Attackers Winning the Arms Race
"When attackers assume little if any risk to make an attack, they will attack with abandon. When attackers can use automation, they will attack with vigor. When attackers’ fundamental operational costs are a mere fraction of defenders’ fundamental operational costs, the attackers can win the arms race. When attackers can mount assaults without warning signs, defenders must always be on high alert. All of these things can be obtained in the digital arena, and when that happens, the only strategy is worst-case preemption. This is true in the world of terrorism but truer yet in the digital world..." -- Dan Geer, then VP and Chief Scientist of Verdasys, now Chief Information Security Officer for In-Q-Tel
Northcutt on Deprovisioning
"Whenever you terminate someone who has had system access, it is imperative that you make it impossible for that person to come back into your systems. Stories like this offer a strong argument for two-factor authentication, and I do not mean 'What is your pet's name?'..." -- Stephen Northcutt, President of the SANS Technology Institute
On Cyber Defense
"A static cyber defense can never win against an agile cyber offense. You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you..." -- Bruce Held, Intelligence Chief for the US Department of Energy
Building Secure Code
"For decades, we've taught people how to code, but not necessarily how to code securely..." -- Max Rayner, former CTO at Travelzoo, speaking as a panelist at a recent (ISC)2 conference on Software Security
On Social Networks
"Anyone who visits a social networking site should know that it's a business model. The service is not free. We users pay for it with our private data..." -- Ilse Aigner, Germany's Consumer Minister
Pescatore on Privacy Violations
"Dealing with the impact of getting caught surreptitiously violating customer privacy, costly. Avoiding violating your customers' privacy, priceless..." -- John Pescatore, VP at Gartner, Inc.
On SAS-70
"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is..." -- Jay Heiser, Research Vice President at Gartner, Inc.
Cross-posted from Dr. Infosec