QOTD - Spafford on Infosec as a Profession

The real value, chance for advancement and chance to make a difference is in treating this really as a profession [...] It's very similar to what one might encounter in becoming a doctor, lawyer or college professor, where you have to devote yourself to life-long education and development and continuing to hone your skills. Part of being a professional is to actually continue to improve in what you're doing, rather than treating it simply as a job [...] I think it's time to also make the distinction between having a job and being part of a profession. Training will get you a job. Education - especially ongoing education - is part of being a professional and that's where I think the future really lies for many people in this field.
-- Professor Eugene H. Spafford, Executive Director, CERIAS at Purdue University

Note: emphasis is mine.

Src: Infosec Careers: The New Demands (see page 3 for actual quote)

QOTD on Mobile Phones & Security

The forthcoming ubiquity of near-field communication payment technology in smartphones is especially worrisome.

Two-factor authentication originally emerged because people couldn't trust computers. Using mobile phones as an identity factor defeats two-factor authentication.
-- Marc Maiffret, CTO of eEye Digital Security

Note: emphasis is mine

Src: Analysis: the future of malware | Computerworld New Zealand

QOTD - Social Networks and You

When people make trust decisions with social networks, they don't always understand the ramifications. Today, you are far more knowable by someone who doesn't know you than ever before in the past.
-- Dr. Hugh Thompson, program chair of RSA Conferences.

QOTD on Theories and Models

As the field of information security matures, naturally, more attention and work is being done to establish theories and models that could one day be used to predict or detect behaviors or incidents. The quote below, from Emmanuel Derman's book "Models.Behaving.Badly" isn't about information security but about finance; however, I believe the lesson is equally applicable to our field.
The similarity of physics and finance lies more in their syntax than their semantics. In physics you’re playing against God, and He doesn’t change His laws very often. In finance you’re playing against God’s creatures, agents who value assets based on their ephemeral opinions. The truth therefore is that there is no grand unified theory of everything in finance. There are only models of specific things.

Src: Models.Behaving.Badly | Not Even Wrong Blog
(Hat tip to @oneraindrop for mentioning this blog post)

QOTD - Cyber Spies Are Winning

Business leaders are waking up to the new reality that cyber adversaries, from hacktivists to nation-state adversaries, can gain almost unlimited access to their networks. Corporate boards are now demanding answers from befuddled Chief Information Security Officers who frequently only have their compliance lists instead of real solutions to counter the threat.

The reality is we have all collectively been too complacent in the face of a determined adversary for too long. We have let our technology stagnate for a decade using reactive defenses developed in the 20th century against a 21st century threat that produces over 70,000 new attacks every day. All the while there is a constant, methodical, silent, systemic hoovering of our nation’s secrets and our corporations’ intellectual property, eroding our ability to compete against emerging economies. The intellectual wealth of our nation is being stolen out from underneath us, hastening the flattening of the world faster than even Thomas Friedman predicted. For the nation that invented the Internet and built billion dollar businesses like Google and Facebook, it’s time to re-invent security for the digital economy.
-- Anup Ghosh, founder and CEO of Invincea

Src: Cyber Spies Are Winning: Time To Reinvent Online Security - Forbes

QOTD on A New Security Reality
Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.
-- Websense Security Labs Blog

Src: 2012 Cyber Security Predictions from the Websense Security Labs - Security Labs

QOTD on Social Engineering

The most advanced criminals are going to ride the waves of personal devices, personal social media use, and personal web activities of employees to create more advanced, social engineering attacks to get in. Many of the business and government attacks in the coming year won’t necessarily be about how complex the code is, but how well they can convincingly lure unsuspecting victims to click.
-- Dan Hubbard, Websense CTO

QOTD - RSA's Schwartz on Cyber Security

The human is the new security perimeter. You can spend a fortune on technologies, but attackers will send one email to one of your employees and you'll be done.
You're only one click away from compromise.
-- Eddie Schwartz, CSO at RSA

Src: Cyber attacks: resistance is futile | Sydney Morning Herald

QOTD on Compromise

You should just assume every device someone has is compromised and adjust for that.
-- Chip Tsantes, principal at Ernst & Young

Src: Cyber Attacks Increasingly Focused at Individual Users: Ernst & Young - Insurance & Technology

QOTD - FBI on Cyber Espionage

This is definitely the golden age of cyber espionage. Foreign states are stealing data left and right from private-sector companies, nonprofit organizations and government agencies.
-- Steven Chabinsky, deputy assistant director of the FBI’s cyber division

Src: U.S. cyber espionage report names China and Russia as main culprits - The Washington Post

QOTD on Data Leaks

Everybody has data leakage; it's just a matter of when you find it.
-- Chip Tsantes, principal at Ernst & Young

Src: Cyber Attacks More Frequent and Harder to Detect - Bank Systems & Technology

QOTD - Spafford on Infosec Training

The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken.

