A Conversation With Richard Clarke – Part II

Saturday, February 04, 2012

Fergal Glynn

Article by Zack Cronin

In continuation of Chris Wysopal’s discussion with cyber-security guru Richard Clarke, this second installment focuses on questions asked by webinar participants. (Part I Here).

Q: Are you concerned about the merge to electronic healthcare records?

RC: Yes – part of the healthcare reform package has requirements that accelerate the reliance on electronic file records in medicine. There are some real incentives in the bill that force the industry into doing it relatively quickly. The question in my mind is who the actor is in this case that would go after health care records.

Is it a criminal or is it an espionage organization? I don’t know the motivation, but I do know that these enormous insurance companies and enormous medical centers have lots and lots of vulnerabilities because they’ve never looked systematically before and done real sophisticated security analysis – that’s the last thing a major medical center has been doing in the past.

So yes, it is a source of concern any time a new industry runs headlong into a reliance on IT systems it hasn’t been reliant on before.

Q: Is it safe to assume that most attacks come from compromised servers? If so, are there any government agencies or companies that scan for vulnerabilities that notify that company of a server issue?

RC: The simple answer to that is no. The government does not run around scanning private company servers. In fact, unless you specifically sign up with a provider to do that, no one’s going to automatically do it for you.

Q: Would you please comment on what small businesses can do to learn more about what they can do to contribute to increasing security in their respective businesses?

RC: I’m going to say something here that may be a little counter intuitive and a bit controversial. I think small businesses should think about the cloud. I know some people say, “Oh the cloud is automatically insecure,” or, “the cloud is automatically less secure.” Well it depends on what you ask the cloud provider to do.

If you’re truly a small business, you don’t have the time, you don’t have the expertise, you don’t have the money to defend yourself to the level of perhaps what you would be satisfied with. But a bunch of small and medium-sized companies going to a cloud provider together can have much better security than they can have individually.

If, and this is the key thing, if they ask for it, and if they compare offerings on the criteria of a service, and of security, because if you just go to a cloud provider, they’ll say, “Oh yeah, we did all of the security stuff,” and that will be the end of it.

You get these situations where you get the cloud provider kind of believing it’s up to you to do your own security, and you think the cloud provider is doing it, so you have to be careful, you have to be explicit, you have to ask them what additional security you can buy from them, and how you can compare the security offerings among the cloud providers.

But I would urge a small business owner to try to do that rather than try and secure it themselves.

We’d love to keep the discussion going, so please leave your comments below!

Cross-posted from Veracode Blog

Don Jackson: I have a question regarding Mr. Clarke and his credentials as a "Cyber-Security Guru"... did I miss something? I know that he served as National Security Advisory and is an expert on counter-terrorism and co-writer of Cyber-War, but I beg to differ with calling him a "Cyber-Security Guru". As an information security professional I took the time to read the book and was happy that he tried to sound the alarm as he did, especially in the area of SCADA, but surely lending his name to a book and becoming CEO of a security company does not qualify him as a "guru" of any sort.