Tales from the Trenches Show Security Issues Endemic to Healthcare

The CISO for Indiana University Health says simple policies, good communication, and strong authentication go much further than vendor tools in solving security problems.

Mitchell Parker sees a great deal wrong with information security, especially in the healthcare industry, where he has worked for more than a decade.  


As the chief information security officer for Indiana University Health, he has seen a spectrum of issues: information overload from risk assessments, ancient — in Internet years — computers managing physical systems and devices, a chaotic mess of password systems that don't interoperate, and legacy data that cannot be decrypted, he said during a virtual Black Hat USA presentation on Aug. 5.


Many of these problems were self-inflicted by security teams finding their way. Other issues occurred because of a common problem: vendors overpromising, even straight-out selling snake oil. From data security companies threatening that government fines would befall those who didn't use their products, to proprietary encryption providers that stop supporting their decryption products, a variety of pitfalls await less-than-skeptical security teams, Parker said. 


"If someone says that you can try and solve all your problems for you instantly, that's how you know that you have snake oil," he said during his presentation. "Or someone claims they can fix everything without talking to you or analyzing or trying to meet your needs."


Well-implemented policies, some specific technologies, and a communicative security group can provide organizations with a strong cyber defense, he said during the briefing.


As an example, he describes a strategy for fighting business email compromise: adding a mandatory callback for a published number whenever an exec ..
