QOTD on Online Privacy

Tiny pieces of disparate data are being mashed together to create a digital profile of you in detail you never thought imaginable. Whether you stay up late at night or have ever complained about a company could affect your employability. Whether you have expensive spending habits may affect if someone will invest in your company or date you.
-- Michael Fertik, ReputationDefender

Src: Technology and society: Virtually insecure | FT.com

QOTD on Governance

In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off. Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'
-- Alex Eckelberry, General Manager of GFI

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD on a New IT Reality

It's a reality most people charged with safeguarding IT systems recognize but don't like: Their systems will be breached. And, it's a fact of life that information security professionals must deal with.

Src: Living with IT Security Breaches | BankInfoSecurity.com

QOTD on Attacks

[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in.
Hence the need to train employees to think before they click, since traditional security controls alone may not be sufficient to protect users from all online threats. As Alex puts it,
If it is a targeted attack, that is going to be problematic. The vast majority of malware is customized every day, and so signature-based solutions are of limited use.
-- Alex Hutton, principal on research and intelligence for the Verizon Business RISK team

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD - The Internet Never Forgets

The fact that the Internet never seems to forget is threatening, at an almost existential level, our ability to control our identities; to preserve the option of reinventing ourselves and starting anew; to overcome our checkered pasts.
-- Jeffrey Rosen, a law professor at George Washington University

Src: The Web Means the End of Forgetting - NYTimes.com
A lot of people will buy one [security] product and expect it to do everything -- and it doesn't. In the past, you could rely on your AV product to catch everything, but it can't anymore. 
-- Alex Eckelberry, General Manager of GFI

Src: Avoiding Accidental Data Leaks In Small Businesses - breaches/Security - DarkReading

QOTD on SAS-70

Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is.
-- Jay Heiser, Research Vice President at Gartner, Inc

Src: SAS 70 is not proof of security, continuity or privacy compliance: Gartner

QOTD - Dan Geer, from 2006

When attackers assume little if any risk to make an attack, they will attack with abandon. When attackers can use automation, they will attack with vigor. When attackers’ fundamental operational costs are a mere fraction of defenders’ fundamental operational costs, the attackers can win the arms race. When attackers can mount assaults without warning signs, defenders must always be on high alert. All of these things can be obtained in the digital arena, and when that happens, the only strategy is worst-case preemption. This is true in the world of terrorism but truer yet in the digital world.
-- Dan Geer, then VP and Chief Scientist of Verdasys, now Chief Information Security Officer for In-Q-Tel

Src: Playing for Keeps, ACM Queue Vol 4, No 9

QOTD - Pescatore on Privacy Violations

Dealing with the impact of getting caught surreptitiously violating customer privacy, costly. Avoiding violating your customers' privacy, priceless.
-- John Pescatore, VP at Gartner, Inc.

Src: SANS NewsBites Vol 12 No 55

QOTD on Social Networks

Anyone who visits a social networking site should know that it's a business model. The service is not free. We users pay for it with our private data.
-- Ilse Aigner, Germany's Consumer Minister

Src: German minister calls for Internet 'honour code'

QOTD on Building Secure Code

For decades, we've taught people how to code, but not necessarily how to code securely.
-- Max Rayner, former CTO at Travelzoo, speaking as a panelist at a recent (ISC)2 conference on Software Security

Src: Insecure software: A never-ending saga - Information Security Magazine

QOTD - Northcutt on Deprovisioning

Whenever you terminate someone who has had system access, it is imperative that you make it impossible for that person to come back into your systems. Stories like this offer a strong argument for two factor authentication and I do not mean "What is your pet's name."
-- Stephen Northcutt, President of the SANS Technology Institute

Src: SANS NewsBites Vol 12 Num 54

QOTD on Cyber Defense

A static cyber defense can never win against an agile cyber offense. You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you.
-- Bruce Held, Intelligence Chief for the US Department of Energy

Src: How To Stop Cyberattacks: Diplomacy. Well, Maybe. | Danger Room | Wired.com

QOTD by Intel CISO

The biggest vulnerability we face today and the future is not the thing that the technical security person would think of, like a botnet or technical flaw, but the misperception of risk.
Today, those threat vectors are so subtle, you don't know that something's gotten installed on your computer. Because the incentive for the intruder is to not make you aware of it.
-- Malcolm Harkins, CISO & General Manager of Enterprise Capabilities for Intel Corp

Src: Intel CISO: The biggest security threat today is ... | Security - IT Management