QOTD - Perspectives on Security

While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue. Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small portion (3% to 4%) of their budget into security. If something is only taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.
-- Alan Shimel, co-founder of The CISO Group

Src: Open Source Fact and Fiction: An Open Letter To The Information Security Industry: We Live In Amazing Times

QOTD on the Commoditization of Malware

The malware lifecycle has sped up dramatically. The 'time to market' difference between £1,000-plus innovative malware and £15 ready-to-run kit is now months, rather than years. Combine this with poor patching remaining prevalent in businesses of all sizes, and you have a lethal cocktail.

This means that any would-be hacker can cause thousands of pounds worth of damage with very little outlay or technical know-how. Using the same advanced tactics as big-time hackers, lower-level cyber criminals focus on stealing data or private information. Their methods are increasingly diverse and technically advanced, and this is one of the reasons APTs can be so damaging to small- and medium-sized businesses alike.

Four days after the Aurora hack on Google last January, the code used was available worldwide. Within 18 months, there had been 5,800 attacks using it. As time goes on, far from the code losing its potency, more people get hold of it.
-- Spencer Parker, Group Product Manager, Websense

Note: this was written by an information security vendor; even so, the statements are useful for raising awareness of the threats and of how quickly research & development effort is transferred from leading-edge malware into run-of-the-mill tools.

Src: The trickle-down effects of advanced persistent threats - SC Magazine UK

QOTD - Schwartz on APTs

The new fact of life is a 'state' of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn't mean that we as a collective of security professionals are powerless against our adversaries – we can and should be able to manage our risk to an acceptable level and change the ongoing and grim trends.
-- Eddie Schwartz, Chief Security Officer of RSA, The Security Division of EMC

Src: Cyber Security Leaders Rally to Combat Advanced Persistent Threats

QOTD on Security vs Business

Security is a layer that needs to be there, it needs to be stringent, and it needs to be adhered to, but it cannot be an obstacle in providing information.
-- Mike Gleason, Director of Information Services at Scottsdale Healthcare

Src: HIPAA at 15: HITECH Tightens Health Care Data Privacy Laws - Health Care IT - News & Reviews - eWeek.com

QOTD - ASIO DG on e-Spying Threat

The Internet and increased connectivity have expanded infinitely the opportunities for the covert acquisition of information by state-sponsored and non-state-sponsored actors.
-- Mr David Irvine AO, Director-General of the Australian Security Intelligence Organisation

Src: Australian Security Intelligence Organisation - Transcript of remarks by ASIO head on July 5, 2011