QOTD - ENISA on Smart Phones & Privacy

If you are one of the hundreds of millions of smartphone users worldwide, you probably spend more time with your phone than your spouse: with its array of applications and sensors, it may even know more about you.
-- ENISA Official Press Release

Src: Security, is there an app for that? EU’s cyber-security agency highlights risks & opportunities of smartphones | ENISA

QOTD on SSN use in US Military

I stenciled portions of my Social Security number on my laundry bag in Iraq, where it was memorized by foreign-national laundry workers trying to enhance their customer service. I’d walk in and they’d say, ‘Number 1234, here’s your laundry,’ and they were very proud of that fact.
-- Lt. Col. Gregory Conti, former army intelligence officer, now West Point faculty

Colonel Conti has co-authored a report critical of the military's pervasive use of SSNs. The report is entitled "The Military's Cultural Disregard for Personal Information".

Src: Service Members Face New Threat - Identity Theft - NYTimes.com

QOTD on Stuxnet

Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield.
-- Ralph Langner, of Langner Communications GmbH

Src: Analysis: Stuxnet: A new weapon for cyber insurgents? | Reuters

QOTD - Hutton on the Fallacy of Security as Engineering

A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker. For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air. In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure. At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers. Their sentience includes creativity and adaptability. The wind does not act to deceive. Gravity and rust do not go “low and slow” to evade detection. Rain does not customize its raindrops to bypass umbrellas. But sentient attackers do change to evade defenses and reach their goal.
-- Alex Hutton, who "works in Risk Intelligence for a Fortune-something company." (src: http://newschoolsecurity.com/about/)

Src: What is Information Security: New School Primer « The New School of Information Security

QOTD on Digital World

Now, you have this gray world in which everything overlaps, and everything that's personal is business and vice versa, and now it's a mess.
-- Lewis Maltby, President of the National Workrights Institute

Src: Wipeout: When Your Company Kills Your iPhone : NPR

QOTD on Technology in the Business

Information security affects more organizations on more levels as technology permeates every functional area of a business and more staff members assume the role of knowledge worker.
-- Tim Herbert, Vice President for Research at CompTIA

Src: Security Arms Race Persists: Better Defenses Challenged by New Threats, Vulnerabilities, New CompTIA Study Finds | Business Wire

QOTD - Assante on Stuxnet

Stuxnet is, at the very least, an important wake-up call for digitally enhanced and reliant countries – at its worst, a blueprint for future attackers.
-- Michael Assante, president of the National Board of Information Security Examiners, formerly with the Idaho National Laboratory and CSO at the North American Electric Reliability Corp

Src: Son of Stuxnet? Variants of the cyberweapon likely, senators told - CSMonitor.com

QOTD on e-spying

A knowledge economy needs to protect from exploitation the intellectual property at the heart of the creative and high-tech industry sectors.
-- Iain Lobban, director of Britain's Government Communications Headquarters (GCHQ)

Src: Cyber Threats Very Real For Britain: Official | RedOrbit.com

QOTD on Patient Data

Patient information is like radioactive material [...] It must be protected. It must be contained. It cannot be taken out of the building, sent out of the building, or looked at inappropriately if the employee is not permitted to access it.

The problem is students and employees and younger folks coming into work think of Facebook and Twitter as something you do. Just as you shouldn't be saying anything about patients on the telephone, you shouldn't be Twittering or Facebooking about work.
-- Arthur R. Derse, MD, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin in Milwaukee

Src: Containing the Patient Privacy Breach | HealthLeadersMedia.com

QOTD on Patching

Unlike IT systems, users cannot be patched and will always be vulnerable to manipulation and infection.
-- Uri Rivner, head of new technologies, identity protection and verification at RSA

Src: RSA Europe 2010: Trojans are going after all businesses, not just banks, says security expert - 13/10/2010 - Computer Weekly

QOTD on Smart Grid

The more proliferation there is of intelligent metering and energy usage, the more opportunities there are for attackers.
-- Heath Thompson, CTO at metering company Landis+Gyr.

Src: Cyber attacks on utilities tipped to soar > Application Security > Network Access > Access Control > News > SC Magazine Australia/NZ

QOTD on Communication

The security of corporate information will stand or fall by the ability of the organisation’s various functions to communicate clearly and effectively with one another. It takes all teams to sustain a meaningful dialogue, so a change in mindset is needed from all sides.
-- Richard Sykes, PwC Governance Risk and Compliance Leader

Src: PricewaterhouseCoopers Media Centre - Speaking the same language: Five key steps for the business, IT and security leader
Src: Direct link to article (PDF)

QOTD on the Need for a Security Collective

Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
-- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

Src: The Need for Global Collective Defense on the Internet - Microsoft on The Issues - Site Home - TechNet Blogs

QOTD on Security Hampering Productivity

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems.
-- John Pescatore, VP Gartner Inc.

Src: SANS NewsBites Vol 12 Num 78

QOTD on Stuxnet-like weapons

A cyberweapon like Stuxnet threatens nation-states much more than it threatens a non-state actor that could deploy it in the future. [...]

In short, like every other major new weapons system introduced since the slingshot, Stuxnet creates new strengths as well as new vulnerabilities for the states that may wield it.
-- Caroline B. Glick, writing for The Jerusalem Post

Src: Column one: The lessons of Stuxnet | JPost.com

QOTD on Stuxnet

The Stuxnet worm is a wake up call to governments around the world. It is the first known worm to target industrial control systems and grants hackers unobstructed control of vital public infrastructures like power plants, dams and chemical facilities.
-- Derek Reveron, professor of national security at the U.S. Naval War School in Rhode Island

Src: Stuxnet Cyber Attack on Iran Stirs New Global Awareness | Finance News

QOTD - Distance to Malware

No matter how careful you are, today’s Internet user is usually only two short clicks away from malicious content and an infected computer or network.
-- Charles Renert, Senior Director for Security Research at Websense

Src: Internet Users Are Only Two Clicks Away from Malicious Content

QOTD - Geer on Cyber-Security

Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising.
-- Dr. Dan Geer, CISO of In-Q-Tel, in prepared testimony presented before the U.S. House Subcommittee on Emerging Threats, Cybersecurity, and Science on April 25, 2007.

Src: The Two Most Important Questions in Cybersecurity - The Firewall - the world of security - Forbes

QOTD - Hypponen on Stuxnet

It is rare to see an attack using one zero-day exploit. Stuxnet used not one, not two, but four.
-- Mikko Hypponen, Chief Research Officer at F-Secure

Src: BBC News - Stuxnet worm 'targeted high-value Iranian assets'

QOTD - @EdSkoudis on Security

Just because something is configured 'correctly' doesn't mean that the system is actually secure.
-- Ed Skoudis, co-founder of Inguardians

Src: SANS NewsBites Vol 12 Num 75

QOTD - Pescatore on Malware

Just as we learned years ago in the crypto world that governments and government agencies do *not* have a monopoly on crypto talent, the same is true with malware development. It is a mistake to think that sophisticated malware means government sponsorship - the talent pool putting together financially motivated targeted attacks for cybercrime has been leading the way for a long time.
-- John Pescatore, Vice President at Gartner Inc.

Src: SANS NewsBites Vol 12 No 74

QOTD on Cyber-Crime & Anonymity

Considering the anonymity of cyberspace, cybercrime may in fact be one of the most dangerous criminal threats ever. A vital component in fighting transnational crime must therefore include the policing of information security and the provision of secure communication channels for police worldwide based on common standards.
-- Ronald K. Noble, INTERPOL Secretary General

Src: DigitalIDNews | INTERPOL: Online ID needed

QOTD - Herzog on Security

If we keep doing what we know doesn't work even "good enough", why keep doing it? It wasn't until we accepted that there are things we can never reliably know that we knew we had better find the limits to that which we did know. So then at least we'd have that going for us. For example we know that we can't reliably determine the impact of a particular vulnerability for everyone in some big database of vulnerabilities because it will always depend on the means of interactions and the functioning controls of the target being attacked.
-- Pete Herzog, managing director of ISECOM

Src: Better Security Through Sacrificing Maidens | InfoSecIsland.com

QOTD - Stiennon's Security Principles

  1. A secure network assumes the host is hostile
  2. A secure host assumes the network is hostile
  3. Secure applications assume the user is hostile

Src: 3 Simple Security Principles | Focus.com

QOTD - Northcutt on CIA

Confidentiality, integrity and availability are always important, but master the skill of knowing which one is most important for a given business, system or file routine.

-- Stephen Northcutt, CEO of SANS Technology Institute

Src: Advice to Security Pros: Learn Chinese

QOTD on Sound Security Investments

Put simply, this means that spending hundreds of thousands of Pounds, Euros or Dollars on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organization as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process.
-- Ray Bryant, CEO of idappcom

Src: The buck stops here: why the CEO is responsible for everything

QOTD - Jaquith on Zero-Trust Model of Information Security

This article, written for ComputerWeekly.com by Forrester Research's Andrew Jaquith, is a must read in its entirety. Here's a snippet to whet your appetite:
Successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all.

Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile.
Some of the important concepts include:
* Thin client: process centrally, present locally
* Thin device: replicated data, with device-kill for insurance
* Protected process: local information processing in a secure "bubble"
* Protected data: documents protect themselves regardless of location
* Eye-in-the-sky: know when important information leaves

Src: Own nothing – control everything: five patterns for securing data on devices you don’t own - 08/09/2010 - Computer Weekly

QOTD on Mobile Security

Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn't mean an attacker can't load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption, and ultimately crack the site -- and the main data store behind it.

It's like having two doors to your bank vault.

Web applications of today are like the highly guarded front door fortified by mature security practices and fully capable of stopping an intruder. Mobile APIs are like the unguarded back door -- offering far easier access to would-be attackers.
-- Pete Soderling, founder of Stratus Security

Src: Technology News: Mobile Tech: The Ultimate Jailbreaker, Part 3

QOTD on Privacy

Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies.
-- Marc Davis, Partner Architect at Microsoft Online Services Division

Src: Microsoft's Davis on Privacy: Your Digital Life Data is Bankable Currency | NetworkWorld.com


If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack.
-- George Kurtz, worldwide CTO for McAfee

Src: Lessons learned from investigating the Google attacks -- Government Computer News

QOTD on Insiders

Insiders do not attack – instead they use legitimate accesses in support of their operations.
-- DARPA (US) Broad Agency Agreement for Project CINDER

Src: DARPA-BAA-10-84, Cyber Insider Threat (CINDER) Program | FedBizOps

QOTD on Online Privacy

As social media become more embedded in everyday society, the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions and social slips. But people will not abandon social media, nor will privacy disappear. They will simply work harder to carve out a space for privacy as they understand it and to maintain control, whether by using pseudonyms or speaking in code.
-- Danah Boyd, fellow at Harvard University's Berkman Center for Internet and Society

Src: Why Privacy Is Not Dead | Technology Review

QOTD - Geer on Risk & Dependencies

The root source of risk is dependence — dependence on system state, including dependence on expectations of system state reliability. Indeed, my definition of security has co-evolved with my understanding of risk and risk’s source, to where I currently define security as the absence of unmitigatable surprise. Thus, increasing dependence results in heightened difficulty in crafting mitigations. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
And that is the crux of the matter: our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable. That sounds more apocalyptic than I intend, but the competent risk manager always asks, “How bad could it be?” or, in the altogether American tortious style, “Who will have to pay?”
-- Dan Geer, Chief Information Security Officer for In-Q-Tel

Note: emphasis is mine

Src: Cybersecurity and National Policy | Harvard National Security Journal

QOTD on Disclosure

Thinking that there's no one else out there who knows the details of a given zero-day flaw is one of the things that leads to ridiculously long gaps between disclosure and the release of a patch. Even in the case of a vulnerability for which all of the details aren't public, a bit of information combined with a short window of time before a patch is available can give attackers the head start they need to launch mass exploits.
-- Dennis Fisher, Editor at ThreatPost

Src: Why Vulnerability Research Matters | threatpost

QOTD on Ostriches

If you bury your head in the sand and you're unwilling to learn the methods of the bad guys you're more susceptible to fall for them.

-- Chris Hadnagy, Operations Manager for Offensive Security

Src: Social Engineering 101 (Q&A) | InSecurity Complex - CNET News

QOTD on Security Culture

I find it interesting to compare and contrast the differences in information security emphasis and skills across the world. In the USA, for example, it's clear that technology rules. In the UK, process is King. (Our legacy to the world is ISO 27000). In the rest of the World, however, it's generally people and culture that top the agenda.
-- founding director of the Jericho Forum and the Institute for Information Security Professionals

Src: Security awareness in different cultures - David Lacey's IT Security Blog

QOTD by Google CEO

I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time. [...] I mean we really have to think about these things as a society.
-- Eric Schmidt, CEO of Google

Src: Holman W. Jenkins, Jr.: Google and the Search for the Future - WSJ.com

QOTD on Social Engineering

The thing [about social networking] that hasn't changed is the human factor. People are trusting of other people, especially if there is a request for help. One of the biggest things that worked for the Capture the Flag contest at Defcon was a contestant who said "Can you please help me with this?" Asking people for help, the human vulnerability, has not changed over the years [...] There is an inherent desire for people to help other people. There are trends of a positive nature, but they still get exploited. People are more security conscious today [...] The negative is we're so desensitized to certain attacks that we don't take notice to things that are occurring to us right under our nose.
-- Chris Hadnagy, Operations Manager for Offensive Security

Src: Social Engineering 101 (Q&A) | InSecurity Complex - CNET News

QOTD - Ranum on Terminals

It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.

-- Marcus Ranum, CSO of Tenable Network Security

Src: Ranum: Be Serious about Cybersecurity

QOTD - Code-powered Cars?

It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway, and this software is only going to get more complex.

-- Robert N. Charette, writing for IEEE Spectrum

  1. The "100 million" number is based on a quote in the article by Prof. Manfred Broy, a professor of informatics at Technical University, Munich.
  2. The article also lists figures (in millions of lines of code, or MLoC) for other technologies: F-22 Raptor (1.7MLoC), F-35 Joint Strike Fighter (5.7MLoC), and the Boeing 787 Dreamliner (6.5MLoC).

Src: IEEE Spectrum: This Car Runs on Code

QOTD on Malware

They’ll [i.e. hackers will] use the headlines of the day as bait. The malware will install itself on the user’s desktop or laptop, then dial out to another machine and say, ‘I’ve infected this organization, come do something.’

-- Wade Baker, director of risk intelligence for Verizon Business

Src: How hackers use the World Cup and Chelsea Clinton to steal your data -- Washington Technology


When a laptop is stolen, 99 percent of the time the [perpetrator] doesn't know he's got SSNs on it.

-- Thom VanHorn, VP of marketing for AppSec

Note the obvious bias due to the position of the person making the statement. Still, if the number is sound, it illustrates the current state of (in)security due to the lack of oversight of sensitive data.

Src: Six Florida Colleges Victims Of Widespread Data Breach - DarkReading

QOTD by Google CEO

If I look at enough of your messaging and your location, and use Artificial Intelligence, we can predict where you are going to go.

Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the Internet? You've got Facebook photos!

-- Eric Schmidt, CEO of Google

Src: Google CEO Schmidt: "People Aren't Ready for the Technology Revolution"

QOTD on Security Skills

[Information security] professionals today are required to quickly detect and understand relationships and patterns within information and data to enable accuracy, timeliness and reliability of information to decision-makers for effective response.
They need to understand the dynamics of their environment, gather metrics to know whether their controls are working, and then have the time to perform tool gap analysis to determine if a new technology or tool suite would fit better in their environment.
This calls for a complete situational awareness across technology silos that enables detection of complex information and data patterns to quicken response time within organizations.
-- Seth Kulakow, former CISO for the Colorado Governor's Office of Information Technology

Src: Situational Awareness: A Must | BankInfoSecurity.com

QOTD on Hackers Winning

Why do hackers succeed? They're lucky, they're patient and they're brilliant. They're also better funded than you.
-- John Stewart, vice president and chief security officer, Cisco

Src: Hackers winning the security battle, says Cisco - Yahoo! News UK

QOTD on Cyber-crime & 0-day flaws

The cybercrime ecosystem continues to thrive without the need for zero day flaws, and it will continue to as long as millions of end users continue getting exploited with 6+ months old flaws.
-- Dancho Danchev, writing for ZDNet

Note: the entire article is worth reading as it provides a balanced perspective on zero-day exploits and their use in known cyber-crimes.

Src: Seven myths about zero day vulnerabilities debunked | ZDNet

QOTD - Hayden on The Cyber World

You guys made the cyber world look like the north German plain, and then you bitch and moan because you get invaded. We all get treated like Poland on the web, invaded from the west on even-numbered centuries, invaded from the east on odd-numbered centuries.

The inherent geography of this domain – everything plays to the offense. There's almost nothing inherent in the domain that plays to the defense. That really affects how you think about it when you're a GI.
-- Michael Hayden, retired General, former head of the CIA & NSA

Src: Fog of cyberwar: internet always favors the offense • The Register

QOTD on SmartGrid's Off-Switch

We’re about to acquire a significant new cyber-vulnerability. The world’s energy utilities are starting to install hundreds of millions of ‘smart meters’ which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.

The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker – whether a hostile government agency, a terrorist organisation or even a militant environmental group – the ideal attack on a target country is to interrupt its citizens’ electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.

Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability[...]
From the abstract section of a paper by Ross Anderson and Shailendra Fuloria entitled "Who controls the off switch?"

Src: Light Blue Touchpaper » Blog Archive » Who controls the off switch?

QOTD - Hayden on Cyber

Cyber is a domain like land, sea, air, and space. The difference is that God made four and you made the last one. God did a better job.
-- Michael Hayden, retired General, former head of CIA & NSA

Src: US flank exposed on cyber war front: Hayden - Yahoo! News

QOTD on State of Security

Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future...

While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they're finding new and interesting ways to stay hidden all the time.
-- Dennis Fisher, editor at Threatpost.com

Src: Persistent, Covert Malware Causing Major Damage | threatpost

QOTD by FBI AD on Cyber-Underground

The potential for considerable profits is enticing to young criminals, and has resulted in the creation of a large underground economy known as the cyber underground. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language, a set of expectations about its members’ conduct, and a system of stratification based on knowledge and skill, activities, and reputation.

One of the ways that cyber criminals communicate within the cyber underground is on website forums. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
-- Gordon M. Snow, Assistant Director, U.S. Federal Bureau of Investigation

Src: Federal Bureau of Investigation - Congressional Testimony

QOTD - Dealing with Today's Threats

You have to assume they're going to get in.
So, the art form here [i.e. dealing with the current attack landscape] is to figure out who's in your network, good or bad, figure out what they're doing, identify whether it is consistent with or contrary to all the policies you have to put in place to protect all of your information and systems. And, finally, once you determine if somebody is in there and doing something that you don't like ... figure out how to stop it, and figure out how to stop it quickly so that they don't do more than acceptable levels of harm. That's a new model; that's an entirely new prospect, and it requires new kinds of skills, new monitoring and controls technologies and new kinds of responses.

-- Preston Winter, former NSA CIO

Src: Living with IT Security Breaches | BankInfoSecurity.com

QOTD on SmartPhone Hacking

Eventually, virus writers will realize it is easier to make money by infecting phones than it is by infecting computers...
And, of course, there are more phones on this planet than there are computers.
-- Mikko H. Hyppönen, F-Secure Chief Research Officer

Src: AFP: Smartphones tempting new targets for hackers

QOTD on Online Privacy

Tiny pieces of disparate data are being mashed together to create a digital profile of you in detail you never thought imaginable. Whether you stay up late at night or have ever complained about a company could affect your employability. Whether you have expensive spending habits may affect if someone will invest in your company or date you.
-- Michael Fertik, ReputationDefender

Src: Technology and society: Virtually insecure | FT.com

QOTD on Governance

In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off. Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'
-- Alex Eckelberry, General Manager of GFI

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD on a New IT Reality

It's a reality most people charged with safeguarding IT systems recognize but don't like: Their systems will be breached. And, it's a fact of life that information security professionals must deal with.

Src: Living with IT Security Breaches | BankInfoSecurity.com

QOTD on Attacks

[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in.
Thus the need to train employees to think before they click as traditional security controls alone may not be sufficient to protect users from all online threats. As Alex puts it,
If it is a targeted attack, that is going to be problematic. The vast majority of malware is customized every day, and so signature-based solutions are of limited use.
-- Alex Hutton, principal on research and intelligence for the Verizon Business RISK team

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD - The Internet Never Forgets

The fact that the Internet never seems to forget is threatening, at an almost existential level, our ability to control our identities; to preserve the option of reinventing ourselves and starting anew; to overcome our checkered pasts.
-- Jeffrey Rosen, a law professor at George Washington University

Src: The Web Means the End of Forgetting - NYTimes.com


A lot of people will buy one [security] product and expect it to do everything -- and it doesn't. In the past, you could rely on your AV product to catch everything, but it can't anymore. 
-- Alex Eckelberry, General Manager of GFI

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD on SAS-70

Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is.
-- Jay Heiser, Research Vice President at Gartner, Inc

Src: SAS 70 is not proof of security, continuity or privacy compliance: Gartner

QOTD - Dan Geer, from 2006

When attackers assume little if any risk to make an attack, they will attack with abandon. When attackers can use automation, they will attack with vigor. When attackers’ fundamental operational costs are a mere fraction of defenders’ fundamental operational costs, the attackers can win the arms race. When attackers can mount assaults without warning signs, defenders must always be on high alert. All of these things can be obtained in the digital arena, and when that happens, the only strategy is worst-case preemption. This is true in the world of terrorism but truer yet in the digital world.
-- Dan Geer, then VP and Chief Scientist of Verdasys, now Chief Information Security Officer for In-Q-Tel
Src: Playing for Keeps, ACM Queue Vol 4, No 9

QOTD - Pescatore on Privacy Violations

Dealing with the impact of getting caught surreptitiously violating customer privacy, costly. Avoiding violating your customers' privacy, priceless.
-- John Pescatore, VP at Gartner, Inc.
Src: SANS NewsBites Vol 12 No 55

QOTD on Social Networks

Anyone who visits a social networking site should know that it's a business model. The service is not free. We users pay for it with our private data.
-- Ilse Aigner, Germany's Consumer Minister
Src: German minister calls for Internet 'honour code'

QOTD on Building Secure Code

For decades, we've taught people how to code, but not necessarily how to code securely.
-- Max Rayner, former CTO at Travelzoo, speaking as a panelist at a recent (ISC)2 conference on Software Security

Src: Insecure software: A never-ending saga - Information Security Magazine

QOTD - Northcutt on Deprovisioning

Whenever you terminate someone who has had system access, it is imperative that you make it impossible for that person to come back into your systems. Stories like this offer a strong argument for two factor authentication and I do not mean "What is your pet's name."
-- Stephen Northcutt, President of the SANS Technology Institute

Src: SANS NewsBites Vol 12 Num 54

QOTD on Cyber Defense

A static cyber defense can never win against an agile cyber offense. You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you.
-- Bruce Held, Intelligence Chief for the US Department of Energy

Src: How To Stop Cyberattacks: Diplomacy. Well, Maybe. | Danger Room | Wired.com

QOTD by Intel CISO

The biggest vulnerability we face today and the future is not the thing that the technical security person would think of, like a botnet or technical flaw, but the misperception of risk.
Today, those threat vectors are so subtle, you don't know that something's gotten installed on your computer. Because the incentive for the intruder is to not make you aware of it.
-- Malcolm Harkins, CISO & General Manager of Enterprise Capabilities for Intel Corp

Src: Intel CISO: The biggest security threat today is ... | Security - IT Management

QOTD on Passwords

Fidelity doesn't pay when it comes to passwords – the most important passwords should be changed every three months. -- Dieter Kempf, a member of the presiding committee of Germany's Bitkom industry association
Src: Passwords: The only constant in life - The H Security: News and Features

QOTD - Pity the modern CIO

Pity the modern CIO who is forced to cut costs, upgrade critical infrastructure and somehow support and secure a myriad of consumer devices that have become as common as paperclips and Post-It notes in the workplace. -- David Needle, West Coast bureau chief at InternetNews.com
Src: What IT Doesn't Know Can Hurt Everyone: Study - InternetNews.com

QOTD on Smart-Grid Privacy

We, Siemens, have the technology to record it (energy consumption) every minute, second, microsecond, more or less live.
From that we can infer how many people are in the house, what they do, whether they're upstairs, downstairs, do you have a dog, when do you habitually get up, when did you get up this morning, when do you have a shower: masses of private data.
We think the regulator needs to send a strong signal to say that the data belongs to consumers and consumers alone. We believe that's a blocker to people adopting the technology.
-- Martin Pollock of Siemens Energy
Src: Privacy concerns challenge smart grid rollout

QOTD - NASA CISO on Secure Software

The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. -- Jerry Davis, CISO for NASA
Src: Federal News Radio 1500 AM: NASA launches software assurance program

QOTD on Privacy Engineers

There doesn't yet appear to be such a thing as a privacy engineer; given the relative paucity of models and mechanisms, that's not too surprising. Until we build up the latter, we won't have a sufficient basis for the former. For privacy by design to extend beyond a small circle of advocates and experts and become the state of practice, we'll need both. -- Stuart Shapiro, Principal Information Privacy and Security Engineer at The MITRE Corporation
Src: Privacy By Design: Moving From Art to Practice | June 2010 | Communications of the ACM

QOTD on PII & De-Identification

Just as medieval alchemists were convinced a (mythical) philosopher’s stone can transmute lead into gold, today’s privacy practitioners believe that records containing sensitive individual data can be “de-identified” by removing or modifying PII [Personally Identifiable Information]. -- Narayanan, A. and Prof. Shmatikov, V.
Src: Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of "personally identifiable information". Commun. ACM 53, 6 (Jun. 2010), 24-26. DOI= http://doi.acm.org/10.1145/1743546.1743558
Direct link to PDF document

QOTD - EU Justice Commissioner on Privacy Laws

We need to find ways to empower web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. -- Viviane Reding, EU Justice Commissioner
Src: EU Data-Protection Laws Need Revamping for Internet Privacy, Reding Says - Bloomberg

QOTD - Salem on the Right Security Focus

The device is not important. The device will change. Who are the people and what is the information we need to protect? -- Enrique Salem, Symantec President and CEO
Src: Cybersecurity Czar: Remember, End Users Are No Security Experts - Security - IT Channel News by CRN

QOTD - Pescatore on the State of Security in 2010

Ninety percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch, or uses of technology in which we made the decision to deploy without putting security controls on it. Less than 1% are zero-day attacks; the other 99% are exploited configurations and unpatched machines that the simplest vulnerability scan would've found.
The bottom line is the attack surface for threats is going up. There are more moving parts in the way we're consuming and delivering IT. ... There's all the opportunity for a bot to take hold. -- John Pescatore, vice president and research fellow at Gartner Research
Src: Gartner: Enterprises must learn to detect botnet threats

QOTD on Your Facebook Data

The gargantuan amount of high-quality user data on Facebook is causing everyone--from marketers to hackers--to salivate like dogs gazing at a steak. They all want a piece of you. -- Narasu Rebbapragada writing for PC World
Src: What Is Your Facebook Data Worth?

QOTD - Ashcroft on Cybersecurity

The protection of our enterprises and the protection of our country both are too important to reserve exclusively to law enforcement or information professionals alone the duty of protection.
The truth of the matter is access is a balancing act that must be at the proper level for appropriate users. And the access meter needs to read 'impossible' for all others. -- John Ashcroft, former US Attorney General
Src: Ashcroft: Cybersecurity Takes a Village - www.esecurityplanet.com

QOTD - Avivah Litan on Cognitive Passwords

Banks and other companies who rely on knowledge-based authentication – the process that asks users ‘secret’ questions that only the legitimate can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times.
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual. -- Avivah Litan, VP Gartner Research
As Avivah explains, it turns out that the crooks are getting the information straight from the data aggregators by spear-phishing their employees.

Src: Avivah Litan — A Member of the Gartner Blog Network

QOTD - PwC on Security Awareness Training

The main objective of any awareness raising approach is that it leads people to demonstrate ‘new’ behaviours. To do this it must answer the question ‘what’s in it for me?’. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.
Src: PwC Report "Security awareness: Turning your people into your first line of defence" (PDF)

Also see: Invest in making employees more alert to security risks, says PricewaterhouseCoopers Human Resources - News | HR News | HR Magazine | hrmagazine.co.uk

QOTD on Cyber Insecurity

Cyber-terrorists have turned Internet technology into a weapon capable of unimaginable destruction. The result is that everyone is a target. -- Josh Zachry, associate director of research operations at the Institute for Cyber Security at the University of Texas at San Antonio
Src: Cyber espionage threatens global security (part 2) | Troy Media Corporation

QOTD - Liberman on those dangerous electronic pipelines

The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe

QOTD on SmartGrid: Money Trumps Security

From a hardware perspective, cell phones today are more secure than many of the smart meters in deployment.
Those meters, however, may be used as attack vectors into the spheres of power distribution and generation, as well as into customer databases at the utilities. They deserve nothing less than the best hardware protection available. -- Karsten Nohl, a security researcher based in Germany presenting at the Ninth Workshop on the Economics of Information Security at Harvard University
Src: Money trumps security in smart meter rollouts, experts say | InSecurity Complex - CNET News

QOTD - Cyber-Security & Squirrels

The truth is also that a well-placed squirrel can wreak almost as much havoc as a cyber attack on a power grid. -- Dr. Charles Palmer, Director of the Institute for Advanced Security, IBM

Src: The State of Cybersecurity

QOTD - Lieberman on cyber bad-guys?

Our economic security, our national security, and our public safety are now all at risk as a result of new kinds of enemies, with new kinds of names like cyberwarriors, cyberspies, cyberterrorists, and cybercriminals. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe

QOTD on Passwords & Lemons

Because ordinary users are unlikely to spot the difference between high and low-quality password implementations, password security in websites can be modelled as a lemons market. In applying this model, insecure sites can beat secure sites in the market with lower deployment costs if password security offers no advantage in gaining users.

Src: The password thicket: technical and market failures in human authentication on the web, Ninth Workshop on the Economics of Information Security (WEIS 2010), 7-8 June 2010, Harvard / USA, 2010.

QOTD on Privacy & Internet

We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems. -- Rebecca MacKinnon of Princeton University's Center for Information Technology Policy
Src: Does Averting Cyberwar Mean Giving Up Web Privacy? : NPR

QOTD - Bonnie, Clyde, & Cybercrime

If Bonnie and Clyde were alive today, they'd be quite amused at just how easy it is to make a dishonest buck. Today's criminals have swapped machine guns and getaway cars for viruses, Trojans, rootkits, and other malicious software. Financial fraud as well as identity and intellectual property theft are the crimes of choice. -- Randy George, writing for InformationWeek
Src: 5 Web Security Best Practices For SMBs -- Web Security -- InformationWeek

QOTD - Economics of Targeted Attacks

The cost of non-scalable attacks is such that very few users are targeted. It further suggests a security investment strategy for Internet users: all scalable [i.e. non-targeted] attacks should be addressed first. Consider the case where Alice’s [a potential victim] email account can be harvested for value $200 by a non-scalable attacker [i.e. a targeted attack]. Alice’s avoidance of harm depends not so much on her security investments, but on the relative worthlessness of other email accounts, from which hers cannot be distinguished. -- Cormac Herley of Microsoft Research, who presented a paper entitled "The Plight of the Targeted Attacker in a World of Scale," at the 2010 Workshop on the Economics of Information Security.

Src: Ninth Workshop on the Economics of Information Security (WEIS 2010) program (PDF)

QOTD on The State of Cybersecurity

As everything on the planet gets more connected, more sensors and more intelligent, everything is getting, well, smarter. Some of these things have never been connected to anything before, whether it's transportation systems, water systems, power, oil and gas, and pipelines, and so on. All these things, as they get connected to be more efficient, have to also be focusing on being more secure. Because, now they are facing risks that they have never had before. And to me that is what cybersecurity is all about. It's about scope. -- Dr. Charles Palmer, Director of the Institute for Advanced Security and Chief Technologist of Cybersecurity and Privacy at IBM
Src: The State of Cybersecurity

QOTD on Cyber-Criminals

Criminals tend to be equal opportunity exploiters. By choosing a topic that inspires passion on both sides, they can get innocent surfers to succumb to their political fervor. -- Chester Wisniewski, Sophos

Src: Twitter malware attack targets Israeli blockade

QOTD - McGraw's Advice to Programmers

It is a myth that you have to have source code to exploit vulnerabilities. You (software developers) need to realize that your software is out there, and you are giving your attacker everything they need to exploit it. -- Gary McGraw, CTO of Cigital
Src: MIT Technology Review

QOTD - Schneier on Hiring Hackers

Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.
Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain.
An employer's goal should be to hire moral and ethical people with the skill set required to do the job.
-- Bruce Schneier, Chief Security Technology Officer of BT Global Services
Src: Weighing the risk of hiring hackers | TechTarget.com

QOTD - Pescatore on Business Priorities

Just as "features and fast to market are more important than security" was baked into the DNA of software companies in the early 1990s, "collect and expose user information" is baked into the DNA of today's generation of companies that sell advertising around other people's data. -- John Pescatore, VP of Gartner Inc.

Src: SANS NewsBites Vol 12 No 44

QOTD - ISACA on Social Media & Security

In a newly released paper entitled "Social Media: Business Benefits and Security, Governance and Assurance Perspectives," ISACA provides guidance for companies to address the increasing presence and relevance of social media while balancing the security and privacy implications. Excerpt below:
The use of social media is becoming a dominant force that has far-ranging implications for enterprises and individuals alike. While this emerging communication technology offers great opportunities to interact with customers and business partners in new and exciting ways, there are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks. There are also significant risks and potential opportunity costs for those who think that ignoring this revolution in communication is the appropriate way to avoid the risks it presents. The only viable approach is for each enterprise to engage all relevant stakeholders and to establish a strategy and associated policies that address the pertinent issues.
Src: ISACA Featured Deliverables

QOTD - Pescatore on OS & Security

The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 12 Num 44

QOTD - Adobe & Security

We're in the security spotlight right now. There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight. -- Brad Arkin, Director for Product Security & Privacy at Adobe
Security vendors & researchers agree on one thing: Adobe PDF & Adobe Flash are hacker favorites, with F-Secure reporting that they were used in 61% of attacks (for Jan/Feb 2010) while Kaspersky's recent report gives them 47% (covering Q1 2010).

Src: Adobe: We know we're hackers' favorite target

QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk-based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real-time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)

QOTD on Aurora Attacks

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.
Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.
When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system. -- David Marcus, Security Research and Communications Manager for McAfee
Note: last emphasis added by me, earlier emphases from original document

Src: Computer Security Research - McAfee Labs Blog

QOTD - Microsoft tooting its own security horn

When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else. And it’s not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others. -- The Windows Blog
Microsoft apparently wrote the post in response to media reports that Google was planning to drop the Microsoft operating systems from its internal systems. While Microsoft has made progress in securing software, there is no reason to get complacent. There are still too many bugs being found, usually fixed in a timely manner, except for those that Microsoft waits seven or more years to fix.

After all, when compared to other major software vendors with less-than-stellar track-records, Microsoft does indeed do a better job at making its products more secure. But more secure than the competition doesn't mean secure.

Src: The Windows Blog

QOTD - Pescatore on Google Wi-Fi Snafu

In business models that depend on getting people to expose information in order to sell advertising around it, it seems like mistakes always seem to fall on the accidentally collecting too much information, versus mistakenly ever collecting too little. -- John Pescatore, VP at Gartner, Inc.
Src: SANS NewsBites Vol 12 Num 41

QOTD - Ranum on Online Privacy

If you don't want to make something public don't blog, facebook, tweet, or otherwise publicly announce it! Three people can keep a secret if two of them are dead and nobody has published it on the Internet for all their 'friends' to see. -- Marcus Ranum, CSO of Tenable Network Security
Src: SANS NewsBites Vol 12 Num 42

QOTD - Pescatore on Facebook & Privacy

There is a big difference between making user privacy controls "simpler" and making user privacy a core feature in all Facebook software development. Especially in a business model in which all revenue depends on getting people to expose information so you can sell advertising around it. -- John Pescatore, VP at Gartner, Inc.
Src: SANS NewsBites Vol 12 Num 41

QOTD - Baker on Risk Models

Wade Baker, of Verizon Risk Intelligence, replying to a post on the Security Metrics mailing list about whether risk models are useful for non-tangible assets (human life or infosec assets that can't easily be quantified):
Having an impact that is extremely high (ie, human life) doesn’t invalidate the use of a risk model. If the probable impact is so high as to be intolerable, that simply means that risk level is intolerable regardless of threat frequency (which means keep spending money). Of course, the question is whether the impact of something (even human life) is truly intolerably high. The government enters wars knowing that life will be lost. I drive my family around in a car knowing there’s a chance of a fatal accident.

As to [whether] the financial models don’t work because governments don’t have profit – governments spend the money of the people. I’d be quite happy if the government spent my money as though they had to be mindful of operating in the black.
Reprinted with permission of the author.

QOTD - Online privacy is like a Tattoo

Posting something online is almost as bad as getting a tattoo. The act of pulling it off or making it disappear ultimately is expensive, and it's never complete. No matter what you do about it, it leaves a little scar. -- Paco Underhill, author of "What Women Want" and "Why We Buy."
Src: In shoppers' online networks, privacy has no price tag

QOTD - Shostack on Infosec & Oil Platform Engineering

Replying to a series of posts on the Security Metrics mailing list about whether information security is (or can aspire to become) an art, a science, or an engineering discipline, Adam Shostack, author of The New School of Information Security, wrote:
I think we're more like oil platform engineers than bridge engineers. Our mistakes are hidden, hard to estimate, and residue is turning up in unexpected places.
Note: posted with author's permission

QOTD on Home Users

Home users remain the most susceptible to infected malware and socially engineered threats, such as advertisements and personal assistance sites. -- Official Microsoft Blog
Src: The Official Microsoft Blog – News and Perspectives from Microsoft : Microsoft’s SIR v8 Offers Insight and Guidance on Cyber Defense

QOTD on PowerPoint

"PowerPoint makes us stupid," said Gen. James N. Mattis of the Marine Corps.

Brig. Gen. H. R. McMaster, in a telephone interview, said about PowerPoint: "It’s dangerous because it can create the illusion of understanding and the illusion of control. Some problems in the world are not bullet-izable."

One slide in particular, packed with minute details, has made the news recently when General McChrystal was reported as saying: "When we understand that slide, we’ll have won the war."

Src: Enemy Lurks in Briefings on Afghan War - PowerPoint - NYTimes.com

QOTD on Malware Kits

Malware kits are developed, released, and updated just like legitimate products – complete with advanced features and minor releases to improve kit effectiveness. -- Official Microsoft Blog
Src: The Official Microsoft Blog – News and Perspectives from Microsoft : Microsoft’s SIR v8 Offers Insight and Guidance on Cyber Defense

QOTD on ATM fraud

Crooks can steal every dime you own in seconds, and you won't even know it. -- Jody Barr, for WIStv.com
Src: ATM skimmers steal your info in seconds, becoming more popular - WIS News 10 - Columbia, South Carolina

QOTD on Malware Kits

People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved.
With an attack kit there is literally 'an app for that' and it is driving the explosive growth in internet-borne threats such as spam and zero-day attacks with new kits popping up every day. -- Bradley Anstis, VP of Technology Strategy at M86 Security.
Src: Russia dominating automated malware kit market - V3.co.uk - formerly vnunet.com

QOTD - Schneier on Privacy

If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy, by giving people control over their personal data is the only solution. -- Bruce Schneier, Chief Security Technology Officer of BT
Src: Google And Facebook's Privacy Illusion - Forbes.com

QOTD on Hackers

The hacking community is an aristocracy. The more skills you have, the higher status you have in the group. -- Max Kilger, a senior member of the non-profit research organization, The Honeynet Project
Src: Security expert predicts criminals to take cyber extortion tactics to the U.S.

QOTD on Social Networks

A perfect storm is developing between the number of people flocking to social networks and the new, increasingly sophisticated malware attacks cybercriminals are launching to prey on the personal data they're sharing. -- Jeff Horne, director of threat research at Webroot
Src: Social Networking Exposes Business Networks to Risk ( - Internet - Security )

QOTD on Security & The Board

The challenge faced by many security professionals today is not that technology is less secure than in the past; it’s more that it’s being implemented without sufficient due diligence. This may be because traditional security practice is perceived as being too slow and onerous, and organisations are actively deciding they don’t want to miss the boat and are prepared to take the risk. Or, it may be because senior business managers are being ignorant and in denial of their responsibilities. The fact is that if something goes wrong, the consequences have to be dealt with by business people, not the techies. But do your senior business execs really understand the extent to which they are responsible for the information held by your organisation?
If we insist on starting with technology, we will always be running after the curve. But at least if we start with people and process, and remember this is fundamentally about the information businesses use on a day-to-day basis, we give ourselves an anchor point to which we can return whenever things change. -- Jon Collins, Freeform Dynamics analyst
Src: Security: Get the board on board - 27 Apr 2010 - Computing

QOTD on Disclosure & Risk

I believe that there is a preponderance of vulnerabilities to the extent that, although patching vulnerabilities does lead to a smaller attack surface, the attack surface is so large that this is inconsequential to the net impact on risk. That is, the reduction in attack surface does not outweigh the increase in threat arising from this discovery and disclosure process. -- Pete Lindstrom, Research Director for Spire Security
Src: Rudeness, risk and vulnerability disclosure | Spire Security Viewpoint

QOTD on Google

They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you've ever sent or received. They know the news you read, the places you go. They're even collecting real-time GPS location and DNS look-ups.
They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about. -- Moxie Marlinspike, Privacy advocate, creator of the GoogleSharing Firefox Addon, speaking at the SOURCE conference about Google
Src: Privacy Tool Sidesteps Google's Data Collection | threatpost

QOTD on Bypassing Security Policies

When companies set unrealistic rules -- like limiting users to a very small email box capacity or restricting the ability to attach files to messages -- users will often find ways to get around them. Their motivation is not to break IT rules, but to get their jobs done. -- Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks
Src: Why Employees Break Security Policy (And What You Can Do About It) - client security/Security - DarkReading

QOTD on Certifications

Certifications mark you as a serious and committed part of the IT arena who is willing to learn new technologies and keep current in an industry that is forever changing. [...] Certifications help set the person that possesses them apart from those who don’t, as a professional who should be respected and sought after.

Src: Vincent Martin, Senior Network Administrator & Owner, Martin Consulting Group, in a LinkedIn discussion post. Used with permission.

QOTD - Brian Snow on Trust

Our society has become too complex. There are too many interwoven inter-dependencies between national players, corporate players, individuals, around the world, to really be able to sort out, and untangle, all these inter-dependencies for actual trust relationships to evolve that you can work with. -- Brian Snow, former technical director, National Security Agency (US). RB 140 podcast, around minute 30
Src: Risky Business #140 -- Former NSA tech director, info assurance, Brian Snow | Risky Business

QOTD on Malware Clouds

The biggest cloud on the planet is controlled by a vast criminal enterprise that uses that botnet to send spam, hack computers, spread malware and steal personal information and money. -- Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, as reported by Robert Mullins of Network World.
Src: The biggest cloud on the planet is owned by ... the crooks | NetworkWorld.com Community

QOTD - Rivner on CyberCrime

We are seeing a celestial alignment within the world of online fraud which means that a much broader segment of corporate Internet users are being targeted by criminals who are looking to steal more than just credit card numbers and consumer identities. Advanced, stealthy Trojans like Zeus that are detected less than 46% of the time are readily available to online criminals who are interested in stealing information for illegal gain. -- Uri Rivner, Head of New CyberCrime Technology at RSA, The Security Division of EMC
Src: RSA Launches New CyberCrime Intelligence Service | SecurityWeek

QOTD - APTs as Drones

These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered -- it is too late. -- George Kurtz, CTO of McAfee
Src: Targeted cyberattacks test enterprise security controls

QOTD - Coviello on Virtualization

Virtualization is the engine of the cloud that will propel us forward; not in one sudden, giant leap, but rather as a journey that organizations will take at their own pace, realizing tangible benefits at every step along the way.
And by embedding security in the virtual abstraction layer - we get our "do over"!
We can enforce policies for information, identity, and infrastructure within this virtual layer. As a result, we can shift from infrastructure to information-centric policy concentrating on what is most important -- the information and who gets access -- rather than on a meaningless perimeter or mere plumbing.
Now, the enterprise must have far more mature processes for Governance, Risk and Compliance that can span their physical and virtual infrastructures. And because of the convergence of roles I spoke of earlier (server administration, network etc.) monitoring and controlling privileged access becomes increasingly important.
-- Art Coviello, RSA President
Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Geer on APTs

As the cyber world is a world of interconnections, a defensive failure outside of your view or scope may propagate to you. The most skilled opponents rely on such propagation, and they are persistent, their technology is advanced and the result is threatening. -- Dan Geer, CISO at In-Q-Tel
Src: Advanced persistent threat ( - Legal - Security )

QOTD - Coviello on Soda Clouds

Sometimes you just don't want the same two tenants on the same physical machine. For example, I can't imagine Coke would ever want their virtual machines on the same hardware as Pepsi's. -- Art Coviello, RSA President

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Napolitano on Secure Ecosystem

I'm asking you before then to redouble the efforts that you are making to increase security, to increase reliability, and to increase the quality of the products that you have that enter the global supply chain.
We have to get to a level of performance in the information technology infrastructure, hardware, software, that creates a secure IT ecosystem... -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Coviello on Cloud Computing

The journey to the cloud is inevitable and we’re going to have to secure it.
Cloud infrastructures will catapult us forward because they force enterprises to focus on their security policies and processes – and not just on security technology.
In short... the cloud will turn the way we deliver security inside out.
Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet. As security practitioners, we must lead, not follow. -- Art Coviello, RSA President
Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Napolitano on Security & People

A secure cyber-environment is as much about people and habits and culture as it is about machines. Because even the most elegant technological solution will ultimately fail unless it has the support of talented professionals and of a public that understands how to stay safe when online. -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco


If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky -- or you aren't looking closely enough. -- Amit Yoran, CEO of NetWitness
Src: Targeted cyberattacks test enterprise security controls

QOTD - Napolitano on Cyber-Security

The cyber challenges we confront today are every bit as much about culture & people as they are about technology. -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco

Secure360 2010 Presentation Slides

Thank you to all who attended my Secure360 2010 presentation. Given that it was standing room only, I take it that this topic is dear to many of you. I encourage you to connect with me via this blog, twitter, or email, to continue this discussion.

Link to presentation slides (PDF)


QOTD - Coviello on Cloud

Regarding cloud computing challenges & opportunities, RSA's President, Art Coviello, said:
We have to be careful we don’t end up in security hell!
Organizations are spending as much as two-thirds of their IT budgets just to maintain their infrastructure and applications – keeping the lights on. Cloud computing can dramatically alter this two-thirds / one-third ratio … so that much more energy and investment can be directed toward real innovation and competitive advantage.
Trouble is something’s holding back the full realization of this cloud vision. And that in a word is security.
People everywhere must be able to trust the cloud even if they literally and metaphorically can’t see it.

Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

Comments on FreePress article featuring @DrInfoSec

The article (linked below), written by Dan Linehan of the Mankato Free Press, contains a good summary of the discussion I had with Dan about Twitter, Facebook, and online security. This post is meant to provide additional information that didn't make it in the original newspaper article due to the paper's limited column space.
  1. I use an older, but dedicated, computer to check anything dealing with money (bank and credit card accounts). This computer runs what I consider to be a "pristine" environment that I periodically reset (to a "known good state") and then update. If you have an older computer lying around, you can use a free operating system like Ubuntu, as recently recommended by former Washington Post writer Brian Krebs. More recently, the Chief Information Officer (CIO) of a bank recommended that people switch to another operating system to do their online banking (Src: Bank CIO recommends Ubuntu for online banking). Perhaps the announcement by the Director of the FBI's Cyber Crime division that he would stop banking online can help convince people to change their online banking habits.
  2. The special program I use to open links is Firefox with the NoScript add-on. In addition, if using a public Wi-Fi (wireless Internet), I also use another layer of protection in the form of an application-level sandbox tool called Sandboxie.
  3. The "plastic film" used for privacy can be found by searching for "privacy filter" on a major search engine.
  4. On passwords: the three "rings" of security I referred to are related to three levels of passwords that I recommend people use. The highest-privilege ring should be a series of complex passwords, to be used for bank and/or credit card web sites. The next ring would be used for medium-importance sites such as personal email accounts or other web sites that contain personally identifiable information (about you or others). The third ring, the lowest level, is used for sites that you regard as low-importance. For most of us, this would include most social networking sites and other just-for-fun logins.
  5. More information about the "hack" of Sarah Palin's account is available online. Specifically, "the hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code." (Source)
  6. Some of the best information I can recommend for Twitter and other social networking sites can be found at:
    1. http://www.ehow.com/how_5071658_twitter-safely.html
    2. http://twitter.blog.avg.com/2010/02/top-10-tips-to-stay-safe-on-twitter-from-avg.html
  7. Bad passwords can lead to easily compromised accounts. Is your password on this list? If so, whatever account used such well-known passwords could already be in hackers' hands.
  8. Everyone should be careful what they reveal not only about themselves but also about others on social networks. In one case, a home burglary appears to be tied to a Facebook posting. In another case, a faculty member was fired for an improper posting.
More information about my profile and my certifications can be found on my LinkedIn profile.
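As an added illustration of items 4 and 7 above (this is example code written for this page, not something from the original article or its sources), the script below audits a constructed inventory of logins against the three-ring model: it flags passwords that appear on a stand-in list of well-known bad passwords, passwords shared across rings (which collapses the tiers, since a breach of a low-importance site then hands over a high-importance login), and a single password reused across several ring-1 sites. The site names, passwords and the bad-password list are all made up for the example.

```python
"""Audit a password inventory against the three-ring model (added example).

Ring 1 = highest privilege (bank / credit card), ring 2 = medium importance
(personal email, sites holding personal data), ring 3 = low importance
(social networking and other just-for-fun logins).
"""
from collections import defaultdict

# Constructed stand-in for a published list of well-known bad passwords.
WELL_KNOWN_BAD = {"123456", "password", "qwerty", "letmein", "abc123"}

# Constructed sample inventory: site -> (ring, password). Hypothetical values only.
SAMPLE_ACCOUNTS = {
    "bank.example":       (1, "Tq7!vL2#pzX9"),
    "creditcard.example": (1, "Tq7!vL2#pzX9"),   # same password on two ring-1 sites
    "mail.example":       (2, "Tq7!vL2#pzX9"),   # ring-1 secret leaked down to ring 2
    "forum.example":      (3, "letmein"),        # on the well-known-bad list
    "photos.example":     (3, "letmein"),        # reuse inside ring 3 is tolerated here
}


def audit(accounts, bad_list=WELL_KNOWN_BAD):
    """Return a list of findings (dicts with a 'type' key) for policy violations.

    Finding types:
      well_known_password - the password is on the bad-password list
      cross_ring_reuse    - one password is used in more than one ring
      ring1_reuse         - one password is used on more than one ring-1 site
    """
    findings = []
    by_password = defaultdict(list)          # password -> [(site, ring), ...]

    for site, (ring, pw) in accounts.items():
        by_password[pw].append((site, ring))
        if pw in bad_list:
            findings.append({"type": "well_known_password", "site": site, "ring": ring})

    for pw, uses in by_password.items():
        rings = sorted({r for _, r in uses})
        sites = sorted(s for s, _ in uses)
        if len(rings) > 1:
            # A secret shared across rings defeats the whole point of tiering.
            findings.append({"type": "cross_ring_reuse", "sites": sites, "rings": rings})
        ring1_sites = sorted(s for s, r in uses if r == 1)
        if len(ring1_sites) > 1:
            # Each bank / credit card site should get its own complex password.
            findings.append({"type": "ring1_reuse", "sites": ring1_sites})
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'cross_ring_reuse': 1, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f)
    print(summarize(audit(SAMPLE_ACCOUNTS)))
```

Run against the sample inventory, the audit reports two well-known passwords, one cross-ring reuse and one ring-1 reuse; a clean inventory (distinct, unlisted passwords in each ring) produces no findings.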

Src: Staying safe on Twitter, Facebook » Local News » The Free Press, Mankato, MN

QOTD on Threats & Snipers

Security threats today are less like a disease or a cancer -- they're more like a sniper shooting you in the head as you come out the door. Malware is slipping through our most protected systems and we can't even see the threat coming. -- Ken Silva, CTO of VeriSign
Src: Security Panel to IT: 'Expect a Breach' — Datamation.com

QOTD on Sharing Attack Data

There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.
Is there anyone looking at the big picture of these real attacks? Connecting the dots, sifting through the chaff, and correlating trends among them should be a priority for victim organizations, researchers, forensics investigators, and law enforcement. Otherwise the bad guys who are infecting companies with banking Trojans, stealing their intellectual property, and converting their enterprise machines into bots, will just keep owning us.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading (on Twitter as @kjhiggins)
Src: Share -- Or Keep Getting Pwned - Dark Dominion Blog - Dark Reading

QOTD on us vs them

The organizational mantra should never be an 'us' (business users) vs. 'them' (IT) attitude. Today, it has to be an 'us' (our company, united) vs. 'them' (our competitors). In this New Normal climate, IT needs to get on board and participate in business conversations about technology. Or else they will get thrown off the bus. -- Thomas Wailgum, Senior Editor at CIO.com
Src: Stupid Users Are So Stupid | CIO - Blogs and Discussion

QOTD - Paller on Smart Meters

The US utility industry has rushed to install smart meters, completely trusting the meter manufacturers to ensure they are secure, predictably without systematically analyzing the security risks involved and without verifying the vendor's efforts were effective against known threats. -- Alan Paller, Director of Research for the SANS Institute
Src: SANS NewsBites Vol 12 Num 25

QOTD on Security

The days of security for security's sake are past. -- Jonathan Gossels, President and CEO of SystemExperts
Src: Economic recovery strategies for information security professionals - Information Security Magazine

QOTD on Safe Online Banking

If you are using online banking you should be using a hardened system that is not used for anything else but online banking.
-- Jay McLaughlin, CIO CNL Bank

Src: Can Ubuntu save online banking? - Computerworld Blogs

QOTD on Tracking

If you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi? -- Kelly Jackson Higgins
Src: Tech Insight: Make The Secure Path Easy For Users - DarkReading

QOTD - FBI on Cybercrime

If we fail to act, the cyber threat can be an existential threat, meaning it can challenge our country's very existence, or significantly alter our nation's potential. I am convinced that given enough time, motivation and funding, a determined adversary will always -- always -- be able to penetrate a targeted system. -- Steven Chabinsky, Deputy Assistant FBI Director
Note: emphasis mine.

Src: FBI Underboss Says Cyber Criminals the New Mafia - www.esecurityplanet.com

QOTD on Security

Whenever information security is mentioned within most organisations there is a collective groan; the board don’t want to engage, staff don’t want to be encumbered and the IT department sometimes lack the guidance to implement anything effective.
To be attractive, security needs to be cheap to implement, validate, verify and maintain. But cheap must never mean sub-standard and this is the point at which the balance must be struck. -- Martyn Smith
Src: Security On A Shoestring | Business Computing World

QOTD on e-Records & Malware

So the malware sits on the doctor's laptop, waits for him to log in ... and the malware is reading the data at the same time the doctor is. They [hackers] did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application. -- Dr. Taher Elgamal, CSO at Axway, was key in the development of SSL at Netscape
Src: As health data goes digital, security risks grow - BusinessWeek

Infosec Spotlight - OWASP

A quick post to encourage information-security-minded people to check out events and news from your local OWASP chapter; OWASP has locations in 160 different cities. OWASP "is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software." OWASP meetings are usually free, but often feature state-of-the-art content. I have been to several in the Twin Cities area and have not been disappointed.

Whether you're a student, a government employee, a consultant, or work in the private sector, if web application security is in your scope, you ought to get involved with your local OWASP chapter or at least attend some of their events.

Link: OWASP Website
Link: OWASP Newsletters - OWASP