QOTD on FUD

'You security guys keep talking and talking about the end of the world. It doesn't seem to come.' -- quote from a "prominent CIO" as reported by Eugene Schultz, CTO of Emagined Security

Src: SANS NewsBites Vol 12 Issue 16

QOTD - Pescatore on Waledac

Pulling dandelions makes the lawn look better for a while, but you really need regular pre-emergence weed control to make a difference in the long run. -- John Pescatore, VP Gartner, Inc
In reference to Microsoft getting a temporary injunction to shut down 277 domains associated with the Waledac botnet.

Src: SANS NewsBites Vol 12 Issue 16

QOTD on InfoSec

The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected.
Src: A special report on managing information: New rules for big data | The Economist

QOTD - Geer on Evolution

The central tenet of the theory of evolution is that the changes which determine fitness are responses to threats imposed on the organism from the outside, that survival pressure forces change, but that only some changes aid survival. The threats are threats because they are new; technically, the appearance of a new survival threat is known as a punctuated equilibrium. All of us in the security field owe our jobs to one of these equilibrium punctuations: the sudden exposure of all computers to widely interconnected networks (the near simultaneous arrival of the first browser and the first network stack in Windows).
[...]
The equilibrium punctuation, the paradigm shift that is already here, is that data is now king. Yes, Moore’s Law still holds – every eighteen months a dollar buys twice what it did before – but a dollar buys twice as much storage about every twelve months and back in the lab they are doubling bandwidth about every nine. Every decade, that is two orders of magnitude for computing, three for storage, and four for bandwidth. The future of computing is, thus, all about data in motion. Data’s value and risk overtook the value and risk of networks and infrastructure; data punctuated the equilibrium of security management. To retain the former paradigm is to fail to evolve, and failing to evolve is a dead end. -- Dan Geer, Chief Scientist Emeritus at Verdasys
Please, go read the whole article, it is well worth it!

Note: emphasis is mine.

Src: The Enterprise Information Protection Paradigm | TMCNet.com

QOTD on Cyber Attacks

A cyberattack would be like being bled to death and not noticing it and that's kind of what's happening now. -- James Lewis, senior fellow at the nonprofit Center for Strategic and International Studies (CSIS)
Src: Experts warn of catastrophe from cyberattacks | InSecurity Complex - CNET News

QOTD - Blair on E-spy

Mr. Dennis C. Blair, Director of US National Intelligence, speaking at the Alfred M. Landon Lecture Series on Public Issues, Kansas State University, Manhattan, Kansas:
One of the major growth areas of the business of gathering intelligence is penetrating foreign networks, and bringing information to our analysts to write their reports. In this area, I can’t give you many specific examples, since they’re classified. But it’s not difficult to imagine the value of being able to read the e-mails of some foreigner involved in a plot against the United States.
Earlier, Mr. Blair also said:
Increasingly, the information we want to see – in order to find out what others are thinking and doing – is stored and shared in their networks. So that’s where we go to get it. Foreign governments communicate on networks [...] Organizations in which we’re interested store their records electronically, not in file cabinets.
Src: 20100222_speech.pdf (PDF) from DNI.gov

QOTD on Eyes Wide Open

Enterprises contemplating using advertising supported IT like free mail and social networking services need to go in with their eyes wide open - the real customers are the advertisers, not the users of the services. -- John Pescatore, VP Gartner Inc
Src: SANS NewsBites Vol 12 Num 13

QOTD on Cyberwar

But what many have failed to realize is that cyberwar is already here and the battle is already being waged. At the frontlines are corporate assets: intellectual property, research, schematics, sensitive proprietary data, and confidential customer and employee information.
Src: Cisco/ScanSafe 2009 Annual Global Threat Report (PDF)

QOTD on Cyberwar

It [cyber warfare] is a cheaper, less risky form of spying. Consider the risks and costs of training spies and getting them placed in positions in which they are able to steal information versus social engineering, breaking into systems, and/or installing malware in systems while the perpetrator works from home. The risks-rewards ratio of the latter is much more favorable. -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 12 Num 12

QOTD on Malware

Modern malware is merely a tool – and only one of many – used by cybercriminals to carry out their attacks. To approach today’s security challenges as a malware problem is to completely miss the bigger picture – it is a criminally run sophisticated e-business network intent on gathering intellectual and corporate assets. It is not simply a malware problem per se; it is a large scale cyber-espionage assault and all countries are being adversely impacted.
Src: Cisco/ScanSafe 2009 Annual Global Threat Report (PDF)

QOTD by Skoudis

Unencrypted data should be the exception, not the rule. -- Ed Skoudis, co-founder of Inguardians & SANS lead instructor
Src: SANS NewsBites Vol 12 Num 12

QOTD by Mandiant

There are thousands of companies compromised. Actively, right now. -- Kevin Mandia, CEO and president of Mandiant
Note: the Mandiant report ("M-Trends") is worth reading, even if one has to fill out a form to get access to it.