Src: Could more policies help curb cyber attacks on federal agencies? -- Federal Computer Week

QOTD - E&Y on the human perimeter

The human being is now the perimeter, not the systems.

QOTD on the Need for a Secure OS

What we need is a secure operating system. That's the problem, if we're going to have any chance of winning this battle, because we're desperately losing it now. It's not even close. We gave up some time ago on building a secure OS. We don't have one. If there's any game changer that would move us in the direction of fighting back, it's to reinvigorate the efforts of the '80s and '90s with a trusted operating system.
-- Robert Bigman, chief of the information assurance group at the CIA

QOTD - PwC on APTs

The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event.
The report goes on to say:
In the few short months since this survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system.
Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well.
Src: Global state of information security 2012: PwC

QOTD - If I was a CSO – By a “Hacker”
Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either by-pass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team morale instead, better use of the money. Your security is rarely better from these products. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious?
Note: emphasis is mine

Src: If I was a CSO – By a “Hacker” | CSO

QOTD - RSA's Coviello on Security

Intelligence about your potential attackers and most valuable assets shows you where to focus your efforts, such as what systems to protect and what users to closely monitor.
-- Art Coviello, executive chairman of RSA

Note: is it just me, or does this ring similar to Sun Tzu's Art of War ('know thyself and know thy enemy')?

QOTD - Raytheon's Cyberchief on Attacks

You will be attacked. You will be exploited. It's not a matter of whether something will get in your system, but more how long you will continue to have them in your system.
-- Vincent Blake, head of cyber security at Raytheon U.K.

Src: Raytheon's Cyberchief Describes 'Come to Jesus' Moment | PCWorld Business Center

QOTD - IBM on the new security reality

Phishing, spear phishing, APTs and targeted network attacks seem here to stay for the foreseeable future.
[...]
...we are witnessing a paradigm shift and an unprecedented assault on the fabric of trust
Src: IBM Security X-Force 2011 Mid-year Trend and Risk Report

QOTD - Corman on Security Vendors

Vendors pluck out figures that support their sales pitch. They use statistics like a drunk uses lampposts – more for support than illumination.
-- Joshua Corman, director of security intelligence at Akamai

Src: Infosec 'needs warrior cryptoboffins' to beat hackers

QOTD - IBM on Data Breaches

Each new breach reinforces the awareness that basic network security is not just a technical problem, but rather a complex business challenge where risk exposure, communication, end-user education, and technology must be considered in a delicate balance.
Src: IBM Security X-Force 2011 Mid-year Trend and Risk Report

QOTD on 2011 as the Year of the Breach

An explosion of breaches has opened 2011 with continuing, near daily new reports, marking this year as “The Year of the Security Breach.” These breaches have been notable not just for their frequency, but for the presumed operational competency of many of the victims. The environment is changing: the boundaries of business infrastructure are being extended – and sometimes obliterated – by the emergence of cloud, mobility, social business, big data and more, while the attacks are getting more and more sophisticated, often showing evidence of extensive pre-operation intelligence collection and careful, patient, long term planning. The repercussions of these attacks are large enough to move security discussions out of technical circles and into the board room.
I have to say that I fully agree with this statement and welcome the boost in visibility (acknowledging an obvious bias on my part given my chosen area of specialty). The world is changing, under our very feet and, as a global society, we need to pay attention to these changes and take charge of the information security risks.

Note: emphasis is mine

QOTD on the Value of Information Security

For any significantly sized company, information security is a critical business function because information management is a critical business function.
-- Eric Cowperthwaite, CSO at Providence Health and Services

Src: Are you an IT security leader - really? - CSO Online - Security and Risk

QOTD - Perspectives on Security

While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue. Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small portion (3% to 4%) of their budget into security. If something is only taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.
-- Alan Shimel, co-founder of The CISO Group

Src: Open Source Fact and Fiction: An Open Letter To The Information Security Industry: We Live In Amazing Times

QOTD on the Commoditization of Malware

The malware lifecycle has sped up dramatically. The 'time to market' difference between £1,000-plus innovative malware and £15 ready-to-run kit is now months, rather than years. Combine this with poor patching remaining prevalent in businesses of all sizes, and you have a lethal cocktail.

