QOTD on Passwords

Fidelity doesn't pay when it comes to passwords – the most important passwords should be changed every three months. -- Dieter Kempf, a member of the presiding committee of Germany's Bitkom industry association
Src: Passwords: The only constant in life - The H Security: News and Features

QOTD - Pity the modern CIO

Pity the modern CIO who is forced to cut costs, upgrade critical infrastructure and somehow support and secure a myriad of consumer devices that have become as common as paperclips and Post-It notes in the workplace. -- David Needle, West Coast bureau chief at InternetNews.com
Src: What IT Doesn't Know Can Hurt Everyone: Study - InternetNews.com

QOTD on Smart-Grid Privacy

We, Siemens, have the technology to record it (energy consumption) every minute, second, microsecond, more or less live.
From that we can infer how many people are in the house, what they do, whether they're upstairs, downstairs, do you have a dog, when do you habitually get up, when did you get up this morning, when do you have a shower: masses of private data.
We think the regulator needs to send a strong signal to say that the data belongs to consumers and consumers alone. We believe that's a blocker to people adopting the technology.
-- Martin Pollock of Siemens Energy
Src: Privacy concerns challenge smart grid rollout

QOTD - NASA CISO on Secure Software

The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. -- Jerry Davis, CISO for NASA
Src: Federal News Radio 1500 AM: NASA launches software assurance program

QOTD on Privacy Engineers

There doesn't yet appear to be such a thing as a privacy engineer; given the relative paucity of models and mechanisms, that's not too surprising. Until we build up the latter, we won't have a sufficient basis for the former. For privacy by design to extend beyond a small circle of advocates and experts and become the state of practice, we'll need both. -- Stuart Shapiro, Principal Information Privacy and Security Engineer at The MITRE Corporation
Src: Privacy By Design: Moving From Art to Practice | June 2010 | Communications of the ACM

QOTD on PII & De-Identification

Just as medieval alchemists were convinced a (mythical) philosopher’s stone can transmute lead into gold, today’s privacy practitioners believe that records containing sensitive individual data can be “de-identified” by removing or modifying PII [Personally Identifiable Information]. -- Narayanan, A. and Prof. Shmatikov, V.
Src: Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of "personally identifiable information". Commun. ACM 53, 6 (Jun. 2010), 24-26. DOI= http://doi.acm.org/10.1145/1743546.1743558
Direct link to PDF document

QOTD - EU Justice Commissioner on Privacy Laws

We need to find ways to empower web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. -- Viviane Reding, EU Justice Commissioner
Src: EU Data-Protection Laws Need Revamping for Internet Privacy, Reding Says - Bloomberg

QOTD - Salem on the Right Security Focus

The device is not important. The device will change. Who are the people and what is the information we need to protect? -- Enrique Salem, Symantec President and CEO
Src: Cybersecurity Czar: Remember, End Users Are No Security Experts - Security - IT Channel News by CRN

QOTD - Pescatore on the State of Security in 2010

Ninety percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch, or uses of technology in which we made the decision to deploy without putting security controls on it. Less than 1% are zero-day attacks; the other 99% are exploited configurations and unpatched machines that the simplest vulnerability scan would've found.
The bottom line is the attack surface for threats is going up. There are more moving parts in the way we're consuming and delivering IT. ... There's all the opportunity for a bot to take hold. -- John Pescatore, vice president and research fellow at Gartner Research
Src: Gartner: Enterprises must learn to detect botnet threats

QOTD on Your Facebook Data

The gargantuan amount of high-quality user data on Facebook is causing everyone--from marketers to hackers--to salivate like dogs gazing at a steak. They all want a piece of you. -- Narasu Rebbapragada writing for PC World
Src: What Is Your Facebook Data Worth?

