QOTD - Corman on e-Toasters

We’re putting IT on everything and while some people think IT on everything is a dream, I kind of think it’s a nightmare. If you have a toaster, there’s a certain risk that it will burn your house down. If you put software on it, it’s a vulnerable toaster. If you connect it to the Internet, it’s a vulnerable and exploitable toaster.
-- Josh Corman, Director of Security Intelligence at Akamai Technologies

Src: New Year’s Resolution: Do Software Better

QOTD on Cyberspace as the New Battlefront

States at the moment seem to have little self-restraint in cyber.
This is very dangerous... The consequence may be that... we find ourselves with a redefinition of 'war' - one that is never declared, seldom visible but effectively constant.
-- Alexander Klimburg, cyber security expert at the Austrian Institute for International Affairs

Src: Cyberspace the new frontier in Iran's war with foes - Yahoo! News

QOTD on Stuxnet

Stuxnet was effective, but it wasn't a knockout blow. What it has done, however, is open a new front. 
-- Ilan Berman, VP of the American Foreign Policy Council and former CIA & Pentagon consultant

Src: Cyberspace the new frontier in Iran's war with foes - Yahoo! News

QOTD - Kaspersky on Cyberwarfare

We can’t let cyber-warfare stall human progress, as it threatens not only governments and businesses, but regular people as well.
[...]
In the long run, cyber-warfare is where all parties lose: attackers, victims and even uninvolved observers. Unlike traditional weapons, tools used in cyber-warfare are very easy to clone and reprogramme by adversaries. 
-- Eugene Kaspersky, CEO and co-founder of Kaspersky Lab

Src: Kaspersky to launch own operating system | GulfNews.com

QOTD - Bits & Bytes

The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs.
-- Gen. Martin Dempsey, Chairman of the Joint Chiefs of Staff (US)
Src: WHY IT MATTERS: Cybersecurity - Yahoo! News

QOTD - Stuxnet & the genie in the bottle

Once the genie was out of the bottle with Stuxnet then it was always going to be a case of we must have our own variant or we will get left behind.

I think what people are missing is military theory. Sun Tzu, the ancient Chinese military general, said that 'to subdue the enemy without fighting is the essence of skill', and [Carl von] Clausewitz said 'war is the continuation of policy by other means', and cyberspace is perfect for those ideas. It allows you to do something better with another tool...
-- Commodore Patrick Tyrrell

Src: State-sponsored cyber espionage projects now prevalent, say experts | Technology | guardian.co.uk

QOTD on Big Data vs Privacy

...soon companies will know things about us that we do not even know about ourselves. This is the exciting possibility of Big Data, but for privacy, it is a recipe for disaster.
-- Paul Ohm, Associate Professor at the University of Colorado Law School

Src: Don't Build a Database of Ruin - Paul Ohm - Harvard Business Review

The undetected malware issue

For every Stuxnet or Flame that turns up, there likely are dozens or hundreds of analogous tools sitting undetected on systems around the world.
-- Dennis Fisher, Editor-in-chief, Threatpost

Src: Gauss, Flame Highlight Problem of Defeating High-End Malware | threatpost

QOTD - InfoSec and The CFO

Security is not just an IT risk, it’s a business risk. As CFO, your responsibility is to understand the business risks and how the organization is set up to mitigate those risks. 
-- Jason Pett, co-author of the PwC report entitled "Fortifying your defenses The role of internal audit in assuring data security and privacy" 

Src: C-Suite Slipping on Information Security, Study Finds

On Security for DNA Data

Ken Chahine (Senior VP of Ancestry.com & GM of AncestryDNA): Why would someone hack our servers to access my data when you could follow me to a coffee shop and grab a sample from my used coffee cup? 

Amy Gutman (Chair of the Presidential Commission for the Study of Bioethical Issues): The questions of personal privacy and genome sequencing do not boil down to ownership. I cannot own what I leave behind. 

Note: emphasis is mine.

