'You security guys keep talking and talking about the end of the world. It doesn't seem to come.' -- quote from a "prominent CIO" as reported by Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 12 Issue 16
QOTD - Pescatore on Waledac
Pulling dandelions makes the lawn look better for a while, but you really need regular pre-emergence weed control to make a difference in the long run. -- John Pescatore, VP Gartner, Inc
In reference to Microsoft getting a temporary injunction to shut down 277 domains associated with the Waledac botnet.
Src: SANS NewsBites Vol 12 Issue 16
Labels:
security_solutions
QOTD on InfoSec
The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected.
Src: A special report on managing information: New rules for big data | The Economist
Labels:
management
QOTD - Geer on Evolution
The central tenet of the theory of evolution is that the changes which determine fitness are responses to threats imposed on the organism from the outside, that survival pressure forces change, but that only some changes aid survival. The threats are threats because they are new; technically, the appearance of a new survival threat is known as a punctuated equilibrium. All of us in the security field owe our jobs to one of these equilibrium punctuations: the sudden exposure of all computers to widely interconnected networks (the near simultaneous arrival of the first browser and the first network stack in Windows).
[...]
The equilibrium punctuation, the paradigm shift that is already here, is that data is now king. Yes, Moore’s Law still holds – every eighteen months a dollar buys twice what it did before – but a dollar buys twice as much storage about every twelve months and back in the lab they are doubling bandwidth about every nine. Every decade, that is two orders of magnitude for computing, three for storage, and four for bandwidth. The future of computing is, thus, all about data in motion. Data’s value and risk overtook the value and risk of networks and infrastructure; data punctuated the equilibrium of security management. To retain the former paradigm is to fail to evolve, and failing to evolve is a dead end. -- Dan Geer, Chief Scientist Emeritus at Verdasys
Note: emphasis is mine.
Please, go read the whole article, it is well worth it!
Src: The Enterprise Information Protection Paradigm | TMCNet.com
QOTD on Cyber Attacks
A cyberattack would be like being bled to death and not noticing it and that's kind of what's happening now. -- James Lewis, senior fellow at the nonprofit Center for Strategic and International Studies (CSIS)
Src: Experts warn of catastrophe from cyberattacks | InSecurity Complex - CNET News
Labels:
e-spy
QOTD - Blair on E-spy
Mr. Dennis C. Blair, Director of US National Intelligence, speaking at the Alfred M. Landon Lecture Series on Public Issues, Kansas State University, Manhattan, Kansas:
One of the major growth areas of the business of gathering intelligence is penetrating foreign networks, and bringing information to our analysts to write their reports. In this area, I can’t give you many specific examples, since they’re classified. But it’s not difficult to imagine the value of being able to read the e-mails of some foreigner involved in a plot against the United States.
Earlier, Mr. Blair also said:
Increasingly, the information we want to see – in order to find out what others are thinking and doing – is stored and shared in their networks. So that’s where we go to get it. Foreign governments communicate on networks [...] Organizations in which we’re interested store their records electronically, not in file cabinets.
Src: 20100222_speech.pdf (PDF) from DNI.gov
Labels:
e-spy,
government
QOTD on Eyes Wide Open
Enterprises contemplating using advertising supported IT like free mail and social networking services need to go in with their eyes wide open - the real customers are the advertisers, not the users of the services. -- John Pescatore, VP Gartner Inc
Src: SANS NewsBites Vol 12 Num 13
Labels:
cloud
QOTD on Cyberwar
But what many have failed to realize is that cyberwar is already here and the battle is already being waged. At the frontlines are corporate assets: intellectual property, research, schematics, sensitive proprietary data, and confidential customer and employee information.
Src: Cisco/ScanSafe 2009 Annual Global Threat Report (PDF)
Labels:
cyberwar
QOTD on Cyberwar
It [cyber warfare] is a cheaper, less risky form of spying. Consider the risks and costs of training spies and getting them placed in positions in which they are able to steal information versus social engineering, breaking into systems, and/or installing malware in systems while the perpetrator works from home. The risks-rewards ratio of the latter is much more favorable. -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 12 Num 12
Labels:
cyberwar
QOTD on Malware
Modern malware is merely a tool – and only one of many – used by cybercriminals to carry out their attacks. To approach today’s security challenges as a malware problem is to completely miss the bigger picture – it is a criminally run sophisticated e-business network intent on gathering intellectual and corporate assets. It is not simply a malware problem per se; it is a large scale cyber-espionage assault and all countries are being adversely impacted.
Src: Cisco/ScanSafe 2009 Annual Global Threat Report (PDF)
Labels:
cyberwar,
malware/exploits/vulns
QOTD by Skoudis
Unencrypted data should be the exception, not the rule. -- Ed Skoudis, co-founder of Inguardians & SANS lead instructor
Src: SANS NewsBites Vol 12 Num 12
Labels:
security_solutions
QOTD by Mandiant
There are thousands of companies compromised. Actively, right now. -- Kevin Mandia, CEO and president of Mandiant
Note: the Mandiant report ("M-Trends") is worth reading, even if one has to fill out a form to get access to it.
