QOTD - Litan on Online Bank Fraud

The law hasn't kept up, the regulators haven't kept up, and you're going to get a different opinion from every judge.
[...]
In the end, businesses are guilty until proven innocent.
-- Avivah Litan, VP & Distinguished Analyst at Gartner Research

Src: Who Bears Online Fraud Burden: Bank or Business? -- InformationWeek

QOTD on Cyber Attacks

Nowhere is the need to act today rather than tomorrow more evident than in this area. A well-orchestrated cyber attack can turn off the power in your house, your city, your country. It can shut down air traffic control. It can shut down banks. In short, a cyber attack can bring a country down without a single soldier having to cross its borders.

This is not science fiction. It is the real world.
-- Anders Fogh Rasmussen, NATO Secretary General

Note: emphasis is mine.

Src: Meeting Future Challenges Together - Speech at the Bucharest University | Facebook

QOTD on Attack Surface & Risk

The attack surface of a target is not influenced by changes in the operating environment, attack tactics, attacker strategy, or attacker operational capability. These things will change the risk of whether or not something may be attacked and the impact of that attack but the attack surface has been there the whole time as the same thing as always. In our work [OSSTMM], the attack surface is the quantity of points of interactions with a target (or asset). These include interactions necessary for operations. The only means of changing the attack surface is by adding or removing controls over the interactions, changing the quantity of points of interactions, or by changing the scope to include previously unknown targets.

Many things will influence attacker motives, capabilities, and style, but that only represents what they do and not the surface of what they can attack. So if you clone a military base, it has the same attack surface at home and in a war zone, or on the moon and on the Earth. What is different is risk and not what can be attacked. The points of interaction remain the same. That's the nice thing about measuring an attack surface: it's pretty static in terms of the things you can't control, so it's in your power to address the operations you want and the interactions you don't want. So that means that while you can be pretty sure that any change in environment, tactical ability, or motives will bring about changes in risk, to the point where it seems to benefit whomever responds to it first (attacker or defender), the attack surface will stay the same.
-- Pete Herzog, Managing Director, ISECOM - Institute for Security and Open Methodologies

Src: Security Metrics mailing list. Posted with the permission of the author

QOTD on Adequate Security Spending

Not everyone needs to spend to defend against the upper echelon of threat agents. Everyone needs to spend to defend against the lowest echelon.
-- Wade Baker, Director, Research & Intelligence at Verizon Business

Src: Security Metrics mailing list. Posted with permission of the author.

QOTD - FBI on the State of Cyber-Crime

We are facing a very innovative crime, and innovation has to be the response.
[...]
Given enough money, time and resources, an adversary will be able to access any system. Companies need to understand that.
-- Gordon Snow, Assistant Director of the FBI's Cyber Division

Src: Cyber cops stymied by anonymous hackers

QOTD - Google's Eric Schmidt on Living in the Information Age

In 100 years, we've gone from the average person having access to almost no information to the average person in the world having access to all the world's information.
-- Eric Schmidt, Google Executive Chairman

Note: the quote can be found around minute 4:40 of the video.

Src: Google’s Eric Schmidt talks Microsoft, recommends Macs | WinRumors