Src: Do privacy concerns follow the coffee cup? » blog.Bioethics.gov - The blog of the Presidential Commission for the Study of Bioethical Issues

QOTD on Cyber Weapons

Advanced cyberwar is different: a country’s assets lie as much in the weaknesses of enemy computer defenses as in the power of the weapons it possesses. So in order to assess one’s own capability, there is a strong temptation to penetrate the enemy’s systems before a conflict erupts. It is no good trying to hit them once hostilities have broken out; they will be prepared and there’s a risk that they already will have infected your systems. Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive and can lead to the uncontrolled spread of malware.
-- Misha Glenny, visiting professor at the Columbia University School of International and Public Affairs

Src: Stuxnet Will Come Back to Haunt Us - NYTimes.com

QOTD - Hypponen on AV vs Targeted Malware

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
-- Mikko Hypponen, Chief Research Officer of F-Secure

Src: Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet | Threat Level | Wired.com

QOTD - Kaspersky on No-More-Privacy

We can forget about privacy. There’s no privacy anymore. You can have privacy if you live somewhere in the jungle, or the middle of Siberia.
-- Eugene Kaspersky, CEO of Kaspersky Lab

Src: Why Eugene Kaspersky has big problems with big data

QOTD - Kaspersky on Cyber-Weapons

A cyber-weapon is a boomerang. Sooner or later it will fly back to you.
-- Eugene Kaspersky, CEO of Kaspersky Lab

Src: Why Eugene Kaspersky has big problems with big data (Page 3)

QOTD on Big Data

Given enough data, intelligence and power, corporations and government can connect dots in ways that only previously existed in science fiction.
-- Alexander Howard, government 2.0 correspondent at the technology publisher O'Reilly Media.

Src: Big Data age puts privacy in question as information becomes currency | Technology | guardian.co.uk
Note: Alex's full interview transcript can be found at https://plus.google.com/107980702132412632948/posts/RegCw2P51Hk

QOTD - Heartland CEO on Breach Response

To be PCI compliant does not mean you can't be breached. Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive.
-- Bob Carr, CEO of Heartland Payment Systems

Note: emphasis is mine.

Src: Heartland CEO on Breach Response - BankInfoSecurity

QOTD - FBI Director on Nation States

State-sponsored hackers are patient and calculating. They have the time, money and resources to burrow in and wait. You may discover one breach only to find that the real damage has been done at a much higher level.
-- Robert Mueller, Director of the FBI

Src: FBI Director says cybercrime will eclipse terrorism

FBI Director on Cyber Threats

We anticipate that the cyberthreat will pose the greatest threat to our country.
[...]
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.
-- Robert Mueller, Director of the FBI

Note: emphasis is mine.

Src: FBI Director says cybercrime will eclipse terrorism

QOTD - Art Coviello RSA 2012 Keynote - Risks

However, accepting the inevitability of compromise does not mean that we have to accept the inevitability of loss. We can manage risk to an acceptable level. We won’t stop every individual attack, but we can reduce the window of vulnerability from all attacks, and put the balance of control back firmly in the hands of security practitioners.
[...]
Although our industry has been talking about risk‐based security for a while, the fact remains that few organizations do it meaningfully and well. We must learn to evaluate risk at more substantive and granular levels. There’s risk, and then there’s risk.
Fundamentally, risk is a function of three components: How vulnerable you are to attack; how likely you are to be targeted; and the value of what’s at stake.  In a world of advanced threats, we must evaluate risk not just from the inside out, but the outside in as well.
[...]
In looking at your organization from the point of view of your attackers, you are more likely to spot critical vulnerabilities and be able to focus your risk mitigation efforts.
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Note: emphasis is mine.

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Art Coviello RSA 2012 Keynote - Attacks

Never have we witnessed so many high profile attacks in one year. Never have the attacks been as targeted – with the aim of breaching one organization as a stepping‐stone to attack others.
[...]
The reality today is that we are in a race with our adversaries – they win when they can spot weaknesses and exploit them faster than we can identify the attack patterns and prevent them. Right now they are winning!
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Geer on The Craft of InfoSec
The craft that we're trying to practice [IA/infosec]... is always changing.
-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Risky Business Podcast # 227 (around minute 46)

QOTD - Art Coviello RSA 2012 Keynote - Adversaries
New breeds of cybercriminals, hacktivists and rogue nation states have become as adept at exploiting the vulnerabilities of our digital world as our customers have become at exploiting its value.  With increased speed, agility and cunning, attackers are taking advantage of gaps in security resulting from the openness of today’s hyper-connected infrastructures, and our own slow response to recognize the potency of the emerging threat landscape and our inability to band together.  Our adversaries are better coordinated, have developed better intelligence, and easily outflank our traditional perimeter defenses.
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Note: emphasis is mine.

