
QOTD - WEF - Axioms for the Cyber Age

Axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.

Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.
The document (correctly IMO) summarizes the current state of affairs with respect to system security:
There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity.
Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - IBM on Data Breaches

Each new breach reinforces the awareness that basic network security is not just a technical problem, but rather a complex business challenge where risk exposure, communication, end-user education, and technology must be considered in a delicate balance.
Src: IBM Security X-Force 2011 Mid-year Trend and Risk Report

QOTD on 2011 as the Year of the Breach

An explosion of breaches has opened 2011 with continuing, near daily new reports, marking this year as “The Year of the Security Breach.” These breaches have been notable not just for their frequency, but for the presumed operational competency of many of the victims. The environment is changing: the boundaries of business infrastructure are being extended – and sometimes obliterated – by the emergence of cloud, mobility, social business, big data and more, while the attacks are getting more and more sophisticated, often showing evidence of extensive pre-operation intelligence collection and careful, patient, long term planning. The repercussions of these attacks are large enough to move security discussions out of technical circles and into the board room.
I have to say that I fully agree with this statement and welcome the boost in visibility (acknowledging an obvious bias on my part given my chosen area of specialty). The world is changing, under our very feet and, as a global society, we need to pay attention to these changes and take charge of the information security risks.

Note: emphasis is mine

QOTD - Schwartz on APTs

The new fact of life is a 'state' of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn't mean that we as a collective of security professionals are powerless against our adversaries – we can and should be able to manage our risk to an acceptable level and change the ongoing and grim trends.
-- Eddie Schwartz, Chief Security Officer of RSA, The Security Division of EMC

Src: Cyber Security Leaders Rally to Combat Advanced Persistent Threats

Nasdaq-OMX CEO on Cyber Attacks

As we sit here, there are people trying to slam into our system every day. So we have to be ever-vigilant against an ever-changing foe.
[...]
We recognize that we're under constant attack and by that I mean literally constant attack.
-- Robert Greifeld, CEO of Nasdaq OMX Group

Src: Nasdaq spends to fend off `constant' hack attacks - Chicagotribune.com

QOTD - Litan on Online Bank Fraud

The law hasn't kept up, the regulators haven't kept up, and you're going to get a different opinion from every judge.
[...]
In the end, businesses are guilty until proven innocent.
-- Avivah Litan, VP & Distinguished Analyst at Gartner Research

Src: Who Bears Online Fraud Burden: Bank or Business? -- InformationWeek

QOTD - FBI on the State of Cyber-Crime

We are facing a very innovative crime, and innovation has to be the response.
[...]
Given enough money, time and resources, an adversary will be able to access any system. Companies need to understand that.
-- Gordon Snow, Assistant Director of the FBI's Cyber Division

Src: Cyber cops stymied by anonymous hackers

QOTD on Today's Threats

The nature of the threats has expanded from targeting individual bank accounts to targeting the information and physical infrastructure of nation states.
-- Stephen Trilling, senior VP, Symantec Security Technology & Response

QOTD - Uri Rivner on the RSA Hack

One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.
[...]
It is also important to note that just as stealth fighters evade radar instead of defeating it, APTs do not “defeat” security products. They just find ways to fly below the existing technology.
[...]
What we’re witnessing now are the early days. We’re now in 1939, and U-boats are an impossible menace. We’re now in 2004, and social engineering attacks get away with our customer’s money. We’re now in 2011, and the tidal wave of targeted attacks has reached our shores. It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.
-- Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA

Src: Anatomy of an Attack « Speaking of Security – The RSA Blog and Podcast

QOTD on IP as the new target

Cybercriminals understand there is greater value in selling a corporations’ proprietary information and trade secrets which have little to no protection making intellectual capital their new currency of choice.

QOTD on the new targets of cyber-crime

Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents. We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.
-- Simon Hunt, VP and CTO, endpoint security at McAfee

QOTD on Cyber-Crime & Anonymity

Considering the anonymity of cyberspace, cybercrime may in fact be one of the most dangerous criminal threats ever. A vital component in fighting transnational crime must therefore include the policing of information security and the provision of secure communication channels for police worldwide based on common standards.
-- Ronald K. Noble, INTERPOL Secretary General

Src: DigitalIDNews | INTERPOL: Online ID needed

QOTD on Hackers Winning

Why do hackers succeed? They're lucky, they're patient and they're brilliant. They're also better funded than you.
-- John Stewart, vice president and chief security officer, Cisco
Src: Hackers winning the security battle, says Cisco - Yahoo! News UK

QOTD on Cyber-crime & 0-day flaws

The cybercrime ecosystem continues to thrive without the need for zero day flaws, and it will continue to as long as millions of end users continue getting exploited with 6+ months old flaws.
-- Dancho Danchev, writing for ZDNet

Note: the entire article is worth reading as it provides a balanced perspective on zero-day exploits and their use in known cyber-crimes.

Src: Seven myths about zero day vulnerabilities debunked | ZDNet

QOTD on State of Security

Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future...

While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they're finding new and interesting ways to stay hidden all the time.
-- Dennis Fisher, editor at Threatpost.com

Src: Persistent, Covert Malware Causing Major Damage | threatpost

QOTD by FBI AD on Cyber-Underground

The potential for considerable profits is enticing to young criminals, and has resulted in the creation of a large underground economy known as the cyber underground. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language, a set of expectations about its members’ conduct, and a system of stratification based on knowledge and skill, activities, and reputation.

One of the ways that cyber criminals communicate within the cyber underground is on website forums. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
-- Gordon M. Snow, Assistant Director, U.S. Federal Bureau of Investigation

Src: Federal Bureau of Investigation - Congressional Testimony

QOTD - Dan Geer, from 2006

When attackers assume little if any risk to make an attack, they will attack with abandon. When attackers can use automation, they will attack with vigor. When attackers’ fundamental operational costs are a mere fraction of defenders’ fundamental operational costs, the attackers can win the arms race. When attackers can mount assaults without warning signs, defenders must always be on high alert. All of these things can be obtained in the digital arena, and when that happens, the only strategy is worst-case preemption. This is true in the world of terrorism but truer yet in the digital world.
-- Dan Geer, then VP and Chief Scientist of Verdasys, now Chief Information Security Officer for In-Q-Tel
Src: Playing for Keeps, ACM Queue Vol 4, No 9

QOTD - Avivah Litan on Cognitive Passwords

Banks and other companies who rely on knowledge based authentication – the process that asks users ‘secret’ questions that only the legitimate can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times.
[...]
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.
-- Avivah Litan, VP Gartner Research
As Avivah explains, it turns out that the crooks are getting the information straight from the data aggregators by spear-phishing their employees.

Src: Avivah Litan — A Member of the Gartner Blog Network

QOTD - Bonnie, Clyde, & Cybercrime

If Bonnie and Clyde were alive today, they'd be quite amused at just how easy it is to make a dishonest buck. Today's criminals have swapped machine guns and getaway cars for viruses, Trojans, rootkits, and other malicious software. Financial fraud as well as identity and intellectual property theft are the crimes of choice.
-- Randy George, writing for InformationWeek
Src: 5 Web Security Best Practices For SMBs -- Web Security -- InformationWeek

QOTD on ATM fraud

Crooks can steal every dime you own in seconds, and you won't even know it.
-- Jody Barr, for WIStv.com
Src: ATM skimmers steal your info in seconds, becoming more popular - WIS News 10 - Columbia, South Carolina