QOTD on Stuxnet

The Stuxnet worm is a wake up call to governments around the world. It is the first known worm to target industrial control systems and grants hackers unobstructed control of vital public infrastructures like power plants, dams and chemical facilities.
-- Derek Reveron, professor of national security at the U.S. Naval War School in Rhode Island

Src: Stuxnet Cyber Attack on Iran Stirs New Global Awareness | Finance News

QOTD - Distance to Malware

No matter how careful you are, today’s Internet user is usually only two short clicks away from malicious content and an infected computer or network.
-- Charles Renert, Senior Director for Security Research at Websense

Src: Internet Users Are Only Two Clicks Away from Malicious Content

QOTD - Geer on Cyber-Security

Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising.
-- Dr. Dan Geer, CISO of In-Q-Tel, in prepared testimony presented before the U.S. House Subcommittee on Emerging Threats, Cybersecurity, and Science on April 25, 2007.

Src: The Two Most Important Questions in Cybersecurity - The Firewall - the world of security - Forbes

QOTD - Hypponen on Stuxnet

It is rare to see an attack using one zero-day exploit. Stuxnet used not one, not two, but four.
-- Mikko Hypponen, Chief Research Officer at F-Secure

Src: BBC News - Stuxnet worm 'targeted high-value Iranian assets'

QOTD - @EdSkoudis on Security

Just because something is configured 'correctly' doesn't mean that the system is actually secure.
-- Ed Skoudis, co-founder of Inguardians

Src: SANS NewsBites Vol 12 Num 75

QOTD - Pescatore on Malware

Just as we learned years ago in the crypto world that governments and government agencies do *not* have a monopoly on crypto talent, the same is true with malware development. It is a mistake to think that sophisticated malware means government sponsorship -- the talent pool putting together financially motivated targeted attacks for cybercrime has been leading the way for a long time.
-- John Pescatore, Vice President at Gartner Inc.

Src: SANS NewsBites Vol 12 No 74

QOTD on Cyber-Crime & Anonymity

Considering the anonymity of cyberspace, cybercrime may in fact be one of the most dangerous criminal threats ever. A vital component in fighting transnational crime must therefore include the policing of information security and the provision of secure communication channels for police worldwide based on common standards.
-- Ronald K. Noble, INTERPOL Secretary General

Src: DigitalIDNews | INTERPOL: Online ID needed

QOTD - Herzog on Security

If we keep doing what we know doesn't work even "good enough", why keep doing it? It wasn't until we accepted that there are things we can never reliably know that we knew we had better find the limits to that which we did know. So then at least we'd have that going for us. For example we know that we can't reliably determine the impact of a particular vulnerability for everyone in some big database of vulnerabilities because it will always depend on the means of interactions and the functioning controls of the target being attacked.
-- Pete Herzog, managing director of ISECOM

Src: Better Security Through Sacrificing Maidens | InfoSecIsland.com

QOTD - Stiennon's Security Principles
  1. A secure network assumes the host is hostile
  2. A secure host assumes the network is hostile
  3. Secure applications assume the user is hostile

Src: 3 Simple Security Principles | Focus.com

QOTD - Northcutt on CIA

Confidentiality, integrity and availability are always important, but master the skill of knowing which one is most important for a given business, system or file routine.
-- Stephen Northcutt, CEO of SANS Technology Institute

Src: Advice to Security Pros: Learn Chinese

QOTD on Sound Security Investments

Put simply, this means that spending hundreds of thousands of Pounds, Euros or Dollars on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organization as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process.
-- Ray Bryant, CEO of idappcom

Src: The buck stops here: why the CEO is responsible for everything

QOTD - Jaquith on Zero-Trust Model of Information Security

This article, written for ComputerWeekly.com by Forrester Research's Andrew Jaquith, is a must read in its entirety. Here's a snippet to whet your appetite:

Successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all.

Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile.

Some of the important concepts include:
* Thin client: process centrally, present locally
* Thin device: replicated data, with device-kill for insurance
* Protected process: local information processing in a secure "bubble"
* Protected data: documents protect themselves regardless of location
* Eye-in-the-sky: know when important information leaves

Src: Own nothing – control everything: five patterns for securing data on devices you don’t own - 08/09/2010 - Computer Weekly

QOTD on Mobile Security

Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn't mean an attacker can't load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption, and ultimately crack the site -- and the main data store behind it.

It's like having two doors to your bank vault.

Web applications of today are like the highly guarded front door fortified by mature security practices and fully capable of stopping an intruder. Mobile APIs are like the unguarded back door -- offering far easier access to would-be attackers.
-- Pete Soderling, founder of Stratus Security

Src: Technology News: Mobile Tech: The Ultimate Jailbreaker, Part 3

QOTD on Privacy

Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies.
-- Marc Davis, Partner Architect at Microsoft Online Services Division

Src: Microsoft's Davis on Privacy: Your Digital Life Data is Bankable Currency | NetworkWorld.com

QOTD on APTs

If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack.
-- George Kurtz, worldwide CTO for McAfee

Src: Lessons learned from investigating the Google attacks -- Government Computer News