Cyber-Crime & Anonymity
"Considering the anonymity of cyberspace, cybercrime may in fact be one of the most dangerous criminal threats ever. A vital component in fighting transnational crime must therefore include the policing of information security and the provision of secure communication channels for police worldwide based on common standards..." -- Ronald K. Noble, INTERPOL Secretary General
Herzog on Security
"If we keep doing what we know doesn't work even "good enough", why keep doing it? It wasn't until we accepted that there are things we can never reliably know that we knew we had better find the limits to that which we did know. So then at least we'd have that going for us. For example we know that we can't reliably determine the impact of a particular vulnerability for everyone in some big database of vulnerabilities because it will always depend on the means of interactions and the functioning controls of the target being attacked..." -- Pete Herzog, managing director of ISECOM
Northcutt on CIA
"Confidentiality, integrity and availability are always important, but master the skill of knowing which one is most important for a given business, system or file routine..." -- Stephen Northcutt, CEO of SANS Technology Institute
Sound Security Investments
"Put simply, this means that spending hundreds of thousands of Pounds, Euros or Dollars on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organization as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process..." -- Ray Bryant, CEO of idappcom
Jaquith on Zero-Trust Model of Information Security
"Successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all. Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile..." -- Forrester Research's Andrew Jaquith for ComputerWeekly.com
Mobile Security
"Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn't mean an attacker can't load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption, and ultimately crack the site -- and the main data store behind it. It's like having two doors to your bank vault. Web applications of today are like the highly guarded front door fortified by mature security practices and fully capable of stopping an intruder. Mobile APIs are like the unguarded back door -- offering far easier access to would-be attackers..." -- Pete Soderling, founder of Stratus Security
Cross-posted from Dr. Infosec