In continuation of yesterday’s piece on Chris Wysopal’s discussion with cyber-security guru Richard Clarke, this second installment focuses on questions asked by webinar participants in the live webcast. Remember, you can always download and view the recorded versions of our webinars here.

Q: Are you concerned about the merge to electronic healthcare records?

RC: Yes – part of the healthcare reform package has requirements that accelerate the reliance on electronic file records in medicine. There are some real incentives in the bill that force the industry into doing it relatively quickly. The question in my mind is who the actor is in this case that would go after health care records. Is it a criminal or is it an espionage organization? I don’t know the motivation, but I do know that these enormous insurance companies and enormous medical centers have lots and lots of vulnerabilities because they’ve never looked systematically before and done real sophisticated security analysis – that’s the last thing a major medical center has been doing in the past. So yes, it is a source of concern any time a new industry runs headlong into a reliance on IT systems it hasn’t been reliant on before.

Q: Is it safe to assume that most attacks come from compromised servers? If so, are there any government agencies or companies that scan for vulnerabilities and notify that company of a server issue?

RC: The simple answer to that is no. The government does not run around scanning private company servers. In fact, unless you specifically sign up with a provider to do that, no one’s going to automatically do it for you.

Q: Would you please comment on what small businesses can do to learn more about what they can do to contribute to increasing security in their respective businesses?

RC: I’m going to say something here that may be a little counterintuitive and a bit controversial. I think small businesses should think about the cloud. I know some people say, “Oh, the cloud is automatically insecure,” or, “the cloud is automatically less secure.” Well, it depends on what you ask the cloud provider to do. If you’re truly a small business, you don’t have the time, you don’t have the expertise, you don’t have the money to defend yourself to the level of perhaps what you would be satisfied with. But a bunch of small and medium-sized companies going to a cloud provider together can have much better security than they can have individually. If, and this is the key thing, if they ask for it, and if they compare offerings on the criteria of a service, and of security, because if you just go to a cloud provider, they’ll say, “Oh yeah, we did all of the security stuff,” and that will be the end of it. You get these situations where you get the cloud provider kind of believing it’s up to you to do your own security, and you think the cloud provider is doing it, so you have to be careful, you have to be explicit, you have to ask them what additional security you can buy from them, and how you can compare the security offerings among the cloud providers. But I would urge a small business owner to try to do that rather than try and secure it themselves.
Missed the webcast but still have questions and comments? We’d love to keep the discussion going, so please leave your comments below!