Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
What Scares Me About Healthcare & Electric Power Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jdickson782
jdickson782,
User Rank: Author
10/31/2014 | 5:29:24 PM
Re: Accounting standard or security standard?
My overarching thought here is that every organization should have a general controls/ISO-27002 security assessment, but that this is only a starting point. More sophisticated organizations have multiple layers of security defense and do much more focused security testing to validate what's been implemented.
jdickson782
jdickson782,
User Rank: Author
10/31/2014 | 5:26:29 PM
Re: Healthcare
See my comments to Gary's post - unfortunately, there will have to be more high-profile losses before healthcare providers rate security up there with other risk management issues.
jdickson782
jdickson782,
User Rank: Author
10/31/2014 | 5:25:15 PM
Re: Stop signs are installed AFTER a traffic accident occurs.
Sadly, I think you are correct here.  Absent of more high-profile losses, many in the healthcare industry will view the threat as remote.  My thoughts in the article were really based on ~20 years reviewing healthcare organizations and their high-level posture.
Gary Scott
Gary Scott,
User Rank: Strategist
10/31/2014 | 4:31:27 PM
Stop signs are installed AFTER a traffic accident occurs.
Action follows demand.  Until a majority of patients are negativley affected by a security issue nothing will be done.
rzw122
rzw122,
User Rank: Apprentice
10/29/2014 | 5:50:46 PM
Healthcare
OMG! I let out a yelp of agreement as I sprang from my seat and began clapping after reading this commentary. This is an affirmation that I've long needed in my seemingly-solo quest to help medical practitioners understand the importance and value of securing their networks. Conversations with this those in this industry- even about minor perimeter security measures- are often met with shrugs or blank stares, but even more maddening are the reactions of whatever tech staff that physicians have managed to loosely piece together. These individuals are an enigma, for it is they who are the ones that we might expect to hold a more profound understanding of the consequences of lax security, or, in some cases, no security at all. Thank you for this piece.
GonzSTL
GonzSTL,
User Rank: Ninja
10/29/2014 | 1:17:17 PM
Re: Accounting standard or security standard?
@Ed Telders: Agreed, and that is precisely why I have asked for either the SAS 70 or SSAE 16. I wanted to know how religiously they followed their controls and to judge their "level of maturity" as you had put it.
Ed Telders
Ed Telders,
User Rank: Apprentice
10/29/2014 | 11:41:23 AM
Re: Accounting standard or security standard?
The SAS 70 was sunsetted in 2011 and replaced by the SSAE16 auditing standards.  They come in three flavors in the SOC1, SOC2, and SOC3 audit reports.  For each of them the reports can be a Type 1 or a Type 2.  In a Type 1 the audit simply looks at documentation and assesses them based on policies and statements, the Type 2 is where the controls are actually tested.  Naturally you want the Type 2.  Also the SOC1 is essentially the same as the old SAS 70 in that it is used to measure financial transactions and financial reporting.  Many have used that in the past as a means to assess vendors for security, although the SAS 70/SOC1 was never intended to be a security tool.  It does not assess the CIA triad nor does it look at actual enterprise security, only a subset of that.  The SOC2 Type 2 is the tool you want to look for to actually make a determination of the security posture and maturity of a vendor you're considering.  I would also recommend you review the detailed findings and managment responses to those findings to determine if any of them are of concern to you.  If for example, the audit has a finding detecting servers that are not patched, managment then responds that they have remediated them since the audit field work it sounds pretty reasonable.  Unless the number of servers found unpatched is larger than a reasonable number (ex. 100 out of 500 total) which would indicate a material procedural problem with that vendors processes.  The details can be a gold mine of information that can help you make a solid decision between vendors.  And yes the smaller "boutique" vendors and "startups" frequently haven't created this level of maturity that would be more typical of larger well-established providers, so buyer beware.
GonzSTL
GonzSTL,
User Rank: Ninja
10/29/2014 | 11:29:30 AM
Re: Accounting standard or security standard?
Yes, SAS 70 is an auditing standard designed to perform an in-depth examination of control objectives and activities. During the performance of this audit by an independent accounting and auditing firm, an organization's written controls are verified by auditing the actual activities related to the controls. These controls also include those specific to Information Technology and related processes. What I wanted to see was whether or not potential business partners actually practiced the controls they had in place, especially those specific to IT.
DBAJRACHARYAN/A
DBAJRACHARYAN/A,
User Rank: Apprentice
10/29/2014 | 9:55:04 AM
Accounting standard or security standard?
Is not SAS70 an auditing standard? Are you looking for data security standard or financial stability of the organization?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/29/2014 | 9:03:49 AM
Re: public safety
The theft of personal information in healthcare has been pretty well documented (the prices for PII on the black market are at a record high). But my guess it will ake some life threatening medical event to shake consumer confidence in Healthcare IT -- and spur more serious action . For the power grid, holding a nation to a ransom in order to turn the lights back on is a really scary scenario.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Practical Network Security Approaches for a Multicloud, Hybrid IT World
The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-30333
PUBLISHED: 2022-05-09
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVE-2022-23066
PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
CVE-2022-28463
PUBLISHED: 2022-05-08
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2022-28470
PUBLISHED: 2022-05-08
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
CVE-2022-1620
PUBLISHED: 2022-05-08
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.