QOTD - Pescatore on National Cybersecurity Strategy

Cybersecurity is an inherently distributed problem that will continue to evolve at the speed of technology. -- John Pescatore, Vice President and Research Fellow in Gartner Research.
[Editorial note: this is a must-read document from one of the country's leading sources of information security research and advice.]

Src: Toward a National Cybersecurity Strategy | Gartner

QOTD - Schultz on Social Networking

Social networking is incredibly popular, yet it poses so many risks that people should think twice before joining any social networking site. I decline all invitations to join MySpace, Facebook, and other sites mainly because of the risk of identity theft when personal information is shared on these sites. -- Dr. Eugene Schultz, CTO of Emagined Security
I concur with the exception of Twitter. Twitter's clean interface, easy-to-understand privacy settings (i.e. public or "protect my updates"), and popularity with security tweeple make it one of the leading platforms to grow one's knowledge of the field and network with fellow information security professionals.

Src: SANS NewsBites Vol 11 Num 39

Warner Touts E-Medical Data Despite Hacker Attack

One of the keys is how we ensure security and privacy. Just as we see that in financial records you can never get 100 percent protection, we have a very efficiently functioning system around financial records (and) around other critical information. -- US Senator Mark Warner
The recent news about a hacker gaining access to the State of Virginia's Prescription Monitoring Program highlights the differences, not the similarities, between the financial system and the health care system. Money is fungible: one dollar is as good as any other, so if your account is compromised and you are not the culprit, its balance can be restored in time.

In the case of electronic medical records, the records contain a detailed report of your health history, your prescription history, and possibly your mental health history. Health care data has intrinsic value: once stolen, it can be used to commit prescription fraud and reimbursement fraud for medical procedures, and, in the long term, to take advantage of you and those around you.

The article goes on to say that "frustrated lawmakers wanted to know why a firewall put in place by the Virginia Information Technologies Agency and its contractors didn't foil the attack." This statement illustrates how little the average lawmaker knows about the current level of threats to electronic data. A firewall decides which network connections may reach an application; it does nothing against an attacker who arrives over an allowed connection, whether with a stolen credential or through a flaw in the application itself. Unfortunately, while a compromised credit card can be closed and a new number issued, your health history cannot be revoked and replaced.

Src: Warner Touts E-Medical Data Despite Hacker Attack | NYTimes.com

QOTD - Geer on Rate of Change in InfoSec

The world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.

I think information security is quite possibly the most intellectually challenging profession on the planet. For that reason, what was true yesterday may not be tomorrow. In information security in particular, the rising fraction of R & D that is done by the opposition, and is funded by the opposition by its own revenue, is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time. -- Dan Geer, CISO at In-Q-Tel

Src: Geer: Risk Management Should Change the Future | CSO Online

Twitter Search Yields Email Addresses

The blogosphere has been abuzz with reports of spammers using Twitter's own search feature to grow their spam databases. A simple search for "@gmail.com" or "email me" returns pages of tweets in which people have broadcast their email addresses to the public timeline. Is this bad? Yes, but users who post an address to the public timeline should know better: they have published it to anyone who can run a search.

What bothers me the most about Twitter's search feature is that once a tweet has been posted to the public timeline, it can't be removed from it. It can be deleted, but it will still show up in the public timeline for weeks to come. As a proof of concept, I refer you to my earlier blog post on the subject.
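As an added illustration (not part of the original post, and not a script from the ZDNet article), the following Python sketch shows how little such harvesting takes: a search-style keyword filter over a set of public tweets, followed by pattern extraction that also recovers the common "user at domain dot com" obfuscations people rely on. The tweets and addresses are constructed for the example; the function names are mine.

```python
import re

# Constructed sample of public-timeline tweets (no real accounts or addresses).
SAMPLE_TWEETS = [
    "Email me for the slides: alice.smith@gmail.com",
    "contact bob_jones at yahoo dot com if you want the PDF",
    "new blog post up, check it out",
    "dm or mail carol [at] example [dot] org",
    "Going to the conference, who else? ping dave@corp.example.com",
]

# Plain addresses: local-part@domain.tld
PLAIN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Obfuscated addresses: "user at domain dot tld", "user [at] domain [dot] tld", etc.
OBF_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)\s*[\[(]?\s*\bat\b\s*[\])]?\s*"
    r"([A-Za-z0-9-]+(?:\s*[\[(]?\s*\bdot\b\s*[\])]?\s*[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_RE = re.compile(r"\s*[\[(]?\s*\bdot\b\s*[\])]?\s*", re.IGNORECASE)


def search(tweets, term):
    """Mimic a keyword search over the public timeline (case-insensitive)."""
    term = term.lower()
    return [t for t in tweets if term in t.lower()]


def normalize_obfuscated(user, domain):
    """Turn 'user' + 'domain dot tld' back into a deliverable address."""
    return f"{user}@{DOT_RE.sub('.', domain)}".lower()


def harvest_emails(tweets):
    """Extract every address, plain or obfuscated, from a list of tweets."""
    found = set()
    for text in tweets:
        for addr in PLAIN_RE.findall(text):
            found.add(addr.lower())
        for user, domain in OBF_RE.findall(text):
            found.add(normalize_obfuscated(user, domain))
    return sorted(found)


def tweet_leaks_email(text):
    """Defensive check a client could run before posting to the public timeline."""
    return bool(harvest_emails([text]))


if __name__ == "__main__":
    # The harvester does not need every tweet; the search narrows the haystack first.
    hits = search(SAMPLE_TWEETS, "email me") + search(SAMPLE_TWEETS, " at ")
    print("from search results:", harvest_emails(hits))
    print("from whole sample:  ", harvest_emails(SAMPLE_TWEETS))
```

The point of the obfuscation handling is that "at" and "dot" spelled out are no defence: anything a human can read back into an address, a harvester can too. The only address that stays out of the spam database is the one never posted to the public timeline.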

Src: Spammers harvesting emails from Twitter - in real time | ZDNet.com

QOTD - Patrick Gray on Security vs Dancing Bears

Given a choice between a dancing bear screen-saver and adhering to a company security policy, the end user is going for the dancing bear every time. -- Patrick Gray, host of the Risky Business Podcast, Episode RB78: Interview with Geekonomics author David Rice
Also worth listening to is the audio of the GOVCert presentation by Geekonomics author David Rice.

Study: Users will route around firewalls

Application developers are making it easy for users to negate corporate firewalls, and users are happily taking advantage of this, while corporate IT networks are constantly playing a cat and mouse game with these users.
...
A lot of the risks detailed in this report could be managed rather easily by giving users access to a comparable set of approved tools.
I've always been of the opinion that IT needs to work with users instead of trying to "control" them. One too many "No!" and a user will find his/her own way of getting things done.

Src: Study: Employees Will Find Ways to Route Around Corporate Firewalls | ReadWriteWeb [tx @security4all]