This means that any would-be hacker can cause thousands of pounds worth of damage with very little outlay or technical know-how. Using the same advanced tactics as big-time hackers, lower-level cyber criminals focus on stealing data or private information. Their methods are increasingly diverse and technically advanced, and this is one of the reasons APTs can be so damaging to small- and medium-sized businesses alike.

Four days after the Aurora hack on Google last January, the code used was available worldwide. Within 18 months, there had been 5,800 attacks using it. As time goes on, far from the code losing its potency, more people get hold of it.
-- Spencer Parker, Group Product Manager, Websense

Note: this is written by an information security vendor; however, there is value in the statements to raise awareness of the threats and how quickly research & development efforts get transferred from leading-edge malware to run-of-the-mill tools.

Src: The trickle-down effects of advanced persistent threats - SC Magazine UK

QOTD - Schwartz on APTs

The new fact of life is a 'state' of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn't mean that we as a collective of security professionals are powerless against our adversaries – we can and should be able to manage our risk to an acceptable level and change the ongoing and grim trends.
-- Eddie Schwartz, Chief Security Officer of RSA, The Security Division of EMC

Src: Cyber Security Leaders Rally to Combat Advanced Persistent Threats

QOTD on Security vs Business

Security is a layer that needs to be there, it needs to be stringent, and it needs to be adhered to, but it cannot be an obstacle in providing information.
-- Mike Gleason, Director of Information Services at Scottsdale Healthcare

Src: HIPAA at 15: HITECH Tightens Health Care Data Privacy Laws - Health Care IT - News & Reviews - eWeek.com

QOTD - ASIO DG on e-Spying Threat

The Internet and increased connectivity have expanded infinitely the opportunities for the covert acquisition of information by state-sponsored and non-state sponsored actors.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Australian Security Intelligence Organisation - Transcript of remarks by ASIO head on July 5, 2011

QOTD on SSL & Trust

If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?
-- Moxie Marlinspike, co-founder and CTO of Whisper Systems

Src: Black Hat Researcher Releases Tool to Bypass SSL Certificate Authorities (see page 2) | eWeek.com

QOTD - ASIO DG on e-Spying Threat

Cyber espionage has emerged as a serious and widespread concern and one that will continue to gain prominence due to the ongoing digitisation of data and increasing reliance on technology in commercial, governmental and military business.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Royal United Services Institute of Australia - Transcript of remarks by ASIO head

QOTD - US DoD on Threat to Intellectual Property

While the threat to intellectual property is often less visible than the threat to critical infrastructure, it may be the most pervasive cyber threat today. Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.
Src: US Department of Defense Strategy for Operating in Cyberspace

QOTD on Securing Customer Data

Security is not a 6 month or 12 month initiative – it’s part of innovation and the ongoing evolution of commerce. As fast as you invent a lock, there is a criminal finding a way to pick it.

Bottom line: Protecting customer data is the right thing to do. It will save you money, it will make you money, and it will engender trust with consumers so that they will want to transact with you more.
-- Sean Cook, CEO of ShopVisible

QOTD - Mogull on Social Engineering

People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation. Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking.
-- Rich Mogull, research director for information security and risk at Gartner (in 2004), now Analyst & CEO at Securosis.

Src: Old scams pose the 'greatest security risk' - CNET News

The State of Malware in 2011

One of the most challenging aspects of information security is the need to stay up-to-date about the threats. This post from Symantec details the level of sophistication displayed by a current crop of malware, in this case an entire malware distribution network whose purpose is to infect machines (burying itself deep in the OS), harvest credentials, and also divert the machine's CPU cycles to solving a mathematical problem ("bitcoin mining").

