QOTD on insiders & outsiders

The distinction between insiders and outsiders is blurring. Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely - just as an insider would.
-- Scott Aken, vice president for cyber operations at SAIC

QOTD on Reverse Engineering

People believe that once you compile human readable 'source' code, that humans can no longer read the resulting binary 'object' code. That is incorrect. Code can easily be decompiled back to (nearly) the original source. In our (Errata Security) pentests, we regularly find embedded usernames and passwords that nobody believes hackers can read. It usually takes us less than 5 minutes.
Note: emphasis is mine.

QOTD on IP as the new target

Cybercriminals understand there is greater value in selling a corporation’s proprietary information and trade secrets, which have little to no protection, making intellectual capital their new currency of choice.

QOTD on Cyber-War

The odds are we'll wait for a catastrophic event, and then overreact.
-- Mike McConnell, former director of National Intelligence (US)

QOTD on the new targets of cyber-crime

Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents. We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.
-- Simon Hunt, VP and CTO, endpoint security at McAfee

QOTD on Surveillance Society

The surveillance society is inevitable and irresistible.
-- Jeff Jonas, chief scientist of IBM’s Entity Analytics group

Src: If a surveillance society is inevitable, can privacy measures embedded in systems? | ZDNet

QOTD on Borderless Network

We've been working on an assumption that you need different levels of security for the internal network versus the external one, the Internet - the Big Bad World out there. That's been an incorrect assumption for at least ten years.
and earlier,
Start designing everything now to be externalisable.
-- Paul Simmonds, former AstraZeneca CISO, now with the Jericho Forum

Src: The key to security? Blow up the corporate wall - Computer Business Review

QOTD on Social Networks

The faith users put into social networks is providing an enormous universe of opportunity for nefarious actors.
-- Anup Ghosh, Chief Scientist at Invincea

Src: 40% of Social Network Users Attacked by Malware - Techland - TIME.com


The reality is that most CIOs have no idea what the Hell is on their network, not its provenance, what state it's in, let alone its state of vulnerability.
-- Paul Simmonds, former AstraZeneca CISO, now with the Jericho Forum

Src: The key to security? Blow up the corporate wall - Computer Business Review

QOTD on Custom Malware

Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.
It's fairly trivial to customize an exploit to bypass 70 percent of the time. I do it all of the time on engagements.
-- Shawn Moyer, managing principal at security services firm Accuvant Labs

Src: Customized, stealthy malware growing pervasive - CSO Online - Security and Risk

QOTD on Botnets & Legacy

Botnets will be with us until the way computing works is fundamentally changed at the lowest level. Right now, we’re dealing with a legacy architecture that was invented back in the '70s. None of this was envisioned, so nobody designed any security into the lowest layers.

-- Joe Stewart, director of Malware Research for Dell SecureWorks

Src: What are Botnets? : Discovery News