup is no longer air-gapped and encrypts it then. Restoring from backup is good for disaster recovery, but not for ransomware.
Reacting quickly is the key to stopping ransomware
While it is possible to monitor, detect, and respond to malicious human activity, ransomware traverses a network at 100 to 1,000 times the speed of a human. Ransomware infects a network in seconds, or perhaps a few minutes. People cannot respond fast enough.
Ransomware is here to stay
Repeating this lie is job security for the sycophants of the cybersecurity industry. Ransomware is a business with revenues (ransom payments) and expenses. Proactively preventing ransomware from entering the network simultaneously drives down the revenue and increases the costs of the ransomware business model. Ransomware is a metastasizing cancer, but there is still time to cut off its lifeblood: money.
The problem is Russia
Ransomware is the monetization of security holes. The purveyors of ransomware only need a fast internet connection, obfuscation tools, and a country outside the reach of American law enforcement. Even if ransomware’s origin were Russia, ransomware could be made almost anywhere with citizens looking to make a quick million and get away with it.
The higher the budget, the better the cybersecurity
This one is up there with “lather, rinse, repeat” and “drinking alcohol daily improves life expectancy”, although you have to love the moxie. Cybersecurity giant Accenture was hit with garden-variety ransomware that stole terabytes of proprietary data and carried a $40M ransom. Accenture had an almost unlimited budget for cyber. The Accenture infection is analogous to the neighborhood fire department, fire trucks, and firemen burning to the ground.
Layered security is the right approach
This lie is the cybersecurity industry saying that it has no idea whether this widget works, and neither do you, so you might as well give it a try. This Frankenstein approach to cybersecurity makes it impossible to understand what works and what is useless. Paying for useless security maximizes revenue for the cybersecurity industry.
There are no silver bullets
Application whitelisting is the silver bullet. NIST advises organizations to use modern whitelisting programs, also known as application control programs, to stop cyber threats. The Australian Signals Directorate’s Essential Eight Maturity Model has four levels (0–3), and levels 1, 2, and 3 require application whitelisting.
Cybersecurity is complicated
The cybersecurity industry’s ineffective, reactive, throw-spaghetti-at-the-wall, prevention-be-damned architecture is complicated and intellectually out of reach for businesses, lawmakers, and laypeople. There are many prevention paradigms in our society, and none of them is complicated: health care, fire prevention, toothpaste, home security, and so on. Making cybersecurity unduly obtuse and complicated is part of the industry’s sales playbook, but it doesn’t have to be this way.
What you can do
Stop repeating the lies. Use common sense. Keep an eye on Australia. When buying cyber products, ask your well-dressed, attractive, articulate salesperson whether any of their customers have been infected with ransomware lately.
My Last Conversation with Mike Hammond

About two weeks before Hammer passed away, Ted asked me to give him a ring, and I gladly accepted. Over the years, Hammer and I had kept in touch, but it had been about a year since we last spoke.

We talked for 99 minutes, which I would describe as a normal conversation between him and me. During that time, we laughed, cried, and reminisced.


Hammer had an incredible sense of humor, with a unique talent to make a large group of people pay attention and laugh. His sense of humor was gruff, intelligent, and usually insightful. I would put Hammer’s wit on par with Larry the Cable Guy’s. I love this Robin Hood photo of me, Hammer, and Tommy because I have a huge grin on my face. I am sure Hammer had just pulled off another one-liner.


Hammer shared with me the details of his wife’s passing. It had happened very suddenly. They learned of her illness in March and she was gone in June. Hammer was hurting and he let it all out. I had known Hammer for over 25 years, but I had never seen him like this. I knew that my friend was hurting, and so we cried together.


Hammer’s accomplishments at Gateway were numerous and profound. The sum of them all is a testament to his hard work and insane intelligence. The one accomplishment he was most proud of was driving the company’s cash balance over one billion dollars. I asked him how he did it, and he slowly and humbly told me what he had done. To be honest, I did not understand a lot of it, but I do know it took a special person to make it happen.

