Dr. InfoSec™

QOTD on Web2.0

2009-11-14T05:46:00.000-08:00

We know that workers are using these applications [web 2.0 or "enterprise 2.0"] to help them get their jobs done, with or without approval from their IT departments. And now we know this is happening much faster than anticipated. It's naïve to think that old-school security practices can handle this deluge. Organizations must realize that banning or allowing specific applications in a black-and-white fashion is bad for business. They need a new approach that allows for shades of gray by enforcing appropriate application usage policies tailored for their workforce. This is a radical and necessary shift for today's IT security professionals. -- Rene Bonvanie, VP Marketing, Palo Alto

Src: Social networking — and its risks — are exploding in enterprise networks | GCN

QOTD on Win7 & Malware

2009-11-13T05:49:00.000-08:00

It’s not so much about technology any more. It’s just as much about social engineering that can trick you into giving them money, regardless of what kind of operating system you’re on. -- Petter Laudin, Managing director (UK & Ireland), Panda Security

Src: Windows 7 users have the same old security problems | IT PRO

QOTD on Managing InfoSec Risks

2009-11-12T05:30:00.000-08:00

Managing information security risks requires an approach that is flexible and focused on what matters most to the organization, protecting critical information. Only by understanding the use of information within critical business processes can an organization, and in particular its information security function, truly begin to manage its security needs. -- Paul van Kessel, Global Leader of Ernst & Young’s Technology and Security Risk Services

Src: Former employees a growing IT security threat | Ernst & Young

QOTD - Pescatore on Threats vs Humans

2009-11-11T05:46:00.000-08:00

It is important to educate people, but we have to realize human behavior will always change much more slowly than the threats do. -- John Pescatore, VP and Distinguished Analyst with Gartner, Inc.

Src: Gartner's John Pescatore on 2010 Threats, Trends | BankInfoSecurity.com

Microsoft's Security Development Lifecycle

2009-11-10T06:34:00.000-08:00

Microsoft has recently released an update to their Security Development Lifecycle meant to address the need for security in the agile development process. The document defines Microsoft's process, which is termed Secure by Design, Secure by Default, Secure in Deployment, and Communications (or SD3+C). The section below describes the list of products and services that are required to adopt the SDL process. This seems to cover basically every piece of software that Microsoft makes.

What Products and Services Are Required to Adopt the SDL Process?

Any software release that is commonly used or deployed within any organization, such as a business organization or a government or nonprofit agency.

Any software release that regularly stores, processes, or communicates PII or other sensitive information. Examples include financial or medical information.

Any software product or service that targets or is attractive to children 13 years old or younger.

Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:

Always online. Services provided by a product that involve a presence on the Internet (for example, Windows® Messenger).

Designed to be online. Browser or mail applications that expose Internet functionality (for example, Microsoft Office Outlook® or Microsoft Internet Explorer®).

Exposed online. Components that are routinely accessible through other products that interact with the Internet (for example, Microsoft ActiveX® controls or PC–based games with multiplayer online support).

Any software release that automatically downloads updates.

Any software release that accepts or processes data from an unauthenticated source, including:

Callable interfaces that “listen.”

Functionality that parses any unprotected file types that should be limited to system administrators.

Any release that contains ActiveX controls.

Any release that contains COM controls.

Src: Microsoft's Security Development Lifecycle

QOTD on the State of Information Security

2009-11-10T05:14:00.000-08:00

The likeliest future state of security can be characterized as a Perpetual Arms Race, between hackers and criminals on one side and enterprises and governments on the other side. -- Joseph Feiman, John Pescatore, Neil MacDonald

Src: Security in 2013 and Beyond | Gartner, Inc.

QOTD on Cyberwarfare

2009-11-09T05:27:00.000-08:00

In the Cold War, there was symmetry in vulnerabilities – each side had cities and populations that the other could hold hostage. That symmetry no longer exists. The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange. -- James Lewis, Center for Strategic and International Studies

Src: Report: Cyberterror Not a Credible Threat | Threatpost

QOTD - Schneier on AntiVirus

2009-11-08T05:17:00.000-08:00

Antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it is obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. -- Bruce Schneier, Chief Security Technology Officer of BT Global Services

Src: Schneier-Ranum Face-Off: Is antivirus dead? | Information Security Magazine

The state of the [security] industry

2009-11-07T06:18:00.000-08:00

The thought leaders in security have come to realize that even strong defenses are penetrable. They understand that in spite of the millions of dollars spent and their best efforts, that enterprises are already compromised and will continue to be compromised for the foreseeable future and that all of the vendor and marketing claims and promises are not about to change that very cold and stark reality. If anything, the increasing complexity of technology has increased the ease with which easy-to-use advanced threats can impact enterprise business environments with little care for their state of compliance with meaningless regulatory mandates. While expecting perfect protection is a failed strategy, many on the leading edge are learning to operate in environments they suspect of being partially compromised and increasingly focus their efforts on the ability to understand incident scope, impact and validate cleanup. -- Amit Yoran, CEO of NetWitness

The entire article is full of insightful comments by many key players in the information security space. Absolutely worth the 5-10 minutes it will take you to read it, even if you find yourself disagreeing with some of the opinions.

