How to limit the damage from hackers


“Anyone who thinks if they are specifically targeted that they’re going to be able to keep the bad guys out, they’re naive to the point of stupidity,” says Mike Rothman, analyst and president at Securosis, a security consulting firm.

“If your organisation possesses something that is going to be of interest to a nation-state, you can pretty much guarantee you’re already compromised.”

A CISO’s perspective

Larry Whiteside, chief information security officer of the Visiting Nurse Service of New York, is responsible for information security at an organisation that has never been specifically targeted in an attack. But that hasn’t stopped the 38-year-old from being realistic about the current threat landscape – that he and his team are powerless to some extent.

“The big thing is [criminals are] getting smarter at a faster rate than security is,” Whiteside says. “It’s an uphill battle that we as security professionals are constantly striving to get ahead of. I just don’t know that we can.”

The company, with about 8000 users, is the largest nonprofit home health care provider in the country. Its mission is to provide residential health aides to tens of thousands of patients, and it serves the five boroughs of New York and neighbouring Westchester and Nassau counties. With no intellectual property to protect, the nurse service is no Google. But, with personal health information becoming increasingly attractive for cybercriminals wanting to conduct medical identity theft, it is a ripe target nonetheless. And while no malware has ever infiltrated the network in Whiteside’s 3½-year tenure, he understands that relying on perimeter defences is an outmoded way to think about fortifying his network.

Instead, he entrusts a healthy chunk of his security arsenal to patch, configuration and standards management. “I don’t think putting an [advanced persistent threat] protection device in your environment is the answer,” he says. “I think that is one small part of a much larger issue. When I look at the tools, it’s not that the tools don’t have validity but there’s a good percentage of things you could stop right away if you have good patch management, configuration management, even turning on egress filtering. It’s a mandatory piece of my security infrastructure to be able to allow out only what needs to be allowed out.”

Whiteside has developed a standard model for how his organisation's systems should be configured and he uses a scanning tool from eEye Digital Security to profile ports, services, operating systems, vulnerabilities and patches to ensure they are compliant.

Copyright © 2010 Computing