Dr. InfoSec's Quotes of the Week (004)

Sunday, July 25, 2010

Christophe Veltsos


Attackers Winning the Arms Race

"When attackers assume little if any risk to make an attack, they will attack with abandon. When attackers can use automation, they will attack with vigor. When attackers’ fundamental operational costs are a mere fraction of defenders’ fundamental operational costs, the attackers can win the arms race. When attackers can mount assaults without warning signs, defenders must always be on high alert. All of these things can be obtained in the digital arena, and when that happens, the only strategy is worst-case preemption. This is true in the world of terrorism but truer yet in the digital world..." -- Dan Geer, then VP and Chief Scientist of Verdasys, now Chief Information Security Officer for In-Q-Tel

Northcutt on Deprovisioning

"Whenever you terminate someone who has had system access, it is imperative that you make it impossible for that person to come back into your systems. Stories like this offer a strong argument for two factor authentication and I do not mean What is your pet's name..." -- Stephen Northcutt, President of the SANS Technology Institute
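Northcutt's point is that disabling a login is not the same as making it impossible to come back: SSH keys, API tokens and shared passwords survive an account lockout. The reconciliation check below is an added example, not code from the original post or from SANS. It compares an HR termination feed against inventories of still-live access and, in the spirit of the two-factor remark, also flags current staff whose enabled accounts rely on a password alone. All user names, hosts, key fingerprints and token ids are constructed sample data; in practice the inventories would be pulled from the identity provider, the hosts' authorized_keys files, the token store and the password vault.

```python
"""Offboarding reconciliation: find access a terminated person could still use.

Added example, not from the original post. The inventories below are
constructed sample data; in practice they would come from the identity
provider, the bastion hosts' authorized_keys files, the API token store and
the password vault that tracks shared-account membership.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # account | ssh_key | api_token | shared_account | mfa
    detail: str


# Constructed sample data (hypothetical users, hosts, token ids).
TERMINATED = {                       # username -> last day (HR feed)
    "jdoe": date(2010, 7, 1),
    "asmith": date(2010, 6, 15),
    "cwong": date(2010, 8, 2),       # termination in the future: not yet actionable
}
ACCOUNTS = {                         # identity-provider export
    "jdoe": {"enabled": True, "mfa_enrolled": False},    # never disabled
    "asmith": {"enabled": False, "mfa_enrolled": True},
    "bjones": {"enabled": True, "mfa_enrolled": False},  # current employee, no 2FA
    "cwong": {"enabled": True, "mfa_enrolled": True},
}
SSH_KEYS = [                         # parsed from authorized_keys on each host
    {"owner": "asmith", "fingerprint": "SHA256:aaaa...", "host": "bastion01"},
    {"owner": "bjones", "fingerprint": "SHA256:bbbb...", "host": "bastion01"},
]
API_TOKENS = [                       # token store; expires=None means never
    {"owner": "jdoe", "id": "tok-17", "expires": None},
    {"owner": "jdoe", "id": "tok-03", "expires": date(2010, 5, 1)},
    {"owner": "bjones", "id": "tok-21", "expires": date(2011, 1, 1)},
]
SHARED_ACCOUNTS = {                  # shared credential -> people who know it
    "deploy": {"jdoe", "bjones"},
    "oncall": {"asmith"},
}


def audit(terminated, accounts, ssh_keys, api_tokens, shared_accounts, today):
    """Return every Finding for people whose last day is on or before `today`,
    plus current users whose enabled accounts lack a second factor."""
    findings = []
    gone = {u for u, last_day in terminated.items() if last_day <= today}

    for user in sorted(gone):
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            findings.append(Finding(user, "account", "account still enabled"))
        for key in ssh_keys:
            if key["owner"] == user:
                findings.append(Finding(
                    user, "ssh_key",
                    f"{key['fingerprint']} still authorized on {key['host']}"))
        for tok in api_tokens:
            if tok["owner"] == user and (tok["expires"] is None or tok["expires"] > today):
                findings.append(Finding(user, "api_token", f"token {tok['id']} still valid"))
        # A disabled account does not help if the person still knows a shared password.
        for name, members in shared_accounts.items():
            if user in members:
                findings.append(Finding(
                    user, "shared_account",
                    f"knows password of shared account '{name}'; rotate it"))

    # Second factor: a password alone is the weak link the quote warns about.
    for user, acct in sorted(accounts.items()):
        if user not in gone and acct["enabled"] and not acct["mfa_enrolled"]:
            findings.append(Finding(user, "mfa", "enabled account without a second factor"))
    return findings


if __name__ == "__main__":
    for f in audit(TERMINATED, ACCOUNTS, SSH_KEYS, API_TOKENS, SHARED_ACCOUNTS,
                   date(2010, 7, 25)):
        print(f"{f.user:8} {f.kind:15} {f.detail}")
```

Run against the sample data on 2010-07-25 the check reports six items: jdoe's account is still enabled, jdoe still holds a never-expiring token and knows the shared deploy password; asmith's account was disabled but an SSH key and a shared on-call password remain; and bjones, still employed, has no second factor. The future-dated cwong termination produces nothing yet. The design point is that the HR feed, not the identity provider, is the source of truth for who should have access, and that every credential type gets its own inventory rather than trusting the account flag.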

On Cyber Defense

"A static cyber defense can never win against an agile cyber offense. You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you..." -- Bruce Held, Intelligence Chief for the US Department of Energy

Building Secure Code

"For decades, we've taught people how to code, but not necessarily how to code securely..." -- Max Rayner, former CTO at Travelzoo, speaking as a panelist at a recent (ISC)2 conference on Software Security

On Social Networks

"Anyone who visits a social networking site should know that it's a business model. The service is not free. We users pay for it with our private data..." -- Ilse Aigner, Germany's Consumer Minister

Pescatore on Privacy Violations

"Dealing with the impact of getting caught surreptitiously violating customer privacy, costly. Avoiding violating your customers' privacy, priceless..." -- John Pescatore, VP at Gartner, Inc.

On SAS 70

"Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is..." -- Jay Heiser, Research Vice President at Gartner, Inc.

Cross-posted from Dr. Infosec

Mister Reiner: Here are some thoughts on these quotes:

Northcutt on Deprovisioning

Authentication doesn't matter if an ex-employee's Trojan is running as root.

Building Secure Code

It's a good thing we don't need to teach people how to breathe, otherwise we would have a REAL problem on our hands. Why can't people take the initiative to learn how to code securely on their own - or is that like asking children to learn how to wipe their own bottoms without any instruction? I guess ignorance is bliss.

On Social Networks

Privacy is in the eye of the participant. If there is no expectation of privacy, what's the problem?

Pescatore on Privacy Violations

Avoidance in this context seems like dodging an endless shower of flaming arrows. Getting hit by one of them is inevitable and unavoidable. Someone needs to tell the emperor that he isn't wearing an impervious suit of invisible armor.

On SAS-70

Anyone's claims of having a secure technology should be taken with a grain of salt - well... better make that a salt shaker. After all we've been through over the years, are people still gullible enough to think that anything is secure? I guess so. LOL