Src: The state of the industry | SC Magazine US

QOTD on Fighting Malware in the Future

2009-11-06T04:57:00.000-08:00

In the future, it seems the most successful criminal malware will be super-stealthy infections that users don't even know they've got. If that happens, a co-operative community of antivirus companies, researchers, ISPs, police forces and other government agencies may be our only hope. -- Jack Schofield

Src: Malware: the net's silent assassin | Technology | The Guardian

QOTD on Data Permanence

2009-11-05T05:54:00.000-08:00

Information doesn't fade the way it used to. Documents that once upon a time could be counted on to be filed and forgotten are now finding an afterlife in digital, searchable form. -- Martin Kaste

Src: Digital Data Make For A Really Permanent Record | NPR.org

QOTD on Malware

2009-11-04T04:30:00.000-08:00

Last year [2008], the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. -- Roger A. Grimes

Src: InfoWorld review: Whitelisting security comes of age | Infoworld

QOTD on Data Deluge

2009-11-03T12:32:00.000-08:00

The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. -- Ron Deibert, director of the Citizen Lab, a principal with the SecDev Group, & cofounder of and principal investigator for the Information Warfare Monitor.

Src: Smarter sleuthing can save our online privacy | The Globe and Mail

QOTD on CIO Skills

2009-10-30T05:20:00.000-07:00

CIOs need to inculcate a blend of three skills - conceptual, technical and human skills, but most importantly the human skill, as they are the bridge between the top-level and the low-level management. -- Dr. Nityesh Bhatt, Associate Professor, Nirma Institute of Management

Src: CIOs need to champion human skills | CIOL News Reports

QOTD on Being Secure

2009-10-29T05:56:00.000-07:00

You don't want to be the most secure place on earth-you want to be secure enough to make others a more attractive target (hackers are smart and lazy, too-they strive for the easy prey in most cases), and you want to be in business. Otherwise your security model stinks. -- Michael Oberlaender

Src: The Magic Triangle of IT Security | ComputerWorld

QOTD on Biometrics

2009-10-28T06:06:00.000-07:00

The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint? -- George Tillmann, a former CIO, management consultant and the author of The Business-Oriented CIO

Src: The case against biometric identity theft protection | IDG.no

QOTD Schmidt on the Value of Data

2009-10-27T04:42:00.000-07:00

Many businesses, governments and individuals are still unclear of the true value of data and where it resides and who has ownership is even less clear. We need to be better at controlling and managing data and understand the expectations of the data owners and providers. For example, if we give personal data to identify and validate ourselves – this data is only required for a short period of time and could then be destroyed. -- Professor Howard A. Schmidt, CISSP, president of ISF.

Src: RSA Europe: Information Security and data value should be part of education and training | Infosecurity (UK)

QOTD on Banking Fraud

2009-10-26T07:24:00.000-07:00

We don't need to know who's doing it, just what it looks like at an earlier phase, so we can alert our institutions and prepare them on what to look for. -- Doug Johnson, Senior Policy Analyst at the American Bankers Association.

Src: Online Fraud: New Victims, New Approaches | BankInfoSecurity.com

QOTD on CIO as CSO+CPO

2009-10-25T06:08:00.000-07:00

No one could credibly deny that IT has a significant responsibility for security and privacy, but care should be taken to distinguish enablement from execution. The fact is, IT alone cannot solve the problem. -- Ted DeZabala, author & national leader of the Security & Privacy Services practice at Deloitte & Touche LLP.

The CIO as Chief Security/Privacy Officer | CIOInsight.com

QOTD on e-Spying

2009-10-24T06:52:00.000-07:00

Modern-day espionage doesn't involve cloak and dagger anymore. It's all electronic. -- Tom Kellermann, Vice President at Core Security Technologies

Src: China Expands Cyberspying in U.S., Report Says | WSJ.com

QOTD - Schmidt on Current Laws

2009-10-23T05:12:00.000-07:00

We still have 18th century laws looking at 21st century technologies – that needs to be changed. -- Howard Schmidt, ISF President & CEO.

Src: RSA Europe: Two-factor authentication is worth nothing, says executive director, EEMA | Infosecurity (UK)

QOTD - Spafford on the security conundrum

2009-10-22T04:53:00.000-07:00

No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.

The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena is not a spot crisis; it is a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices. -- Prof. Eugene Spafford, Purdue University

Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Pursue University

QOTD on Questioning our Assumptions

2009-10-21T04:31:00.000-07:00

One of the many pitfalls of information security is the illusion of permanence that surrounds many longstanding tools, policies and ways of doing business. Too often, the fact that 'it's always been done that way' clouds our judgment and blinds us to a system's holes. To avoid that mistake, it's time to learn how to second-guess yourself. -- Ed Moyle, manager with CTG's information security solutions practice

Src: Why It Pays to Second-Guess Your Technology Assumptions | TechNewsWorld

QOTD on Humans & Complexity

2009-10-20T04:19:00.000-07:00

While technology and information have evolved and grown dramatically over the past 100 years, people's behaviors to cope with this growth have evolved at a much slower pace and our ability to keep up with the complexity foisted upon us is limited. So today, high value is found in taming the complexity so that humans can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world. -- Art Coviello, President RSA

Src: RSA Executives Offer Seven Guiding Principles To Maximize Megatrends Redefining the Information Security Industry | Reuters

QOTD on Managing your Career

2009-10-17T12:55:00.000-07:00

If you're going to be the CEO of your own career, how do you want people to think of you? It's necessary to develop your own personal board of directors. You need to have a couple of people on there who know your marketplace and value what you're doing. -- Joyce Brocaglia, President and CEO of Alta Associates

Src: SC World Congress: Build a personal network - SC Magazine US