QOTD on Cyberspace

The velocity of change in cyberspace should make “operational surprise” not a surprise at all, but a condition that is expected and must be managed. -- Report of the Defense Science Board, 2008 Summer Study on Capability Surprise (Vol 1).
Src: Report of the Defense Science Board, 2008 Summer Study on Capability Surprise (Vol 1).

QOTD on Fraud & Denial

Nobody really likes to know that a fraud is occurring under their noses. I have had fraud victims in complete denial when you show them all of the evidence of what has been transpiring and what has been transpiring for some time; where I have actually said 'We want to do a full investigation, can we pursue this?,' and they are so in denial in the 'it can't happen here' that it's hard to understand. People should look within their own organizations. They see fraud on the outside and they wipe their brow and say 'Whew, it hasn't happened to me!' But as I said, fraud is hidden so they are not going to know it; it is not going to rear its ugly head as obviously as one might think. -- Allan Bachman, Education Manager for the Association of Certified Fraud Examiners (ACFE)

Src: Fighting Fraud - Allan Bachman, Association of Certified Fraud Examiners

QOTD - Bejtlich & Romans

I'm wondering if the Roman Senate debated Imperial immigration policy while Vandals trashed Rome, like current FISMA fans debate 'controls.' -- Richard Bejtlich, Director of Incident Response for General Electric
Src: I'm wondering if the Roman.. | Richard Bejtlich's Twitter Account

QOTD on Double-Edged Cyber-Weapons

Once you introduce them [cyber-weapons] to the battlefield, it's trivially easy for the other side to capture your artillery, as it were, and then use it against you if you're not already inoculated against it, and then against other friendlies. -- Ed Skoudis, InGuardians co-founder & SANS instructor
Src: The Cyberwar Plan | National Journal Magazine

QOTD on Cyber Adversaries

No matter how good technology is, the adversary always has an advantage because the defense sets up the game plan, sets up the rules, and then the adversary, the attacker can try to figure out ways to cheat. -- Dickie George, the National Security Agency's Information Assurance Directorate technical director
Src: Thinking Like a Hacker: Dickie George, Technical Director of Information Assurance, National Security Agency

Cybercrime - How did we get here?

A security vendor's view of why cybercrime is so prevalent:
Firstly, cybercrime is low risk; since it transcends geo-political borders, it is difficult for law enforcement agencies to catch the perpetrators [...]
Secondly, cybercrime is easy: there is extensive documentation on hacking and virus writing freely available on the Internet, meaning that no sophisticated knowledge or skill is required.
These are the two main factors which have led to cybercrime becoming a multi-billion dollar industry, truly a self-sustaining ecosystem of its own.
-- Costin Raiu, Chief Security Expert for Kaspersky
Src: Browsing malicious websites | Viruslist.com

QOTD on Securing Data

Our task is not getting any easier; the sum total of information in the world grows continually and permeates everything we do and everywhere we go. While the majority of the attacks remain rather mundane, the criminals are adapting to our current protection strategies and inventing news ways to attain the data they value. -- Peter Tippett, VP of research and intelligence for Verizon Business Security Solutions
Src: Data Breaches Continue to Soar | eWeek.com

QOTD - FBI on Cyber Threat

The FBI considers the cyber threat against our nation to be one of the greatest concerns of the 21st century. -- Steven Chabinsky, deputy assistant director of the FBI's cyber division
Src: NSA Is Giving Microsoft Some Help On Windows 7 Security - The Two-Way - Breaking News, Analysis Blog | NPR

QOTD on Cyberspace

Cyberspace has no boundaries. It's just everywhere, and it permeates everything we do.... We continue to improve our capabilities, but so do the adversaries. -- Retired US Air Force Lt. Gen. Harry Raduege, who ran the Defense Information Systems Agency from 2000 to 2005
Src: The Cyberwar Plan | National Journal Magazine

FBI's View of the Cyber Threat

From Steven R. Chabinsky's testimony, “Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace,” before the Senate Judiciary Committee, Subcommittee on Terrorism and Homeland Security:
The most sophisticated actors have the ability to alter our hardware and software along the global supply chain route, conduct remote intrusions into our networks, establish the physical and technical presence necessary to re-route and monitor our wireless communications, and plant dangerous insiders within our private sector and government organizations. The actors that currently have all of these capabilities — which is a finding that is distinct from whether and when they are using them — include multiple nation states and likely include some organized crime groups.

In the cyber realm, the technical positioning an adversary requires to steal data typically provides them with the very same access and systems administrator rights that could be used for destructive purposes. As a result, our adversaries' use of Computer Network Exploitation — the ability to monitor our networks and steal our secrets — might simultaneously provide them with pre-positioned capabilities to conduct Computer Network Attack — the ability to deny, disrupt, degrade, or destroy our information, our networks, and the infrastructure services that rely upon them.

-- Steven R. Chabinsky, Deputy Assistant Director, Cyber Division, FBI
Src: View a Hearing or Meeting

QOTD on Patch Tuesday

Patch Tuesday is simply a hacker notification system that over 200 million systems are now vulnerable and they probably won't get patched in the next three months. It's a hacker notification system. -- David Rice, author of Geekonomics

I'll admit it, this is one of my favorite information security quotes.