Src: Introducing Trojan.Badlib: A Malware Distribution Network | Symantec Connect Community

Nasdaq-OMX CEO on Cyber Attacks

As we sit here, there are people trying to slam into our system every day. So we have to be ever-vigilant against an ever-changing foe.
[...]
We recognize that we're under constant attack and by that I mean literally constant attack.
-- Robert Greifeld, CEO of Nasdaq OMX Group

Src: Nasdaq spends to fend off `constant' hack attacks - Chicagotribune.com

QOTD - Litan on Online Bank Fraud

The law hasn't kept up, the regulators haven't kept up, and you're going to get a different opinion from every judge.
[...]
In the end, businesses are guilty until proven innocent.
-- Avivah Litan, VP & Distinguished Analyst at Gartner Research

Src: Who Bears Online Fraud Burden: Bank or Business? -- InformationWeek

QOTD on Cyber Attacks

Nowhere is the need to act today rather than tomorrow more evident than in this area. A well orchestrated cyber attack can turn off the power in your house, your city, your country. It can shut down air traffic control. It can shut down banks. In short, a cyber attack can bring a country down without a single soldier having to cross its borders.

This is not science fiction. It is the real world.
-- Anders Fogh Rasmussen, NATO Secretary General

Note: emphasis is mine.

Src: Meeting Future Challenges Together - Speech at the Bucharest University | Facebook

QOTD on Attack Surface & Risk

The attack surface of a target is not influenced by changes in the operating environment, attack tactics, attacker strategy, or attacker operational capability. These things will change the risk of whether or not something may be attacked and the impact of that attack but the attack surface has been there the whole time as the same thing as always. In our work [OSSTMM], the attack surface is the quantity of points of interactions with a target (or asset). These include interactions necessary for operations. The only means of changing the attack surface is by adding or removing controls over the interactions, changing the quantity of points of interactions, or by changing the scope to include previously unknown targets.

Many things will influence attacker motives, capabilities, and style but that only represents what they do and not the surface of what they can attack. So if you clone a military base it has the same attack surface at home and in a war zone or on the moon and the Earth. What is different is risk and not what can be attacked. The points of interaction remain the same. That's the nice thing about measuring an attack surface - it's pretty static in terms of the things you can't control so it's in your power to address the operations you want and the interactions you don't want. So that means while you can be pretty sure that any change in environment, tactical ability, or motives will bring about changes in risk to the point where it seems to benefit whoever responds to it first (attacker or defender) the attack surface will stay the same.
-- Pete Herzog, Managing Director, ISECOM - Institute for Security and Open Methodologies

Src: Security Metrics mailing list. Posted with the permission of the author

QOTD on Adequate Security Spending

Not everyone needs to spend to defend against the upper echelon of threat agents. Everyone needs to spend to defend against the lowest echelon.
-- Wade Baker, Director, Research & Intelligence at Verizon Business

Src: Security Metrics mailing list. Posted with permission of the author.

QOTD - FBI on the State of Cyber-Crime

We are facing a very innovative crime, and innovation has to be the response.
[...]
Given enough money, time and resources, an adversary will be able to access any system. Companies need to understand that.
-- Gordon Snow, Assistant Director of the FBI's Cyber Division

Src: Cyber cops stymied by anonymous hackers

QOTD - Google's Eric Schmidt on Living in the Information Age

In 100 years, we've gone from the average person having access to almost no information to the average person in the world having access to all the world's information.
-- Eric Schmidt, Google Executive Chairman

Note: Quote can be found around minute 4:40 of the video

Src: Google’s Eric Schmidt talks Microsoft, recommends Macs | WinRumors

QOTD on PSN Breach

Adding a CISO after the fact is like hiring a bodyguard after you've been fatally wounded. It creates an impression that there's a lack of accountability.
-- Kevin Kosh, partner at Chen PR

Src: Sony Chief Stringer Blindsided by Hackers Seeking Revenge | Page 2 of 2

QOTD for IT Departments

When deny-by-default is the policy, the response to any request that leads to someone outside of IT using technology to innovate is, "Here's why you can't." In the new IT, the response has to be, "Here's how you can."
-- Bob Lewis, writing for Infoworld

QOTD on Stop, Think, Connect

People online need to check their brains at the keyboard. They use their heads when they drive so they drive safely. So they need to think when they're online. They need to stop before they're about to do something online, think about what it is they're about to do, and then connect, and do so in a safe way. It's sad for those of us in the information technology industry and people who have been cybersecurity geeks for 15 years, but nobody actually buys a computer to have computer security. They buy a computer to do things. That's the whole purpose of having a computer. That's why they're going to connect. They just need to do so in the right way.
-- Philip Reitinger, Deputy Undersecretary, US Department of Homeland Security

