QOTD - Schneier on Privacy

If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy, by giving people control over their personal data is the only solution. -- Bruce Schneier, Chief Security Technology Officer of BT
Src: Google And Facebook's Privacy Illusion - Forbes.com

QOTD on Hackers

The hacking community is an aristocracy. The more skills you have, the higher status you have in the group. -- Max Kilger, a senior member of the non-profit research organization,The Honeynet Project
Src: Security expert predicts criminals to take cyber extortion tactics to the U.S.

QOTD on Social Networks

A perfect storm is developing between the number of people flocking to social networks and the new, increasingly sophisticated malware attacks cybercriminals are launching to prey on the personal data they're sharing. -- Jeff Horne, director of threat research at Webroot
Src: Social Networking Exposes Business Networks to Risk ( - Internet - Security )

QOTD on Security & The Board

The challenge faced by many security professionals today is not that technology is less secure than in the past; it’s more that it’s being implemented without sufficient due diligence. This may be because traditional security practice is perceived as being too slow and onerous, and organisations are actively deciding they don’t want to miss the boat and are prepared to take the risk. Or, it may be because senior business managers are being ignorant and in denial of their responsibilities. The fact is that if something goes wrong, the consequences have to be dealt with by business people, not the techies. But do your senior business execs really understand the extent to which they are responsible for the information held by your organisation?
[...]
If we insist on starting with technology, we will always be running after the curve. But at least if we start with people and process, and remember this is fundamentally about the information businesses use on a day-to-day basis, we give ourselves an anchor point to which we can return whenever things change.-- Jon Collins, Freeform Dynamics analyst
Src: Security: Get the board on board - 27 Apr 2010 - Computing

QOTD on Disclosure & Risk

I believe that there is a preponderance of vulnerabilities to the extent that, although patching vulnerabilities does lead to a smaller attack surface, the attack surface is so large that this is inconsequential to the net impact on risk. That is, the reduction in attack surface does not outweigh the increase in threat arising from this discovery and disclosure process. -- Pete Lindstrom, Research Director for Spire Security
Src: Rudeness, risk and vulnerability disclosure | Spire Security Viewpoint

QOTD on Google

They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you've ever sent or received. They know the news you read, the places you go. They're even collecting real-time GPS location and DNS look-ups.
They know who you friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about. -- Moxie Marlinspike, Privacy advocate, creator of the GoogleSharing Firefox Addon, speaking at the SOURCE conference about Google
Src: Privacy Tool Sidesteps Google's Data Collection | threatpost

QOTD on Bypassing Security Policies

When companies set unrealistic rules -- like limiting users to a very small email box capacity or restricting the ability to attach files to messages -- users will often find ways to get around them. Their motivation is not to break IT rules, but to get their jobs done. -- Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks
Src: Why Employees Break Security Policy (And What You Can Do About It) - client security/Security - DarkReading

QOTD on Certifications

Certifications mark you as a serious and committed part of the IT arena who is willing to learn new technologies and keep current in an industry that is forever changing. [...] Certifications help set the person that possesses them apart from those who don’t, as a professional who should be respected and sought after.

Src: Vincent Martin, Senior Network Administrator & Owner, Martin Consulting Group, in a LinkedIn discussion post. Used with permission.

QOTD - Brian Snow on Trust

Our society has become too complex. There's too many interwoven, inter-dependencies between national players, corporate players, individuals, around the world, to really be able to sort out, and untangle, all these inter-dependencies for actual trust relationships to evolve that you can work with. -- Brian Snow, former technical director, National Security Agency (US). RB 140 podcast, around minute 30
Src: Risky Business #140 -- Former NSA tech director, info assurance, Brian Snow | Risky Business

QOTD on Malware Clouds

The biggest cloud on the planet is controlled by a vast criminal enterprise that uses that botnet to send spam, hack computers, spread malware and steal personal information and money. -- Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, as reported by Robert Mullins of Network World.
Src: The biggest cloud on the planet is owned by ... the crooks | NetworkWorld.com Community

