QOTD on Passwords
Fidelity doesn't pay when it comes to passwords – the most important passwords should be changed every three months. -- Dieter Kempf, a member of the presiding committee of Germany's Bitkom industry association
Src: Passwords: The only constant in life - The H Security: News and Features
QOTD - Pity the modern CIO
Pity the modern CIO who is forced to cut costs, upgrade critical infrastructure and somehow support and secure a myriad of consumer devices that have become as common as paperclips and Post-It notes in the workplace. -- David Needle, West Coast bureau chief at InternetNews.com
Src: What IT Doesn't Know Can Hurt Everyone: Study - InternetNews.com
QOTD on Smart-Grid Privacy
We, Siemens, have the technology to record it (energy consumption) every minute, second, microsecond, more or less live.
From that we can infer how many people are in the house, what they do, whether they're upstairs, downstairs, do you have a dog, when do you habitually get up, when did you get up this morning, when do you have a shower: masses of private data.
We think the regulator needs to send a strong signal to say that the data belongs to consumers and consumers alone. We believe that's a blocker to people adopting the technology.
-- Martin Pollock of Siemens Energy
Src: Privacy concerns challenge smart grid rollout
QOTD - NASA CISO on Secure Software
The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. -- Jerry Davis, CISO for NASA
Src: Federal News Radio 1500 AM: NASA launches software assurance program
QOTD on Privacy Engineers
There doesn't yet appear to be such a thing as a privacy engineer; given the relative paucity of models and mechanisms, that's not too surprising. Until we build up the latter, we won't have a sufficient basis for the former. For privacy by design to extend beyond a small circle of advocates and experts and become the state of practice, we'll need both. -- Stuart Shapiro, Principal Information Privacy and Security Engineer at The MITRE Corporation
Src: Privacy By Design: Moving From Art to Practice | June 2010 | Communications of the ACM
QOTD on PII & De-Identification
Just as medieval alchemists were convinced a (mythical) philosopher’s stone can transmute lead into gold, today’s privacy practitioners believe that records containing sensitive individual data can be “de-identified” by removing or modifying PII [Personally Identifiable Information]. -- Narayanan, A. and Prof. Shmatikov, V.
Src: Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of "personally identifiable information". Commun. ACM 53, 6 (Jun. 2010), 24-26. DOI= http://doi.acm.org/10.1145/1743546.1743558
Direct link to PDF document
QOTD - EU Justice Commissioner on Privacy Laws
We need to find ways to empower web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. -- Viviane Reding, EU Justice Commissioner
Src: EU Data-Protection Laws Need Revamping for Internet Privacy, Reding Says - Bloomberg
QOTD - Salem on the Right Security Focus
The device is not important. The device will change. Who are the people and what is the information we need to protect? -- Enrique Salem, Symantec President and CEO
Src: Cybersecurity Czar: Remember, End Users Are No Security Experts - Security - IT Channel News by CRN
QOTD - Pescatore on the State of Security in 2010
Ninety percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch, or uses of technology in which we made the decision to deploy without putting security controls on it. Less than 1% are zero-day attacks; the other 99% are exploited configurations and unpatched machines that the simplest vulnerability scan would've found.
[...]
The bottom line is the attack surface for threats is going up. There are more moving parts in the way we're consuming and delivering IT. ... There's all the opportunity for a bot to take hold. -- John Pescatore, vice president and research fellow at Gartner Research
Src: Gartner: Enterprises must learn to detect botnet threats
QOTD on Your Facebook Data
The gargantuan amount of high-quality user data on Facebook is causing everyone--from marketers to hackers--to salivate like dogs gazing at a steak. They all want a piece of you. -- Narasu Rebbapragada writing for PC World
Src: What Is Your Facebook Data Worth?
QOTD - Ashcroft on Cybersecurity
The protection of our enterprises and the protection of our country both are too important to reserve exclusively to law enforcement or information professionals alone the duty of protection,
[...]
