QOTD on Cyber Threats

Speaking generically, we're seeing a lot more targeted attacks where people focus on [employees with] the highest set of privileges, and then work backwards, gaining access to secondary parties to get to the primary source. -- George Kurtz, McAfee chief technology officer
Src: Hackers ran detailed reconnaissance on Google employees - V3.co.uk - formerly vnunet.com


Every piece of APT [Advanced Persistent Threat] malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware outbound beaconing attempts. -- Wendi Rafferty writing for the Mandiant Blog
Another item worth noting: 83% of APTs used TCP port 80 or 443 (i.e. looking like normal web browser activity)

Src: M-unition » Blog Archive » M-Trends: Advanced Persistent Threat Malware

QOTD on Cyber Threats

Current security models are minimally effective against cyber criminals and many organizations appear to be largely unaware of that fact. -- Ted DeZabala, principal at Deloitte & Touche LLP
Src: Cyber Crime Called Out as 'Clear and Present Danger' by Deloitte's New Center for Security... -- NEW YORK, Jan. 25 /PRNewswire

QOTD - Bayuk on Security

If a boss thinks that security procedures can be sacrificed, then the staff will sacrifice them, no matter how many documents Human Resources may make them sign that state the contrary. -- Jennifer Bayuk, book author, consultant, and former chief information security officer at Bear Stearns
Src: Former Bear Stearns exec pens security guide - USATODAY.com

QOTD - Yoran on Cyber Threats

Every network with any size to it has been compromised in the past year or two. Advanced stuff is getting through pervasively. It's simply impossible to protect an enterprise today. -- Amit Yoran, CEO of NetWitness & former chief of the Homeland Security Department's National Cybersecurity Division.
Src: Cyberattack threat to US groups | FT.com

QOTD - Bayuk on Security

I am not advocating any one big brother, just multiple simultaneous watchdogs that would be able to coordinate efforts in a crisis because they each individually understand how genuinely valuable their own security is to them. -- Jennifer Bayuk, book author, consultant, and former chief information security officer at Bear Stearns

Src: Former Bear Stearns exec pens security guide - USATODAY.com

QOTD on Cyber Threats

Targeted attacks are part of everyday life now, and the sooner people wake up to this, the better prepared they can be. -- Zane Jarvis, AusCERT senior information security analyst
Src: Old software leaved the door open for net nasties | The Australian

QOTD on the Democratization of Espionage

Brian Krebs asks Roland Dobbins, solutions architect at the Asia Pacific division of Arbor Networks, about the meaning of the current situation with cyber spying, botnets, and the low level of risk for those engaging in such activities. Roland replies:
Because it's so cheap through the use of botnets for bad guys to get this information, ordinary people are essentially the targets of espionage in a way that has never been true before in human history. Their personal information is being targeted by folks who have resources that in many cases are beyond what nation states would have been able to bring to bear only ten years ago.
Src: Botnets: "The Democratization of Espionage" - CSO Online - Security and Risk

QOTD on Toxic Data & The Enterprise

The best thing enterprises can do now is examine their security program to make sure that it includes a healthy balanced diet of controls that protect both toxic data and secrets. -- Andrew Jaquith, Senior Analyst at Forrester Research

Src: The attack on Google: What it means - Community - ComputerworldUK

How Bad Passwords Lead to Breached Accounts

Imperva's analysis of the Dec 2009 breach of 32 million RockYou usernames & passwords provides a window into the average user's password practices: poor (to say the least). Among the findings listed in the report:
  • The top passwords were: 
    • #1: 123456 
    • #2: 12345
    • #3: 123456789
    • #4: Password
    • #5: iloveyou
  • 30% of users had passwords of 6 characters or less.
  • Almost 50% of passwords were composed of: "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)."
  • Less than 4% of passwords had any special characters.
Given some basic assumptions about an average DSL connection, the report concludes that
a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.
After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.
One of the recommendations is for administrators to
Make sure passwords are not kept in clear text. Always digest password before storing to DB.
I believe it is irresponsible that some web-based applications are still storing passwords in plain text, and just as bad, to be able to send you your "old" password (meaning the password is either stored in plain text or in a reversible "encryption" format).

Note: emphasis is mine

Src: Imperva report - Consumer Password Worst Practices
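As an added illustration (not code from the Imperva report or from this post), here is a minimal registration/verification routine that turns the report's two points into practice: reject the top RockYou passwords and anything of 6 characters or less, and store only a salted PBKDF2-HMAC-SHA256 digest so that an "old password" can never be mailed back. The iteration count and the storage record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed from the Imperva findings quoted above: the five most common
# RockYou passwords, compared case-insensitively so "Password" is also refused.
TOP_ROCKYOU_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}
MIN_LENGTH = 7               # the report flags 6 characters or less as weak
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def check_password_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes the checks."""
    if password.lower() in TOP_ROCKYOU_PASSWORDS:
        return "password is one of the most common leaked passwords"
    if len(password) < MIN_LENGTH:
        return "password must be at least %d characters" % MIN_LENGTH
    if password.isdigit():
        return "password must not be digits only"
    return None


def digest_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record (assumed format): algorithm$iterations$salt$digest
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def register(password: str) -> str:
    """Enforce the policy, then return the record a database should keep."""
    reason = check_password_policy(password)
    if reason is not None:
        raise ValueError(reason)
    return digest_password(password)


if __name__ == "__main__":
    record = register("correct-horse-42")   # constructed sample password
    print(record)
    print(verify_password("correct-horse-42", record))   # True
```

Because the record holds only salt and digest, a password-reset flow can issue a new password but cannot reveal the old one.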

The Fallacy of Secure Software?

Justin Clarke, lead author of "SQL Injection Attacks and Defense," wrote a guest blog entry for fudsec.com dealing with Software Security. He mentions the two top SecSDLC models, OpenSAMM and BSIMM, and goes on to write:
...what is the activity that both OpenSAMM and BSIMM consider to be the most important thing with developing secure software? Pentesting? Code review?

Nope - it's having someone who is championing and driving software security within the organization. Having a group of folks who are ready and willing to shepherd and drive through all of the various changes to how the organization works over time. These are sometimes (in BSIMM in particular) referred to as the Software Security Group (SSG), and in many cases can be make or break in getting adoption and use of security initiatives within the organization.

After all of that, it turns out the best thing for software security in your organization may well be you...
Note: emphasis kept from the original document.
Src: The Fallacy of Secure Software | fudsec.com

QOTD on Industrialized Malware

Malware is "becoming 'industrialised', with an underground economy growing up around it. The malware used to infiltrate target computers is professionally packaged and sold online, often with licence agreements and support contracts; and would-be criminals can rent the computing resources they need to engineer an attack from owners of 'botnets' – vast networks of compromised machines that can be controlled remotely." -- Jessica Twentyman, in the Financial Times

Src: Every IT user is at risk from cyberattacks | FT.com

QOTD - @Dakami on Aurora

Ultimately, vulnerabilities happen. They happen to Web browsers -- all of them -- they happen to document readers -- all of them -- and they happen to operating systems and even network infrastructure. -- Dan Kaminsky, Director of penetration testing for IOActive.
Src: 7 Steps For Protecting Your Organization From 'Aurora' | DarkReading

Google, Privacy, & Schneier

A quick set of quotes to show differing perspectives on Privacy. Google's CEO, Eric Schmidt, made a statement on privacy that is likely to have worried many privacy advocates:
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.
Bruce Schneier's response (on his blog) uses materials from one of his posts from 2006:
Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.
Privacy is a basic human need.
Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.
European governments and citizens have traditionally been a lot more careful and diligent with protecting one's privacy. The global, connected, world we live in may just end up benefiting from such principles. For more information about Privacy Principles, I refer you to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Src: My Reaction to Eric Schmidt | Schneier on Security

QOTD on Cyber Threats

For a sophisticated adversary, it’s to his advantage to keep your network up and running. He can learn what you know. He can cause confusion, delay your response times – and shape your actions. -- Unnamed source
Src: Spooks in the Machine: How the Pentagon Should Fight Cyber Spies | Progressive Fix

QOTD on Security vs Risk

An organization with a zero failure rate is an organization that takes sure things, not risks.
Assuming you want to take real risks and accept some failures as an inevitable by-product, your first step is to find all the structural factors that are in place to discourage risk-taking.
Start with information security. Is it operating according to the risk profile you want, or is it in full prevent mode, trying to maximize security rather than optimizing it? -- Bob Lewis, writing for InfoWorld.com
Note: emphasis mine

Src: Wanted: IT risk-takers | Adventures in IT - InfoWorld

QOTD - Litan on Defeating 2-Factor Auth

Criminals are successfully launching man-in-the-browser attacks that circumvent strong two-factor and other authentication that communicate through the user's browser. The fraudsters are also successfully having telecommunication carriers forward phone calls used to authenticate users and/or transactions to the fraudster's phone instead of the legitimate user's phone. These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data within the next three years. -- Avivah Litan, Vice President and Distinguished Analyst in Gartner Research
Src: Where Strong Authentication Fails and What You Can Do About It | Gartner

Academia and Risk Management

The Association of Governing Boards (AGB), an association focusing on governance and leadership issues in higher education, has recently released a report entitled "The State of Enterprise Risk Management at Colleges and Universities Today." Based on a survey of more than 600 respondents (in June 2008), the report covers "attitudes, practices and policies regarding enterprise risk management among American colleges and universities." The AGB's site also hosts a two-page document called "Enterprise Risk Management: Best Practices for Boards, Presidents, and Chancellors," with an accompanying (simple) worksheet covering the most basic types of risks in higher ed. All of these documents are also contained in the report.

The report provides valuable action items for university leaders and board members. Most of the recommendations include the need to define one's risk appetite and engage in a systematic and comprehensive, regular risk assessment.

Unfortunately, in my opinion, the effect of looming cuts from most state budgets will mean that this report and its recommendations will be ignored by most institutions until an "incident" forces them to rethink their position.

Src: Research Agenda | Association of Governing Boards

QOTD on Risk

Although risk cannot be eliminated, it can be managed, and we need to embed risk consideration into every management function. -- Al Horvath, Penn State University Vice President
Src: Managing risk is everyone's business at Penn State | Penn State Live

QOTD - Pescatore on Google Attack

The source of the attacks is getting all the headlines but as usual the attack vector is more important. Five years ago the source of many attacks against US companies was traced to Russia, now it is China; but failing to protect your systems results in the same expensive damage to you and your customers regardless of who launched the attack. Similar targeted attacks have been going on for quite some time and many companies have kept their systems safe. -- John Pescatore, Vice President at Gartner, Inc
Note: Emphasis mine

Src: SANS NewsBites Vol 12 Issue 4

QOTD Northcutt - Breaches & TV shows

I wish there was another way to change corporate behavior other than lawsuits, but clearly lawsuits and possibly ridicule are the only tools we have. Perhaps a reality TV show could be fashioned around data breaches. -- Stephen Northcutt, President SANS Technology Institute
Src: SANS NewsBites Vol 12 Issue 4

QOTD - Jaquith on Security & the Cloud

In time 'the cloud' will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the 'information' back into Information Security. This is exactly the discussion we need to have. -- Andrew Jaquith, Senior Analyst for Forrester Research and book author
Src: The Forrester Blog For Security & Risk Professionals

Components of a good Infosec Strategy

A good information security strategy should incorporate four things: proactive security management rather than point-in-time compliance; cost-effective security initiatives to meet regulatory requirements; within the bounds of operational challenges; and capacity to address risks from emerging technologies. -- Gerry Chng, Far East Area information security champion, Ernst & Young
Src: Study: back-to-basics security strategy the way to go | The Industry Standard

QOTD on Privacy

Our citizens are not objects. They are human beings. -- Viviane Reding, incoming EU Justice Commissioner
Src: Europe, Mideast Protest Tighter Airline Security - NYTimes.com

QOTD on Data vs Privacy

As organizations gather and keep more information and make more decisions based on it, all kinds of privacy (will that clinical data be kept anonymous? who can look at your car's 'black box?') and security issues raise their ugly head. Not all data-based decisions are wise decisions, especially when they're based on outdated or incomplete information, as was partly the case in the recent financial crisis. -- Rob Preston, VP and editor in chief of InformationWeek
Src: Down To Smarter Business: People Want Technology Focused On Results, Not ''Solutions'' -- Emerging Technology

QOTD on Privacy

Privacy: By 2020, you will have to go to a museum to understand what it meant. Privacy eroded, due to cameras everywhere and increasing sophistication of data analysis. Most people, considering themselves good at heart, traded it away for the sake of better search results. -- Quentin Hardy, writing for Forbes
Src: How Tech Will Change Our Future - Forbes.com

QOTD on Metrics

Choosing the right metrics system is not easy. Metrics can have unintended and unanticipated consequences. They have unanticipated consequences simply because managers and employees are smart and creative in their efforts to succeed. The firm becomes exactly what it seeks to measure. -- Hauser & Katz
Src: Hauser, J., G. Katz. 1998. Metrics: you are what you measure! European Management Journal 16(5): 516-528

QOTD on Cyber Crime

The cyber crime landscape has evolved into a set of highly specialized criminal products and services that are able to target specific organizations, regions, and customer profiles by using a sophisticated set of malware exploits and anonymization systems, which routinely evade present-day security controls. -- Richard Baich, a principal in Deloitte & Touche LLP's Security & Privacy Practice
Src: Greatest Cyber Risk Driven by Remote Network Access and Embedded Malicious Code: Deloitte Poll | PRNewsWire.com

QOTD on Value of Data

Data is more valuable than money. Once money is spent it is gone. Data can be reused and can give you the ability to access online banking applications, use credit cards and penetrate firewalls over and over. A famous bank robber from the 1900s was asked why he robbed banks. He said 'because that is where the money is.' Cyber criminals today go to where the data is, because it allows them to access money. Executives need to develop cyber programs to stay ahead of criminals and stop old cat and mouse games. -- Richard Baich, a principal in Deloitte & Touche LLP's Security & Privacy Practice
Note: emphasis is mine

Src: Greatest Cyber Risk Driven by Remote Network Access and Embedded Malicious Code: Deloitte Poll | PRNewsWire.com

QOTD - FBI Director on Cyber Threats

Far too little attention has been paid to cyber threats and their consequences. Intruders are reaching into our networks every day looking for valuable information. Unfortunately they're finding it. -- Robert Mueller, FBI Director
Src: Citing cybercrime, FBI director doesn't bank online

QOTD - SMBs & online banking

It's time for small business to wake up and understand the true risk of online banking. If the bank thinks you were negligent, they do not have any obligation to pay you back. -- Avivah Litan, banking security analyst at Gartner, Inc.
Src: Cybercrooks stalk small businesses that bank online | USATODAY.com

Happy new year

What an interesting year 2009 turned out to be. What will 2010 have in store for security professionals? Federal legislation, worldwide criminal activity, a resurging global economy? This field (information security & privacy) promises to once again not disappoint. Stay tuned.

QOTD - Schneier on Security

Security is both a feeling and a reality. The propensity for security theater comes from the interplay between the public and its leaders. When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn't make any sense. -- Bruce Schneier, book author & CTO of BT
Src: CNN