QOTD - Rivner on CyberCrime

We are seeing a celestial alignment within the world of online fraud which means that a much broader segment of corporate Internet users are being targeted by criminals who are looking to steal more than just credit card numbers and consumer identities. Advanced, stealthy Trojans like Zeus that are detected less than 46% of the time are readily available to online criminals who are interested in stealing information for illegal gain. -- Uri Rivner, Head of New CyberCrime Technology at RSA, The Security Division of EMC
Src: RSA Launches New CyberCrime Intelligence Service | SecurityWeek

QOTD - APTs as Drones

These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered -- it is too late. -- George Kurtz, CTO of McAfee
Src: Targeted cyberattacks test enterprise security controls

QOTD - Coviello on Virtualization

Virtualization is the engine of the cloud that will propel us forward; not in one sudden, giant leap, but rather as a journey that organizations will take at their own pace, realizing tangible benefits at every step along the way.
And by embedding security in the virtual abstraction layer - we get our "do over"!
We can enforce policies for information, identity, and infrastructure within this virtual layer. As a result, we can shift from infrastructure to information-centric policy concentrating on what is most important -- the information and who gets access -- rather than on a meaningless perimeter or mere plumbing.
Now, the enterprise must have far more mature processes for Governance, Risk and Compliance that can span their physical and virtual infrastructures. And because of the convergence of roles I spoke of earlier (server administration, network etc.) monitoring and controlling privileged access becomes increasingly important.
-- Art Coviello, RSA President
Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Geer on APTs

As the cyber world is a world of interconnections, a defensive failure outside of your view or scope may propagate to you. The most skilled opponents rely on such propagation, and they are persistent, their technology is advanced and the result is threatening. -- Dan Geer, CISO at In-Q-Tel
Src: Advanced persistent threat ( - Legal - Security )

QOTD - Coviello on Soda Clouds

Sometimes you just don't want the same two tenants on the same physical machine. For example I can't imagine Coke would ever want their virtual machines on the same hardware as Pepsi's. -- Art Coviello, RSA President

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Napolitano on Secure Ecosystem

I'm asking you before then to redouble the efforts that you are making to increase security, to increase reliability, and to increase the equality of the products that you have that enter the global supply chain.
[...]
We have to get to a level of performance in the information technology infrastructure, hardware, software, that creates a secure IT ecosystem... -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Coviello on Cloud Computing

The journey to the cloud is inevitable and we’re going to have to secure it.
[...]
Cloud infrastructures will catapult us forward because they force enterprises to focus on their security policies and processes – and not just on security technology.
[...]
In short... the cloud will turn the way we deliver security inside out.
[...]
Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet. As security practitioners, we must lead, not follow. -- Art Coviello, RSA President
 Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD - Napolitano on Security & People


A secure cyber-environment is as much about people and habits and culture as it is about machines. Because even the most elegant technological solution will ultimately fail unless it has the support of talented professionals and of a public that understands how to stay safe when online. -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco

QOTD on APTs

If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky -- or you aren't looking closely enough. -- Amit Yoran, CEO of NetWitness
Src: Targeted cyberattacks test enterprise security controls

QOTD - Napolitano on Cyber-Security

The cyber challenges we confront today are every bit as much about culture & people as they are about technology. -- Janet Napolitano, U.S. DHS Secretary

Src: Keynotes - RSA Conference 2010 San Francisco

Secure360 2010 Presentation Slides

Thank you to all who attended my Secure360 2010 presentation. Given that it was standing room only, I take it that this topic is dear to many of you. I encourage you to connect with me via this blog, twitter, or email, to continue this discussion.

Link to presentation slides (PDF)

Chris

QOTD - Coviello on Cloud

Regarding cloud computing challenges & opportunities, RSA's President, Art Coviello, said:
We have to be careful we don’t end up in security hell!
[...]
Organizations are spending as much as two-thirds of their IT budgets just to maintain their infrastructure and
applications –keeping the lights on. Cloud computing can dramatically alter this two-thirds / one-third ratio … so that much more energy and investment can be directed toward real innovation and competitive advantage.
Trouble is something’s holding back the full realization of this cloud vision. And that in a word is security.
[...]
People everywhere must be able to trust the cloud even if they literally and metaphorically can’t see it.

