QOTD - FBI Director - Two Kinds of Companies

There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese. 
-- James Comey, FBI Director

Src: FBI Director James Comey on threat of ISIS, cybercrime - CBS News

QOTD - World War C (C=CyberSpace)

Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.  
-- FireEye report entitled "World War C"

Src: How Classified NSA Exploit tools RADON and DEWSWEEPER Work - InfoSec Institute

Note: the rest of the page linked above is also worth reading, along with the original FireEye report of course (link to PDF). Here's the rest of the paragraph from FireEye's original report (src):
From strategic cyber espionage campaigns, such as Moonlight Maze and Titan Rain, to the destructive, such as military cyber strikes on Georgia and Iran, human and international conflicts are entering a new phase in their long histories. In this shadowy battlefield, victories are fought with bits instead of bullets, malware instead of militias, and botnets instead of bombs. 
These covert assaults are largely unseen by the public. Unlike the wars of yesteryear, this cyber war produces no dramatic images of exploding warheads, crumbled buildings, or fleeing civilians. But the list of casualties—which already includes some of the biggest names in technology, financial services, defense, and government—is growing larger by the day.

QOTD - Blame it on Snowden

There are probably 30 governments who are going through that catalog and saying, 'I didn't know you could do that,' and saying, 'Find somebody who will give me one of these.'
[A]uthoritarian governments around the world are going to have new tools, and our tools are going to be less effective.
You can have these programs, of course, but if you debate intelligence programs in the clear, the chances are they are not particularly effective programs after they've been debated in that fashion. So I think that it's a very damaging debate to have. 
-- Stewart Baker, former assistant secretary of Homeland Security,
as interviewed by NPR

Src: The Case Against Clemency: Expert Says Snowden's Leaks Hurt Security : The Two-Way : NPR

Editorial note: There. End of debate! There should be no debate.

QOTD - On Zero Day Attacks

Zero-day attacks last between 19 days and 30 months, with a median of 8 months and an average of approximately 10 months. This shows that attackers have plenty of time to execute their attack without hindrance before it becomes a known vulnerability.
After zero-day vulnerabilities are disclosed, the number of malware variants exploiting them increases 183–85,000 times and the number of attacks increases 2–100,000 times.
Once a vulnerability has been announced, hackers worldwide get to work creating their attacks for the vulnerability. Knowing this data, it is best to keep a machine up to date on patches. 
Src: Zero-day Attack Data | Cyber Security
Link to full paper

Note: emphasis is mine

QOTD - FBI on Hackers and Basements

We're in a day when a person can commit about 15,000 bank robberies sitting in their basement.
-- Robert Anderson, executive assistant director of the FBI's Criminal, Cyber, Response, and Services Branch

Src: Officials warn 500 million financial records hacked

QOTD - DoJ rep on Social Engineering & Executives

...until from the C-level down, major business organizations realize that even the C-level and the senior manager level executives need to be trained that they could be singled out to become the vector for an attack, I suspect we will continue to see major data breaches day after day, week after week and year after year.
-- Jonathan J. Rusch, deputy chief for strategy and policy at the US Justice Department’s fraud section

Src: Social Engineering, Data Breaches & Top Execs | Technocrat

QOTD - Advice for CFOs

Your information network will be compromised. In today’s increasingly sophisticated 24/7 tech world, this is a certainty on par with death and taxes. The sooner CFOs accept this reality, the more they’ll be [able] to minimize data breaches at their company.
Src: Five Truths About Cyber Security - CFO

QOTD - DHS on CyberSecurity & Risk

Cybersecurity is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cybersecurity risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cybersecurity risk throughout the enterprise.
Src: https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

QOTD on InfoSec as a Top Concern for Management

... cyber-security can no longer be an isolated function but requires a focused effort and collaborative conversations among the various functions in an organisation.
--Tal Mozes, leader of Hacktics Advanced Security Centre

Src: Information security finally a top concern for management | Latest News & Updates at Daily News & Analysis

QOTD - Ex-NSA Deputy Director on Managing Privileged Users

Snowden was a system administrator, so by design he had more privileges. Does that expose a weakness in the system? In hindsight, Snowden went far beyond where we would have expected him to go. The challenge is how do you extend trust to individuals that you’ve gone to great time and trouble to find, vet, and develop confidence in, and allow them to exercise ingenuity, innovation, and creativity? We need to up our game without crushing the 99.9 percent of people who have operated faithfully. We need to focus on behaviors—on the access to data in real time, instead of on defending perimeters, operating systems, or artifacts. You’re looking for a change in behavior that is an anomaly and warrants close examination. 
-- John C. Inglis, former NSA Deputy Director

Src: Ex-NSA Deputy Director Says the Agency Must Be “Biased” Towards Defense, Not Attack | MIT Technology Review
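Inglis's point above is that privileged users cannot be fenced in by perimeters, so detection has to key on behaviour: what data a person touches, when, and how that compares with their own history. As an added example (not from the article, the interview or any NSA tooling), the Python below builds a per-user baseline from constructed access-log lines and flags a privileged account on the day it starts reading shares it never touched before, in bulk, at 2 a.m. The log format, the user names, the "share" heuristic and all thresholds are assumptions chosen for the illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed access-log lines for the example (not real data). The format
# is an assumption: <ISO-8601 timestamp> user=<name> action=<verb> path=<file>
SAMPLE_LOG = """\
2014-06-02T09:05:11Z user=sysadm action=read path=/srv/backup/jobs.cfg
2014-06-02T09:40:02Z user=sysadm action=read path=/srv/backup/log/02.txt
2014-06-02T14:10:45Z user=sysadm action=write path=/srv/backup/jobs.cfg
2014-06-03T08:55:30Z user=sysadm action=read path=/srv/backup/jobs.cfg
2014-06-03T11:20:00Z user=sysadm action=read path=/srv/backup/log/03.txt
2014-06-04T09:00:15Z user=sysadm action=read path=/srv/backup/log/04.txt
2014-06-04T16:30:08Z user=sysadm action=write path=/srv/backup/jobs.cfg
2014-06-05T02:13:44Z user=sysadm action=read path=/srv/intel/reports/q1.pdf
2014-06-05T02:14:01Z user=sysadm action=read path=/srv/intel/reports/q2.pdf
2014-06-05T02:14:20Z user=sysadm action=read path=/srv/intel/reports/q3.pdf
2014-06-05T02:15:07Z user=sysadm action=read path=/srv/intel/sources/list.csv
2014-06-05T02:16:33Z user=sysadm action=read path=/srv/legal/contracts/a.docx
2014-06-05T02:17:02Z user=sysadm action=read path=/srv/legal/contracts/b.docx
2014-06-05T02:18:45Z user=sysadm action=read path=/srv/legal/contracts/c.docx
2014-06-05T02:19:10Z user=sysadm action=read path=/srv/hr/people.xlsx
2014-06-02T10:00:00Z user=analyst action=read path=/srv/intel/reports/q1.pdf
2014-06-03T10:00:00Z user=analyst action=read path=/srv/intel/reports/q2.pdf
2014-06-04T10:00:00Z user=analyst action=read path=/srv/intel/reports/q3.pdf
2014-06-05T10:00:00Z user=analyst action=read path=/srv/intel/sources/list.csv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)
OFF_HOURS = range(0, 7)  # 00:00-06:59 UTC counted as off-hours (assumption)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["day"] = ev["ts"][:10]
        ev["hour"] = int(ev["ts"][11:13])
        # "share" = first two path components (e.g. /srv/backup); a crude
        # stand-in for "which data set was touched".
        ev["share"] = "/".join(ev["path"].split("/")[:3])
        events.append(ev)
    return events


def daily_profile(events):
    """user -> day -> {distinct paths, distinct shares, off-hours event count}."""
    prof = defaultdict(lambda: defaultdict(
        lambda: {"paths": set(), "shares": set(), "off_hours": 0}))
    for ev in events:
        f = prof[ev["user"]][ev["day"]]
        f["paths"].add(ev["path"])
        f["shares"].add(ev["share"])
        if ev["hour"] in OFF_HOURS:
            f["off_hours"] += 1
    return prof


def detect(text, day, min_baseline_days=2):
    """Return user -> list of anomaly reasons for `day`, each user judged only
    against that user's own earlier days. Thresholds are example assumptions."""
    prof = daily_profile(parse_log(text))
    findings = {}
    for user, days in prof.items():
        today = days.get(day)
        if today is None:
            continue
        baseline = [f for d, f in days.items() if d < day]
        if len(baseline) < min_baseline_days:
            # Too little history to say anything: report that rather than a verdict.
            findings[user] = ["unscored: fewer than %d baseline days" % min_baseline_days]
            continue
        reasons = []
        counts = [len(f["paths"]) for f in baseline]
        # Volume: beyond mean+3sd, and at least double the busiest baseline day,
        # so a flat baseline (sd == 0) does not fire on every tiny uptick.
        limit = max(statistics.mean(counts) + 3 * statistics.pstdev(counts), 2 * max(counts))
        if len(today["paths"]) > limit:
            reasons.append("distinct files %d exceeds baseline limit %.1f" % (len(today["paths"]), limit))
        # Novelty: data sets this user has never touched before.
        known = set().union(*(f["shares"] for f in baseline))
        new_shares = sorted(today["shares"] - known)
        if new_shares:
            reasons.append("first access to " + ", ".join(new_shares))
        # Timing: off-hours activity from an account with none on record.
        if today["off_hours"] and sum(f["off_hours"] for f in baseline) == 0:
            reasons.append("%d off-hours accesses, none in baseline" % today["off_hours"])
        findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_LOG, "2014-06-05").items():
        print(user, "->", reasons or "no anomaly")
```

Run against the constructed log, the `sysadm` account is flagged on 2014-06-05 for all three reasons (volume, new shares, off-hours) while `analyst`, whose reads of the same intel share match their own history, is not. The comparison is per-user against the user's own past, which is the "without crushing the 99.9 percent" part of the quote: a legitimately busy account is not penalised for being busy, only for changing.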

QOTD - Mikko on Government Malware

We had the nuclear arms race for decades, but now we seem to be in a cyber arms race.
The idea of democratic western governments backdooring technology or using malware and trojans against other democratic governments would've sounded like science-fiction, but that is exactly where we are today.
-- Mikko Hypponen, Chief Research Officer for F-Secure

Src: Black Hat: Expert sheds light on government sponsored malware creation - SC Magazine

QOTD - Snowden on Smart Phones

The NSA, the Russian Intelligence Service, the Chinese Intelligence Service, any intelligence service in the world that has significant funding and a real technological research team, can own that phone the minute it connects to their network. As soon as you turn it on, it can be theirs. They can turn it into a microphone, they can take pictures from it, they can take the data off of it.
-- Edward Snowden

Src: Edward Snowden's Motive Revealed: He Can 'Sleep at Night' - NBC News.com

QOTD on the Shadow IT Trend

CISOs, take note. Shadow IT is a trend that is way beyond building momentum. It’s more like a silent bullet train tearing through the IT landscape unnoticed and with little to no regard for corporate security.
-- Julian Waits, President & CEO of ThreatTrack Security

Src: Heartbleed Underscores Risks of Shadow IT | Innovation Insights

QOTD - Wade Baker on VZ DBIR 2014

After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning.
But by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically.
Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months, while penetrating an organization can take minutes or hours.
-- Wade Baker, principal author of the Data Breach Investigations Report series

Src: Verizon Enterprise Solutions

QOTD - Do Executives Get InfoSec?

[...] security issues have been worded in arcane language since they first came about – and this has led to the emergence of the Chief (information) Security Officer.

This means that the rest of the C-level staff can carry on as they want – cyber security is someone else's responsibility. Unfortunately, CSO staff tend to be security specialists – not business specialists, and so get in the way of business happening, with more of an approach of “don't do this”, rather than “how can we do this securely?”.

Security has to be baked in to the business – and not just at a cyber level.  Security is a business issue, and has to include how people operate; how information is used (including via telephone, paper and any other way).
-- Clive Longbottom, founder and analyst at Quocirca

Src: CEOs still don't get cyber security, study finds - SC Magazine UK

QOTD - Visa's CRO on High-Level Support of InfoSec & Risk

If you don't have the support of the CEO, or the board, or the owners ... you will never get anything done. Period.
-- Ellen Richey, Visa International's Chief Enterprise Risk Officer

Src: IT security is national security -- but you're not alone - Network World

QOTD - On the Value of Watering Holes

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

[...] the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
-- Nicole Perlroth, technology reporter for The New York Times

Note: emphasis is mine.

Src: Hackers Lurking in Vents and Soda Machines - NYTimes.com

QOTD on Senior Execs and Boards

Senior executives and board members with fiduciary roles must take up the mantle to institute change in their companies. CIO’s and CISO’s must also be new-breed, proactive information security champions, each reporting directly to the CEO. They must operate from the same playbook with the same business rationale. Finding vulnerabilities must be rewarded. Every board meeting needs to make this an ongoing focus area to measure.

We have entered into a new era of pervasive technology and resulting exponential vulnerabilities. Senior executives and boards have no choice but to get in the game and drive the efforts to ensure their values and competitive advantage sustainability.

The return on investment for holistic security investment is your business survival.
-- Casey Fleming, chairman and CEO of BlackOps Partners Corporation

Note: emphasis is mine

Src: Wake-Up Call From the Largest Data Breach in History » The Epoch Times

QOTD - The 7-year-old APT

...the emergence of the [Careto] malware underscores that software-based espionage is an important new source of power. [...] If the NSA didn't build Careto, it's a safe bet that they have something like it. And intelligence agencies in China, Russia and other great powers are likely working on software like it too.
-- Timothy B. Lee, who covers technology policy, including copyright and patent law, telecom regulation, privacy, and free speech.

Src: This malware is frighteningly sophisticated, and we don’t know who created it

EU LIBE Committee Report on NSA/GCHQ: “Untargeted, Secret, Illegal Programs; Prohibit Mass Surveillance/Bulk Processing”

The draft report from the EU Committee on Civil Liberties, Justice, and Home Affairs argues that:
...recent revelations in the press by whistleblowers and journalists, together with the expert evidence given during this inquiry, have resulted in compelling evidence of the existence of far-reaching, complex and highly technologically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication and location data and metadata of all citizens around the world on an unprecedented scale and in an indiscriminate and non-suspicion-based manner;

...trust has been profoundly shaken: trust between the two transatlantic partners, trust among EU Member States, trust between citizens and their governments, trust in the respect of the rule of law, and trust in the security of IT services; 

...several governments claim that these mass surveillance programmes are necessary to combat terrorism; wholeheartedly supports the fight against terrorism, but strongly believes that it can never in itself be a justification for untargeted, secret and sometimes even illegal mass surveillance programmes; expresses concerns, therefore, regarding the legality, necessity and proportionality of these programmes;
The report also expresses the committee's views that it
Is adamant that secret laws, treaties and courts violate the rule of law; points out that any judgment of a court or tribunal and any decision of an administrative authority of a non-EU state authorising, directly or indirectly, surveillance activities such as those examined by this inquiry may not be automatically recognised or enforced, but must be submitted individually to the appropriate national procedures on mutual recognition and legal assistance, including rules imposed by bilateral agreements;
and that it
Regards it as a clear finding, as emphasised by the technology experts who testified before the inquiry, that at the current stage of technological development there is no guarantee, either for EU public institutions or for citizens, that their IT security or privacy can be protected from intrusion by well-equipped third countries or EU intelligence agencies (‘no 100% IT security’); notes that this alarming situation can only be remedied if Europeans are willing to dedicate sufficient resources, both human and financial, to preserving Europe’s independence and self-reliance; 
Note: emphasis is mine.

Src: EU LIBE Committee Report on NSA/GCHQ: “Untargeted, Secret, Illegal Programs; Prohibit Mass Surveillance/Bulk Processing” | LeakSource
Direct link to report: http://www.statewatch.org/news/2014/jan/ep-draft-nsa-surveillance-report.pdf