Shortly after we both became Senior Vice Presidents, he made it his personal goal to drive the company’s cash over ten figures. No one told Hammer to do this; he just took it upon himself. Think about how much understanding of the company’s financial status and operations it takes to set such an ambitious target. Over the next four months, Hammer worked tirelessly on this goal. He traveled the globe to realign our supply chain to make the company as efficient as possible. The buzzword at the time was “just in time inventory”, and Hammer made it all happen single-handedly. To be clear, there were no drawn-out meetings, no PowerPoint presentations, just one guy “hammering” his vision home. I remember the cold January day in South Dakota when Dave McKittrick shared the Q4 97 financial results with the management team. Hammer and I shared a long, hard hug.


At the end of our conversation, Hammer said, “I love you, Robby.” He frequently ended our conversations this way, and to be honest, I did not always reciprocate. I am so glad that this last time, I did. And I really meant it.

More importantly, he said, “Robby, we accomplished great things together.” I am very proud of this last comment. The most important word in that comment is “together”. Hammer made me a better businessman and person, and I like to think I did the same for him.

I love you Hammer.

Programming Computers

My interest in computers and programming dates back to when I was a junior in high school. I loved my Texas Instruments programmable calculator, and I purchased two of them. By the time I was in high school, I took my first computer class. We had a small teletype through which we could access the school’s mainframe, and we would create simple BASIC programs. I realized that typing would be an important part of my life, and I convinced my friend Gordon Stewart to take typing class with me. At the time, typing was considered a skill for secretaries, and Gordon and I were the only two boys in the entire class. Based on my love of computers and mathematics, I entered two county science fairs and came in second both times. My mother was a systems programmer for the US Naval Academy in Annapolis, MD. That was great fun. I had access to the Naval Academy’s mainframe, and I would spend hours writing simple programs. One program randomized my entire album collection, and then I would listen to all of my albums based on the randomized output.

When I went to college, there were two mandatory computer classes. At Cornell, they used a language called PL/C. We had to type our programs onto IBM punch cards. Once the program was punched, the cards were read by a card reader, and then you waited a while until the printer spat out the results of your program. I became a co-op student for Xerox Corporation, and they used an interesting language called APL. It was a symbol-based language, but you could write extremely complex code using only one or two lines. My assignment was to write a simulator so that Xerox could understand how well their new copiers would perform in a wide variety of simulated office environments.

Once I started at Texas Instruments, the PC revolution began. In the early 80’s, computers were quite different and they all came standard with some sort of programming language. My roommate, Steve Burtzel, bought us a Texas Instruments PC (TIPC), and I started programming. At the time, we decided to write software that would manage a video rental store. At the time, the video rental business had just taken off. My other roommate, Dan Cerys, and I wrote the entire thing in Pascal. We got it all done but unfortunately we never made a business out of it.

Later, I purchased my own TIPC and I started again with BASIC. I wrote a blackjack simulator so I could understand the probabilities of winning in different scenarios between me and a simulated dealer. The TIPC had a 4.77 MHz processor, and I would let my simulator run for days. Then I discovered dBase and Clipper. From there, I was able to write business applications and sell them. I wrote a billing program for Kaplan, which had an SAT test business. I also wrote a property management system, which I sold to a friend of mine. I made about $10,000 doing that, which for me was a lot of money.

When I went to Gateway, I pretty much stopped writing code altogether. I wrote a few Excel macros and played around with MS Access, but none of that is real code. When I left Gateway and started PC Pitstop, I was anxious to get back into coding again. The new language was JavaScript, and I dove in, purchasing many books and writing sample code for my company. Unfortunately, my skill level was inadequate (I was told), and I just kept to running the business side of things while others ran the technical side.

