QOTD - Everyone is Spying (Just Like the NSA)

The agencies know perfectly well that every country, even when they cooperate on anti-terrorism, spies on its allies. The Americans spy on us on the commercial and industrial level like we spy on them, because it's in the national interest to defend our businesses. No one is fooled.
-- Bernard Squarcini, former head of France's secret services

Src: UPDATE 3-Merkel says U.S. spying an unacceptable breach of trust | Reuters

QOTD - UK TV Show on "Need to know"

Apparently the fact that you needed to know was not known at the time that the now known need to know was known, and therefore those that needed to advise and inform the Home Secretary perhaps felt that the information that he needed as to whether to inform the highest authority of the known information was not yet known and therefore there was no authority for the authority to be informed because the need to know was not at this time known or needed.
-- Derek Fowlds, playing the character of Bernard Woolley in the UK sitcom

Src: "Yes, Prime Minister" The Tangled Web (TV Episode 1988) - Quotes - IMDb

Side note: sometimes people in infosec take a very roundabout way to express what could otherwise be expressed in clear, simple terms.

QOTD - Scanning Humans and Machines for Vulnerabilities

Attackers look for vulnerabilities in both machines and people... This is to say, they scan Web servers for vulnerabilities which could be exploited to gain access to sensitive data, [and] they also look at individuals working for target organizations and go after them with targeted attacks, with the goal of getting access via the employee's credentials or identity. 
-- Phil Hochmuth, program manager of security products at research firm IDC

Src: What kind of target are you?

QOTD - On playing defense

In security, if you're the good guy, you're playing defense. If you play defense long enough, you lose. Something is going to get you. 
-- Benson Yeung, senior partner and founder of Triware Networld Systems LLC

Src: How to mitigate risk associated with a customer's potential data breach

QOTD - A Theory of What Drives People to Maintain Information Security

People only feel compelled to secure information when all of the following apply:
  1. They have a personal connection to it 
  2. They truly understand the risk that exposure of the information poses 
  3. The impact of such an exposure affects them directly
-- Antonio Maio, Senior Product Manager with TITUS

Src: What Drives People to Maintain Information Security - The Data Center Journal

Note: this is an interesting theory, and obviously one that would need to be put to the test in order to successfully drive change in employees' behaviors.

QOTD on Shadow IT

I'd argue that Shadow IT is not a problem; it's progress. It's kind of like software Darwinism. The services and applications that are adopted widely are the ones that IT will have to figure out how to support – whether they like it or not. On the other hand, the ones that IT legitimately cannot sign off on – because they are too insecure, too poorly designed or simply an invitation for an audit – will die off.
-- Ian Murdock, VP Platform, ExactTarget

Src: IT Departments: Stop Complaining about Shadow IT - Datamation

Note: emphasis is mine.

QOTD on Fingerprints

...fingerprints are not private, you leave them lying around everywhere, and if someone has enough incentive – and the resources available to them – they may try to defeat any security system that you trust your fingerprint to unlock.
-- Graham Cluley, veteran of the AV industry

Src: How to beat fingerprint scanners - watch this video and find out

QOTD - NSA vs Crypto - What to trust?

I trust AES-256, I trust ECC with non-NSA curves, I trust RSA with keys that are at least 2048 bits.
I suspect they can factor 1024-bit RSA keys in a fairly short amount of time, and some of the success they noted is based on that.
Actually, I'd be shocked and a bit disappointed if they can't.
-- Adam Caudill, security researcher

Src: NSA Fallout: Encrypt Everything, Enterprises Advised - Security

QOTD - Where is Your Critical Data?

Don't just assume you know where your critical data is. Look for it across your environment, as it usually turns up in unexpected places.
-- Randy Trzeciak, senior member at the SEI-CERT at the Carnegie Mellon University

Src: Keeping secrets from insiders likely to turn on you

QOTD - Parallel Universes of Privacy

Both the U.S. and the EU need to break out of their parallel universes and find some common ground in order to better understand each other’s positions and avoid a political meltdown.
-- Christopher Kuner, Senior of Counsel in the Brussels office of Wilson, Sonsini, Goodrich & Rosati

Src: IAPP Privacy Perspectives

QOTD - Cyber Defense in the Boardroom?

The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion.
-- Ross Parsell, Director of Cyber Security for Thales UK

Src: All FTSE 350 Firms 'At Risk Of Cyber Attack' - Yahoo! News UK

QOTD - Bank of England's Haldane on Cyber Risks

The focus on credit, market and liquidity risk over the past 5 years may have distracted attention from operational, and in particular cyber risks, among financial institutions and infrastructures. This is a rapidly rising area of risk with potentially systemic implications. It calls for a system-wide response.
-- Andrew Haldane, Director of Financial Stability for the Bank of England

Src: www.bankofengland.co.uk/publications/Documents/other/treasurycommittee/appoint/haldane_jun13.pdf

QOTD - Obama on NSA Spying

You can’t have 100% security, and also then have 100% privacy, and zero inconvenience. We’re going to have to make some choices as a society. 
-- US President Barack Obama

Src: Obama: Spying programs only ‘modest’ invasion of privacy | The Ticket - Yahoo! News

