Dr. InfoSec™

QOTD - Hypponen on AV vs Targeted Malware

2012-06-02T11:53:00.001-07:00

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

-- Mikko Hypponen, Chief Research Officer of F-Secure

Src: Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet | Threat Level | Wired.com

QOTD - Kaspersky on No-More-Privacy

2012-05-23T11:33:00.000-07:00

We can forget about privacy. There’s no privacy anymore. You can have privacy if you live somewhere in the jungle, or the middle of Siberia.

-- Eugene Kaspersky, CEO of Kaspersky Lab

Src: Why Eugene Kaspersky has big problems with big data

QOTD - Kaspersky on Cyber-Weapons

2012-05-22T11:09:00.000-07:00

A cyber-weapon is a boomerang. Sooner or later it will fly back to you.

-- Eugene Kaspersky, CEO of Kaspersky Lab

Src: Why Eugene Kaspersky has big problems with big data (Page 3)

QOTD on Big Data

2012-04-23T17:15:00.001-07:00

Given enough data, intelligence and power, corporations and government can connect dots in ways that only previously existed in science fiction.

-- Alexander Howard, government 2.0 correspondent at the technology publisher O'Reilly Media.

Src: Big Data age puts privacy in question as information becomes currency | Technology | guardian.co.uk
Note: Alex' full interview transcript can be found at https://plus.google.com/107980702132412632948/posts/RegCw2P51Hk

QOTD - Heartland CEO on Breach Response

2012-04-16T08:05:00.001-07:00

To be PCI compliant does not mean you can't be breached. Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive.

-- Bob Carr, CEO of Heartland Payment Systems

Note: emphasis is mine.

Src: Heartland CEO on Breach Response - BankInfoSecurity

QOTD - FBI Director on Nation States

2012-04-05T04:55:00.000-07:00

State-sponsored hackers are patient and calculating. They have the time, money and resources to burrow in and wait. You may discover one breach only to find that the real damage has been done at a much higher level.

-- Robert Mueller, Director of the FBI

Src: FBI Director says cybercrime will eclipse terrorism

FBI Director on Cyber Threats

2012-04-04T04:53:00.000-07:00

We anticipate that the cyberthreat will pose the greatest threat to our country.
[...]
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.

-- Robert Mueller, Director of the FBI

Note: emphasis is mine.

Src: FBI Director says cybercrime will eclipse terrorism

QOTD - Art Coviello RSA 2012 Keynote - Risks

2012-04-03T04:35:00.000-07:00

However, accepting the inevitability of compromise does not mean that we have to accept the inevitability of loss. We can manage risk to an acceptable level. We won’t stop every individual attack, but we can reduce the window of vulnerability from all attacks, and put the balance of control back firmly in the hands of security practitioners.
[...]
Although our industry has been talking about risk‐based security for a while, the fact remains that few organizations do it meaningfully and well. We must learn to evaluate risk at more substantive and granular levels. There’s risk, and then there’s risk.
Fundamentally, risk is a function of three components: How vulnerable you are to attack; how likely you are to be targeted; and the value of what’s at stake. In a world of advanced threats, we must evaluate risk not just from the inside out, but the outside in as well.
[...]
In looking at your organization from the point of view of your attackers, you are more likely to spot critical vulnerabilities and be able to focus your risk mitigation efforts.

-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Note: emphasis is mine.

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Art Coviello RSA 2012 Keynote - Attacks

2012-04-02T11:32:00.000-07:00

Never have we witnessed so many high profile attacks in one year. Never have the attacks been as targeted – with the aim of breaching one organization as a stepping‐stone to attack others.
[...]
The reality today is that we are in a race with our adversaries – they win when they can they spot weaknesses and exploit them faster than we can identify the attack patterns and prevent them. Right now they are winning!

-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Geer on The Craft of InfoSec

2012-04-02T11:18:00.000-07:00

The craft that we're trying to practice [IA/infosec]... is always changing.

-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Risky Business Podcast # 227 (around minute 46)

QOTD - Art Coviello RSA 2012 Keynote - Adversaries

2012-03-31T05:16:00.000-07:00

New breeds of cybercriminals, hacktivists and rogue nation states have become as adept at exploiting the vulnerabilities of our digital world as our customers have become at exploiting its value. With increased speed, agility and cunning, attackers are taking advantage of gaps in security resulting from the openness of today’s hyper-connected infrastructures, and our own slow response to recognize the potency of the emerging threat landscape and our inability to band together. Our adversaries are better coordinated, have developed better intelligence, and easily outflank our traditional perimeter defenses.

-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA

Note: emphasis is mine.

Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)

QOTD - Geer on Whether Laws Can Keep Up with Technology

2012-03-30T05:20:00.000-07:00

You typically don't need a rule to prevent you from doing something that is impossible...
But we are, these days, making impossible things possible rather faster than the legislatures can keep up.