Src: DHS Hears Government Infosec Pros Concerns

QOTD on Security in Business

The most basic fact of business is that there are only three bottom-line priorities: revenue, cost, and risk. No matter what anyone at your company does, in the end it must tie back to making revenue grow, keeping costs under control, or managing risks more effectively.
-- Bob Lewis, writing for Infoworld

Src: How the App Store Reshapes IT's Priorities | PCWorld Business Center

QOTD on the Trusted Insider

You have a lot of folks that…pretty much have the keys to the castle... The enterprise admins have the ability to scour the entire network. That’s a hurdle that everyone has, especially with the move to managed services. You don’t know who the people who are managing your systems are anymore.
-- anonymous security expert at the US Homeland Security Department

Src: Wikileaks insider threat: A lesson for government cybersecurity managers | TechTarget.com

QOTD - Pescatore on Backward Thinking

Security strategies that are based on hoping the mainframe will come back will be bypassed like those little towns that were built 20 miles apart (because that is how far a horse could go in a day) got bypassed when the Interstates were built.
-- John Pescatore, vice president and research fellow at Gartner, Inc

QOTD - Google on Privacy

You should be able to delete information about you that we can control. You should own your data and we should be transparent.
-- Eric Schmidt, Executive Chairman of Google, Inc.

Src: Google Pledges Europe Privacy Controls to Fight ‘Elephant’ Image - Businessweek

QOTD - Obama on Cyberspace & Cybersecurity

Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information.

The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management. Most important of all, this space continues to grow, develop, and promote prosperity, security, and openness as it has since its invention. This is what sets the Internet apart in the international environment, and why it is so important to protect.
-- US President Barack Obama, The White House
[as quoted in the ZDNet article by David Gewirtz]

QOTD on US Int'l Strategy For Cyberspace

Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights.
-- US International Strategy for Cyberspace, White House (US)

Src: International_strategy_for_cyberspace.pdf (in Google Docs viewer)

QOTD on Security Myths

Sandboxing provides a malware-free device, mobile apps are controlled, and there’s no money to steal in mobile apps are all myths that will be proven wrong.
-- Amit Klein, CTO of Trusteer

Note: emphasis is mine.

Src: AusCERT 2011: Mobile banking malware on the rise - Trusteer, mobile malware, banking mobile, AusCERT 2011, Amit Klein - CIO

QOTD on Technology & Security

We don’t have a road network to eliminate accidents; we have it to enable fast travel. Once you want fast travel then you know some accidents are inevitable … Technology goes so fast that we’re using it faster than we can think of the consequences.
-- Professor Fred Piper, Royal Holloway University of London’s Information Security Group.

QOTD on Data & Privacy

We’ve always said that if you can’t protect it, don’t collect it.
-- Marc Rotenberg, executive director of the Electronic Privacy Information Center

Note: emphasis is mine.

Src: Sony Says PlayStation Hacker Got Personal Data - NYTimes.com

QOTD - NSA CIO on Cloud Tech

We can't keep pace with the Googles, and we're not going to out-Apple Apple. But we need to take advantage of what they're doing, and make sure our workforce is exposed to the same technologies.
-- Lonny Anderson, CIO of the US National Security Agency (NSA)

Src: NSA developing cloud technologies - The H Security: News and Features

QOTD on the Business of Malware

Malware is a growing industry. The cliche that this was a couple of kids doing this in their parents’ basement was never true in the first place. Now it’s totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers.
-- Noah Schachtman, nonresident fellow at the Brookings Institution and editor of Wired’s Danger Room

QOTD on Fighting Breaches

The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach.
-- Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation.

QOTD on Cyberwar

Traditional war is more like a bullet to the chest. Cyberwar is like a cancer -- just as dangerous and deadly, but far more torturous over the long term. And like cancer, we've yet to find a cure for cyberwar.
-- David Gewirtz, Editor-in-Chief of the ZATZ magazines, Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, and faculty at UC Berkeley.

QOTD - Some users learn quickly, others...