QOTD - Ashcroft on Cybersecurity

The protection of our enterprises and the protection of our country both are too important to reserve exclusively to law enforcement or information professionals alone the duty of protection,
The truth of the matter is access is a balancing act that must be at the proper level for appropriate users. And the access meter needs to read 'impossible' for all others. -- John Ashcroft, former US Attorney General
Src: Ashcroft: Cybersecurity Takes a Village - www.esecurityplanet.com

QOTD - Avivah Litan on Cognitive Passwords

Banks and other companies who rely on knowledge based authentication – the process that asks users ’secret’ questions that only the legitimate can presumably answer – are in a quandry because fraudsters are answering those questions successfully all too many times.
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual. -- Avivah Litan, VP Gartner Research
As Avivah explains, it turns out that the crooks are getting the information straight from the data aggregators by spear-phishing their employees.

Src: Avivah Litan — A Member of the Gartner Blog Network

QOTD - PwC on Security Awareness Training

The main objective of any awareness raising approach is that it leads people to demonstrate ‘new’ behaviours. To do this it must answer the question ‘what’s in it for me?’. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.
Src: PwC Report "Security awareness: Turning your people into your first line of defence" (PDF)

Also see: Invest in making employees more alert to security risks, says PricewaterhouseCoopers Human Resources - News | HR News | HR Magazine | hrmagazine.co.uk

QOTD on Cyber Insecurity

Cyber-terrorists have turned Internet technology into a weapon capable of unimaginable destruction. The result is that everyone is a target. -- Josh Zachry, associate director of research operations at the Institute for Cyber Security at the University of Texas at San Antonio
Src: Cyber espionage threatens global security (part 2) | Troy Media Corporation

QOTD - Liberman on those dangerous electronic pipelines

The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe

QOTD on SmartGrid: Money Trumps Security

From a hardware perspective, cell phones today are more secure than many of the smart meters in deployment
Those meters, however, may be used as attack vectors into the spheres of power distribution and generation, as well as into customer databases at the utilities. They deserve nothing less than the best hardware protection available. -- Karsten Nohl, a security researcher based in Germany presenting at the the Ninth Workshop on the Economics of Information Security at Harvard University
Src: Money trumps security in smart meter rollouts, experts say | InSecurity Complex - CNET News

QOTD - Cyber-Security & Squirrels

The truth is also that a well-placed squirrel can wreak almost as much havoc as a cyber attack on a power grid. -- Dr. Charles Palmer, Director of the Institute for Advanced Security, IBM

Src: The State of Cybersecurity

QOTD - Lieberman on cyber bad-guys?

Our economic security, our national security, and our public safety are now all at risk as a result of new kinds of enemies, with new kinds of names like cyberwarriors, cyberspies, cyberterrorists, and cybercriminals. -- Joseph Lieberman, independent Senator for Connecticut
Src: Senators tackle Internet security - The Boston Globe

QOTD on Passwords & Lemons

Because ordinary users are unlikely to spot the difference between high and low-quality password implementations, password security in websites can be modelled as a lemons market. In applying this model, insecure sites can beat secure sites in the market with lower deployment costs if password security offers no advantage in gaining users.

Src: The password thicket: technical and market failures in human authentication on the web, Ninth Workshop on the Economics of Information Security (WEIS 2010), 7-8 June 2010, Harvard / USA, 2010.

QOTD on Privacy & Internet

We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems. -- Rebecca MacKinnon of Princeton University's Center for Information Technology Policy
Src: Does Averting Cyberwar Mean Giving Up Web Privacy? : NPR

QOTD - Bonnie, Clyde, & Cybercrime

If Bonnie and Clyde were alive today, they'd be quite amused at just how easy it is to make a dishonest buck. Today's criminals have swapped machine guns and getaway cars for viruses, Trojans, rootkits, and other malicious software. Financial fraud as well as identity and intellectual property theft are the crimes of choice. -- Randy George, writing for InformationWeek
Src: 5 Web Security Best Practices For SMBs -- Web Security -- InformationWeek

QOTD - Economics of Targeted Attacks

The cost of non-scalable attacks is such that very few users are targeted. It further suggests a security investment strategy for Internet users: all scaleable [i.e. non-targeted] attacks should be addressed first. Consider the case where Alice’s [a potential victim] email account can be harvested for value $200 by a non-scalable attacker [i.e. a targeted attack]. Alice’s avoidance of harm depends not so much on her security investments, but on the relative worthlessness of other email accounts, from which hers cannot be distinguished. -- Cormac Herley of Microsoft Research, who presented a paper entitled "The Plight of the Targeted Attacker in a World of Scale," at the 2010 Workshop on the Economics of Information Security.

