Showing posts with label security_solutions. Show all posts

QOTD - Bill Gates on Trustworthy Computing

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. [...] If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
-- Bill Gates, at the time (2002) Chairman and Chief Software Architect at Microsoft

Src: Bill Gates' Trustworthy Computing Memo (from Microsoft, dated Jan 15, 2002, RTF format)

QOTD on the Need for a Secure OS

What we need is a secure operating system. That's the problem, if we're going to have any chance of winning this battle, because we're desperately losing it now. It's not even close. We gave up some time ago on building a secure OS. We don't have one. If there's any game changer that would move us in the direction of fighting back, it's to reinvigorate the efforts of the '80s and '90s with a trusted operating system.
-- Robert Bigman, chief of the information assurance group at the CIA

QOTD on Stop, Think, Connect

People online need to check their brains at the keyboard. They use their heads when they drive so they drive safely. So they need to think when they're online. They need to stop before they're about to do something online, think about what it is they're about to do, and then connect, and do so in a safe way. It's sad for those of us in the information technology industry and people who have been cybersecurity geeks for 15 years, but nobody actually buys a computer to have computer security. They buy a computer to do things. That's the whole purpose of having a computer. That's why they're going to connect. They just need to do so in the right way.
-- Philip Reitinger, Deputy Undersecretary, US Department of Homeland Security

Src: DHS Hears Government Infosec Pros Concerns

QOTD - Hutton on the Fallacy of Security as Engineering

A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker. For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air. In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure. At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers. Their sentience includes creativity and adaptability. The wind does not act to deceive. Gravity and rust do not go “low and slow” to evade detection. Rain does not customize its raindrops to bypass umbrellas. But sentient attackers do change to evade defenses and reach their goal.
-- Alex Hutton, who "works in Risk Intelligence for a Fortune-something company." (src: http://newschoolsecurity.com/about/)

Src: What is Information Security: New School Primer « The New School of Information Security

QOTD on the Need for a Security Collective

Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
[...]
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
-- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

Src: The Need for Global Collective Defense on the Internet - Microsoft on The Issues - Site Home - TechNet Blogs

QOTD on Security Hampering Productivity

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems.
-- John Pescatore, VP Gartner Inc.

Src: SANS NewsBites Vol 12 Num 78

QOTD - Stiennon's Security Principles
  1. A secure network assumes the host is hostile
  2. A secure host assumes the network is hostile
  3. Secure applications assume the user is hostile

Src: 3 Simple Security Principles | Focus.com

QOTD - Jaquith on Zero-Trust Model of Information Security

This article, written for ComputerWeekly.com by Forrester Research's Andrew Jaquith, is a must-read in its entirety. Here's a snippet to whet your appetite:
Successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all.

Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile.
Some of the important concepts include:
* Thin client: process centrally, present locally
* Thin device: replicated data, with device-kill for insurance
* Protected process: local information processing in a secure "bubble"
* Protected data: documents protect themselves regardless of location
* Eye-in-the-sky: know when important information leaves
Src: Own nothing – control everything: five patterns for securing data on devices you don’t own - 08/09/2010 - Computer Weekly

QOTD - PwC on Security Awareness Training

The main objective of any awareness raising approach is that it leads people to demonstrate ‘new’ behaviours. To do this it must answer the question ‘what’s in it for me?’. However, human behaviour is complex and simply telling people what to do is seldom enough to make people change the way they act.
Src: PwC Report "Security awareness: Turning your people into your first line of defence" (PDF)

Also see: Invest in making employees more alert to security risks, says PricewaterhouseCoopers Human Resources - News | HR News | HR Magazine | hrmagazine.co.uk

QOTD - Pescatore on OS & Security

The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. -- John Pescatore, VP of Gartner Inc.
Src: SANS NewsBites Vol 12 Num 44

QOTD on Complacent Security

We need to combat the complacency that sometimes prevails in our industry, the way that things have always been done may no longer be the *right* way to do things. Just because your incumbent security system tells you everything is rosy, it doesn't mean you're clean, as many corporations are discovering to their cost. -- Rik Ferguson, spokesman for Trend Micro

Src: Malice in Wonderland | CIO.co.uk

QOTD - Schneier on Function Creep

Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security system has to play catch-up.
[...]
Sometimes it's obvious that security systems designed for one environment won't work in another.
[...]
The real problems arise when the changes happen in the background, without any conscious thought. -- Bruce Schneier, Chief Security Technology Officer at BT
Src: Security and Function Creep | Schneier.com

QOTD - Pescatore on Waledac

Pulling dandelions makes the lawn look better for a while, but you really need regular pre-emergence weed control to make a difference in the long run. -- John Pescatore, VP Gartner, Inc
In reference to Microsoft getting a temporary injunction to shut down 277 domains associated with the Waledac botnet.

Src: SANS NewsBites Vol 12 Issue 16

QOTD by Skoudis

Unencrypted data should be the exception, not the rule. -- Ed Skoudis, co-founder of Inguardians & SANS lead instructor
Src: SANS NewsBites Vol 12 Num 12

QOTD - Security vs Reality

Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology. -- Khalid Kark, VP & Principal Analyst at Forrester Research Inc
Src: CISOs take measured steps to reduce social media risks

QOTD on OS Security

The most secure [operating] system is the one that you know how to secure. -- Carole Fennelly, director of content and documentation at Tenable Network Security
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD on Social Engineering

Graham Cluley, senior technology consultant at Sophos, sheds light on the debate about PC vs Mac security:
They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.
Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD - Jaquith on Security & the Cloud

In time 'the cloud' will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the 'information' back into Information Security. This is exactly the discussion we need to have. -- Andrew Jaquith, Senior Analyst for Forrester research and book author
Src: The Forrester Blog For Security & Risk Professionals

QOTD on Cyber Adversaries

No matter how good technology is, the adversary always has an advantage because the defense sets up the game plan, sets up the rules, and then the adversary, the attacker can try to figure out ways to cheat. -- Dickie George, the National Security Agency's Information Assurance Directorate technical director
Src: Thinking Like a Hacker: Dickie George, Technical Director of Information Assurance, National Security Agency

QOTD on Patch Tuesday

Patch Tuesday is simply a hacker notification system that over 200 million systems are now vulnerable and they probably won't get patched in the next three months. It's a hacker notification system. -- David Rice, author of Geekonomics

I'll admit it, this is one of my favorite information security quotes.

Src: Risky Business #78 -- Geekonomics author David Rice | Risky Business