Src: Risky Business #78 -- Geekonomics author David Rice | Risky Business

QOTD on Possible Federal Data Breach Law

Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn't make sense from a cost or efficiency point of view. I'd hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. -- Phil Neray, VP of Guardium
Src: Federal data breach notification standard must pre-empt state laws | Nextgov

QOTD on Web2.0

We know that workers are using these applications [web 2.0 or "enterprise 2.0"] to help them get their jobs done, with or without approval from their IT departments. And now we know this is happening much faster than anticipated. It's naïve to think that old-school security practices can handle this deluge. Organizations must realize that banning or allowing specific applications in a black-and-white fashion is bad for business. They need a new approach that allows for shades of gray by enforcing appropriate application usage policies tailored for their workforce. This is a radical and necessary shift for today's IT security professionals. -- Rene Bonvanie, VP Marketing, Palo Alto
Src: Social networking — and its risks — are exploding in enterprise networks | GCN

QOTD on Win7 & Malware

It’s not so much about technology any more. It’s just as much about social engineering that can trick you into giving them money, regardless of what kind of operating system you’re on. -- Petter Laudin, Managing Director (UK & Ireland), Panda Security

Src: Windows 7 users have the same old security problems | IT PRO

QOTD on Managing InfoSec Risks

Managing information security risks requires an approach that is flexible and focused on what matters most to the organization, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs. -- Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services
Src: Former employees a growing IT security threat | Ernst & Young

QOTD - Pescatore on Threats vs Humans

It is important to educate people, but we have to realize human behavior will always change much more slowly than the threats do. -- John Pescatore, VP and Distinguished Analyst with Gartner, Inc.
Src: Gartner's John Pescatore on 2010 Threats, Trends | BankInfoSecurity.com

Microsoft's Security Development Lifecycle

Microsoft has recently released an update to its Security Development Lifecycle (SDL) meant to address the need for security in the agile development process. The document defines Microsoft's process, termed Secure by Design, Secure by Default, Secure in Deployment, and Communications (or SD3+C). The section below, quoted from the document, lists the products and services that are required to adopt the SDL process. This seems to cover basically every piece of software that Microsoft makes.
What Products and Services Are Required to Adopt the SDL Process?
  • Any software release that is commonly used or deployed within any organization, such as a business organization or a government or nonprofit agency.
  • Any software release that regularly stores, processes, or communicates PII or other sensitive information. Examples include financial or medical information.
  • Any software product or service that targets or is attractive to children 13 years old or younger.
  • Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:
    • Always online. Services provided by a product that involve a presence on the Internet (for example, Windows® Messenger).
    • Designed to be online. Browser or mail applications that expose Internet functionality (for example, Microsoft Office Outlook® or Microsoft Internet Explorer®).
    • Exposed online. Components that are routinely accessible through other products that interact with the Internet (for example, Microsoft ActiveX® controls or PC-based games with multiplayer online support).
  • Any software release that automatically downloads updates.
  • Any software release that accepts or processes data from an unauthenticated source, including:
    • Callable interfaces that “listen.”
    • Functionality that parses any unprotected file types that should be limited to system administrators.
    • Any release that contains ActiveX controls.
    • Any release that contains COM controls.

Src: Microsoft's Security Development Lifecycle

QOTD on the State of Information Security

The likeliest future state of security can be characterized as a Perpetual Arms Race, between hackers and criminals on one side and enterprises and governments on the other side. -- Joseph Feiman, John Pescatore, Neil MacDonald
Src: Security in 2013 and Beyond | Gartner, Inc.

QOTD on Cyberwarfare

In the Cold War, there was symmetry in vulnerabilities – each side had cities and populations that the other could hold hostage. That symmetry no longer exists. The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange. -- James Lewis, Center for Strategic and International Studies

Src: Report: Cyberterror Not a Credible Threat | Threatpost

QOTD - Schneier on AntiVirus

Antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. -- Bruce Schneier, Chief Security Technology Officer of BT Global Services
Src: Schneier-Ranum Face-Off: Is antivirus dead? | Information Security Magazine

The state of the [security] industry

The thought leaders in security have come to realize that even strong defenses are penetrable. They understand that in spite of the millions of dollars spent and their best efforts, enterprises are already compromised and will continue to be compromised for the foreseeable future, and that all of the vendor and marketing claims and promises are not about to change that very cold and stark reality. If anything, the increasing complexity of technology has increased the ease with which easy-to-use advanced threats can impact enterprise business environments with little care for their state of compliance with meaningless regulatory mandates. While expecting perfect protection is a failed strategy, many on the leading edge are learning to operate in environments they suspect of being partially compromised and increasingly focus their efforts on the ability to understand incident scope, impact and validate cleanup. -- Amit Yoran, CEO of NetWitness
The entire article is full of insightful comments by many key players in the information security space. Absolutely worth the 5-10 minutes it will take you to read it, even if you find yourself disagreeing with some of the opinions.

Src: The state of the industry | SC Magazine US

QOTD on Fighting Malware in the Future

In the future, it seems the most successful criminal malware will be super-stealthy infections that users don't even know they've got. If that happens, a co-operative community of antivirus companies, researchers, ISPs, police forces and other government agencies may be our only hope. -- Jack Schofield
Src: Malware: the net's silent assassin | Technology | The Guardian

QOTD on Data Permanence

Information doesn't fade the way it used to. Documents that once upon a time could be counted on to be filed and forgotten are now finding an afterlife in digital, searchable form. -- Martin Kaste

Src: Digital Data Make For A Really Permanent Record | NPR.org

QOTD on Malware

Last year [2008], the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. -- Roger A. Grimes
Src: InfoWorld review: Whitelisting security comes of age | Infoworld

QOTD on Data Deluge

The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. -- Ron Deibert, director of the Citizen Lab, a principal with the SecDev Group, & cofounder of and principal investigator for the Information Warfare Monitor.
Src: Smarter sleuthing can save our online privacy | The Globe and Mail