The truth of the matter is access is a balancing act that must be at the proper level for appropriate users. And the access meter needs to read 'impossible' for all others. -- John Ashcroft, former US Attorney General
Src: Ashcroft: Cybersecurity Takes a Village - www.esecurityplanet.com
QOTD - Avivah Litan on Cognitive Passwords
Banks and other companies who rely on knowledge based authentication – the process that asks users ’secret’ questions that only the legitimate can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times.
As Avivah explains, it turns out that the crooks are getting the information straight from the data aggregators by spear-phishing their employees.
[...]
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual. -- Avivah Litan, VP Gartner Research
Src: Avivah Litan — A Member of the Gartner Blog Network
QOTD - PwC on Security Awareness Training
The main objective of any awareness raising approach is that it leads people to demonstrate ‘new’ behaviours. To do this it must answer the question ‘what’s in it for me?’. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.
Src: PwC Report "Security awareness: Turning your people into your first line of defence" (PDF)
Also see: Invest in making employees more alert to security risks, says PricewaterhouseCoopers Human Resources - News | HR News | HR Magazine | hrmagazine.co.uk
QOTD on Cyber Insecurity
Cyber-terrorists have turned Internet technology into a weapon capable of unimaginable destruction. The result is that everyone is a target. -- Josh Zachry, associate director of research operations at the Institute for Cyber Security at the University of Texas at San Antonio
Src: Cyber espionage threatens global security (part 2) | Troy Media Corporation
QOTD - Lieberman on those dangerous electronic pipelines
The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe
QOTD on SmartGrid: Money Trumps Security
From a hardware perspective, cell phones today are more secure than many of the smart meters in deployment.
Those meters, however, may be used as attack vectors into the spheres of power distribution and generation, as well as into customer databases at the utilities. They deserve nothing less than the best hardware protection available. -- Karsten Nohl, a security researcher based in Germany presenting at the Ninth Workshop on the Economics of Information Security at Harvard University
Src: Money trumps security in smart meter rollouts, experts say | InSecurity Complex - CNET News
QOTD - Cyber-Security & Squirrels
The truth is also that a well-placed squirrel can wreak almost as much havoc as a cyber attack on a power grid. -- Dr. Charles Palmer, Director of the Institute for Advanced Security, IBM
Src: The State of Cybersecurity
QOTD - Lieberman on cyber bad-guys?
Our economic security, our national security, and our public safety are now all at risk as a result of new kinds of enemies, with new kinds of names like cyberwarriors, cyberspies, cyberterrorists, and cybercriminals. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe
QOTD on Passwords & Lemons
Because ordinary users are unlikely to spot the difference between high and low-quality password implementations, password security in websites can be modelled as a lemons market. In applying this model, insecure sites can beat secure sites in the market with lower deployment costs if password security offers no advantage in gaining users.
Src: The password thicket: technical and market failures in human authentication on the web, Ninth Workshop on the Economics of Information Security (WEIS 2010), 7-8 June 2010, Harvard / USA, 2010.
QOTD on Privacy & Internet
We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems. -- Rebecca MacKinnon of Princeton University's Center for Information Technology Policy
Src: Does Averting Cyberwar Mean Giving Up Web Privacy? : NPR
QOTD - Bonnie, Clyde, & Cybercrime
If Bonnie and Clyde were alive today, they'd be quite amused at just how easy it is to make a dishonest buck. Today's criminals have swapped machine guns and getaway cars for viruses, Trojans, rootkits, and other malicious software. Financial fraud as well as identity and intellectual property theft are the crimes of choice. -- Randy George, writing for InformationWeek
Src: 5 Web Security Best Practices For SMBs -- Web Security -- InformationWeek
QOTD - Economics of Targeted Attacks
The cost of non-scalable attacks is such that very few users are targeted. It further suggests a security investment strategy for Internet users: all scaleable [i.e. non-targeted] attacks should be addressed first. Consider the case where Alice’s [a potential victim] email account can be harvested for value $200 by a non-scalable attacker [i.e. a targeted attack]. Alice’s avoidance of harm depends not so much on her security investments, but on the relative worthlessness of other email accounts, from which hers cannot be distinguished. -- Cormac Herley of Microsoft Research, who presented a paper entitled "The Plight of the Targeted Attacker in a World of Scale," at the 2010 Workshop on the Economics of Information Security.
