NOTE: This was originally posted on LinkedIn.
Continuing the discussion on the state and future of #MyIndustry, the information security industry, I bring you commentary based on the most recent news.
UCLA Health may be ranked as one of the best healthcare facilities in the nation, but when it comes to information security it is as common as anyone else. On July 17, UCLA Health reported that the records for as many as 4.5 million people may have been accessed by “criminal hackers.”
What worries me is that their release said that “the attackers accessed parts of the computer network that contain personal and medical information” but that they have “no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information.” Later it says, “UCLA Health cannot conclusively rule out the possibility that the attackers may have accessed this information.”
UCLA Health does not know what was attacked because UCLA Health has the same security model that persists but has failed everyone else: hard on the outside, soft on the inside.
I am sure that UCLA Health will point to their firewalls, network intrusion detection, and DMZ to show that they took security seriously. But what happens when the shell cracks? Like the shell of an egg, once the protection breaks the insides run out. UCLA Health did not say what happened, but what they did say is telling:
“In today’s information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack. UCLA Health identifies and blocks millions of known hacker attempts each year.”
That is all well and good, but what happens when the attacker gets past your perimeter defenses? What happens if it was not an attack but a mistake or an error that opened the door?
The “what happens if” questions are not just for UCLA Health but for everyone. Yet these questions go unanswered. For example, in the attack on Home Depot’s network, why were they not asked why the access point for a maintenance contractor was able to access the cash register systems? In fact, why should a cash register on the east coast be able to communicate with a cash register on the west coast? Home Depot’s cashier in Atlanta does not have access to the cash drawer in the next aisle over but virtually has access to the cash registers in California. Why?
UCLA Health, Home Depot, and even the attack on the Office of Personnel Management show a deeper problem with understanding that information security is more than a checklist of controls. While a checklist can be a good start, it should not be where the process ends. Understanding the risks and mitigating those risks is the only way to have a successful information security program.