-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Risky Business Podcast # 227 (around minute 31)

QOTD - VZ DBIR on Intelligent Attackers

2012-03-29T04:57:00.000-07:00

Attackers are only as intelligent and adaptive as WE FORCE THEM TO BE. Clearly—as a community—we’re not exactly forcing them to bring their A-game.

Src: Verizon 2012 Data Breach Incident Report (PDF), covering incidents of 2011

QOTD - NSA Chief on Cyber Espionage

2012-03-28T06:46:00.001-07:00

[...] cyberspace is becoming more dangerous.
[...] now the more sophisticated cyber criminals are shifting away from botnets and such “visible” means of making money and toward stealthier, targeted thefts of sensitive data they can sell.
[...]
State-sponsored industrial espionage and theft of intellectual capital now occurs with stunning rapacity and brazenness, and some of that activity links back to foreign intelligence services. Companies and government agencies around the world are thus being looted of their intellectual property by national intelligence actors...

-- Gen. Keith Alexander, Director of the NSA & Commander of the US Cyber Command

Src: CYBERCOM Posture Statement for 27Mar12 SASC Hearing FINAL v 1 as of 21 March 2012.doc

QOTD - Geer on the Rate of Change

2012-03-27T05:05:00.000-07:00

The rate at which we are turning the impossible into the possible is accelerating and will continue to do so because technologic change is now in a positive feedback loop.

-- Dr. Dan Geer, CISO of In-Q-Tel

Src: Cybersecurity and National Policy | National Security Journal | Harvard Law School

QOTD - Bryan Sartin on the DBIR

2012-03-26T06:54:00.000-07:00

This is a study of security failures and the lessons that can be learned from them.

-- Bryan Sartin, VP of the Verizon RISK (Research Investigations Solutions Knowledge) Team

Src: financialservices.house.gov/UploadedFiles/091411sartin.pdf (PDF)

QOTD on Being a Target

2012-03-21T09:18:00.001-07:00

Small companies are targeted now because there's high return at fairly little effort. If you're a company with a hot piece of technology … I'd consider it a certainty you'd be a target.

-- Grady Summers, Vice President at Mandiant

Src: Five Ways You Can Avoid IP Theft | Entrepreneur.com

QOTD on Hacker Targets

2012-03-14T07:18:00.001-07:00

Hackers may target any IT operation for any reason.
Many hackers, of course, are in it for the money. (This includes some Anonymous hackers.) They will aim for customer account numbers or other data of direct monetary value. But many hackers, including some of the most sophisticated, are in it for a mixture of more indirect motives. These include notoriety, the sheer thrill of the chase, and increasingly, a vague but militant political agenda.

-- Rick Robinson, freelance writer

Note: emphasis is mine.

Editorial: leave it to a professional writer to come up with one of the best summaries of hacker targets and motives.

Src: Anonymous Hackers' FBI Revenge Hits Spanish Security Firm | Inbfoboom

QOTD on The New Security Reality

2012-02-10T06:55:00.000-08:00

You should assume that every server in your company is compromised, then build your security around that.
[...]
Don't assume you're safe. Assume you're not, and figure out now how to react when you are compromised.

-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on APTs

2012-02-09T08:48:00.000-08:00

The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations. Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right, and the bad guys will find and leverage the one thing you do wrong.

-- Jon Oltsik, ESG senior principal analyst

Note: emphasis is mine.

Advanced Persistent Threats Get More Respect - Security - Cyberterror - Informationweek

QOTD on The Security Perimeter

2012-02-08T06:51:00.000-08:00

The days of the perimeter working as the sole defence mechanism are no longer with us.
[...]
Once hackers defeat the perimeter, they will make stealthy, pinpoint attacks from there.
This isn't an outbreak which shuts all the corporate machines down – it's about probing and searching for valuable data or other vulnerabilities.

-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on Banking Security

2012-02-06T10:47:00.000-08:00

There is no single, easy, solution for the banks to ensure the security of their online banking systems. A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack.

-- Hugh Callaghan, security expert at Ernst & Young

Note: emphasis is mine.

Src: Hackers may be able to 'outwit' online banking security devices • The Register

QOTD - WEF - Online Security As Public Good

2012-01-27T12:09:00.000-08:00

Online security is also an example of a public good; costs are borne privately, but benefits are shared. When individuals weigh the cost of investing in antivirus software, they do not take into account the benefits of protecting other users from spam and advanced persistent threat attacks if their computers are infected with malware.
[...]
Innovative multistakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience.

Note: emphasis is mine.

Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - WEF - Axioms for the Cyber Age

2012-01-25T09:07:00.000-08:00

Axioms for the Cyber Age:

Any device with software-defined behaviour can be tricked into doing things its creators did not intend.

Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.

The document (correctly IMO) summarizes the current state of affairs with respect to system security:

There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity.

Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - Bill Gates on Trustworthy Computing

2012-01-18T12:19:00.000-08:00

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. [...] If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.

-- Bill Gates, at the time (2002) Chairman and Chief Software Architect at Microsoft

Src: Bill Gates' Trustworthy Computing Memo (from Microsoft, dated Jan 15, 2002, RTF format)