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Geer on Whether Laws Can Keep Up with Technology
You typically don't need a rule to prevent you from doing something that is impossible...
But we are, these days, making impossible things possible rather faster than the legislatures can keep up.
-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Risky Business Podcast # 227 (around minute 31)

QOTD - VZ DBIR on Intelligent Attackers

Attackers are only as intelligent and adaptive as WE FORCE THEM TO BE. Clearly—as a community—we’re not exactly forcing them to bring their A-game.

Src: Verizon 2012 Data Breach Incident Report (PDF), covering incidents of 2011

QOTD - NSA Chief on Cyber Espionage

[...] cyberspace is becoming more dangerous.
[...] now the more sophisticated cyber criminals are shifting away from botnets and such “visible” means of making money and toward stealthier, targeted thefts of sensitive data they can sell.
[...]
State-sponsored industrial espionage and theft of intellectual capital now occurs with stunning rapacity and brazenness, and some of that activity links back to foreign intelligence services. Companies and government agencies around the world are thus being looted of their intellectual property by national intelligence actors...
-- Gen. Keith Alexander, Director of the NSA & Commander of the US Cyber Command

Src: CYBERCOM Posture Statement for 27Mar12 SASC Hearing FINAL v 1 as of 21 March 2012.doc

QOTD - Geer on the Rate of Change
The rate at which we are turning the impossible into the possible is accelerating and will continue to do so because technologic change is now in a positive feedback loop.
-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Cybersecurity and National Policy | National Security Journal | Harvard Law School

QOTD - Bryan Sartin on the DBIR

This is a study of security failures and the lessons that can be learned from them.
-- Bryan Sartin, VP of the Verizon RISK (Research Investigations Solutions Knowledge) Team 

Src: financialservices.house.gov/UploadedFiles/091411sartin.pdf (PDF)

QOTD on Being a Target

Small companies are targeted now because there's high return at fairly little effort. If you're a company with a hot piece of technology … I'd consider it a certainty you'd be a target.
-- Grady Summers, Vice President at Mandiant

Src: Five Ways You Can Avoid IP Theft | Entrepreneur.com

QOTD on Hacker Targets

Hackers may target any IT operation for any reason.
Many hackers, of course, are in it for the money. (This includes some Anonymous hackers.) They will aim for customer account numbers or other data of direct monetary value. But many hackers, including some of the most sophisticated, are in it for a mixture of more indirect motives. These include notoriety, the sheer thrill of the chase, and increasingly, a vague but militant political agenda.
-- Rick Robinson, freelance writer

Note: emphasis is mine.

Editorial: leave it to a professional writer to come up with one of the best summaries of hacker targets and motives.

Src: Anonymous Hackers' FBI Revenge Hits Spanish Security Firm | Infoboom

QOTD on The New Security Reality

You should assume that every server in your company is compromised, then build your security around that.
[...]
Don't assume you're safe. Assume you're not, and figure out now how to react when you are compromised.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on APTs

The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations. Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right, and the bad guys will find and leverage the one thing you do wrong.
-- Jon Oltsik, ESG senior principal analyst

Note: emphasis is mine.

QOTD on The Security Perimeter

The days of the perimeter working as the sole defence mechanism are no longer with us.
[...]
Once hackers defeat the perimeter, they will make stealthy, pinpoint attacks from there.
This isn't an outbreak which shuts all the corporate machines down – it's about probing and searching for valuable data or other vulnerabilities.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on Banking Security

There is no single, easy, solution for the banks to ensure the security of their online banking systems. A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack.
-- Hugh Callaghan, security expert at Ernst & Young

Note: emphasis is mine.

QOTD - WEF - Online Security As Public Good

Online security is also an example of a public good; costs are borne privately, but benefits are shared. When individuals weigh the cost of investing in antivirus software, they do not take into account the benefits of protecting other users from spam and advanced persistent threat attacks if their computers are infected with malware.
[...]
Innovative multistakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience.

QOTD - WEF - Axioms for the Cyber Age

Axioms for the Cyber Age:

Any device with software-defined behaviour can be tricked into doing things its creators did not intend.

Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.

The document (correctly IMO) summarizes the current state of affairs with respect to system security:

There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity.

Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - Bill Gates on Trustworthy Computing

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. [...] If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
-- Bill Gates, at the time (2002) Chairman and Chief Software Architect at Microsoft

Src: Bill Gates' Trustworthy Computing Memo (from Microsoft, dated Jan 15, 2002, RTF format)