If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.

“Do I want to know why you’re so informed about spyware?” she asked. Nikolaos gave her a charming, dazzling smile. “No, my dear. You do not.”

We didn’t install the [Code Red] patch on those DMZ systems because they were only used for development and testing [Shortly after spending 48 hours straight removing Code Red worm from internal corporate servers in 2001].

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won’t suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.

To competently perform rectifying security service, two critical incident response elements are necessary: information and organization.

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.

Doveryai, no proveryai (Trust, but verify).

When entrusted to process, you are obligated to safeguard.

Give a man an audit and he will be secure for a day. Teach a man to audit and he will be secure for the rest of his life.
