QOTD on Outsourcing & Con-men

When you've outsourced almost all of your technically skilled
staff, you're an easy mark for con-men because you no longer have people who can look at stuff like this and tell it's obviously unworkable. -- Marcus Ranum, CSO Tenable Network Security
Src: SANS NewsBites Vol 11 Num 101

QOTD - Pescatore on Facebook

Facebook should get smacked around for playing games with consumers' private data. However, anyone who trusts consumer-grade services whose revenue is all from selling advertising around users' data is probably also putting out milk and cookies for a jolly man who will come down the chimney with really neat toys next week. -- John Pescatore, Vice President at Gartner Inc
Src: SANS NewsBites Vol 11 Num 99

QOTD on Authentication

Authentication will not be able to solve the untrusted platform problem. If you use a compromised system, authentication doesn't matter. Out-of-band communication will only work if the out-of-band channel and associated hardware is secure, which may be questionable if devices like smartphones are used. -- Dr. Johannes Ullrich, CTO of the Internet Storm Center & Dean of the Faculty of the graduate school at the SANS Technology Institute.
Src: SANS NewsBites Vol 11 Num 98

QOTD on Conficker

The more advanced malware doesn't take orders until the orders are signed. MD6 within Conficker is exactly for this. The only party with secret keys is the worm's authors.

This wasn't just an existing gang writing yet another worm, this was guys who were thinking differently. Maybe they'll never return to their bot, but they could be waiting for us to pay less attention to it. They know that it will not be monitored forever.

-- Mikko Hyppönen, Chief Research Officer at F-Secure Corp.
Src: Security researchers continue hunt for Conficker authors | SearchSecurity.com

QOTD on Cyberspace

Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states. -- Major-General Amos Yadlin, chief of military intelligence for Israel
Src: Spymaster sees Israel as world cyberwar leader | Reuters

QOTD on CISO-CEO divide

If you sit in a CISO position and you can’t meaningfully talk about measures of risk and layers of risk, you’re probably not going to be successful. You can spend all your money having the latest virus protection put on your PCs and miss the fact that you’ve got massive enterprise risk because of vulnerabilities to the power infrastructure or legal liabilities of doing business in certain countries. -- Michael D. Capellas, Chairman & CEO of First Data
Src: Bridging the CISO-CEO Divide: Recommendations from Global 1000 Executives and a Fortune 500 CEO | RSA

QOTD by David Rice

Because software creates the environment of cyberspace, small elements of disorder in software (like software bugs), may lead to greater elements of disorder (like exploitation of vulnerabilities), which ultimately lead to more serious forms of crime (like cyber crime and cyber espionage). Historically, software manufacturers have not been liable for broken windows (software defects), even though software applications have been—and continue to be—shipped with an unknown number of latent and preventable weaknesses. Software does not 'break' in use, as do physical products. Software is shipped by the manufacturer already broken (with the extent of the 'brokenness' discovered at some later, unknown time). -- David Rice, author of Geekonomics: The Real Cost of Insecure Software
This is one of my favorite mental images for understanding the nature of software and cybercrime.

Src: Broken Windows Revisited: Why Insecure Software and Security Products Hurt the Global Economy - CSO Online - Security and Risk

QOTD on Risk & the State

How safe people feel depends, amongst other things, on whether they trust the institutions that make statements about risks. This applies to the assessment of the safety of technical systems as well as to food or public safety. Transparent communication of the risk assessment process with the participation of all the stakeholders and of the derived risk avoidance measures is, therefore, important in order to tackle the frequent discrepancy between the individual’s perceived degree of safety and the objectively measured degree of safety. This is particularly the case when questions are asked about which risk is acceptable and how much protection should be offered. In this context risk communication must not only reduce the gap between the individually perceived lack of safety and the objective level of safety. It must also highlight the limits to state action and demonstrate that increased safety for instance in the fields of crime prevention and public security may entail a loss of freedom or self-determination. Particularly in the field of precautionary measures this is a difficult balancing act. Where does the state’s duty of care end and where does state paternalism begin? The experts at the conference were not able to provide a definitive answer to these questions. -- Federal Institute for Risk Assessment (BfR) in Germany. Slides from Stakeholder Conference “Safer than safe? Legislation, Perception and Reality of State Risk Prevention” are available (in German) on the BfR website at www.bfr.bund.de
Src: How safe is safe? Conference explores the opportunities and limits of state risk prevention

QOTD on Attacker's Advantage

The advantage clearly lies with the attackers who only have to find a single vulnerable spot, as security defenders try to identify and then plug every possible hole.
The information security industry is responding to try to safeguard access to data, but it is a fast-changing world and even compliance with current standards does not ensure protection or make you more secure. The past does not allow us to predict the future in information security, and just because it hasn't happened yet does not mean it won't happen in the future. -- Dimitrios Petropoulos, Managing Director of Dubai-based Encode Middle East
Src: Corporate Information Security Comes Under Attack From Organised Crime as

QOTD on 2010 Infosec Skills

Information security professionals must focus on their prioritization skills and show their ability to think strategically and creatively to come up with ways to solve problems 'on the cheap.' -- Lee Kushner & Mike Murray

Src: Entering 2010: The economy and the state of information security

QOTD on Digital Forensics

Digital forensics is much harder than crime forensics. When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened. -- Dan Kaminsky, Director of Penetration Testing at IOActive
Src: Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel - breaches/Security | DarkReading

QOTD on Easy Targets

Once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you. -- Jim Jaeger, Director of cyber defense & forensics at General Dynamics Advanced Information Systems
Src: Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel - breaches/Security | DarkReading

QOTD - Pescatore on Online Privacy

When you use free consumer-grade services like web mail and social networks and the like, you have sold your privacy away. -- John Pescatore, VP Gartner Inc.
Src: SANS NewsBites Vol 11 Num 95

QOTD on Cybercrime

All of the current economic incentives favor cyber attackers -- Internet Security Alliance report "Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model"
Src: ISAlliance Delivers Cyber Security Report | Information Security Resources

QOTD on Privacy

Privacy is not just ethical, but is also good business. -- David Bender, a solo practitioner in Dobbs Ferry, N.Y.
Src: 11 Reasons Why Privacy Helps the Bottom Line | Law.com

QOTD on Passwords

The one consistent thing that stops the internet from being a feeding frenzy for intruders waiting to get at your network is the end-user password.
The problem is that once you have compromised a password, it is invisible because the password has allowed you to go in and do what you want. -- Jason Hart, CEO of IT at CRYPTOcard Europe
Src: Password purveyor - Security - News & Features | ITP.net

MN-GTS - The State of (In)Security in 2009

Thank you to all who attended my presentation at the 2009 MN-GTS State of (In)Security. The slides and handouts will be available for another 30 days and will then be removed.

Meanwhile if you have any questions or comments, I'd love to hear them, either on the blog or contact me via email/twitter.

QOTD on Cyberspace

The velocity of change in cyberspace should make “operational surprise” not a surprise at all, but a condition that is expected and must be managed. -- Report of the Defense Science Board, 2008 Summer Study on Capability Surprise (Vol 1).
Src: Report of the Defense Science Board, 2008 Summer Study on Capability Surprise (Vol 1).

QOTD on Fraud & Denial

Nobody really likes to know that a fraud is occurring under their noses. I have had fraud victims in complete denial when you show them all of the evidence of what has been transpiring and what has been transpiring for some time; where I have actually said 'We want to do a full investigation, can we pursue this?,' and they are so in denial in the 'it can't happen here' that it's hard to understand. People should look within their own organizations. They see fraud on the outside and they wipe their brow and say 'Whew, it hasn't happened to me!' But as I said, fraud is hidden so they are not going to know it; it is not going to rear its ugly head as obviously as one might think. -- Allan Bachman, Education Manager for the Association of Certified Fraud Examiners (ACFE)

Src: Fighting Fraud - Allan Bachman, Association of Certified Fraud Examiners

QOTD Bejtlich & Romans

I'm wondering if the Roman Senate debated Imperial immigration policy while Vandals trashed Rome, like current FISMA fans debate 'controls.' -- Richard Bejtlich, Director of Incident Response for General Electric
Src: I'm wondering if the Roman.. | Richard Bejtlich's Twitter Account

QOTD on Double-Edged Cyber-Weapons

Once you introduce them [cyber-weapons] to the battlefield, it's trivially easy for the other side to capture your artillery, as it were, and then use it against you if you're not already inoculated against it, and then against other friendlies. -- Ed Skoudis, InGuardians co-founder & SANS instructor
Src: The Cyberwar Plan | National Journal Magazine

QOTD on Cyber Adversaries

No matter how good technology is, the adversary always has an advantage because the defense sets up the game plan, sets up the rules, and then the adversary, the attacker can try to figure out ways to cheat. -- Dickie George, the National Security Agency's Information Assurance Directorate technical director
Src: Thinking Like a Hacker: Dickie George, Technical Director of Information Assurance, National Security Agency

Cybercrime - How did we get here?

A security vendor's view of why cybercrime is so prevalent:
Firstly, cybercrime is low risk; since it transcends geo-political borders, it is difficult for law enforcement agencies to catch the perpetrators [...]
Secondly, cybercrime is easy: there is extensive documentation on hacking and virus writing freely available on the Internet, meaning that no sophisticated knowledge or skill is required.
These are the two main factors which have led to cybercrime becoming a multi-billion dollar industry, truly a self-sustaining ecosystem of its own.
-- Costin Raiu, Chief Security Expert for Kaspersky
Src: Browsing malicious websites | Viruslist.com

QOTD on Securing Data

Our task is not getting any easier; the sum total of information in the world grows continually and permeates everything we do and everywhere we go. While the majority of the attacks remain rather mundane, the criminals are adapting to our current protection strategies and inventing new ways to attain the data they value. -- Peter Tippett, VP of research and intelligence for Verizon Business Security Solutions
Src: Data Breaches Continue to Soar | eWeek.com

QOTD - FBI on Cyber Threat

The FBI considers the cyber threat against our nation to be one of the greatest concerns of the 21st century. -- Steven Chabinsky, deputy assistant director of the FBI's cyber division
Src: NSA Is Giving Microsoft Some Help On Windows 7 Security - The Two-Way - Breaking News, Analysis Blog | NPR

QOTD on Cyberspace

Cyberspace has no boundaries. It's just everywhere, and it permeates everything we do.... We continue to improve our capabilities, but so do the adversaries. -- Retired US Air Force Lt. Gen. Harry Raduege, ran the Defense Information Systems Agency from 2000 to 2005
Src: The Cyberwar Plan | National Journal Magazine

FBI's View of the Cyber Threat

“Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace,” Senate Judiciary Committee, Subcommittee on Terrorism and Homeland Security:
The most sophisticated actors have the ability to alter our hardware and software along the global supply chain route, conduct remote intrusions into our networks, establish the physical and technical presence necessary to re-route and monitor our wireless communications, and plant dangerous insiders within our private sector and government organizations. The actors that currently have all of these capabilities — which is a finding that is distinct from whether and when they are using them — include multiple nation states and likely include some organized crime groups.

In the cyber realm, the technical positioning an adversary requires to steal data typically provides them with the very same access and systems administrator rights that could be used for destructive purposes. As a result, our adversaries' use of Computer Network Exploitation — the ability to monitor our networks and steal our secrets — might simultaneously provide them with pre-positioned capabilities to conduct Computer Network Attack — the ability to deny, disrupt, degrade, or destroy our information, our networks, and the infrastructure services that rely upon them.

-- Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, FBI
Src: View a Hearing or Meeting

QOTD on Patch Tuesday

Patch Tuesday is simply a hacker notification system that over 200 million systems are now vulnerable and they probably won't get patched in the next three months. It's a hacker notification system. -- David Rice, author of Geekonomics

I'll admit it, this is one of my favorite information security quotes.

Src: Risky Business #78 -- Geekonomics author David Rice | Risky Business

QOTD on Possible Federal Data Breach Law

Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn't make sense from a cost or efficiency point of view. I'd hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. -- Phil Neray, VP of Guardium
Src: Federal data breach notification standard must pre-empt state laws | Nextgov

QOTD on Web2.0

We know that workers are using these applications [web 2.0 or "enterprise 2.0"] to help them get their jobs done, with or without approval from their IT departments. And now we know this is happening much faster than anticipated. It's naïve to think that old-school security practices can handle this deluge. Organizations must realize that banning or allowing specific applications in a black-and-white fashion is bad for business. They need a new approach that allows for shades of gray by enforcing appropriate application usage policies tailored for their workforce. This is a radical and necessary shift for today's IT security professionals. -- Rene Bonvanie, VP Marketing, Palo Alto
Src: Social networking — and its risks — are exploding in enterprise networks | GCN

QOTD on Win7 & Malware

It’s not so much about technology any more. It’s just as much about social engineering that can trick you into giving them money, regardless of what kind of operating system you’re on. -- Petter Laudin, Managing director (UK & Ireland), Panda Security

Src: Windows 7 users have the same old security problems | IT PRO

QOTD on Managing InfoSec Risks

Managing information security risks requires an approach that is flexible and focused on what matters most to the organization, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs. -- Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services
Src: Former employees a growing IT security threat | Ernst & Young

QOTD - Pescatore on Threats vs Humans

It is important to educate people, but we have to realize human behavior will always change much more slowly than the threats do. -- John Pescatore, VP and Distinguished Analyst with Gartner, Inc.
Src: Gartner's John Pescatore on 2010 Threats, Trends | BankInfoSecurity.com

Microsoft's Security Development Lifecycle

Microsoft has recently released an update to their Security Development Lifecycle meant to address the need for security in the agile development process. The document defines Microsoft's process, which is termed Secure by Design, Secure by Default, Secure in Deployment, and Communications (or SD3+C). The section below lists the products and services that are required to adopt the SDL process. It covers basically every piece of software that Microsoft makes.
What Products and Services Are Required to Adopt the SDL Process?
  • Any software release that is commonly used or deployed within any organization, such as a business organization or a government or nonprofit agency.
  • Any software release that regularly stores, processes, or communicates PII or other sensitive information. Examples include financial or medical information.
  • Any software product or service that targets or is attractive to children 13 years old or younger.
  • Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:
    • Always online. Services provided by a product that involve a presence on the Internet (for example, Windows® Messenger).
    • Designed to be online. Browser or mail applications that expose Internet functionality (for example, Microsoft Office Outlook® or Microsoft Internet Explorer®).
    • Exposed online. Components that are routinely accessible through other products that interact with the Internet (for example, Microsoft ActiveX® controls or PC–based games with multiplayer online support).
  • Any software release that automatically downloads updates.
  • Any software release that accepts or processes data from an unauthenticated source, including:
    • Callable interfaces that “listen.”
    • Functionality that parses any unprotected file types that should be limited to system administrators.
    • Any release that contains ActiveX controls.
    • Any release that contains COM controls.

Src: Microsoft's Security Development Lifecycle

QOTD on the State of Information Security

The likeliest future state of security can be characterized as a Perpetual Arms Race, between hackers and criminals on one side and enterprises and governments on the other side. -- Joseph Feiman, John Pescatore, Neil MacDonald
Src: Security in 2013 and Beyond | Gartner, Inc.

QOTD on Cyberwarfare

In the Cold War, there was symmetry in vulnerabilities – each side had cities and populations that the other could hold hostage. That symmetry no longer exists. The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange. -- James Lewis, Center for Strategic and International Studies

Src: Report: Cyberterror Not a Credible Threat | Threatpost

QOTD - Schneier on AntiVirus

Antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. -- Bruce Schneier, Chief Security Technology Officer of BT Global Services
Src: Schneier-Ranum Face-Off: Is antivirus dead? | Information Security Magazine

The state of the [security] industry

The thought leaders in security have come to realize that even strong defenses are penetrable. They understand that, in spite of the millions of dollars spent and their best efforts, enterprises are already compromised and will continue to be compromised for the foreseeable future, and that all of the vendor and marketing claims and promises are not about to change that very cold and stark reality. If anything, the increasing complexity of technology has increased the ease with which easy-to-use advanced threats can impact enterprise business environments with little care for their state of compliance with meaningless regulatory mandates. While expecting perfect protection is a failed strategy, many on the leading edge are learning to operate in environments they suspect of being partially compromised and increasingly focus their efforts on the ability to understand incident scope, impact and validate cleanup. -- Amit Yoran, CEO of NetWitness
The entire article is full of insightful comments by many key players in the information security space. Absolutely worth the 5-10 minutes it will take you to read it, even if you find yourself disagreeing with some of the opinions.

Src: The state of the industry | SC Magazine US

QOTD on Fighting Malware in the Future

In the future, it seems the most successful criminal malware will be super-stealthy infections that users don't even know they've got. If that happens, a co-operative community of antivirus companies, researchers, ISPs, police forces and other government agencies may be our only hope. -- Jack Schofield
Src: Malware: the net's silent assassin | Technology | The Guardian

QOTD on Data Permanence

Information doesn't fade the way it used to. Documents that once upon a time could be counted on to be filed and forgotten are now finding an afterlife in digital, searchable form. -- Martin Kaste

Src: Digital Data Make For A Really Permanent Record | NPR.org

QOTD on Malware

Last year [2008], the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. -- Roger A. Grimes
Src: InfoWorld review: Whitelisting security comes of age | Infoworld

QOTD on Data Deluge

The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. -- Ron Deibert, director of the Citizen Lab, a principal with the SecDev Group, & cofounder of and principal investigator for the Information Warfare Monitor.
Src: Smarter sleuthing can save our online privacy | The Globe and Mail

QOTD on CIO Skills

CIOs need to inculcate a blend of three skills - conceptual, technical and human skills, but most importantly the human skill, as they are the bridge between the top-level and the low-level management. -- Dr. Nityesh Bhatt, Associate Professor, Nirma Institute of Management
Src: CIOs need to champion human skills | CIOL News Reports

QOTD on Being Secure

You don't want to be the most secure place on earth - you want to be secure enough to make others a more attractive target (hackers are smart and lazy, too - they strive for the easy prey in most cases), and you want to be in business. Otherwise your security model stinks. -- Michael Oberlaender
Src: The Magic Triangle of IT Security | ComputerWorld

QOTD on Biometrics

The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint? -- George Tillmann, a former CIO, management consultant and the author of The Business-Oriented CIO
Src: The case against biometric identity theft protection | IDG.no

QOTD Schmidt on the Value of Data

Many businesses, governments and individuals are still unclear of the true value of data and where it resides and who has ownership is even less clear. We need to be better at controlling and managing data and understand the expectations of the data owners and providers. For example, if we give personal data to identify and validate ourselves – this data is only required for a short period of time and could then be destroyed. -- Professor Howard A. Schmidt, CISSP, president of ISF.
Src: RSA Europe: Information Security and data value should be part of education and training | Infosecurity (UK)

QOTD on Banking Fraud

We don't need to know who's doing it, just what it looks like at an earlier phase, so we can alert our institutions and prepare them on what to look for. -- Doug Johnson, Senior Policy Analyst at the American Bankers Association.
Src: Online Fraud: New Victims, New Approaches | BankInfoSecurity.com


No one could credibly deny that IT has a significant responsibility for security and privacy, but care should be taken to distinguish enablement from execution. The fact is, IT alone cannot solve the problem. -- Ted DeZabala, author & national leader of the Security & Privacy Services practice at Deloitte & Touche LLP.
Src: The CIO as Chief Security/Privacy Officer | CIOInsight.com

QOTD on e-Spying

Modern-day espionage doesn't involve cloak and dagger anymore. It's all electronic. -- Tom Kellermann, Vice President at Core Security Technologies
Src: China Expands Cyberspying in U.S., Report Says | WSJ.com

QOTD - Schmidt on Current Laws

We still have 18th century laws looking at 21st century technologies – that needs to be changed. -- Howard Schmidt, ISF President & CEO.
Src: RSA Europe: Two-factor authentication is worth nothing, says executive director, EEMA | Infosecurity (UK)

QOTD - Spafford on the security conundrum

No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.

The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena is not a spot crisis; it is a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices. -- Prof. Eugene Spafford, Purdue University
Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University

QOTD on Questioning our Assumptions

One of the many pitfalls of information security is the illusion of permanence that surrounds many longstanding tools, policies and ways of doing business. Too often, the fact that 'it's always been done that way' clouds our judgment and blinds us to a system's holes. To avoid that mistake, it's time to learn how to second-guess yourself. -- Ed Moyle, manager with CTG's information security solutions practice

Src: Why It Pays to Second-Guess Your Technology Assumptions | TechNewsWorld

QOTD on Humans & Complexity

While technology and information have evolved and grown dramatically over the past 100 years, people's behaviors to cope with this growth have evolved at a much slower pace and our ability to keep up with the complexity foisted upon us is limited. So today, high value is found in taming the complexity so that humans can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world. -- Art Coviello, President RSA
Src: RSA Executives Offer Seven Guiding Principles To Maximize Megatrends Redefining the Information Security Industry | Reuters

QOTD on Managing your Career

If you're going to be the CEO of your own career, how do you want people to think of you? It's necessary to develop your own personal board of directors. You need to have a couple of people on there who know your marketplace and value what you're doing. -- Joyce Brocaglia, President and CEO of Alta Associates
Src: SC World Congress: Build a personal network - SC Magazine US

QOTD on Business Alignment

After years of “thinking differently”, business and IT leaders may be starting to think like each other.
Src: 2010 Global State of Information Security Survey by PricewaterhouseCoopers

QOTD - Baker on Breaches

Many organizations right now have breaches they don't know about and won't discover for some time to come. -- Wade Baker, Research & Intelligence Principal at Verizon Business
Src: Cyberthieves find workplace networks are easy pickings | USATODAY.com

QOTD - Pescatore on Occurrences

Data loss is to information security as patient mortality is to medicine. 'Extremely rare' has to mean 'close to never' vs. 'not often.' -- John Pescatore, Vice President at Gartner Inc.
Src: SANS NewsBites Vol 11 Num 80

QOTD - Rand on Cyberwar

Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. -- RAND Corporation report "Cyberdeterrence and Cyberwar"
[Note: emphasis is mine]
Src: RAND report on Cyberdeterrence and Cyberwar

QOTD - Rothke on Encryption vs Data Destruction

"Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data," says Ben Rothke, Senior Security Consultant with BT Professional Services & author of Computer Security: 20 Things Every Employee Should Know.

Ben goes on to explain that
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology, data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.

Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Src: Why Information Must Be Destroyed, Part Two | CSO Online

QOTD Ranum on Distributed Data

Distributed data is distributed vulnerability. Accessibility from everywhere means leakage everywhere. But, strangely, whenever one of us "old school" security practitioners says that, the rejoinder is "data compartmentalization is an impediment to doing business." Ultimately it will sink in - you either have impediments to doing business, or you have leaks. -- Marcus Ranum, CSO for Tenable Network Security
Src: SANS NewsBites Vol 11 Num 79

QOTD on the Next World War

The next world war could begin in cyberspace.
In Cyberspace there is no such thing as a superpower: Every citizen is a superpower. -- Mr. Hamadoun Touré, Secretary General of the International Telecommunication Union (UN)
Src: World War III Could Be Fought on Internet, Says ITU Head | PC World

QOTD - Stiennon on Sun Tzu's Teachings

Sun Tzu’s teaching is clear. Security must rely on strong defenses even when no attacks are evident. -- Richard Stiennon, founder of IT-Harvest.
Src: Sun Tzu on defense | ThreatChaos

QOTD - Paller on Security Guys

If your security guys aren’t fixing this, you need to get new security guys. -- Alan Paller, Director of Research for SANS
Src: Cyber threats adopting new tactics | FederalTimes.com

QOTD - Davidoff on SSL

TLS/SSL is like a nice sturdy two-by-four. Can you use it to build a secure infrastructure? Yes. Is it a secure infrastructure all by itself? No. -- Sherri Davidoff, co-author of the new SANS class 'Sec558: Network Forensics' and author of Philosecurity
Src: How SSL-encrypted Web connections are intercepted

QOTD - Northcutt on 2-factor Authentication

Asking the name of your pet really does not meet the spirit of two factor authentication. -- Stephen Northcutt, President SANS Institute.
Src: SANS NewsBites Vol 11 Num 76

QOTD - PCI is what you make out of it

PCI is what you make out of it. If you treat it strategically and get C-level executive involvement, it can turn into a very mature security program that happens to encompass PCI requirements. -- Brian Contos, Chief Security Strategist for Imperva
Src: PCI More Of a 'Check-Box' Than Security For Most Retailers - DarkReading

QOTD - Australians & Security

Australian PC and Internet users are completely unconcerned with security in general, claiming uninstalled software updates to be more useless than a chocolate beer keg on Ayers Rock. -- Commander Neil Gaughan, Australian Federal Police
Src: Aussies Embroiled in Botnet Protection Debate | Internet Evolution

QOTD - Liston on HHS Harm Threshold Loophole

Tom Liston, senior security consultant & malware analyst for Inguardians, comments on a recently announced loophole that allows HIPAA-covered entities to dispense with breach notification if the harm threshold is not met. The harm threshold is met if the breach poses "significant risk of financial, reputational or other harm to [an] individual."
Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison...
Src: SANS NewsBites Vol 11 Num 74

QOTD - Liston on Malware Persistence

Tom Liston, senior security consultant & malware analyst for Inguardians, comments about a study from TrendMicro which found that 50% of infected machines remain infected 10 months later (the malware does not bring attention to itself):
Well, duh! I don't find this surprising in the least. Anymore, malware has a business model... and nothing interferes with that model more than having your malware *removed*.
Src: SANS NewsBites Vol 11 Num 74

QOTD on Cybercrime Threat Landscape

The motivation for purveyors of malware used to be mostly about spite and the possibility of recognition. Now, it's about money. Botnets, zombie computers, phishing scams, spam, ID theft and corporate network intrusion all come together to form an often lucrative business model for criminally minded hackers. -- Jeff Debrosse, North American Research Director at ESET
Src: Technology News: Malware: Navigating the New Cybercrime Threatscape, Part 2

QOTD - Lieberman on the Internet

The Internet now is a global asset – a new strategic high ground - that simply must be secured just as any military commander would seize and control the high ground of a battle field. But unlike a battlefield, securing cyberspace is much more complicated to do since the Internet is an open, public entity. Security cannot be achieved by the government alone. Public-private partnership is essential. Together, business, government, law enforcement, and our foreign allies must partner to mitigate these attacks and bring these criminals to justice. -- US Senator Joe Lieberman, Homeland Security and Governmental Affairs Committee Chairman
[Note: emphasis is mine]

Src: Latest Trend Targets Medium to Small Companies, HSGAC Legislation Will Address Cyber Security | Senate.gov

QOTD on Anonymity

Anonymity is not sufficient for privacy when dealing with social networks. -- Dr. Arvind Narayanan and his research advisor Dr. Vitaly Shmatikov
Src: Pulling back the curtain on "anonymous" Twitterers - Ars Technica

Infected USB shuts down London council

How much damage can ONE infected USB flash-drive do? A great deal, if it's infected with Conficker-D and your IT systems are not appropriately maintained and patched (the council was still running Windows 2000 and had requested an upgrade to Windows XP). In addition to being out of commission for a week, "further shutdowns followed when the network was reinfected twice in the next week, and all terminals had to be rebuilt or replaced."

Src: Computer virus cripples council’s work for weeks | News
Src: Conficker borks London council | TheRegister
Src: Ealing Council facing £501,000 fine after its network was hit by a virus that crippled it for weeks | SC Magazine

Playing 'Whac-A-Mole' with personal data

According to this article, the current legal approach to protecting Personally Identifiable Information (PII) can be compared to playing "Whac-A-Mole" with personal data. Dr. Paul Ohm, law professor at the University of Colorado Law School, writes:
Data can either be useful or perfectly anonymous but never both.
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.
The trouble is that PII is an ever-expanding category. Ten years ago, almost nobody would have categorized movie ratings and search queries as PII, and as a result, no law or regulation did either.
Src: "Anonymized" data really isn't—and here's why not - Ars Technica

ENISA Warns of Alarming Increase in ATM Crime

As the annual cost of ATM-related fraud in Europe approaches half a billion Euros, the European Network and Information Security Agency (ENISA), has issued Golden Rules to protect consumers against ATM fraud/crime:

Choosing an ATM Machine
1) Don't use ATMs with extra signage or warnings
2) Try to use ATMs inside banks
3) Don't use freestanding ATMs
Physical surroundings
4) Use an ATM which is in clear view and well lit
5) Be cautious of strangers and check they are at a reasonable distance away
Making Operations
6) Pay careful attention to the front of the machine for Tampering
7) Pay attention to the card reader for signs of additional devices
8) Look carefully for differences or unusual characteristics of the ATM's PIN pad
9) Look out for extra cameras
10) Protect your PIN by standing close to the ATM and shielding the key pad
11) Report confiscated cards immediately
12) Beware of ATMs that don't dispense cash and non-bank ATMs that don't charge fees
Statement Reviews
13) Frequently review your account statements
14) Report any suspicious activity immediately
Src: ENISA Warns of Alarming Increase in ATM Crime

QOTD on Locational Privacy

The idea of constantly monitoring the citizenry’s movements used to conjure up images of totalitarian states. Now, technology does the surveillance — generally in the name of being helpful. It’s time for a serious conversation about how much of our privacy of movement we want to give up. -- Adam Cohen, member of the Times editorial board
Src: A Casualty of the Technology Revolution - ‘Locational Privacy’ - NYTimes.com

QOTD on Cyberwarfare

Cyberwarfare is a global chess game in which citizens, governments and corporations are the pawns. In the past an enemy came over the ocean to attack; now they come over the Internet. In modern warfare the cyber component is just as important as boots on the ground. -- John Bumgarner, Research Director for Security Technology, U.S. Cyber Consequences Unit
Src: Report: Russian mob aided cyberattacks on Georgia | CNET News

QOTD - Blind Mice & Swiss Cheese Security

A lot of security professionals will concede that they have been reduced to blind mice looking at traffic streaming through security devices that have been turned into Swiss cheese by Web applications. -- Mike Vizard
Src: Blind Mice and the Swiss Cheese Security Model | ITBusinessEdge.com

QOTD on the Dark Cyber World

The cyber world has slowly become a crowded place and a gold-mine of personal data. Where crowds meet, bad people hide. Where valuable information is stored, bad people lurk. Dark individuals and dark clouds stealthily hide behind the virtual masses and surgically coordinate their terrorist actions or illegal activities. For law enforcement agencies the identification of such activities is a tremendously complicated task: too many protocols, applications and services to watch; too many cyber users and communications; too much content to be analyzed and understood... and everything at nearly the speed of light. -- Dr. Antonio Nucci, CTO at Narus
Src: Shedding Light on the Dark Cyber World Part II | ConvergeDigest.com

QOTD from IBM X-Force Report

The Internet has finally taken on the characteristics of the Wild West where no one is to be trusted. There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity. -- Kris Lamb, Director X-Force (now part of IBM)
Src: IBM X-Force(R) Report Reveals Unprecedented State of Web Insecurity

QOTD - Rob Lee on Security for SMBs

Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one. -- Rob Lee, Director at Mandiant & Faculty Fellow at SANS Institute
Src: SANS NewsBites Vol 11 Num 67

QOTD on Privacy

Privacy is an essential freedom that shapes our society, an internationally recognized human right, and the foundation of modern democracy, but if we don’t value our privacy or stand up for it as our right, it will be eroded over time. -- Office of the Privacy Commissioner of Canada
Src: Maintaining your privacy continues to be a challenge every day | Sault This Week

Tighter Security Urged for Businesses Banking Online

How can businesses secure their financial accounts from hackers? Information security professionals have been advocating the use of more advanced measures such as the one recently recommended by the Financial Services Information Sharing and Analysis Center:
carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.
Src: Tighter Security Urged for Businesses Banking Online | WashingtonPost.com

QOTD on Hackers vs Authentication Tokens

They don’t break the encryption; they just log in at the same time you do. -- Joe Stewart, director of malware research for SecureWorks
The article discusses the recent increase in real-time fraud in which hackers can negate the security advantages of token-based authentication devices by stealing the access credentials and using them in real time.

Src: Hackers Exploit an Evolving Web | NYTimes.com

Rich Mogull on Safe Browsing Environments

Rich Mogull, founder of Securosis, shares with Macworld readers the elaborate (but in my view entirely justified) setup he uses to browse the Internet in a secure fashion. For the average user, this setup would definitely be too much. However, if money or fame makes you a likely target, this setup provides some of the best protections that technology can provide today.
My chosen profession requires a tad more paranoia than is mentally healthy for the average user. Still, these techniques are relevant for anyone concerned about security. At a minimum, I recommend dedicated password management, a dedicated Web browser or SSB [Site Specific Browser] for banking, and perhaps a VM [Virtual Machine] for those occasional trips to the darker edges of the Internet.
In my own practice, I use many of the same techniques described by Rich; after reading this, I will start implementing the rest.

Src: Super-safe Web browsing | Macworld

Malware today & in the future

This article is a good summary of the state of malware development today and what we need to start bracing for. While most malware will continue to be of the general kind, spreading like fire, a new breed of targeted malware is emerging. One piece of malware
was written specifically to crawl for, and to steal intellectual property. What was most unusual about the malware is that it could crawl different file types -- Excel, PDF, for instance -- for intellectual property to steal, Hoglund says. Then it would encrypt and send the stolen information to its own servers.
Some malware has attacked researchers' hosts and networks while other variants can detect if they are running in a virtual machine, a common practice to isolate and study malware.

Src: Rare Malware A Hint Of Threats To Come | DarkReading

QOTD - Pescatore's "Mindset List"

John Pescatore posted his own version of the "Mindset List," a yearly list published by Beloit College about incoming students' frames of reference. Pescatore's tenth entry deserved to be shared with the rest of the infosec community:
The same percentage of them fall for scams and malware in online social networks as the percentage of their parents who fell for email scams and the percentage of their grandparents who fell for real world scams. Despite the changes, they are still just human beings after all. -- John Pescatore, VP Gartner Inc.
Read the rest here.

Src: John Pescatore's Blog| Gartner Blog Network

QOTD on Funding Security Technology R&D

Part of the problem with security today is that people only want to fund technologies that require constant updating. Essentially signatures are the razor blades of our industry. But basically if you have to update it, then it doesn't work as a defensive toolset. -- Dave Aitel, CTO of Immunity
Src: SecurityMetrics mailing list [posted with author's permission]

QOTD on Heartland Hacker Getting Caught

The more sophisticated thieves are ingenious, and no company or government agency should rest easy with a false sense of security that our bad-guy days of worry are over. A few very skilled hackers slipped up and got caught [e.g. recent indictment of Albert Gonzales], but one can only imagine that even smarter ones are still out there and hard at work. -- Brenda Eaden, CEO of ID Theft eLearning Intelligence
Src: Experts: More Heartland-Style Breaches Expected | BankInfoSecurity.com

QOTD Litan on the US Credit Card System

It's time for the U.S. card industry to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working. -- Avivah Litan, Distinguished Analyst at Gartner Group
Src: Experts: More Heartland-Style Breaches Expected | BankInfoSecurity.com

QOTD - DDoS is the new poetry

It's time for the cybersecurity community to accept the uncomfortable truth that DDOS is what people do when they hate each other. In the past, they used to trade hate mail; today, they trade DDOS attacks.
Thanks to the Internet, today there are plenty of other ways for concerned and patriotic citizens to show their excitement about a war their country is fighting. DDOS is the new poetry.
Trying to analyze the cyber-dimension of a real war is impossible without understanding the causes, the conduct, and the aftermath of the war. -- Evgeny Morozov, a fellow at the Open Society Institute
Src: There is no need for Kremlin in this hypothesis or why DDOS is the new poetry | Net Effect | ForeignPolicy.com

QOTD on Cyberwarfare & Govt Readiness

Worldwide, governments need to be more involved and coordinate better on cyber warfare issues. Cyberwarfare moves at a speed much faster, and has the potential to cause more damage to critical infrastructures quicker, than any military offensive. -- Sam Masiello, VP, Information Security at MX Logic
Src: Civilians cyberattacked Georgia in 2008 war | SC Magazine US

QOTD Schneier on Security by Design

Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely. -- Bruce Schneier, Chief Security Technology Officer of BT.
Src: Lesson From the DNS Bug: Patching Isn't Enough | Schneier on Security Blog

QOTD Ranum on Leaks

If you knew what you think you know, you wouldn't have been able to say what you just said, so I know that you don't know anything. -- Marcus Ranum, CSO of Tenable Network Security
Those who have been in information security long enough know Marcus and his reputation as a skeptic. I have to say that I was very impressed with Marcus' quote, given that it was delivered during an interview with Patrick Gray of the Risky Business Podcast.

Src: Risky Business #106 -- Centrelink's new PLAID auth protocol

QOTD Schultz on Smart Grid Standards

The real question is instead whether [NERC] standards prescribe acceptable levels of security that result in sufficient controls that mitigate most identified risks. -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 63

QOTD Security Folks vs Risk Folks

A security person would say we would protect the data at all costs. A risk-oriented person would say let's try to quantify the business impact of this data and then protect the data that is absolutely critical to our operations. -- Rob Whiteley, Vice President and Research Director at Forrester Research Inc.
This article is a worthwhile read as it addresses things that IT and Security staff can/should and can't/shouldn't try to control.

Src: Data has become too distributed to secure, Forrester says | SearchSecurity.com

QOTD - Weatherford on Deprovisioning

De-provisioning users is one of the most important things an organization can do yet it continues to be one of those things people simply don't think is important enough...until they become a victim. -- Mark Weatherford, CISO for the State of California.
Src: SANS NewsBites Vol 11 Num 63

QOTD Schneier on The Security Mindset

The security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems. -- Bruce Schneier, Chief Security Technology Officer of BT.
Src: The Security Mindset | Schneier on Security Blog

aGoodL0ngPa$$w0rd IS NOT a good long password

I recently came across this password strength checker from Microsoft. While giving users feedback about the relative strengths of their passwords is a good way to help them choose good passwords, I also wanted to illustrate how current password strength checkers often fall short of their goals.

Case in point, both "aGoodL0ngPa$$w0rd" and "$3cretPa$$word" were rated as best passwords.

Yet both of these would be easily guessed by a password cracking program supporting leet speak.
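To show concretely why a character-class checker overrates these two passwords, here is an added example (not Microsoft's checker and not code from the original post). It scores a password two ways: the naive way, by length and character classes, and a dictionary-aware way that first undoes common leet-speak substitutions and then tries to split the result into dictionary words. The substitution table and the tiny wordlist are constructed stand-ins for what a real cracking wordlist would contain, and the assumed dictionary size used for the bit estimate is a labelled assumption.

```python
"""Naive vs. dictionary-aware password strength (added example)."""
import math
import re

# Constructed, non-exhaustive table of leet substitutions a cracker undoes.
LEET = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s", "!": "i",
}

# Constructed stand-in for a real wordlist; only membership is taken from it.
WORDLIST = {"a", "good", "long", "password", "secret", "pass", "word"}

# Assumption: a realistic cracking dictionary has on the order of 20,000 entries,
# so each dictionary word is worth about log2(20000) ~ 14.3 bits, not 6.6 bits
# per character as the naive model assumes.
ASSUMED_DICTIONARY_SIZE = 20_000


def naive_bits(pw: str) -> float:
    """Length x log2(alphabet size), the estimate behind most strength meters."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"\d", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def deleet(pw: str) -> str:
    """Undo leet substitutions and case, as a cracking rule set would."""
    return "".join(LEET.get(ch, ch) for ch in pw).lower()


def segment(normalized: str):
    """Split a normalized string into the fewest dictionary words, or None."""
    n = len(normalized)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and normalized[start:end] in WORDLIST:
                candidate = best[start] + [normalized[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def rate(pw: str) -> dict:
    """Return both estimates; dictionary_bits is None if no word split exists."""
    words = segment(deleet(pw))
    result = {"naive_bits": naive_bits(pw), "words": words, "dictionary_bits": None}
    if words is not None:
        substitutions = sum(1 for ch in pw if ch in LEET)  # one bit each: swapped or not
        capitals = sum(1 for ch in pw if ch.isupper())      # one bit each: upper or lower
        result["dictionary_bits"] = (
            len(words) * math.log2(ASSUMED_DICTIONARY_SIZE) + substitutions + capitals
        )
    return result


if __name__ == "__main__":
    for candidate in ("aGoodL0ngPa$$w0rd", "$3cretPa$$word"):
        r = rate(candidate)
        print(f"{candidate}: naive {r['naive_bits']:.0f} bits, "
              f"dictionary-aware {r['dictionary_bits']:.0f} bits, words {r['words']}")
```

The gap between the two numbers is the post's point: once a cracker's rule set strips the substitutions, "aGoodL0ngPa$$w0rd" is four dictionary words plus a handful of binary choices, not seventeen independent characters drawn from a 95-symbol alphabet.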

QOTD on Roman Aqueducts & the Power Grid

Design decisions should anticipate changes over time to environmental and system factors, including security. Perceptions often lag reality, and it can be costly to weigh your options or implement changes only after security threats become too great to ignore. Built-in security is cheaper and more effective than trying to retrofit it after the system has already been placed into operation. Once the last brick has been placed, infrastructure design decisions have been 'cast in stone,' and like the aqueducts, are built to last and hence not easily changed or replaced.
The CSO Online article draws many good parallels between the significance of the roman aqueducts' designs and the current efforts to modernize the power grid into a "smart grid".

Src: 4 Things the Roman Aqueducts Can Teach Us About Securing the Power Grid | CSO Online

QOTD on Cyberwar

In this fog of [cyber] war, anonymity means stealth, deniability and lack of options to respond. If the US cannot respond, its deterrence fails.

Src: The US will lose its battle in cyberspace without a leader at the helm | Foreign Policy Journal

QOTD - Deloitte on InfoSec Castles and Moats

Deloitte's new report entitled "Intensive Risk, Elusive Value: A Risk Intelligent Executive's Guide to Security and Privacy," is targeted at board members and executives who might be wondering "Could this happen to us?" Here are a few interesting quotes to get you motivated to read the full document (see link below).
Data and information, the crown jewels of your enterprise, can no longer be defended in the manner of a moated castle, with security measures applied around the perimeter. Today, the moat has been drained, the walls toppled, and the assets scattered across the countryside.
And my new favorite:
Business as usual is business at risk.
Src: www.deloitte.com/us/RIExecGuideSandP

QOTD - InfoSec Threats, Predators, and Fruit Trees

Bill Lamoreaux, a member of the Security Metrics mailing list, wrote the following in reply to a posting about what infosec managers should do in the face of ever changing threat environments:
Infosec managers are more like vegetation on the savanna. If you're a tall tree with juicy fruit, you're going to have different predators (attackers) than if you're grass on ground. You're going to deal with common threats (fire, flood, etc) no matter what type of vegetation you are, but knowing who your primary predator(s) are, will go a long way in assisting with defending yourself against targeted attacks. Using the fruit tree example, having spines on your branches and making sure they're of a minimum length (compliance) to keep most of the giraffe at bay, will assist you in keeping more fruit on the branches and less in your predator's stomach. If you're not assessing who your primary predators are (along with their skills, motives, objectives, etc) and what you need to defend, you're shooting in the dark and might as well grasp at the straws of compliance until you get some proper defenses up.

Logging, measuring and digesting information is vital to the evolution of our security approaches. It allows us to answer the Ed Koch catchphrase "How'm I doing?". If you don't know how you're getting attacked (and how effective you are against those attacks), you can't change your defense strategy (or worse, your defense philosophy).
[posted with permission of the original author]

QOTD on the Underground Economy

Every business model that exists in the legitimate business world is replicated in the criminal world, to the point that we see malware with service level agreements.
The weakest link in the chain when it comes to security is people. And people continue to be more exploited than systems and they will continue to be more exploited than systems. Consequently this also means we will see a rise in voice attacks and things like voice-over-IP might add to this. -- Rik Ferguson, senior security analyst and solutions architect at Trend Micro
Src: Know your enemy | ITP.net

QOTD on CEO/Security Disconnect

What the [security] industry has generally missed is that it is the business information that should be protected, and not the physical assets that is used to store, process, or transmit the information. -- Gerry Chng, partner of advisory services at Ernst & Young.
Gerry Chng made another good point when he said, earlier in the article:
The disconnect seems to arise from the fact that IT is typically managed by technologists, who place emphasis on relying on technology to solve security issues. Over the years, we have seen the obsession with hype on technology, where IT tries to secure the infrastructure and tangible assets, [such as] data centers, servers [and] databases.
Src: IT security needs 'healthy' C-level tension | ZDNet Asia

QOTD - Pescatore on Politicians & Technology

Very rarely do good things happen when technologists try to make public policy *or* when politicians try to dictate technology. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 11 Issue 60

Dr.InfoSec assists with Fayetteville Public Schools ID Theft case

As an information security professional, I always look for ways to be of assistance to others about the security and privacy of the data entrusted to them. This post is about exercising such an opportunity and in a small way, helping make a difference.

On July 29th, as I was following up on a story that flashed across my Twitter stream about 30 certified employees of a school district finding themselves victims of ID theft, I found something that should not have been there.

While looking for more information about the school district, I used a targeted Google search; it was a simple one, looking for pages containing the word 'certified.' While there were many search results, one in particular caught my eye: an Excel spreadsheet that appeared to contain Personally Identifiable Information (PII) including names, addresses, phone numbers, and social security numbers. Worse, it had been indexed by a major search engine, which meant that its contents had been cached for easier viewing, and would remain viewable even after the file itself was removed.

I placed a call to the school district right away and left a voicemail for the CIO. Within 20 minutes someone from the office had called me back. I shared with them what I had found and advised on short-term steps they should take to mitigate the problem.

While it may be tempting to lay blame for failing to properly safeguard sensitive data, this is not the purpose of this blog post. Instead, I wanted to share with the information security community and students that we can make a difference, even outside of business hours. In this case, I helped the school district identify one data leak. Was that spreadsheet the one used by fraudsters? It is simply too early to tell; the investigation is ongoing.

If you see something that is out of place, or poses a potential security/privacy risk, tell someone. It could help prevent 30 more people from becoming victims of ID theft.

Link: School District's Teachers Targeted In Identity Theft Scam | 4029tv.com
Link: Fayetteville Public Schools :: Administration
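The spreadsheet above is the kind of file a simple pre-publication check would have caught before it ever reached a web server, let alone a search engine's cache. The following is an added example of such a check, written for this post and not taken from the district or the article: it scans rows of CSV text for formatted Social Security numbers, applies the structural rules the SSA uses (no 000, 666 or 900-999 area, no 00 group, no 0000 serial) to cut down false positives, and reports each finding in redacted form so the report itself does not become a second leak. The sample rows are constructed; no real identifiers appear.

```python
"""Pre-publication scan for SSN-shaped values in CSV text (added example)."""
import csv
import io
import re

# Formatted SSN: 3-2-4 digits with hyphens, bounded so phone numbers (3-3-4) don't match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per SSA assignment rules; rejects obvious placeholders."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausibly valid SSN string found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def redact(text: str) -> str:
    """Mask all but the last four digits of each plausible SSN in text."""
    def mask(m):
        if is_plausible_ssn(*m.groups()):
            return "***-**-" + m.group(3)
        return m.group(0)
    return SSN_RE.sub(mask, text)


def scan_csv(text: str) -> list:
    """Scan a CSV document; report line number, column and redacted value per hit."""
    findings = []
    # DictReader consumes the header on line 1, so data rows start at line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for column, value in row.items():
            for ssn in find_ssns(value or ""):
                findings.append({"line": lineno, "column": column, "redacted": redact(ssn)})
    return findings


# Constructed sample: one real-looking SSN, one with an invalid 000 area,
# one with an invalid 9xx area, plus phone numbers that must not match.
SAMPLE_CSV = """name,phone,id,notes
Alice Example,479-555-0100,123-45-6789,certified
Bob Example,479-555-0101,000-12-3456,certified
Carol Example,479-555-0102,987-65-4320,substitute
"""

if __name__ == "__main__":
    for hit in scan_csv(SAMPLE_CSV):
        print(f"line {hit['line']}, column {hit['column']}: {hit['redacted']}")
```

Running a check like this as part of a web-publishing workflow (or over an existing document share) is cheap, and it fails safe: a file with a single hit is held back for a human to look at, while the report only ever shows the last four digits.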

QOTD - DoD's Lentz on Cyberspace

We have to think of cyberspace as a global common that touches everything we do. Securing the global common is the joint responsibility of everyone. -- Robert F. Lentz, Chief Information Assurance Officer for the U.S. Department of Defense
Src: Better ID assurance is essential for the new online world, DOD deputy secretary says | GCN

QOTD - Merrill on Security, Users, and Campus Sidewalks

Douglas Merrill, former Google VP of Engineering, said, in his opening keynote:
Let users dictate enterprise security needs.
He went on to give an analogy that I am very familiar with, that of campus sidewalks: the planners place sidewalks and grass; students create their own paths through the grass (usually the most direct route); planners have to put roadblocks (chains, planters) to keep students off the grass.

He said, "security companies will change from creating infrastructure boundaries to infrastructure resilience. If we can build security correctly, we make things easier, not harder."

Src: Former Google VP Suggests User-Based Security | The Industry Standard

So you want to be a Chief Risk Officer?

John Ericksen, Chief Operating Risk Officer at PNC, described his responsibilities as having oversight of risks stemming from: operational risk governance, data analysis, external events, strategic risk elements, information security, privacy, business resilience, and financial intelligence.

For the banking sector, John considers the CRO's responsibility to be "to forge a view of these risks that transcends the bank's individual departments to enable quick decisions based on an enterprise-wide view of exposures" and being able "to add the right nuances to the information so you can have a thoughtful conversation about it with other staff."

Ultimately, the CRO must be able to understand data:
how it's collected, its integrity, what it's being used for, its accuracy and making sure the right data management systems and technology are in place to make informed decisions based on portfolio, geographic and customer views.
Src: The New Generals - 08..2009 | Bank Technology News

QOTD - Howard Schmidt on Data & Threats

Data is now the gold, the silver and diamonds of the online world and criminals see it as a low-risk way to steal money without going anywhere near the crime scene.
But even in today's financial climate and increased threat environment, we are better placed than ever before to meet these challenges – as long as we have the resolve to strengthen and invest in security rather than reduce it. -- Prof. Howard A. Schmidt, CEO of the Information Security Forum
Src: 'Crimeware as a service' set to increase over the next two years | SC Magazine UK

QOTD on Cybersecurity Decisions

When you make cybersecurity technology decisions, you want to make it within the context of things like knowing its effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making, and understanding about business models, whether this is consistent with the business model or not. -- Cornell Computer Science Professor Fred Schneider

Src: Producing the New Cybersecurity Pro | GovInfoSecurity.com

How Twitter Wolves Look for Easy Prey

The majority of Twitter users don't mind sharing their tweets (i.e. their Twitter updates) with the rest of the world. After all, sharing one's thoughts and actions is at the core of social networks like Twitter, Facebook and MySpace.

However, what users often don't realize is that in aggregate, their tweets paint a picture about who they really are. Take for example those who tweet about hating their jobs. Using the search feature in Twitter, it is possible to gather scores of users who have recently tweeted on their negative feelings about work. This information is useful in the hands of someone looking to make contact with an insider, usually for nefarious purposes.

Another aspect of one's public twitter stream is whether (or in some cases how often) someone has fallen for a scam on Twitter, be it a phishing scam that they simply re-tweeted or a click-jacking attack that suddenly floods one's followers with tens or hundreds of dangerous tweets. Let's explore this item a little further.

Recently, several users fell prey to a scam promising to increase their number of followers. When they clicked on the link promising "tons of followers," users were asked for their username/password. This allowed the scammers to then use that account to spread their message onto more people.

The real danger behind such lapses in judgment, giving another site your (Twitter) credentials, comes from what it says about the victim. By monitoring patterns of behavior, attackers can zoom in on easy prey who appear to engage in a pattern of risky behavior by clicking dangerous links or providing sensitive information. Worse, if that person is one of your employees, attackers are likely to be able to extract username/passwords from the unsuspecting user again. How confident are you that one's Twitter password isn't also their password for work email, bank account info, etc?

QOTD - Graham Cluley on Hackers, Tigers & Zebras

The hackers are targeting the social networks; frankly, hackers go where the users are. It's like tigers finding out where the zebras go to get their drink of water. They're going to chase after them and take advantage of them. -- Graham Cluley, Senior Technology Consultant for Sophos, speaking to SearchSecurity.com's Security Wire Weekly podcast
Src: Defeating hackers is hard (mp3 podcast) or YouTube Video (clip)

QOTD on Compliance

Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation. -- John Pironti, President of IP Architects, speaking at the ISACA International Conference in Los Angeles
The article also reports Pironti as cautioning that a single-minded focus on "security by compliance" will result in more lapses of security as adversaries shift to more effective and damaging attacks.

Src: A Policy Dialogue Platform - Promoting Better Governance | eGov monitor

Primer on Security Metrics and their Pitfalls

A great primer on the utility and pitfalls of security metrics written by Vicente Aceituno:
It is not easy to find metrics for security goals like security, trust and confidence. The main reason is that security goals are “negative deliverables”. The absence of incidents for an extended period of time leads one to think that we are safe. If you live in a town where neither you nor anyone you know has ever been robbed, you feel safe. Incidents prevented can’t be measured in the same way a positive deliverable can, like the temperature of a room.
Src: Security Metrics | Information Security Management Maturity Model Blog

QOTD on Outsourced IT Supply Chain

Our national reliance on IT hardware and software from various non-pedigreed sources is a foundation for major cybersecurity risks having national security implications. The incident reports cited in this article further highlight potential risks ranging from logic bombs and self-modifying code, deliberately hidden back-doors to potentially fatal equipment failure and even foreign espionage...
As NIST advises, organizations must add “defense-in-breadth” to their strategy mix. While Defense-in-depth focuses on the operations phase of the systems development lifecycle, defense-in-breadth covers the entire lifecycle.
Src: Trust but verify: Security risks abound in the IT supply chain | GCN.com
Thanks to the CyberWarfare Forum Initiative for bringing this article to my attention.

QOTD on Risk vs Threats

Most security people don't understand risk -- they understand threats. Threats are just one input into the risk equation. Others come from operations, strategy, and marketing. -- John Pironti, President of IP Architects
Src: Security Boosted by Risk Management | ITManagement

QOTD - Gartner on Data Leaks and Pizza

Back in the day, watching the Dominos pizza delivery office closest to the White House in Washington DC was an information leakage path. Social network sites are the same thing - lots of worry in the military about loss of Operations Security because of all the tweeting and Facebook posting going on by active military and their families. -- John Pescatore, Vice President at Gartner, Inc.
Src: SANS NewsBites Vol 11 Num 53

QOTD - Honan on preparing for the breach

We have to accept that at some stage our organizations will suffer a breach. How we react and respond to the breach will make the difference as to whether stakeholders, be they customers or shareholders, will continue to view the organization. This case shows that clear, open and timely communication from senior management is valuable for rebuilding trust. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 49

Like Dominoes - The Anatomy Of The Twitter Attack

How many of our systems have interconnections to other systems that have weaker security? If any do, remember that your ultimate level of security is that of the weakest link. This is a story about an executive, in this case the CEO of Twitter, whose Gmail account gets compromised (domino #1: password reset), which leads to leakage of corporate sensitive information that was stored with Google Docs. The intruder then covered his tracks so that the account owner would not notice (domino #2: reset password back to original by correctly guessing the CEO was using a single password for multiple accounts).

The same warnings are applicable to bank accounts, phone records, insurance contracts, health records. Any account with sensitive information which uses a weaker account (e.g. most webmail applications) as a backup is likely to be a target of attackers looking for fresh prey and easy access to documents.

Src: The Anatomy Of The Twitter Attack | TechCrunch.com

QOTD - Ranum on the Thrill of Hacking

Hacking systems - the thrill of the illicit, penetration, and the (slight) chance of getting caught - is a very self-reinforcing behavior. It's a paradoxical form of adrenaline addiction: the attacker is hooked on the rush, but sociopathically hides behind the safety of anonymity. It's not hard to see why a lot of hackers find it very hard to quit once they get started. -- Marcus J. Ranum, CSO Tenable Network Security Inc.
Src: SANS NewsBites Vol 11 Num 47

QOTD - Honan from bits and bytes to bullets and bombs

This case [International telecom hacker group busted] highlights the current threat posed by terrorism to computer systems worldwide. It is not to take these systems down but to raise money. The funds generated by compromising bits and bytes go to purchasing bullets and bombs. -- Brian Honan, independent security consultant based in Dublin, Ireland
Src: SANS NewsBites Vol 11 Num 47

QOTD - Pescatore on Lawsuits & Executives

There is always a hope in security circles that threats such as class action lawsuits or 'downstream liability' will cause a light bulb to go off in boards of directors' heads and they will say 'Aha - information security is important, increase the budget, promote the CISO!!' In reality, when boards hear 'liability' they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. -- John Pescatore, Vice President at Gartner Inc., writing about Aetna being named in a class action data breach lawsuit.
Src: SANS Institute - SANS NewsBites Vol 11 Num 46

Information Security: The Good, The Bad and The Ugly

"Why in the hell are you bothering with testing code that is already in production?" was reportedly asked by a CIO, upon learning of newly discovered vulnerabilities in their production system.

This article, written by Kevin G. Coleman, Strategic Advisor with the Technolytics Institute, provides high-level comments on the current state of information security and its relation to cybercrime and management.

Src: Information Security: The Good, The Bad and The Ugly | TMCNet.com

When BIOS updates become malware attacks

You get the call - a computer is acting strange, malware is the likely suspect. After recording appropriate activity logs and ensuring data is safe, you proceed with the disinfection: wipe the OS and reinstall from a clean image.

If you performed the procedure above, your machine may still be infected. The reason? The malware may have rooted itself deeply into the hardware itself, the BIOS, rather than simply residing on the drive.

This is a fascinating and developing area of active research (both by hackers and security researchers such as those at Core Security) and a story that all information security professionals should be aware of.

Next time a machine is acting strange, wipe the OS and reinstall, but only after you have also flashed the BIOS.

Src: When BIOS updates become malware attacks | SearchSecurity.com

It's the compiler's fault - how good source code becomes a vulnerable implementation

As a faculty member who has taught programming classes for many years, I have stressed the value of writing good code, with the requisite error checks. Some languages like C/C++ need to be compiled, and over the years, compilers have been augmented with the capacity to make "smart" decisions about the source code, usually to improve execution speed or warn of dangerous omissions ("you did remember to initialize that value, right?").

Brad Spengler, a security researcher, has created an instance of code where the compiler's "smart" logic actually degrades the overall security of the resulting binary by introducing a vulnerability that until now seemed un-exploitable.

After reading the SANS ISC post below, you might just be right to claim that it was the compiler's fault: "the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code."

As someone who has helped grow generations of students into programmers, the suggested fix is not acceptable as it puts the burden on the programmer to know how the compiler will optimize the code. A "smart" compiler should not penalize a programmer for being extra careful with his/her code.

Src: A new fascinating Linux kernel vulnerability | SANS ISC
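The pattern the ISC post describes, as an added example that is not code from the post or from the Linux kernel: a pointer is dereferenced before it is tested for NULL, which lets an optimizing compiler treat the pointer as non-NULL and delete the later test. All type and function names here are constructed stand-ins; the second function shows the ordering that keeps the check in the binary.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for a driver's per-file state; not kernel types. */
struct sock_state { int readable; };
struct dev_file   { struct sock_state *sk; };

enum { POLL_ERR = -1, POLL_NONE = 0, POLL_IN = 1 };

/*
 * Defective ordering (kept to show the problem): dev->sk is loaded BEFORE
 * dev is tested.  Dereferencing NULL is undefined behaviour, so an optimizing
 * compiler (e.g. GCC at -O2) may conclude that dev cannot be NULL here and
 * silently delete the "if (!dev)" test from the generated code.  The source
 * carries a check; the binary may not.  Never call this with NULL.
 */
int poll_deref_first(struct dev_file *dev)
{
    struct sock_state *sk = dev->sk;   /* dereference happens first */
    if (!dev)                          /* eligible for deletion by the optimizer */
        return POLL_ERR;
    return sk->readable ? POLL_IN : POLL_NONE;
}

/*
 * Hardened ordering: every dereference is preceded by the test that guards
 * it, so there is no earlier use for the compiler to reason from and the
 * check survives at any optimization level.
 */
int poll_check_first(struct dev_file *dev)
{
    if (!dev)
        return POLL_ERR;
    struct sock_state *sk = dev->sk;
    if (!sk)
        return POLL_ERR;
    return sk->readable ? POLL_IN : POLL_NONE;
}

/* Build-time mitigation: GCC's -fno-delete-null-pointer-checks disables the
 * optimization that removes such tests.  Inspect the generated code
 * (objdump -d) to confirm the compare is still emitted. */
int main(void)
{
    struct sock_state sk = { .readable = 1 };
    struct dev_file dev = { .sk = &sk };

    printf("check-first, valid dev : %d\n", poll_check_first(&dev));
    printf("check-first, NULL dev  : %d\n", poll_check_first(NULL));
    printf("deref-first, valid dev : %d\n", poll_deref_first(&dev));
    return 0;
}
```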

QOTD -- Fox on Cyber Warfare and Attribution

War has not changed. The weapons of disruption, corruption, and destruction reflect only the evolution of human creativity and innovation. We must understand the conflicts that drive their use, be they individual, corporate, or international. Without this insight, we are doomed to cyber attrition.
Steven Fox, Principal Consultant & Founder, SecureLexicon.com, writing about Cyber Warfare.

Src: Cyber Warfare and Attribution | CSOOnline Blog

QOTD - PrivacyProf on Data Aggregation

We are more than just the strict sum of a few pieces of information that may point to us.

A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way...

Consider a zip code, first name, and birth year.

If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual, especially in more sparsely populated geographic locations. So, does this combination of three items, as a group, represent PII?

It often takes just two pieces of information to be able to identify a specific individual. Once identified, finding out more information about that individual is trivial, and the stuff that criminals' dreams are made of.

Rebecca Herold, The Privacy Prof, blogging about the privacy threats of data aggregation, i.e. when it is possible to aggregate individual pieces that are not private to form a picture that can uniquely identify somebody.

Src: What is PII? How About Groups Of Otherwise Non-PII? | Realtime IT Compliance
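The zip code, first name and birth year argument above, as an added example that is not part of Herold's post: a small k-anonymity style check over a constructed six-person directory (all values made up) that counts, for each subset of the three attributes, how many people that subset singles out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy directory; names, zip codes and years are made up. */
struct record { const char *zip; const char *first; int year; };

static const struct record people[] = {
    { "50001", "Ann", 1975 },
    { "50001", "Ann", 1982 },
    { "50001", "Bob", 1975 },
    { "50002", "Ann", 1982 },
    { "50002", "Bob", 1982 },
    { "50002", "Bob", 1975 },
};
#define N_PEOPLE (sizeof people / sizeof people[0])

/* Attribute subset selected with bit flags. */
enum { USE_ZIP = 1, USE_FIRST = 2, USE_YEAR = 4 };

/* True when two records agree on every attribute in the chosen subset. */
static int same_on(const struct record *a, const struct record *b, int attrs)
{
    if ((attrs & USE_ZIP)   && strcmp(a->zip, b->zip) != 0)     return 0;
    if ((attrs & USE_FIRST) && strcmp(a->first, b->first) != 0) return 0;
    if ((attrs & USE_YEAR)  && a->year != b->year)              return 0;
    return 1;
}

/* Size of the group record i shares its attribute values with (the "k" of
 * k-anonymity).  k == 1 means the combination identifies that person. */
int class_size(size_t i, int attrs)
{
    int k = 0;
    for (size_t j = 0; j < N_PEOPLE; j++)
        if (same_on(&people[i], &people[j], attrs))
            k++;
    return k;
}

/* Number of people uniquely re-identified by this attribute subset. */
int count_unique(int attrs)
{
    int unique = 0;
    for (size_t i = 0; i < N_PEOPLE; i++)
        if (class_size(i, attrs) == 1)
            unique++;
    return unique;
}

int main(void)
{
    static const struct { int attrs; const char *name; } sets[] = {
        { USE_ZIP, "zip" }, { USE_FIRST, "first" }, { USE_YEAR, "year" },
        { USE_ZIP | USE_FIRST, "zip+first" }, { USE_ZIP | USE_YEAR, "zip+year" },
        { USE_FIRST | USE_YEAR, "first+year" },
        { USE_ZIP | USE_FIRST | USE_YEAR, "zip+first+year" },
    };
    for (size_t s = 0; s < sizeof sets / sizeof sets[0]; s++)
        printf("%-15s identifies %d of %zu people\n",
               sets[s].name, count_unique(sets[s].attrs), (size_t)N_PEOPLE);
    return 0;
}
```

In this directory no single attribute identifies anyone, each pair identifies two people, and all three together identify everyone.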

QOTD on CEOs & Cybersecurity

only 3% [of CEOs] cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.
Src: What CEOs Don't Know About Cybersecurity | Forbes.com

NIST Draft Definition of Cloud Computing

Peter Mell, Project Lead for the NIST Cloud Computing group has released a Draft Working Definition of Cloud Computing:
Definition of Cloud Computing:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models.
Essential Characteristics are listed as: on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service.

Delivery Models are listed as: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Deployment Models can be one of: private cloud, community cloud, public cloud, hybrid cloud.

Src: Cloud Computing | Computer Security Resource Center | Computer Security Division | NIST.gov

QOTD - RSA on Nature of Threats

It is now a common mantra in security that the nature of the threats has changed. Gone are the days of script kiddies looking for fame and notoriety; now enterprises face a very sophisticated worldwide fraud machine run by organized crime; with many players, each having their own niche. This system is very adaptable, changing tactics quickly to outwit any attempt to foil their operations. -- RSA report "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk"
Src: RSA, The Security Division of EMC

QOTD - Garfinkel: Privacy Requires Security, Not Abstinence

When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one. And it is likely that it would cost society far more money to live with poor security than to address it. -- Simson Garfinkel, associate professor at the Naval Postgraduate School in Monterey, CA
Src: Privacy Requires Security, Not Abstinence | MIT Technology Review

Predicting Social Security Numbers from Public Data

we only used publicly available information, and ended up discovering, based on that information, that the randomness [used in assigning SSNs] is effectively so low that the entire 9 digits of an SSN can be predicted with a limited number of attempts. -- Alessandro Acquisti and Ralph Gross of Heinz College, Carnegie Mellon University.
One lesson we can draw is that what was once thought to be secure (or secure enough) is no longer (or not enough). The other lesson is that we need to focus on mitigating the risks created by the types of fraudulent transactions that are often based on easy-to-obtain credentials like SSNs (see Bruce Schneier's article in Forbes).

Src: Predicting Social Security Numbers from Public Data - FAQ

QOTD on Laws & Technology

We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Cloud Computing Vs. Internal Controls | Compliance Week

QOTD - PrivacyProf on tracking PII

Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.

I have had similar findings in many of the information security assessments that I conducted, in that management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of sensitive data generated and consumed, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.

[Note: emphasis is mine]

Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance

QOTD - Rafal Los' Dose of Security Reality

In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right? --Rafal Los, IT Security Risk Strategist, blogger at http://preachsecurity.blogspot.com/
Src: [RANT] Call Me a Realist | Digital Soapbox - Preaching Security to the Digital Masses

Zero Day Threat, the book

As I wrap up reading Zero Day Threat, written by USAToday's Byron Acohido and Jon Swartz, I wanted to share with you one of the paragraphs that best outline the current mess of the US (and beyond) financial system. [emphasis is my own]
In the fast emerging cybercrime industry, hackers and scam artists morph and advance magnitudes of order faster than the banking and tech industries have been willing to shore up basic security. From corporate America's point of view, convenience and speed are the drivers of the business models of the new millennium. Security is a perception challenge.
I highly recommend this book to anyone charged with safeguarding data. It will open your eyes to a system of actors (banks, credit bureaus, scammers, drug-addicts, and malware authors) revolving around maximizing profit at the expense of the consumer. The book links the murky world of the "exploiters" with the ingenious capacity for "expediters" to generate new and better malware, while the "enablers" sit mainly idle, unwilling to commit to much-needed enhancements to secure consumers' financial records and credit histories.

As security professionals, we must engage in critical evaluation of the risks to the data we are entrusted with. This book is sure to generate many lively discussions among security pros, and one would hope, executive management, about the nature of the threat, the drivers, and the baseline security that ought to be implemented.

Src: Zero Day Threat official web site
Src: Cybercrime Book Excerpt: 'Zero Day Threat' | Wired.com
Src: You won't guess who's the bad guy of ID theft | USAToday