QOTD on Big Data

Given enough data, intelligence and power, corporations and government can connect dots in ways that only previously existed in science fiction.
-- Alexander Howard, government 2.0 correspondent at the technology publisher O'Reilly Media.

Src: Big Data age puts privacy in question as information becomes currency | Technology | guardian.co.uk
Note: Alex's full interview transcript can be found at https://plus.google.com/107980702132412632948/posts/RegCw2P51Hk

QOTD - Heartland CEO on Breach Response

To be PCI compliant does not mean you can't be breached. Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive.
-- Bob Carr, CEO of Heartland Payment Systems

Note: emphasis is mine.

Src: Heartland CEO on Breach Response - BankInfoSecurity

QOTD - FBI Director on Nation States

State-sponsored hackers are patient and calculating. They have the time, money and resources to burrow in and wait. You may discover one breach only to find that the real damage has been done at a much higher level.
-- Robert Mueller, Director of the FBI

Src: FBI Director says cybercrime will eclipse terrorism

FBI Director on Cyber Threats

We anticipate that the cyberthreat will pose the greatest threat to our country.
[...]
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.
-- Robert Mueller, Director of the FBI

Note: emphasis is mine.

Src: FBI Director says cybercrime will eclipse terrorism

QOTD - Art Coviello RSA 2012 Keynote - Risks

However, accepting the inevitability of compromise does not mean that we have to accept the inevitability of loss. We can manage risk to an acceptable level. We won’t stop every individual attack, but we can reduce the window of vulnerability from all attacks, and put the balance of control back firmly in the hands of security practitioners.
[...]
Although our industry has been talking about risk‐based security for a while, the fact remains that few organizations do it meaningfully and well. We must learn to evaluate risk at more substantive and granular levels. There’s risk, and then there’s risk.
Fundamentally, risk is a function of three components: How vulnerable you are to attack; how likely you are to be targeted; and the value of what’s at stake. In a world of advanced threats, we must evaluate risk not just from the inside out, but the outside in as well.
[...]
In looking at your organization from the point of view of your attackers, you are more likely to spot critical vulnerabilities and be able to focus your risk mitigation efforts.
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Note: emphasis is mine.

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Art Coviello RSA 2012 Keynote - Attacks

Never have we witnessed so many high profile attacks in one year. Never have the attacks been as targeted – with the aim of breaching one organization as a stepping‐stone to attack others.
[...]
The reality today is that we are in a race with our adversaries – they win when they can spot weaknesses and exploit them faster than we can identify the attack patterns and prevent them. Right now they are winning!
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Geer on The Craft of InfoSec
The craft that we're trying to practice [IA/infosec]... is always changing.
-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Risky Business Podcast # 227 (around minute 46)