Src: Ninth Workshop on the Economics of Information Security (WEIS 2010) program (PDF)
QOTD on The State of Cybersecurity
As everything on the planet gets more connected, more sensors and more intelligent, everything is getting, well, smarter, some of these things have never been connected to anything before, whether it's transportation systems, water systems, power, oil and gas, and pipelines, and so on. All these things, as they get connected to be more efficient, have to also be focusing on being more secure. Because, now they are facing risks that they have never had before. And to me that is what cybersecurity is all about. It's about scope. -- Dr. Charles Palmer, Director of the Institute for Advanced Security and Chief Technologist of Cybersecurity and Privacy at IBM
Src: The State of Cybersecurity
QOTD on Cyber-Criminals
Criminals tend to be equal opportunity exploiters. By choosing a topic that inspires passion on both sides, they can get innocent surfers to succumb to their political fervor. -- Chester Wisniewski, Sophos
Src: Twitter malware attack targets Israeli blockade
QOTD - McGraw's Advice to Programmers
It is a myth that you have to have source code to exploit vulnerabilities. You (software developers) need to realize that your software is out there, and you are giving your attacker everything they need to exploit it. -- Gary McGraw, CTO of Cigital
Src: MIT Technology Review
QOTD - Schneier on Hiring Hackers
Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.
Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain.
[...]
An employer's goal should be to hire moral and ethical people with the skill set required to do the job.
-- Bruce Schneier, Chief Security Technology Officer of BT Global Services
Src: Weighing the risk of hiring hackers | TechTarget.com
QOTD - Pescatore on Business Priorities
Just as "features and fast to market are more important than security" was baked into the DNA of software companies in the early 1990s, "collect and expose user information" is baked into the DNA of today's generation of companies that sell advertising around other people's data. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 12 No 44
QOTD - ISACA on Social Media & Security
In a newly released paper entitled "Social Media: Business Benefits and Security, Governance and Assurance Perspectives," ISACA provides guidance for companies to address the increasing presence and relevance of social media while balancing the security and privacy implications. Excerpt below:
The use of social media is becoming a dominant force that has far-ranging implications for enterprises and individuals alike. While this emerging communication technology offers great opportunities to interact with customers and business partners in new and exciting ways, there are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks. There are also significant risks and potential opportunity costs for those who think that ignoring this revolution in communication is the appropriate way to avoid the risks it presents. The only viable approach is for each enterprise to engage all relevant stakeholders and to establish a strategy and associated policies that address the pertinent issues.
Src: ISACA Featured Deliverables
QOTD - Pescatore on OS & Security
The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 12 Num 44
QOTD - Adobe & Security
We're in the security spotlight right now. There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight. -- Brad Arkin, Director for Product Security & Privacy at Adobe
Security vendors & researchers agree on one thing: Adobe PDF & Adobe Flash are hacker favorites, with F-Secure reporting that it's used in 61% of attacks (for Jan/Feb 2010) while Kaspersky's recent report gives it 47% (covering Q1 2010).
Src: Adobe: We know we're hackers' favorite target
QOTD - NIST on Continuous Monitoring
NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk‐based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real‐time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Src: NIST FAQ
QOTD on Aurora Attacks
The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)
Note: last emphasis added by me, earlier emphases from original document
The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.
Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.
When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system. -- David Marcus, Security Research and Communications Manager for McAfee
Src: Computer Security Research - McAfee Labs Blog
QOTD - Microsoft tooting its own security horn
When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else. And it’s not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others. -- The Windows Blog
Microsoft apparently wrote the post in response to media reports that Google was planning to drop the Microsoft operating systems from its internal systems. While Microsoft has made progress in securing software, there is no reason to get complacent. There are still too many bugs being found and usually fixed in a timely manner, except for those for which Microsoft waits seven or more years to fix.
After all, when compared to other major software vendors with less-than-stellar track-records, Microsoft does indeed do a better job at making its products more secure. But more secure than the competition doesn't mean secure.
Src: The Windows Blog