QOTD - Scanning Humans and Machines for Vulnerabilities

Attackers look for vulnerabilities in both machines and people... This is to say, they scan Web servers for vulnerabilities which could be exploited to gain access to sensitive data, [and] they also look at individuals working for target organizations and go after them with targeted attacks, with the goal of getting access via the employee's credentials or identity. 
-- Phil Hochmuth, program manager of security products at research firm IDC

Src: What kind of target are you?

QOTD - On playing defense

In security, if you're the good guy, you're playing defense. If you play defense long enough, you lose. Something is going to get you. 
-- Benson Yeung, senior partner and founder of Triware Networld Systems LLC

Src: How to mitigate risk associated with a customer's potential data breach

QOTD - A Theory of What Drives People to Maintain Information Security

People only feel compelled to secure information when all of the following apply:
  1. They have a personal connection to it 
  2. They truly understand the risk that exposure of the information poses 
  3. The impact of such an exposure affects them directly
-- Antonio Maio, Senior Product Manager with TITUS

Src: What Drives People to Maintain Information Security - The Data Center Journal

Note: this is an interesting theory, and obviously one that would need to be put to the test in order to successfully drive change in employees' behaviors.

QOTD on Shadow IT

I'd argue that Shadow IT is not a problem; it's progress. It's kind of like software Darwinism. The services and applications that are adopted widely are the ones that IT will have to figure out how to support – whether they like it or not. On the other hand, the ones that IT legitimately cannot sign off on – because they are too insecure, too poorly designed or simply an invitation for an audit – will die off.
-- Ian Murdock, VP Platform, ExactTarget

Src: IT Departments: Stop Complaining about Shadow IT - Datamation

Note: emphasis is mine.

QOTD on Fingerprints

...fingerprints are not private, you leave them lying around everywhere, and if someone has enough incentive – and the resources available to them – they may try to defeat any security system that you trust your fingerprint to unlock.
-- Graham Cluley, veteran of the AV industry

Src: How to beat fingerprint scanners - watch this video and find out

QOTD - NSA vs Crypto - What to trust?

I trust AES-256, I trust ECC with non-NSA curves, I trust RSA with keys that are at least 2048 bits.
I suspect they can factor 1024-bit RSA keys in a fairly short amount of time, and some of the success they noted is based on that.
Actually, I'd be shocked and a bit disappointed if they can't.
-- Adam Caudill, security researcher

Src: NSA Fallout: Encrypt Everything, Enterprises Advised - Security

QOTD - Where is Your Critical Data?

Don't just assume you know where your critical data is. Look for it across your environment, as it usually turns up in unexpected places.
-- Randy Trzeciak, senior member of the SEI CERT at Carnegie Mellon University

Src: Keeping secrets from insiders likely to turn on you