Src: Report Details Hacks Targeting Google, Others | Threat Level | Wired.com

QOTD - Pescatore on Attacks

Everything connected to the Internet is under constant attack, just as every house is under constant attack by storms, termites, burglars, etc. -- John Pescatore, VP at Gartner Inc.
Src: SANS NewsBites Vol 12 Num 9

Gartner Analyst: "Are These Banks Asleep at the Wheel?"

Avivah Litan, Vice President of Research at Gartner Inc and distinguished analyst, was recently interviewed by Linda McGlasson of the Information Security Media Group to discuss fraud trends in banking. What follows are excerpts from the transcript available on BankInfoSecurity.com's web site.
criminals are now focused on cross-channel fraud [...] they are getting better at figuring out how to call call-center operators and get their way through accounts using information that they gather on the internet to commit different kinds of fraud
[...]
they've been studying these bank websites, and they probably know more about how particular bank security works than many people at the bank themselves [...] They know how many seconds it takes for them to prompt users for authentication credential. So they've just gotten really good, some of them, at knowing how to penetrate bank security by studying them, copying them and figuring out how to socially engineer their customers to get through any of the security controls that are there.
[...]
The bottom line is all these factors [single factor, two-factor authentication] are going through the user's browser, and nothing is safe going through the user's browser because the new malware is now sitting inside that browser and is acting on behalf of the user. So you can put a biometric on your PC, you can put smart card, it doesn't matter. As long as it is going through the browser, the crooks have figured out how to beat it.
[...]
most banks are relying on cookies on customers' PC's to know it's a good customer. That reliance needs to end ...
As smaller local and regional banks are currently lagging behind in terms of fraud detection capability, Litan warns that failure to act now will likely result in government introducing new legislation or regulation.

Note: emphasis is mine.

Src: Analyst: "Are These Banks Asleep at the Wheel?" | BankInfoSecurity.com

QOTD - Security vs Reality

Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology. -- Khalid Kark, VP & Principal Analyst at Forrester Research Inc
Src: CISOs take measured steps to reduce social media risks

QOTD on Cyber Threats

We often find persistent, unauthorized, and at times, unattributable presences on exploited networks, the hallmark of an unknown adversary intending to do far more than merely demonstrate skill or mock a vulnerability. -- Dennis C. Blair, Director of US National Intelligence
Src: Google attacks 'wake-up call' - US intel chief | AFP

QOTD - Stiennon on Reality

Reality has a way of imposing itself regardless of theories. It is best to have a firm grip on reality before setting national policy or investing in technology. -- Richard Stiennon, founder of IT-Harvest, an independent analyst firm.
Src: ThreatChaos Security Blog | ThreatChaos

QOTD - APTs as the new norm

Security researchers have been saying for years now that attackers are using zero days as a matter of course. They buy and sell exploits for vulnerabilities that Microsoft, Adobe, Oracle and other software makers have never heard of, use them until they're burned and then move on to the next one. And it's not just intelligence agencies or state-sponsored groups who operate on this level; it's simply the way things work now. One researcher called the use of zero days a 'baseline.'
...
What the Aurora attack is, however, is the public face of a threat that has been hidden from most people's view for far too long. It's the common, albeit cleverly targeted, attack that is going on every day on networks around the world.
It's the new normal. -- Dennis Fisher, writing for Threatpost
Src: Google Attack Was Tip of the Iceberg | Threatpost

QOTD - Stiennon on Controls

No matter how smart you are you cannot impose controls on something you do not control. -- Richard Stiennon, founder of IT-Harvest, an independent analyst firm

Src: ThreatChaos Security Blog | ThreatChaos

QOTD - Schmidt on Security

There are no absolutes. We will never have 100 percent security and still have an open society. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov

QOTD on Cyber Threats

Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey. -- Dennis C. Blair, Director of US National Intelligence
Src: U.S. 'Severely Threatened' By Cyber Attacks -- InformationWeek

QOTD on Privacy vs Security

I've said for a long time privacy and security are two sides of the same coin. Very clearly, without security, we have no privacy. Data protection is key to the things we're going to do. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Privacy not taking back seat to security, cyberchief says | Federal News Radio 1500 AM

QOTD on Free Speech

At some point people who care about free speech will realise that free speech has to be funded, otherwise it's not free. -- Paul Lashmar, investigative journalist
Src: BBC News - WikiLeaks whistleblower site in temporary shutdown

QOTD on The Cloud

I’m a big proponent of moving things to the cloud, but doing it right. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov

QOTD on OS Security

The most secure [operating] system is the one that you know how to secure. -- Carole Fennelly, director of content and documentation at Tenable Network Security
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD on Social Engineering

Graham Cluley, senior technology consultant at Sophos, sheds light on the debate about PC vs Mac security:
They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News