There is a class of user who cannot be protected from themselves. Many users can learn from the mistakes of others, especially when the material is presented well. For the avid, rabid fan, sometimes the only way they will learn is to get bit a few times.
-- Randy Abrams, Director of Technical Education at ESET

QOTD - FBI Director on Cyber Terrorism

The FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real and is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward coupling physical attacks with cyber attacks.
-- Robert S. Mueller, Director of (US) Federal Bureau of Investigation

Src: Mueller to U.S. Congress: FBI’s focus has shifted - National Law Enforcement | Examiner.com

QOTD on Today's Threats

The nature of the threats has expanded from targeting individual bank accounts to targeting the information and physical infrastructure of nation states.
-- Stephen Trilling, senior VP, Symantec Security Technology & Response

QOTD - Uri Rivner on the RSA Hack

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
[...]
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
[...]
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA

Src: Anatomy of an Attack « Speaking of Security – The RSA Blog and Podcast

QOTD on Current Level of Readiness

Most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network.
-- Ryan Kazanciyan, a principal consultant for Mandiant

QOTD on insiders & outsiders

The distinction between insiders and outsiders is blurring. Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely - just as an insider would.
-- Scott Aken, vice president for cyber operations at SAIC

QOTD on Reverse Engineering

People believe that once you compile human readable 'source' code, that humans can no longer read the resulting binary 'object' code. That is incorrect. Code can easily be decompiled back to (nearly) the original source. In our (Errata Security) pentests, we regularly find embedded usernames and passwords that nobody believes hackers can read. It usually takes us less than 5 minutes.

Note: emphasis is mine.

QOTD on IP as the new target

Cybercriminals understand there is greater value in selling a corporation’s proprietary information and trade secrets, which have little to no protection, making intellectual capital their new currency of choice.

QOTD on Cyber-War

The odds are we'll wait for a catastrophic event, and then overreact.
-- Mike McConnell, former director of National Intelligence (US)

QOTD on the new targets of cyber-crime

Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents. We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected, corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.
-- Simon Hunt, VP and CTO, endpoint security at McAfee

QOTD on Surveillance Society

The surveillance society is inevitable and irresistible.
-- Jeff Jonas, chief scientist of IBM’s Entity Analytics group

Src: If a surveillance society is inevitable, can privacy measures embedded in systems? | ZDNet

QOTD on Borderless Network

We've been working on an assumption that you need different levels of security for the internal network versus the external one, the Internet - the Big Bad World out there. That's been an incorrect assumption for at least ten years.
and earlier,
Start designing everything now to be externalisable.
-- Paul Simmonds, former AstraZeneca CISO, now with the Jericho Forum

Src: The key to security? Blow up the corporate wall - Computer Business Review

QOTD on Social Networks

The faith users put into social networks is providing an enormous universe of opportunity for nefarious actors.
-- Anup Ghosh, Chief Scientist at Invincea

Src: 40% of Social Network Users Attacked by Malware - Techland - TIME.com

QOTD on CIOs

The reality is that most CIOs have no idea what the Hell is on their network, not its provenance, what state it's in, let alone its state of vulnerability.
-- Paul Simmonds, former AstraZeneca CISO, now with the Jericho Forum

Src: The key to security? Blow up the corporate wall - Computer Business Review

QOTD on Custom Malware

Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.
[...]
It's fairly trivial to customize an exploit to bypass 70 percent of the time. I do it all of the time on engagements.
-- Shawn Moyer, managing principal at security services firm Accuvant Labs

Src: Customized, stealthy malware growing pervasive - CSO Online - Security and Risk

QOTD on Botnets & Legacy

Botnets will be with us until the way computing works is fundamentally changed at the lowest level. Right now, we’re dealing with a legacy architecture that was invented back in the '70s. None of this was envisioned, so nobody designed any security into the lowest layers.
-- Joe Stewart, director of Malware Research for Dell SecureWorks

Src: What are Botnets? : Discovery News

QOTD on the State of Security

We've approached security layer by layer. I have one tool for Web access, another tool for network access, another tool for e-mail. And yet I can't answer the basic question: Am I secure?
-- Bill Veghte, EVP of HP's software division

Src: RSA: HP Proposes Holistic Security -- InformationWeek

QOTD on End Users & Security

In the modern organization, end-users are dictating IT priorities by bringing technology to the enterprise rather than the other way around. Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide.
-- Robert Ayoub, global program director - network security for Frost & Sullivan

Src: Latest Technologies Straining Cyber Security Staffs, Study Warns | EON: Enhanced Online News

QOTD - Chess as Warfare

In essence, chess is warfare, as much psychology as strategy. To win, one must understand the mentality of the opponent, hinted at in each new move. One must so thoroughly master the adversary’s weaknesses—an overzealous offence? guarding rather than attacking? a passion for sweeping one end?—that one can anticipate them and use them. Chess is a game of information, false and true, derived from what the opponent “should” do, based on his own past play or that of others, and on what the opponent actually does. Chess has no bloodshed, but the exhilaration of psychological warfare—taking no prisoners in a complete victory—is its attraction.
-- Stewart Gordon