Src: Report Details Hacks Targeting Google, Others | Threat Level | Wired.com
Labels:
cyberwar
QOTD - Pescatore on Attacks
Everything connected to the Internet is under constant attack, just as every house is under constant attack by storms, termites, burglars, etc. -- John Pescatore, VP at Gartner Inc.
Src: SANS NewsBites Vol 12 Num 9
Labels:
malware/exploits/vulns
Gartner Analyst: "Are These Banks Asleep at the Wheel?"
Avivah Litan, Vice President of Research at Gartner Inc and distinguished analyst, was recently interviewed by Linda McGlasson of the Information Security Media Group to discuss fraud trends in banking. What follows are excerpts from the transcript available on BankInfoSecurity.com's web site.
criminals are now focused on cross-channel fraud [...] they are getting better at figuring out how to call call-center operators and get their way through accounts using information that they gather on the internet to commit different kinds of fraud
As smaller local and regional banks are currently lagging behind in terms of fraud detection capability, Litan warns that failure to act now will likely result in government introducing new legislation or regulation.
[...]
they've been studying these bank websites, and they probably know more about how particular bank security works than many people at the bank themselves [...] They know how many seconds it takes for them to prompt users for authentication credential. So they've just gotten really good, some of them, at knowing how to penetrate bank security by studying them, copying them and figuring out how to socially engineer their customers to get through any of the security controls that are there.
[...]
The bottom line is all these factors [single factor, two-factor authentication] are going through the user's browser, and nothing is safe going through the user's browser because the new malware is now sitting inside that browser and is acting on behalf of the user. So you can put a biometric on your PC, you can put smart card, it doesn't matter. As long as it is going through the browser, the crooks have figured out how to beat it.
[...]
most banks are relying on cookies on customers' PC's to know it's a good customer. That reliance needs to end ...
Note: emphasis is mine.
Src: Analyst: "Are These Banks Asleep at the Wheel?" | BankInfoSecurity.com
Labels:
financial_data,
malware/exploits/vulns
QOTD - Security vs Reality
Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology. -- Khalid Kark, VP & Principal Analyst at Forrester Research Inc
Src: CISOs take measured steps to reduce social media risks
Labels:
management,
security_solutions
QOTD on Cyber Threats
We often find persistent, unauthorized, and at times, unattributable presences on exploited networks, the hallmark of an unknown adversary intending to do far more than merely demonstrate skill or mock a vulnerability. -- Dennis C. Blair, Director of US National Intelligence
Src: Google attacks 'wake-up call' - US intel chief | AFP
Labels:
cyberwar
QOTD - Stiennon on Reality
Reality has a way of imposing itself regardless of theories. It is best to have a firm grip on reality before setting national policy or investing in technology. -- Richard Stiennon, founder of IT-Harvest, an independent analyst firm.
Src: ThreatChaos Security Blog | ThreatChaos
Labels:
people
QOTD - APTs as the new norm
Security researchers have been saying for years now that attackers are using zero days as a matter of course. They buy and sell exploits for vulnerabilities that Microsoft, Adobe, Oracle and other software makers have never heard of, use them until they're burned and then move on to the next one. And it's not just intelligence agencies or state-sponsored groups who operate on this level; it's simply the way things work now. One researcher called the use of zero days a 'baseline.'
...
What the Aurora attack is, however, is the public face of a threat that has been hidden from most people's view for far too long. It's the common, albeit cleverly targeted, attack that is going on every day on networks around the world.
It's the new normal. -- Dennis Fisher, writing for Threatpost
Src: Google Attack Was Tip of the Iceberg | Threatpost
Labels:
cyberwar,
malware/exploits/vulns
QOTD - Stiennon on Controls
No matter how smart you are you cannot impose controls on something you do not control. -- Richard Stiennon, founder of IT-Harvest, an independent analyst firm
Src: ThreatChaos Security Blog | ThreatChaos
Labels:
management
QOTD - Schmidt on Security
There are no absolutes. We will never have 100 percent security and still have an open society. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov
QOTD on Cyber Threats
Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey. -- Dennis C. Blair, Director of US National Intelligence
Src: U.S. 'Severely Threatened' By Cyber Attacks -- InformationWeek
Labels:
cyberwar,
government
QOTD on Privacy vs Security
I've said for a long time privacy and security are two sides of the same coin. Very clearly, without security, we have no privacy. Data protection is key to the things we're going to do. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Privacy not taking back seat to security, cyberchief says | Federal News Radio 1500 AM
Labels:
privacy
QOTD on Free Speech
At some point people who care about free speech will realise that free speech has to be funded, otherwise it's not free. -- Paul Lashmar, investigative journalist
Src: BBC News - WikiLeaks whistleblower site in temporary shutdown
Labels:
newsmedia
QOTD on The Cloud
I’m a big proponent of moving things to the cloud, but doing it right. -- Howard Schmidt, White House Cybersecurity Coordinator
Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov
Labels:
web2.0
QOTD on OS Security
The most secure [operating] system is the one that you know how to secure. -- Carole Fennelly, director of content and documentation at Tenable Network Security
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News
Labels:
people,
security_solutions
QOTD on Social Engineering
Graham Cluley, senior technology consultant at Sophos, sheds light on the debate about PC vs Mac security:
They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News
Labels:
people,
security_solutions