QOTD - Schneier on Privacy
If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can't rely on market forces to maintain it. Broad legislation protecting personal privacy, by giving people control over their personal data, is the only solution. -- Bruce Schneier, Chief Security Technology Officer of BT
Src: Google And Facebook's Privacy Illusion - Forbes.com
QOTD on Hackers
The hacking community is an aristocracy. The more skills you have, the higher status you have in the group. -- Max Kilger, a senior member of the non-profit research organization, The Honeynet Project
Src: Security expert predicts criminals to take cyber extortion tactics to the U.S.
QOTD on Social Networks
A perfect storm is developing between the number of people flocking to social networks and the new, increasingly sophisticated malware attacks cybercriminals are launching to prey on the personal data they're sharing. -- Jeff Horne, director of threat research at Webroot
Src: Social Networking Exposes Business Networks to Risk ( - Internet - Security )
QOTD on Security & The Board
The challenge faced by many security professionals today is not that technology is less secure than in the past; it’s more that it’s being implemented without sufficient due diligence. This may be because traditional security practice is perceived as being too slow and onerous, and organisations are actively deciding they don’t want to miss the boat and are prepared to take the risk. Or, it may be because senior business managers are being ignorant and in denial of their responsibilities. The fact is that if something goes wrong, the consequences have to be dealt with by business people, not the techies. But do your senior business execs really understand the extent to which they are responsible for the information held by your organisation?
[...]
If we insist on starting with technology, we will always be running after the curve. But at least if we start with people and process, and remember this is fundamentally about the information businesses use on a day-to-day basis, we give ourselves an anchor point to which we can return whenever things change. -- Jon Collins, Freeform Dynamics analyst
Src: Security: Get the board on board - 27 Apr 2010 - Computing
QOTD on Disclosure & Risk
I believe that there is a preponderance of vulnerabilities to the extent that, although patching vulnerabilities does lead to a smaller attack surface, the attack surface is so large that this is inconsequential to the net impact on risk. That is, the reduction in attack surface does not outweigh the increase in threat arising from this discovery and disclosure process. -- Pete Lindstrom, Research Director for Spire Security
Src: Rudeness, risk and vulnerability disclosure | Spire Security Viewpoint
QOTD on Google
They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you've ever sent or received. They know the news you read, the places you go. They're even collecting real-time GPS location and DNS look-ups.
They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about. -- Moxie Marlinspike, Privacy advocate, creator of the GoogleSharing Firefox Addon, speaking at the SOURCE conference about Google
Src: Privacy Tool Sidesteps Google's Data Collection | threatpost
QOTD on Bypassing Security Policies
When companies set unrealistic rules -- like limiting users to a very small email box capacity or restricting the ability to attach files to messages -- users will often find ways to get around them. Their motivation is not to break IT rules, but to get their jobs done. -- Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks
Src: Why Employees Break Security Policy (And What You Can Do About It) - client security/Security - DarkReading
QOTD on Certifications
Certifications mark you as a serious and committed part of the IT arena who is willing to learn new technologies and keep current in an industry that is forever changing. [...] Certifications help set the person that possesses them apart from those who don’t, as a professional who should be respected and sought after.
Src: Vincent Martin, Senior Network Administrator & Owner, Martin Consulting Group, in a LinkedIn discussion post. Used with permission.
QOTD - Brian Snow on Trust
Our society has become too complex. There are too many interwoven inter-dependencies between national players, corporate players, individuals, around the world, to really be able to sort out, and untangle, all these inter-dependencies for actual trust relationships to evolve that you can work with. -- Brian Snow, former technical director, National Security Agency (US). RB 140 podcast, around minute 30
Src: Risky Business #140 -- Former NSA tech director, info assurance, Brian Snow | Risky Business
QOTD on Malware Clouds
The biggest cloud on the planet is controlled by a vast criminal enterprise that uses that botnet to send spam, hack computers, spread malware and steal personal information and money. -- Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, as reported by Robert Mullins of Network World.