Src: Saudi Aramco World : The Game of Kings
Note: emphasis is mine

QOTD - USDoD on CyberWarfare

First, cyberwarfare is asymmetric. The low cost of computing devices means that U.S. adversaries do not have to build expensive weapons, such as stealth fighters or aircraft carriers, to pose a significant threat to U.S. military capabilities. A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States' global logistics network, steal its operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on target. Knowing this, many militaries are developing offensive capabilities in cyberspace, and more than 100 foreign intelligence organizations are trying to break into U.S. networks. Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.
-- William J. Lynn III, US Deputy Secretary of Defense

Src: Cybersecurity - Defending a New Domain

QOTD on Prudent Security

The best question a managing director can ask is ‘tell me we’re not being complacent.’ You do have to reassess (security measures) from time to time because the risks are changing and your data is changing. Without being paranoid, you just have to be prudent.
-- Dermot Williams, managing director at Threatscape

Src: ANALYSIS: Taking the right response to data breach risk - Ireland’s CIO and strategy news and reports service – Siliconrepublic.com

QOTD - Dave Aitel's Simple AppSec Metric

If you spent more on your GUI than on your security, you don't have a secure application. Start preparing for the PR fallout of your website getting hacked now.
-- Dave Aitel, CTO Immunity, Inc.

Src: [Dailydave] A simple 100% failproof security metric

QOTD on Security Today

You could stop the rest of your IT, and put all of your resources into security for a year and still not be 100pc secure.
-- Owen O’Connor, president of the Irish chapter of the Information Systems Security Association (ISSA)

Src: ANALYSIS: Taking the right response to data breach risk - Ireland’s CIO and strategy news and reports service – Siliconrepublic.com

QOTD - KPMG on Current Security Landscape

Recent information security breaches reflect a worrying trend of very targeted hacking. Hackers have business heads in their sights as it gives them access to the most sensitive information, such as intellectual property and investment plans.
[...]
Information security attacks are a very real threat – they happen daily and just because a business or a business leader was not on a hacker's radar yesterday does not ensure safety today.
-- Paul Hanley, information security director at KPMG

Src: Nasdaq confirms its network was hacked - 07 Feb 2011 - Computing News

QOTD on Facebook & Privacy

The computer -- especially with sites like Facebook -- is now a virtual front door to your house allowing people access to your personal information. You deserve to look through the peep hole and decide who you are letting in.
-- US House Representative Joe Barton (Texas)

Src: Key lawmakers press Facebook on privacy concerns about user phone numbers and addresses [Updated] | Technology | Los Angeles Times

QOTD - Amoroso on Security via Diversity

Serious attacks are not stopped by running an anti-virus program, they are not stopped by having people change passwords, they are not stopped by firewalls, they are stopped by other means…. The first and foremost thing is that diversity is good…. From a network and systems perspective, I get a lot of sleep at night when there is an attack on an IP-based system knowing that it is not going anywhere near our TDM circuit-switched infrastructure; they are just separate. The technologies are different, the systems are different, and they are non-interoperable.
-- Edward Amoroso, Chief Security Officer at AT&T, author of Cyber Attacks: Protecting National Infrastructure

Src: Infosecurity (USA) - Information security practices need to be rethought, says AT&T security chief

QOTD - In Defense of FUD

If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don’t work that way, and we shouldn’t. Fear, uncertainty, and doubt, at reasonable levels, keep us alive, and alert.

I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness, and rethink the challenges we face. And that is healthy.
-- Jack Daniel, Information Security Curmudgeon & Community Development Manager for Astaro

Src: Uncommon Sense Security: In Defense of FUD

QOTD on Big Brother's Little Brother

In the past we only worried about Big Brother governments assembling detailed dossiers about us. Then came what privacy advocates called Little Brother – corporations that collect data from their customers.
-- Don Tapscott and Anthony D. Williams

Src: CTV News | Social media's unexpected threat

QOTD on IT Risks

With insurance actuaries, the data stays the same. In IT security, nothing stays the same.
-- Chris Petch, Senior Research Analyst at the Information Security Forum

Src: Professional workshop: Managing your way out of risk - SC Magazine UK