We’ve always said that if you can’t protect it, don’t collect it.
-- Marc Rotenberg, executive director of the Electronic Privacy Information Center
Note: emphasis is mine.
Src: Sony Says PlayStation Hacker Got Personal Data - NYTimes.com
We’ve always said that if you can’t protect it, don’t collect it.
We can't keep pace with the Googles, and we're not going to out-Apple Apple, But we need to take advantage of what they're doing, and make sure our workforce is exposed to the same technologies.
Malware is a growing industry. The cliche that this was a couple of kids doing this in their parents’ basement was never true in the first place. Now it’s totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers.
The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach.
Traditional war is more like a bullet to the chest. Cyberwar is like a cancer -- just as dangerous and deadly, but far more torturous over the long term. And like cancer, we've yet to find a cure for cyberwar.
There is a class of user who cannot be protected from themselves. Many users can learn from the mistakes of others, especially when the material is presented well. For the avid, rabid fan, sometimes the only way they will learn is to get bit a few times.
The FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real and is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward coupling physical attacks with cyber attacks.
The nature of the threats has expanded from targeting individual bank accounts to targeting the information and physical infrastructure of nation states.
One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
[...]
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
[...]
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
Most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network.