Src: The biggest cloud on the planet is owned by ... the crooks | NetworkWorld.com Community
QOTD - Rivner on CyberCrime
We are seeing a celestial alignment within the world of online fraud which means that a much broader segment of corporate Internet users are being targeted by criminals who are looking to steal more than just credit card numbers and consumer identities. Advanced, stealthy Trojans like Zeus that are detected less than 46% of the time are readily available to online criminals who are interested in stealing information for illegal gain. -- Uri Rivner, Head of New CyberCrime Technology at RSA, The Security Division of EMC
Src: RSA Launches New CyberCrime Intelligence Service | SecurityWeek
QOTD - APTs as Drones
These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered -- it is too late. -- George Kurtz, CTO of McAfee
Src: Targeted cyberattacks test enterprise security controls
QOTD - Coviello on Virtualization
Virtualization is the engine of the cloud that will propel us forward; not in one sudden, giant leap, but rather as a journey that organizations will take at their own pace, realizing tangible benefits at every step along the way.
Note: emphasis mine.
And by embedding security in the virtual abstraction layer - we get our "do over"!
We can enforce policies for information, identity, and infrastructure within this virtual layer. As a result, we can shift from infrastructure to information-centric policy concentrating on what is most important -- the information and who gets access -- rather than on a meaningless perimeter or mere plumbing.
Now, the enterprise must have far more mature processes for Governance, Risk and Compliance that can span their physical and virtual infrastructures. And because of the convergence of roles I spoke of earlier (server administration, network etc.) monitoring and controlling privileged access becomes increasingly important.
-- Art Coviello, RSA President
Src: Keynotes - RSA Conference 2010 San Francisco
QOTD - Geer on APTs
As the cyber world is a world of interconnections, a defensive failure outside of your view or scope may propagate to you. The most skilled opponents rely on such propagation, and they are persistent, their technology is advanced and the result is threatening. -- Dan Geer, CISO at In-Q-Tel
Src: Advanced persistent threat ( - Legal - Security )
QOTD - Coviello on Soda Clouds
Sometimes you just don't want the same two tenants on the same physical machine. For example I can't imagine Coke would ever want their virtual machines on the same hardware as Pepsi's. -- Art Coviello, RSA President
Src: Keynotes - RSA Conference 2010 San Francisco
QOTD - Napolitano on Secure Ecosystem
I'm asking you before then to redouble the efforts that you are making to increase security, to increase reliability, and to increase the equality of the products that you have that enter the global supply chain.
[...]
We have to get to a level of performance in the information technology infrastructure, hardware, software, that creates a secure IT ecosystem... -- Janet Napolitano, U.S. DHS Secretary
Src: Keynotes - RSA Conference 2010 San Francisco
QOTD - Coviello on Cloud Computing
The journey to the cloud is inevitable and we’re going to have to secure it.
Note: emphasis mine.
[...]
Cloud infrastructures will catapult us forward because they force enterprises to focus on their security policies and processes – and not just on security technology.
[...]
In short... the cloud will turn the way we deliver security inside out.
[...]
Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet. As security practitioners, we must lead, not follow. -- Art Coviello, RSA President
Src: Keynotes - RSA Conference 2010 San Francisco
QOTD - Napolitano on Security & People
A secure cyber-environment is as much about people and habits and culture as it is about machines. Because even the most elegant technological solution will ultimately fail unless it has the support of talented professionals and of a public that understands how to stay safe when online. -- Janet Napolitano, U.S. DHS Secretary
Src: Keynotes - RSA Conference 2010 San Francisco
QOTD on APTs
If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky -- or you aren't looking closely enough. -- Amit Yoran, CEO of NetWitness
Src: Targeted cyberattacks test enterprise security controls
QOTD - Napolitano on Cyber-Security
The cyber challenges we confront today are every bit as much about culture & people as they are about technology. -- Janet Napolitano, U.S. DHS Secretary
Src: Keynotes - RSA Conference 2010 San Francisco
Secure360 2010 Presentation Slides
Thank you to all who attended my Secure360 2010 presentation. Given that it was standing room only, I take it that this topic is dear to many of you. I encourage you to connect with me via this blog, twitter, or email, to continue this discussion.
Link to presentation slides (PDF)
Chris
QOTD - Coviello on Cloud
Regarding cloud computing challenges & opportunities, RSA's President, Art Coviello, said:
We have to be careful we don’t end up in security hell!
[...]