QOTD on the value of data to hackers

Cyber criminals have come to appreciate that sensitive personal and organisational information are the currency of their ‘hacker economy.’
-- Vincent Weafer, Senior VP, McAfee Labs

Src: Hackers' Citadel and Koobface Trojans pose major threats to business data - IT News from V3.co.uk

QOTD on Data Sharing vs Control

The reality is, our ability to exchange electronic information is already well beyond our ability to control it. 
-- John Leipold, CEO of Valley Hope Technology

Src: Rules on Medical-Record Privacy Face Challenges - WSJ.com

QOTD on Cyber Arms Races

As long as I have an adversary spending his treasure ... nothing static will remain secure -- that's the nature of arms races. It is a guarantee that the system will be found vulnerable. So I think to a large extent we have to stop fooling ourselves that we actually can create completely secure systems. We certainly need to create the best system we can, but that system cannot remain static. It has to change, morph, grow over time, as we learn about our adversaries' behavior.
-- Dave Aucsmith, senior dir. of Microsoft's Institute for Advanced Technology in Governments

Src: 'Aurora' Cyber Attackers Were Really Running Counter-Intelligence - CIO.com

QOTD - Clapper on Global Threats in 2013

Threats are more interconnected and viral. Events which at first blush seem local and irrelevant can quickly set off transnational disruptions that affect U.S. national interests. "War" now includes a software variant -- a soft war variation. Arms include cyber and financial weapons, and attacks can be deniable and non-attributable.
-- James Clapper, Director of National Intelligence (US)

Src: Remarks on the Worldwide Threat Assessment provided to the House Permanent Select Committee on Intelligence

QOTD on Bypassing AV

For someone doing a targeted attack, AV is not too much of an obstacle. The fraudster has all the information he needs to run tests against an AV program and ensure he can defeat it. Today you can buy, in the underground market, tests for banking Trojans to ensure they're not detected by AV.
-- Toralv Dirro, security strategist for McAfee Labs

QOTD - Worldwide Threat Assessment of the US Intelligence Community

Threats are more diverse, interconnected and viral than at any time in history. Attacks, which might involve cyber and financial weapons, can be deniable and unattributable. Destruction can be invisible, latent and progressive.
-- James Clapper, Director of National Intelligence 

Src: Report: Cyberattacks a key threat to U.S. national security - CNN.com
Direct link to testimony (PDF)

QOTD - On passive attacks

While many organizations worth compromising for IP theft likely have robust perimeter defenses, not all have controls in place to defend against a scenario (in which) the attackers wait for the victims to come to them.
-- Nicholas Percoco, Senior VP of SpiderLabs (part of Trustwave)

Src: Many Watering Holes, Targets In Hacks That Netted Facebook, Twitter and Apple | The Security Ledger

QOTD - Post-Crypto World?

If someone can own your computer and see everything you're doing, it doesn't matter that the data is encrypted. If you can't trust the computer you're running crypto on, it doesn't matter how good the crypto is.
-- Dr. Matthew Green, Assistant Research Professor, Department of Computer Science, Johns Hopkins University

Src: Are we now living in a post-crypto world? - CSO Online - Security and Risk

QOTD - Shamir on APTs & Crypto

It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system.
-- Adi Shamir, renowned cryptographer & A.M. Turing Award Winner

Src: Are we now living in a post-crypto world? - CSO Online - Security and Risk

QOTD - EU's Neelie Kroes on Internet Security

We are all here because we recognise the Internet is important: for our economy, for our values, and for our human rights. We all recognise that insecure systems could harm those benefits. [...] 
We rely on the internet for ever more services – from shopping and socialising, to healthcare, education, and smart transport. 
But the more we depend on it – the more we depend on it to be secure. Staying open and free is essential to online innovation. And there is no true freedom without security – not when you're walking down the street, and not when you're online.
-- Neelie Kroes, VP of the European Commission responsible for the Digital Agenda

Src: EUROPA - PRESS RELEASES - Press Release - SPEECH - Using cybersecurity to promote European values

QOTD on The Need For a Secure Internet

As more people come to rely on the Internet, they rely on it to be secure. And as the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free.
-- Neelie Kroes, VP of the European Commission responsible for the Digital Agenda

Src: EUROPA - PRESS RELEASES - Press Release - Speech - Towards a coherent international cyberspace policy for the EU

QOTD on Dealing with Advanced Attackers

... Preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in.
-- Dennis Fisher, Editor-in-chief, Threatpost.com

Src: How the RSA Attackers Swung and Missed at Lockheed Martin

QOTD on Security for Android Devices

You don’t need a zero-day to attack Android if consumers are running 13-month-old software.
[...]
With Android, the situation is worse than a joke, it’s a crisis.
[...]
Outside the geek space, consumers don’t know the problem exists. They may realize they’re not getting feature updates, but they may think security updates are happening in the background, or they don’t realize security updates are important.
-- Chris Soghoian, Principal Technologist and a Senior Policy Analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union

QOTD on Anti-Virus

Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats.
Anti-virus software alone is not enough. 

QOTD - Neelie Kroes on Importance of Cyber Security

Cybersecurity is too important to leave to chance, to the good will of individual companies.
-- Neelie Kroes, European Union commissioner for the digital agenda

Src: Europe Weighs Requiring Firms to Disclose Data Breaches - NYTimes.com