Note: emphasis mine.

Src: Keynotes - RSA Conference 2010 San Francisco

Comments on FreePress article featuring @DrInfoSec

The article (linked below), written by Dan Linehan of the Mankato Free Press, contains a good summary of the discussion I had with Dan about Twitter, Facebook, and online security. This post is meant to provide additional information that didn't make it in the original newspaper article due to the paper's limited column space.
  1. I use an older, but dedicated, computer to check anything dealing with money (bank and credit card accounts). This computer runs what I consider to be a "pristine" environment that I periodically reset (to a "known good state") and then update. If you have an older computer laying around, you can use a free operating system like Ubuntu, as recently recommended by former Washington Post writer Brian Krebs. More recently, the Chief Information Officer (CIO) of a bank recommended that people switch to another operating system to do their online banking (Src: Bank CIO recommends Ubuntu for online banking). Perhaps the announcement by the Director of the FBI's Cyber Crime division that he would stop banking online can help convince people to change their online banking habits.
  2. The special program I use to open links is Firefox with the NoScript add-on. In addition, if using a public Wi-Fi (wireless Internet), I also use another layer of protection in the form of an application-level sandbox tool called Sandboxie.
  3. The "plastic film" used for privacy can be found by searching for "privacy filter" on a major search engine.
  4. On passwords: the three "rings" of security I referred are related to three levels of passwords that I recommend people use. The highest-privilege ring should be a series of complex passwords, to be used for bank and/or credit card web sites. The next ring would be used for medium-importance sites such as personal email accounts or other web sites that contain personally identifiable information (about you or others). The third ring, the lowest level, is used for sites that you regard as low-importance. For most of us, this would include most social networking sites and other just-for-fun logins.
  5. More information about the "hack" of Sarah Palin's account is available online. Specifically, "the hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code." (Source)
  6. Some of the best information I can recommend for Twitter and other social networking sites can be found at:
    1. http://www.ehow.com/how_5071658_twitter-safely.html
    2. http://twitter.blog.avg.com/2010/02/top-10-tips-to-stay-safe-on-twitter-from-avg.html
  7. Bad passwords can lead to easily compromised accounts. Is your password on this list? If so, whatever account used such well-known passwords could already be in hackers' hands.
  8. Everyone should be careful what they reveal not only about themselves but also about others on social networks. In one case, a home burglary appears to be tied to a Facebook posting. In another case, a faculty member was fired for an improper posting.
More information about my profile and my certifications can be found on my LinkedIn profile.

Src: Staying safe on Twitter, Facebook » Local News » The Free Press, Mankato, MN

QOTD on Threats & Snipers

Security threats today are less like a disease or a cancer -- it's more like a sniper shooting you in the head as you come out the door. Malware is slipping through our most protected systems and we can't even see the threat coming. -- Ken Silva, CTO of VeriSign
Src: Security Panel to IT: 'Expect a Breach' — Datamation.com

QOTD on Sharing Attack Data

There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.
[...]
Is there anyone looking at the big picture of these real attacks? Connecting the dots, sifting through the chaff, and correlating trends among them should be a priority for victim organizations, researchers, forensics investigators, and law enforcement. Otherwise the bad guys who are infecting companies with banking Trojans, stealing their intellectual property, and converting their enterprise machines into bots, will just keep owning us.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading (on Twitter as @kjhiggins)
Src: Share -- Or Keep Getting Pwned - Dark Dominion Blog - Dark Reading

QOTD on us vs them

The organizational mantra should never be an 'us' (business users) vs. 'them' (IT) attitude. Today, it has be an 'us' (our company, united) vs. 'them' (our competitors). In this New Normal climate, IT needs to get on board and participate in business conversations about technology. Or else they will get thrown off the bus. -- Thomas Wailgum, Senior Editor at CIO.com
Src: Stupid Users Are So Stupid | CIO - Blogs and Discussion