Organizations are spending as much as two-thirds of their IT budgets just to maintain their infrastructure and applications – keeping the lights on. Cloud computing can dramatically alter this two-thirds / one-third ratio … so that much more energy and investment can be directed toward real innovation and competitive advantage.
Trouble is something’s holding back the full realization of this cloud vision. And that in a word is security.
[...]
People everywhere must be able to trust the cloud even if they literally and metaphorically can’t see it.
Note: emphasis mine.
Src: Keynotes - RSA Conference 2010 San Francisco
Comments on FreePress article featuring @DrInfoSec
The article (linked below), written by Dan Linehan of the Mankato Free Press, contains a good summary of the discussion I had with Dan about Twitter, Facebook, and online security. This post is meant to provide additional information that didn't make it in the original newspaper article due to the paper's limited column space.
Src: Staying safe on Twitter, Facebook » Local News » The Free Press, Mankato, MN
- I use an older, but dedicated, computer to check anything dealing with money (bank and credit card accounts). This computer runs what I consider to be a "pristine" environment that I periodically reset (to a "known good state") and then update. If you have an older computer lying around, you can use a free operating system like Ubuntu, as recently recommended by former Washington Post writer Brian Krebs. More recently, the Chief Information Officer (CIO) of a bank recommended that people switch to another operating system to do their online banking (Src: Bank CIO recommends Ubuntu for online banking). Perhaps the announcement by the Director of the FBI's Cyber Crime division that he would stop banking online can help convince people to change their online banking habits.
- The special program I use to open links is Firefox with the NoScript add-on. In addition, if using a public Wi-Fi (wireless Internet), I also use another layer of protection in the form of an application-level sandbox tool called Sandboxie.
- The "plastic film" used for privacy can be found by searching for "privacy filter" on a major search engine.
- On passwords: the three "rings" of security I referred to are related to three levels of passwords that I recommend people use. The highest-privilege ring should be a series of complex passwords, to be used for bank and/or credit card web sites. The next ring would be used for medium-importance sites such as personal email accounts or other web sites that contain personally identifiable information (about you or others). The third ring, the lowest level, is used for sites that you regard as low-importance. For most of us, this would include most social networking sites and other just-for-fun logins.
- More information about the "hack" of Sarah Palin's account is available online. Specifically, "the hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code." (Source)
- Some of the best information I can recommend for Twitter and other social networking sites can be found at:
- http://www.ehow.com/how_5071658_twitter-safely.html
- http://twitter.blog.avg.com/2010/02/top-10-tips-to-stay-safe-on-twitter-from-avg.html
- Bad passwords can lead to easily compromised accounts. Is your password on this list? If so, whatever account used such well-known passwords could already be in hackers' hands.
- Everyone should be careful what they reveal not only about themselves but also about others on social networks. In one case, a home burglary appears to be tied to a Facebook posting. In another case, a faculty member was fired for an improper posting.
QOTD on Threats & Snipers
Security threats today are less like a disease or a cancer -- it's more like a sniper shooting you in the head as you come out the door. Malware is slipping through our most protected systems and we can't even see the threat coming. -- Ken Silva, CTO of VeriSign
Src: Security Panel to IT: 'Expect a Breach' — Datamation.com
QOTD on Sharing Attack Data
There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.
[...]
Is there anyone looking at the big picture of these real attacks? Connecting the dots, sifting through the chaff, and correlating trends among them should be a priority for victim organizations, researchers, forensics investigators, and law enforcement. Otherwise the bad guys who are infecting companies with banking Trojans, stealing their intellectual property, and converting their enterprise machines into bots, will just keep owning us.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading (on Twitter as @kjhiggins)
Src: Share -- Or Keep Getting Pwned - Dark Dominion Blog - Dark Reading
QOTD on us vs them
The organizational mantra should never be an 'us' (business users) vs. 'them' (IT) attitude. Today, it has to be an 'us' (our company, united) vs. 'them' (our competitors). In this New Normal climate, IT needs to get on board and participate in business conversations about technology. Or else they will get thrown off the bus. -- Thomas Wailgum, Senior Editor at CIO.com
Src: Stupid Users Are So Stupid | CIO - Blogs and Discussion