QOTD on Outsourcing & Con-men

When you've outsourced almost all of your technically skilled staff, you're an easy mark for con-men because you no longer have people who can look at stuff like this and tell it's obviously unworkable. -- Marcus Ranum, CSO Tenable Network Security
Src: SANS NewsBites Vol 11 Num 101

QOTD - Pescatore on Facebook

Facebook should get smacked around for playing games with consumers' private data. However, anyone who trusts consumer-grade services whose revenue is all from selling advertising around users' data is probably also putting out milk and cookies for a jolly man who will come down the chimney with really neat toys next week. -- John Pescatore, Vice President at Gartner Inc
Src: SANS NewsBites Vol 11 Num 99

QOTD on Authentication

Authentication will not be able to solve the untrusted platform problem. If you use a compromised system, authentication doesn't matter. Out-of-band communication will only work if the out-of-band channel and associated hardware is secure, which may be questionable if devices like smartphones are used. -- Dr. Johannes Ullrich, CTO of the Internet Storm Center & Dean of the Faculty of the graduate school at the SANS Technology Institute.
Src: SANS NewsBites Vol 11 Num 98

QOTD on Conficker

The more advanced malware doesn't take orders until the orders are signed. MD6 within Conficker is exactly for this. The only party with secret keys are the worm's authors.

This wasn't just an existing gang writing yet another worm, this was guys who were thinking differently. Maybe they'll never return to their bot, but they could be waiting for us to pay less attention to it. They know that it will not be monitored forever.

-- Mikko Hyppönen, Chief Research Officer at F-Secure Corp.
Src: Security researchers continue hunt for Conficker authors | SearchSecurity.com

QOTD on Cyberspace

Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states. -- Major-General Amos Yadlin, chief of military intelligence for Israel
Src: Spymaster sees Israel as world cyberwar leader | Reuters

QOTD on CISO-CEO divide

If you sit in a CISO position and you can’t meaningfully talk about measures of risk and layers of risk, you’re probably not going to be successful. You can spend all your money having the latest virus protection put on your PCs and miss the fact that you’ve got massive enterprise risk because of vulnerabilities to the power infrastructure or legal liabilities of doing business in certain countries. -- Michael D. Capellas, Chairman & CEO of First Data
Src: Bridging the CISO-CEO Divide: Recommendations from Global 1000 Executives and a Fortune 500 CEO | RSA

QOTD by David Rice

Because software creates the environment of cyberspace, small elements of disorder in software (like software bugs), may lead to greater elements of disorder (like exploitation of vulnerabilities), which ultimately lead to more serious forms of crime (like cyber crime and cyber espionage). Historically, software manufacturers have not been liable for broken windows (software defects), even though software applications have been—and continue to be—shipped with an unknown number of latent and preventable weaknesses. Software does not 'break' in use, as do physical products. Software is shipped by the manufacturer already broken (with the extent of the 'brokenness' discovered at some later, unknown time). -- David Rice, author of Geekonomics: The Real Cost of Insecure Software
This is one of my favorite mental images for understanding the nature of software and cybercrime.

Src: Broken Windows Revisited: Why Insecure Software and Security Products Hurt the Global Economy - CSO Online - Security and Risk

QOTD on Risk & the State

How safe people feel depends, amongst other things, on whether they trust the institutions that make statements about risks. This applies to the assessment of the safety of technical systems as well as to food or public safety. Transparent communication of the risk assessment process with the participation of all the stakeholders and of the derived risk avoidance measures is, therefore, important in order to tackle the frequent discrepancy between the individual’s perceived degree of safety and the objectively measured degree of safety. This is particularly the case when questions are asked about which risk is acceptable and how much protection should be offered. In this context risk communication must not only reduce the gap between the individually perceived lack of safety and the objective level of safety. It must also highlight the limits to state action and demonstrate that increased safety for instance in the fields of crime prevention and public security may entail a loss of freedom or self-determination. Particularly in the field of precautionary measures this is a difficult balancing act. Where does the state’s duty of care end and where does state paternalism begin? The experts at the conference were not able to provide a definitive answer to these questions. -- Federal Institute for Risk Assessment (BfR) in Germany. Slides from Stakeholder Conference “Safer than safe? Legislation, Perception and Reality of State Risk Prevention” are available (in German) on the BfR website at www.bfr.bund.de
Src: How safe is safe? Conference explores the opportunities and limits of state risk prevention

QOTD on Attacker's Advantage

The advantage clearly lies with the attackers who only have to find a single vulnerable spot, as security defenders try to identify and then plug every possible hole.
The information security industry is responding to try to safeguard access to data but it is a fast-changing world and even compliance with current standards does not ensure protection or make you more secure. The past does not allow us to predict the future in information security and just because it hasn't happened yet does not mean it won't happen in the future. -- Dimitrios Petropoulos, Managing Director of Dubai-based Encode Middle East
Src: Corporate Information Security Comes Under Attack From Organised Crime as

QOTD on 2010 Infosec Skills

Information security professionals must focus on their prioritization skills and show their ability to think strategically and creatively to come up with ways to solve problems 'on the cheap.' -- Lee Kushner & Mike Murray

Src: Entering 2010: The economy and the state of information security

QOTD on Digital Forensics

Digital forensics is much harder than crime forensics. When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened. -- Dan Kaminsky, Director of Penetration Testing at IOActive
Src: Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel - breaches/Security | DarkReading

QOTD on Easy Targets

Once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you. -- Jim Jaeger, Director of cyber defense & forensics at General Dynamics Advanced Information Systems
Src: Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel - breaches/Security | DarkReading

QOTD - Pescatore on Online Privacy

When you use free consumer-grade services like web mail and social networks and the like, you have sold your privacy away. -- John Pescatore, VP Gartner Inc.
Src: SANS NewsBites Vol 11 Num 95

QOTD on Cybercrime

All of the current economic incentives favor cyber attackers -- Internet Security Alliance report "Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model"
Src: ISAlliance Delivers Cyber Security Report | Information Security Resources

QOTD on Privacy

Privacy is not just ethical, but is also good business. -- David Bender, a solo practitioner in Dobbs Ferry, N.Y.
Src: 11 Reasons Why Privacy Helps the Bottom Line | Law.com

QOTD on Passwords

The one consistent thing that stops the internet from being a feeding frenzy for intruders waiting to get at your network is the end-user password.
...
The problem is that once you have compromised a password, it is invisible because the password has allowed you to go in and do what you want. -- Jason Hart CEO of IT at CRYPTOcard Europe
Src: Password purveyor - Security - News & Features | ITP.net

MN-GTS - The State of (In)Security in 2009

Thank you to all who attended my presentation at the 2009 MN-GTS State of (In)Security. The slides and handouts will be available for another 30 days and will then be removed.

Meanwhile, if you have any questions or comments, I'd love to hear them, either on the blog or contact me via email/twitter.