Sunday, March 1, 2015

Health Care Audits are a Joke

It goes without saying that the Government, even with its many billions of dollars spent on security, has failed to stop the exfiltration of highly classified material. Just look at Wikileaks and the Bradley Manning (or Chelsea, to be correct now) case. While the Government performs background checks on individuals, facilities, etc., these leaks do happen. Think about how companies are being affected today. They have less money invested, and the auditors that give them the all clear are not checking the very hacking vectors that are being used to steal people's information, trade secrets and more.

It really irritates us when we see companies being breached that have hired these large security firms that only concentrate on the infrastructure, malware and viruses. You folks do realize that over 85% of the time a successful attack is the result of successful social engineering or bypassing weak security features in products that are not usually checked in an audit.

While we won't give away all of our auditing steps, we can tell you that the normal audit only covers about 30% of the areas that should be checked. And while you should be checking other areas before giving a certification, we understand that you are there to do only one job. Keep hiring the Mandiants, the Dell SecureWorks and others (oh, and by the way, Dell's feed data is all out of date and inaccurate in most cases) and wonder why your companies still get breached. You're getting breached, folks, because you're not checking the actual vectors that are being used and you're not changing with the times.

Sure, your employees may pick up on somebody calling them claiming to be from the help desk, or maybe they won't. And maybe your employees are using "secure" (truly insecure) corporate messaging products away from the office and leaving a clear way into your network (you are paying attention here, right?). Have you checked to make sure what the company claims is in fact the case? Can their encryption be hijacked? I bet it can with the right knowledge and time. Stop taking these large companies at their word just because they are large companies that have been around for a while.

Good luck folks. If you want a real audit conducted contact us. It will be extensive, concise and complete.