In the 2006 – 2007 time frame, PC Pitstop was at a technical standstill. It was frustrating because when technical people feel they are dealing with a non-technical person, they are prone to misportray situations. So, much to their frustration, I made a key decision: I decided to write computer code for my company. I was a man on a mission because there were so many things that I had wanted to accomplish, and now I could. It was also a great time to start learning a new language because of Google. You no longer had to memorize syntax, and if you ran into an error or a bug, you could also Google the error. Programming had never been easier. Still today, I am proud to say that I have written code for many of our key products, such as PC Matic, Driver Alert, and Over Drive. Perhaps the most important part of this episode is that I could now have realistic expectations of what I wanted from our technical people. The hand waving and obfuscation was gone because I knew what I was talking about at the code level.

For the next 6 years, I was always writing code, and sometimes a lot of it. To be honest, I have always enjoyed programming. I love the feeling of accomplishment of writing solid code. Programming is not easy, and one runs into numerous roadblocks, and it is sometimes easy to throw in the towel, but it is really something to make it to the end and write bug-free code. One day, I was in New York City and I had just finished writing a Vulnerability Scanner for PC Pitstop, and I showed it to a potential Wall Street investor. I thought he would be impressed. Boy, was I wrong. He was scathing, with one snide comment after another about the CEO that wrote computer code. His view was that if I was doing that, then I could not be doing an adequate job of running the company.

Of course, I disagree. I believe that since the CEO understands the technical aspects of the business, we can have a technically superior product. I also can demand more respect from our developers than a CEO would normally get.

Insane Productivity

I like to get a lot of work done. Getting a lot of work done is my competitive advantage. If you think of your competitor, do you think you get more work done than them? Here are some ways to get insane amounts of work done.

Work from Home

Working out of your home is not for everyone, but if you are into insane productivity, then it is the holy grail. You waste productive time getting ready for work, worrying about your appearance, and then of course the commute to work. On top of that, once you arrive at work, there is the office chit-chat, and the endless people that don’t know what to do that day. Of course, the nemesis of productivity is the dreaded meeting. All of that lost time can be spent doing real work and moving your company ahead of the competition.

Get off Facebook

Some people think that using social media is the same as work. This is a colossal waste of time and a productivity killer. There is a certain psychological component to Facebook too. You think, OMG, my college roommate’s kid is on scholarship to Harvard University. Then you think, maybe I should do more for my kids. But all of this is just wasted thought that takes away from your productivity.

The funny part is that Facebook is highly addictive. Many people cannot stop. I have mentioned to some that a key to improved productivity is to stop Facebook. They look at me like I am crazy. Some people have convinced themselves that Facebook makes them more productive. They are not.

Stop the News

It isn’t easy, but I have turned off all of the news in my life. I do not watch news on TV, and try to avoid the news whenever possible when on the internet. I believe that the news is constructed so that all of us are distracted from whatever is really important to us. Right now, we are in the midst of another presidential election, and whatever stupid or smart thing a candidate says, it makes national news.

The news is not about what’s important. It is now about page views and likes. And I hate to say it but what people want to read and what they need to read are two different things. Now our sports pages are filled with the home lives of the stars rather than just sports. Or the dentist that killed a lion. I don’t care about any of this and neither should you. Either way, you must agree that paying attention to any of this hurts your productivity and should be discarded.

Eat When You’re Hungry

I mean really hungry. Somewhere along the line, we have all been trained to eat three meals a day. When I get a lot of work done, I routinely skip meals. The funny thing is that people believe that skipping meals is unhealthy. That somehow a missed meal weakens the immune system, and may make you sick. This idea is archaic, and it comes from people that live in the most obese nation in the history of humanity.

When I miss a meal, I am hungry at first, but it passes. And when you miss a meal, the next meal tastes even better. It is awesome, plus you get a lot more work done than anyone else.

You Control the Internet

As a general guideline, the internet exists to make you more productive. It is great to research a problem, or to check the background of a job candidate, but the internet should not control you. The internet is about page views and monetizing page views. So the more time you waste on things that you did not originally intend, the more money they make and the less productive you have become. There is so much information, good and bad, on the internet, and you need to focus on just the information you need right now, so you can get back to work.


I have a feeling that this is going to come off as radical. And imagine that: insane productivity is considered radical. I love getting a lot of work done. It is a great feeling you have after you are done. Radical it is.