Src: Ninth Workshop on the Economics of Information Security (WEIS 2010) program (PDF)

QOTD on The State of Cybersecurity

As everything on the planet gets more connected, more sensors and more intelligent, everything is getting, well, smarter, some of these things have never been connected to anything before, whether it's transportation systems, water systems, power, oil and gas, and pipelines, and so on. All these things, as they get connected to be more efficient, have to also be focusing on being more secure. Because, now they are facing risks that they have never had before. And to me that is what cybersecurity is all about. It's about scope. -- Dr. Charles Palmer, Director of the Institute for Advanced Security and Chief Technologist of Cybersecurity and Privacy at IBM
Src: The State of Cybersecurity

QOTD on Cyber-Criminals

Criminals tend to be equal opportunity exploiters. By choosing a topic that inspires passion on both sides, they can get innocent surfers to succumb to their political fervor. -- Chester Wisniewski, Sophos

Src: Twitter malware attack targets Israeli blockade

QOTD - McGraw's Advice to Programmers

It is a myth that you have to have source code to exploit vulnerabilities. You (software developers) need to realize that your software is out there, and you are giving your attacker everything they need to exploit it. -- Gary McGraw, CTO of Cigital
Src: MIT Technology Review

QOTD - Schneier on Hiring Hackers

Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.
Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain.
An employer's goal should be to hire moral and ethical people with the skill set required to do the job.
-- Bruce Schneier, Chief Security Technology Officer of BT Global Services
Src: Weighing the risk of hiring hackers | TechTarget.com

QOTD - Pescatore on Business Priorities

Just as "features and fast to market are more important than security" was baked into the DNA of software companies in the early 1990s, "collect and expose user information" is baked into the DNA of today's generation of companies that sell advertising around other peoples data. -- John Pescatore, VP of Gartner Inc.

Src: SANS NewsBites Vol 12 No 44

QOTD - ISACA on Social Media & Security

In a newly released paper entitled "Social Media: Business Benefits and Security, Governance and Assurance Perspectives," ISACA provides guidance for companies to address the increasing presence and relevance of social media while balancing the security and privacy implications. Excerpt below:
The use of social media is becoming a dominant force that has far-ranging implications for enterprises and individuals alike. While this emerging communication technology offers great opportunities to interact with customers and business partners in new and exciting ways, there are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks. There are also significant risks and potential opportunity costs for those who think that ignoring this revolution in communication is the appropriate way to avoid the risks it presents. The only viable approach is for each enterprise to engage all relevant stakeholders and to establish a strategy and associated policies that address the pertinent issues.
Src: ISACA Featured Deliverables

QOTD - Pescatore on OS & Security

The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 12 Num 44

QOTD - Adobe & Security

We're in the security spotlight right now. There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight. -- Brad Arkin, Director for Product Security & Privacy at Adobe
Security vendors & researchers agree on one thing: Adobe PDF & Adobe Flash are hacker favorites with F-Secure reporting that it's used in 61% of attacks (for Jan/Feb 2010) while Kaspersky's recent report gives it 47% (covering Q1 2010).

Src: Adobe: We know we're hackers' favorite target

QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk‐based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real‐time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)

QOTD on Aurora Attacks

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.
Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.
When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system. -- David Marcus, Security Research and Communications Manager for McAfee
Note: last emphasis added by me, earlier emphases from original document

Src: Computer Security Research - McAfee Labs Blog

QOTD - Microsoft tooting its own security horn

When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else. And it’s not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others. -- The Windows Blog
Microsoft apparently wrote the post in response to media reports that Google was planning to drop the Microsoft operating systems from its internal systems. While Microsoft has made progress in securing software, there is no reason to get complacent. There are still too many bugs being found and usually fixed in a timely manner, except for those for which Microsoft waits seven or more years to fix.

After all, when compared to other major software vendors with less-than-stellar track-records, Microsoft does indeed do a better job at making its products more secure. But more secure than the competition doesn't mean secure.

Src: The Windows Blog