QOTD on Data & Privacy

We’ve always said that if you can’t protect it, don’t collect it.
-- Marc Rotenberg, executive director of the Electronic Privacy Information Center

Note: emphasis is mine.

Src: Sony Says PlayStation Hacker Got Personal Data - NYTimes.com

QOTD - NSA CIO on Cloud Tech

We can't keep pace with the Googles, and we're not going to out-Apple Apple, but we need to take advantage of what they're doing, and make sure our workforce is exposed to the same technologies.
-- Lonny Anderson, CIO of the US National Security Agency (NSA)

Src: NSA developing cloud technologies - The H Security: News and Features

QOTD on the Business of Malware

Malware is a growing industry. The cliché that this was a couple of kids doing this in their parents’ basement was never true in the first place. Now it’s totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers.
-- Noah Shachtman, nonresident fellow at the Brookings Institution and editor of Wired’s Danger Room

QOTD on Fighting Breaches

The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach.
-- Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation

QOTD on Cyberwar

Traditional war is more like a bullet to the chest. Cyberwar is like a cancer -- just as dangerous and deadly, but far more torturous over the long term. And like cancer, we've yet to find a cure for cyberwar.
-- David Gewirtz, Editor-in-Chief of the ZATZ magazines, Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, and faculty at UC Berkeley

QOTD - Some users learn quickly, others...

There is a class of user who cannot be protected from themselves. Many users can learn from the mistakes of others, especially when the material is presented well. For the avid, rabid fan, sometimes the only way they will learn is to get bit a few times.
-- Randy Abrams, Director of Technical Education at ESET

QOTD - FBI Director on Cyber Terrorism

The FBI, with our partners in the intelligence community, believes the cyber terrorism threat is real and is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward coupling physical attacks with cyber attacks.
-- Robert S. Mueller, Director of the (US) Federal Bureau of Investigation

Src: Mueller to U.S. Congress: FBI’s focus has shifted - National Law Enforcement | Examiner.com

QOTD on Today's Threats

The nature of the threats has expanded from targeting individual bank accounts to targeting the information and physical infrastructure of nation states.
-- Stephen Trilling, senior VP, Symantec Security Technology & Response

QOTD - Uri Rivner on the RSA Hack

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA

Src: Anatomy of an Attack « Speaking of Security – The RSA Blog and Podcast

QOTD on Current Level of Readiness

Most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network.
-- Ryan Kazanciyan, a principal consultant for Mandiant