QOTD on the Need for a Secure OS

What we need is a secure operating system. That's the problem, if we're going to have any chance of winning this battle, because we're desperately losing it now. It's not even close. We gave up some time ago on building a secure OS. We don't have one. If there's any game changer that would move us in the direction of fighting back, it's to reinvigorate the efforts of the '80s and '90s with a trusted operating system.
-- Robert Bigman, chief of the information assurance group at the CIA

QOTD - PwC on APTs

The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event.
The report goes on to say:
In the few short months since this survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system.
Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well.
Src: Global state of information security 2012: PwC

QOTD - If I was a CSO – By a “Hacker”

Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either bypass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team morale instead, better use of the money. Your security is rarely better from these products. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious?
Note: emphasis is mine

Src: If I was a CSO – By a “Hacker” | CSO

QOTD - RSA's Coviello on Security

Intelligence about your potential attackers and most valuable assets shows you where to focus your efforts, such as what systems to protect and what users to closely monitor.
-- Art Coviello, executive chairman of RSA

Note: is it just me, or does this ring similar to Sun Tzu's Art of War ('know thyself and know thy enemy')?

QOTD - Raytheon's Cyberchief on Attacks

You will be attacked. You will be exploited. It's not a matter of whether something will get in your system, but more how long you will continue to have them in your system.
-- Vincent Blake, head of cyber security at Raytheon U.K.

Src: Raytheon's Cyberchief Describes 'Come to Jesus' Moment | PCWorld Business Center

QOTD - IBM on the new security reality

Phishing, spear phishing, APTs and targeted network attacks seem here to stay for the foreseeable future.
...we are witnessing a paradigm shift and an unprecedented assault on the fabric of trust.
Src: IBM Security X-Force 2011 Mid-year Trend and Risk Report

QOTD - Corman on Security Vendors

Vendors pluck out figures that support their sales pitch. They use statistics like a drunk uses lampposts – more for support than illumination.
-- Joshua Corman, director of security intelligence at Akamai

Src: Infosec 'needs warrior cryptoboffins' to beat hackers

QOTD - IBM on Data Breaches

Each new breach reinforces the awareness that basic network security is not just a technical problem, but rather a complex business challenge where risk exposure, communication, end-user education, and technology must be considered in a delicate balance.
Src: IBM Security X-Force 2011 Mid-year Trend and Risk Report

QOTD on 2011 as the Year of the Breach

An explosion of breaches has opened 2011 with continuing, near daily new reports, marking this year as “The Year of the Security Breach.” These breaches have been notable not just for their frequency, but for the presumed operational competency of many of the victims. The environment is changing: the boundaries of business infrastructure are being extended – and sometimes obliterated – by the emergence of cloud, mobility, social business, big data and more, while the attacks are getting more and more sophisticated, often showing evidence of extensive pre-operation intelligence collection and careful, patient, long term planning. The repercussions of these attacks are large enough to move security discussions out of technical circles and into the board room.
I have to say that I fully agree with this statement and welcome the boost in visibility (acknowledging an obvious bias on my part given my chosen area of specialty). The world is changing, under our very feet and, as a global society, we need to pay attention to these changes and take charge of the information security risks.

Note: emphasis is mine

QOTD on the Value of Information Security

For any significantly sized company, information security is a critical business function because information management is a critical business function.
-- Eric Cowperthwaite, CSO at Providence Health and Services

Src: Are you an IT security leader - really? | CSO Online - Security and Risk