QOTD - Blind Mice & Swiss Cheese Security

A lot of security professionals will concede that they have been reduced to blind mice looking at traffic streaming through security devices that have been turned into Swiss cheese by Web applications. -- Mike Vizard
Src: Blind Mice and the Swiss Cheese Security Model | ITBusinessEdge.com

QOTD on the Dark Cyber World

The cyber world has slowly become a crowded place and a gold-mine of personal data. Where crowds meet, bad people hide. Where valuable information is stored, bad people lurk. Dark individuals and dark clouds stealthily hide behind the virtual masses and surgically coordinate their terrorist actions or illegal activities. For law enforcement agencies the identification of such activities is a tremendously complicated task: too many protocols, applications and services to watch; too many cyber users and communications; too much content to be analyzed and understood... and everything at the nearly close speed-of-light. -- Dr. Antonio Nucci, CTO at Narus
Src: Shedding Light on the Dark Cyber World Part II | ConvergeDigest.com

QOTD from IBM X-Force Report

The Internet has finally taken on the characteristics of the Wild West where no one is to be trusted. There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity. -- Kris Lamb, Director X-Force (now part of IBM)
Src: IBM X-Force(R) Report Reveals Unprecedented State of Web Insecurity

QOTD - Rob Lee on Security for SMBs

Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one. -- Rob Lee, Director at Mandiant & Faculty Fellow at SANS Institute
Src: SANS NewsBites Vol 11 Num 67

QOTD on Privacy

Privacy is an essential freedom that shapes our society, an internationally recognized human right, and the foundation of modern democracy, but if we don’t value our privacy or stand up for it as our right, it will be eroded over time. -- Office of the Privacy Commissioner of Canada
Src: Maintaining your privacy continues to be a challenge every day | Sault This Week

Tighter Security Urged for Businesses Banking Online

How can businesses secure their financial accounts from hackers? Information security professionals have been advocating the use of more advanced measures such as the one recently recommended by the Financial Services Information Sharing and Analysis Center:
carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.
Src: Tighter Security Urged for Businesses Banking Online | WashingtonPost.com

QOTD on Hackers vs Authentication Tokens

They don’t break the encryption; they just log in at the same time you do. -- Joe Stewart, director of malware research for SecureWorks
The article discusses the recent increase in real-time fraud in which hackers can negate the security advantages of token-based authentication devices by stealing the access credentials and using them in real time.

Src: Hackers Exploit an Evolving Web | NYTimes.com

Rich Mogull on Safe Browsing Environments

Rich Mogull, founder of Securosis, shares with Macworld readers the elaborate (but in my view entirely justified) setup he uses to browse the Internet in a secure fashion. For the average user, this setup would definitely be too much. However, if money or fame makes you a likely target, this setup provides some of the best protections that technology can provide today.
My chosen profession requires a tad more paranoia than is mentally healthy for the average user. Still, these techniques are relevant for anyone concerned about security. At a minimum, I recommend dedicated password management, a dedicated Web browser or SSB [Site Specific Browser] for banking, and perhaps a VM [Virtual Machine] for those occasional trips to the darker edges of the Internet.
In my own practice, I use many of the same techniques described by Rich; after reading this, I will start implementing the rest.

Src: Super-safe Web browsing | Macworld

Malware today & in the future

This article is a good summary of the state of malware development today and what we need to start bracing for. While most malware will continue to be of the general kind, spreading like fire, a new breed of targeted malware is emerging. One piece of malware
was written specifically to crawl for, and to steal intellectual property. What was most unusual about the malware is that it could crawl different file types -- Excel, PDF, for instance -- for intellectual property to steal, Hoglund says. Then it would encrypt and send the stolen information to its own servers.
Some malware has attacked researchers' hosts and networks while other variants can detect if they are running in a virtual machine, a common practice to isolate and study malware.

Src: Rare Malware A Hint Of Threats To Come | DarkReading

QOTD - Pescatore's "Mindset List"

John Pescatore posted his own version of the "Mindset List," a yearly list published by Beloit College about incoming students' frames of reference. Pescatore's tenth entry deserved to be shared with the rest of the infosec community:
The same percentage of them fall for scams and malware in online social networks as the percentage of their parents who fell for email scams and the percentage of their grandparents who fell for real world scams. Despite the changes, they are still just human beings after all. -- John Pescatore, VP Gartner Inc.
Read the rest here.

Src: John Pescatore's Blog| Gartner Blog Network

QOTD on Funding Security Technology R&D

Part of the problem with security today is that people only want to fund technologies that require constant updating. Essentially signatures are the razor blades of our industry. But basically if you have to update it, then it doesn't work as a defensive toolset. -- Dave Aitel, CTO of Immunity
Src: SecurityMetrics mailing list [posted with author's permission]

QOTD on Heartland Hacker Getting Caught

The more sophisticated thieves are ingenious, and no company or government agency should rest easy with a false sense of security that our bad-guy days of worry are over. A few very skilled hackers slipped up and got caught [e.g. recent indictment of Albert Gonzales], but one can only imagine that even smarter ones are still out there and hard at work. -- Brenda Eaden, CEO of ID Theft eLearning Intelligence
Src: Experts: More Heartland-Style Breaches Expected | BankInfoSecurity.com

QOTD Litan on the US Credit Card System

It's time for the U.S. card industry 'to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working.' -- Avivah Litan, Distinguished Analyst at Gartner Group
Src: Experts: More Heartland-Style Breaches Expected | BankInfoSecurity.com

QOTD - DDoS is the new poetry

It's time for the cybersecurity community to accept the uncomfortable truth that DDOS is what people do when they hate each other. In the past, they used to trade hate mail; today, they trade DDOS attacks.
...
Thanks to the Internet, today there are plenty of other ways for concerned and patriotic citizens to show their excitement about a war their country is fighting. DDOS is the new poetry.
...
Trying to analyze the cyber-dimension of a real war is impossible without understanding the causes, the conduct, and the aftermath of the war. -- Evgeny Morozov, a fellow at the Open Society Institute
Src: There is no need for Kremlin in this hypothesis or why DDOS is the new poetry | Net Effect | ForeignPolicy.com

QOTD on Cyberwarfare & Govt Readiness

Worldwide, governments need to be more involved and coordinate better on cyber warfare issues. Cyberwarfare moves at a speed much faster, and has the potential to cause more damage to critical infrastructures quicker, than any military offensive. -- Sam Masiello, VP, Information Security at MX Logic
Src: Civilians cyberattacked Georgia in 2008 war | SC Magazine US

QOTD Schneier on Security by Design

Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely. -- Bruce Schneier, Chief Security Technology Officer of BT.
Src: Lesson From the DNS Bug: Patching Isn't Enough | Schneier on Security Blog

QOTD Ranum on Leaks

If you knew what you think you know, you wouldn't have been able to say what you just said, so I know that you don't know anything. -- Marcus Ranum, CSO of Tenable Network Security
Those who have been in information security long enough know Marcus and his reputation as a skeptic. I have to say that I was very impressed with Marcus' quote given that it was provided during an interview with Patrick Gray of the Risky Business Podcast.

Src: Risky Business #106 -- Centrelink's new PLAID auth protocol

QOTD Schultz on Smart Grid Standards

The real question is instead whether [NERC] standards prescribe acceptable levels of security that result in sufficient controls that mitigate most identified risks. -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 63

QOTD Security Folks vs Risk Folks

A security person would say we would protect the data at all costs. A risk-oriented person would say let's try to quantify the business impact of this data and then protect the data that is absolutely critical to our operations. -- Rob Whiteley, Vice President and Research Director at Forrester Research Inc.
This article is a worthwhile read as it addresses things that IT and Security staff can/should and can't/shouldn't try to control.

Src: Data has become too distributed to secure, Forrester says | SearchSecurity.com

QOTD - Weatherford on Deprovisioning

De-provisioning users is one of the most important things an organization can do yet it continues to be one of those things people simply don't think is important enough...until they become a victim. -- Mark Weatherford, CISO for the State of California.
Src: SANS NewsBites Vol 11 Num 63

QOTD Schneier on The Security Mindset

The security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems. -- Bruce Schneier, Chief Security Technology Officer of BT.
Src: The Security Mindset | Schneier on Security Blog

aGoodL0ngPa$$w0rd IS NOT a good long password

I recently came across this password strength checker from Microsoft. While giving users feedback about the relative strengths of their passwords is a good way to help them choose good passwords, I also wanted to illustrate how current password strength checkers often fall short of their goals.

Case in point, both "aGoodL0ngPa$$w0rd" and "$3cretPa$$word" were rated as best passwords.

Yet both of these would be easily guessed by a password cracking program supporting leet speak.
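To illustrate the point above, here is an added example (my own code, not Microsoft's checker or anything from the original post) that contrasts a character-class score with a check that undoes common leet substitutions and splits the result into dictionary words; the substitution table and the tiny wordlist are constructed for the example.

```python
import string

# Common leet substitutions a cracking rule set would reverse (constructed table
# for this example). A character may map to more than one letter, e.g. "1" -> l or i.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
        "$": "s", "@": "a", "!": "i"}

# Tiny constructed wordlist standing in for a cracker's dictionary.
WORDLIST = {"a", "good", "long", "pass", "word", "password", "secret"}


def naive_score(pw):
    """Character-class count plus a length bonus: the kind of check that
    rates both example passwords as 'best' (maximum here is 5)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    score = sum(any(c in cls for c in pw) for cls in classes)
    return score + (1 if len(pw) >= 14 else 0)


def segment(pw, words=WORDLIST):
    """Return the dictionary words that, after lowercasing and undoing leet
    substitutions, spell the whole password; None if no such split exists.
    A non-None result means the password is a cheap dictionary-rule guess."""
    pw = pw.lower()

    def rec(i):
        if i == len(pw):
            return []
        candidates = [""]
        for j in range(i, len(pw)):
            alts = LEET.get(pw[j], pw[j])        # one or more plain letters
            candidates = [c + a for c in candidates for a in alts]
            for cand in candidates:
                if cand in words:
                    rest = rec(j + 1)
                    if rest is not None:
                        return [cand] + rest
        return None

    return rec(0)


def is_weak(pw):
    """True when the password is just leet-mangled dictionary words."""
    return segment(pw) is not None
```

Both passwords from the post score the maximum on the naive check yet decompose completely into wordlist entries, which is exactly what a leet-aware cracking rule exploits.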

QOTD on Roman Aqueducts & the Power Grid

Design decisions should anticipate changes over time to environmental and system factors, including security. Perceptions often lag reality, and it can be costly to weigh your options or implement changes only after security threats become too great to ignore. Built-in security is cheaper and more effective than trying to retrofit it after the system has already been placed into operation. Once the last brick has been placed, infrastructure design decisions have been 'cast in stone,' and like the aqueducts, are built to last and hence not easily changed or replaced.
The CSO Online article draws many good parallels between the significance of the Roman aqueducts' designs and the current efforts to modernize the power grid into a "smart grid".

Src: 4 Things the Roman Aqueducts Can Teach Us About Securing the Power Grid | CSO Online

QOTD on Cyberwar

In this fog of [cyber] war, anonymity means stealth, deniability and lack of options to respond. If the US cannot respond, its deterrence fails.

Src: The US will lose its battle in cyberspace without a leader at the helm | Foreign Policy Journal

QOTD - Deloitte on InfoSec Castles and Moats

Deloitte's new report entitled "Intensive Risk, Elusive Value: A Risk Intelligent Executive's Guide to Security and Privacy," is targeted at board members and executives who might be wondering "Could this happen to us?" Here are a few interesting quotes to get you motivated to read the full document (see link below).
Data and information, the crown jewels of your enterprise, can no longer be defended in the manner of a moated castle, with security measures applied around the perimeter. Today, the moat has been drained, the walls toppled, and the assets scattered across the countryside.
And my new favorite:
Business as usual is business at risk.
Src: www.deloitte.com/us/RIExecGuideSandP

QOTD - InfoSec Threats, Predators, and Fruit Trees

Bill Lamoreaux, a member of the Security Metrics mailing list, wrote the following in reply to a posting about what infosec managers should do in the face of ever changing threat environments:
Infosec managers are more like vegetation on the savanna. If you're a tall tree with juicy fruit, you're going to have different predators (attackers) than if you're grass on ground. You're going to deal with common threats (fire, flood, etc) no matter what type of vegetation you are, but knowing who your primary predator(s) are, will go a long way in assisting with defending yourself against targeted attacks. Using the fruit tree example, having spines on your branches and making sure they're of a minimum length (compliance) to keep most of the giraffe at bay, will assist you in keeping more fruit on the branches and less in your predator's stomach. If you're not assessing who your primary predators are (along with their skills, motives, objectives, etc) and what you need to defend, you're shooting in the dark and might as well grasp at the straws of compliance until you get some proper defenses up.

Logging, measuring and digesting information is vital to the evolution of our security approaches. It allows us to answer the Ed Koch catchphrase "How'm I doing?". If you don't know how you're getting attacked (and how effective you are against those attacks), you can't change your defense strategy (or worse, your defense philosophy).
[posted with permission of the original author]

QOTD on the Underground Economy

Every business model that exists in the legitimate business world is replicated in the criminal world, to the point that we see malware with service level agreements.
[...]
The weakest link in the chain when it comes to security is people. And people continue to be more exploited than systems and they will continue to be more exploited than systems. Consequently this also means we will see a rise in voice attacks and things like voice-over-IP might add to this. -- Rik Ferguson, senior security analyst and solutions architect at Trend Micro
Src: Know your enemy | ITP.net

QOTD on CEO/Security Disconnect

What the [security] industry has generally missed is that it is the business information that should be protected, and not the physical assets that are used to store, process, or transmit the information. -- Gerry Chng, partner of advisory services at Ernst & Young.
Gerry Chng made another good point when he said, earlier in the article:
The disconnect seems to arise from the fact that IT is typically managed by technologists, who place emphasis on relying on technology to solve security issues. Over the years, we have seen the obsession with hype on technology, where IT tries to secure the infrastructure and tangible assets, [such as] data centers, servers [and] databases.
Src: IT security needs 'healthy' C-level tension | ZDNet Asia