QOTD - Spafford on Infosec as a Profession

The real value chance for advancement and chance to make a difference is in treating this really as a profession [...] It's very similar to what one might encounter in becoming a doctor, lawyer or college professor, where you have to devote yourself to life-long education and development and continuing to hone your skills. Part of being a professional is to actually continue to improve in what you're doing, rather than treating it simply as a job [...] I think it's time to also make the distinction between having a job and being part of a profession. Training will get you a job. Education - especially ongoing education - is part of being a professional and that's where I think the future really lies for many people in this field.
-- Professor Eugene H. Spafford, Executive Director, CERIAS at Purdue University

Note: emphasis is mine.

Src: Infosec Careers: The New Demands (see page 3 for actual quote)

QOTD - RSA's Coviello on Security

Intelligence about your potential attackers and most valuable assets shows you where to focus your efforts, such as what systems to protect and what users to closely monitor.
-- Art Coviello, executive chairman of RSA

Note: is it just me, or does this ring similar to Sun Tzu's Art of War ('know thyself and know thy enemy')?

QOTD - Mogull on Social Engineering

People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation. Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking.
-- Rich Mogull, research director for information security and risk at Gartner (in 2004), now Analyst & CEO at Securosis.

Src: Old scams pose the 'greatest security risk' - CNET News

QOTD - Google's Eric Schmidt on Living in the Information Age

In a 100 years, we've gone from the average person having access to almost no information to the average person in the world having access to all the world's information.
-- Eric Schmidt, Google Executive Chairman

Note: Quote can be found around minute 4:40 of the video

Src: Google’s Eric Schmidt talks Microsoft, recommends Macs | WinRumors

QOTD on Stop, Think, Connect

People online need to check their brains at the keyboard. They use their heads when they drive so they drive safely. So they need to think when they're online. They need to stop before they're about to do something online, think about what it is they're about to do, and then connect, and do so in a safe way. It's sad for those of us in the information technology industry and people who have been cybersecurity geeks for 15 years, but nobody actually buys a computer to have computer security. They buy a computer to do things. That's the whole purpose of having a computer. That's why they're going to connect. They just need to do so in the right way.
-- Philip Reitinger, Deputy Undersecretary, US Department of Homeland Security

Src: DHS Hears Government Infosec Pros Concerns

QOTD on the Trusted Insider

You have a lot of folks that…pretty much have the keys to the castle... The enterprise admins have the ability to scour the entire network. That’s a hurdle that everyone has, especially with the move to managed services. You don’t know who the people who are managing your systems are anymore.
-- anonymous security expert at the US Homeland Security Department

Src: Wikileaks insider threat: A lesson for government cybersecurity managers | TechTarget.com

QOTD - Some users learn quickly, others...

There is a class of user who cannot be protected from themselves. Many users can learn from the mistakes of others, especially when the material is presented well. For the avid, rabid fan, sometimes the only way they will learn is to get bit a few times.
-- Randy Abrams, Director of Technical Education at ESET

QOTD - Hutton on the Fallacy of Security as Engineering

A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker. For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air. In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure. At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers. Their sentience includes creativity and adaptability. The wind does not act to deceive. Gravity and rust do not go “low and slow” to evade detection. Rain does not customize its raindrops to bypass umbrellas. But sentient attackers do change to evade defenses and reach their goal.
-- Alex Hutton, who "works in Risk Intelligence for a Fortune-something company." (src: http://newschoolsecurity.com/about/)

Src: What is Information Security: New School Primer « The New School of Information Security

QOTD on Patching

Unlike IT systems, users cannot be patched and will always be vulnerable to manipulation and infection.
-- Uri Rivner, head of new technologies, identity protection and verification at RSA

Src: RSA Europe 2010: Trojans are going after all businesses, not just banks, says security expert - 13/10/2010 - Computer Weekly

QOTD on the Need for a Security Collective

Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
[...]
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
-- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

Src: The Need for Global Collective Defense on the Internet - Microsoft on The Issues - Site Home - TechNet Blogs

QOTD by Intel CISO

The biggest vulnerability we face today and the future is not the thing that the technical security person would think of, like a botnet or technical flaw, but the misperception of risk.
...
Today, those threat vectors are so subtle, you don't know that something's gotten installed on your computer. Because the incentive for the intruder is to not make you aware of it.
-- Malcolm Harkins, CISO & General Manager of Enterprise Capabilities for Intel Corp

Src: Intel CISO: The biggest security threat today is ... | Security - IT Management

QOTD on Passwords

Fidelity doesn't pay when it comes to passwords – the most important passwords should be changed every three months.
-- Dieter Kempf, a member of the presiding committee of Germany's Bitkom industry association

Src: Passwords: The only constant in life - The H Security: News and Features

QOTD - PwC on Security Awareness Training

The main objective of any awareness raising approach is that it leads people to demonstrate ‘new’ behaviours. To do this it must answer the question ‘what’s in it for me?’. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.

Src: PwC Report "Security awareness: Turning your people into your first line of defence" (PDF)

Also see: Invest in making employees more alert to security risks, says PricewaterhouseCoopers Human Resources - News | HR News | HR Magazine | hrmagazine.co.uk

QOTD - Schneier on Hiring Hackers

Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.
Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain.
[...]
An employer's goal should be to hire moral and ethical people with the skill set required to do the job.
-- Bruce Schneier, Chief Security Technology Officer of BT Global Services

Src: Weighing the risk of hiring hackers | TechTarget.com

QOTD on Bypassing Security Policies

When companies set unrealistic rules -- like limiting users to a very small email box capacity or restricting the ability to attach files to messages -- users will often find ways to get around them. Their motivation is not to break IT rules, but to get their jobs done.
-- Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks

Src: Why Employees Break Security Policy (And What You Can Do About It) - client security/Security - DarkReading

QOTD on People & Security

The human element is the largest security risk in any organization. Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences.
-- Stephen Scharf, CISO at Experian and the former CSO at Bloomberg

Note: I realize that not everyone will agree with this statement. Still, there is much we can do to get people to think before they click.

Src: Weakest link: End-user education - SC Magazine US

QOTD on People vs Security

There's no virus protection for stupid.
-- Rodney Joffe, senior technologist at Neustar & director of the Conficker Working Group

Src: Trojans produced by criminal gangs are on the warpath - SC Magazine UK

QOTD - Stiennon on Reality

Reality has a way of imposing itself regardless of theories. It is best to have a firm grip on reality before setting national policy or investing in technology.
-- Richard Stiennon, founder of IT-Harvest, an independent analyst firm

Src: ThreatChaos Security Blog | ThreatChaos

QOTD on OS Security

The most secure [operating] system is the one that you know how to secure.
-- Carole Fennelly, director of content and documentation at Tenable Network Security

Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD on Social Engineering

Graham Cluley, senior technology consultant at Sophos, sheds light on the debate about PC vs Mac security:
They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.

Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News