Podcast: Galvanizing Cyber Security In Healthcare And Fin-tech Industries To Avoid Data Breaches

Hello everyone, I am Sowmiya Rajamanickam, and you are listening to Secure Insights — A Series of conversations with industry experts, influencers, and leaders in the IT Security space. In this podcast I have with me Alissa Valentina Knight — a market analyst focusing on research into cybersecurity issues. She has more than 20 years of experience in cyber security and recognized as having published the first advisory on hacking VPN appliances in 2000. Her ultimate goal is to produce strategic plans to many organizations and mitigate the risks across them.

Hi Alissa. welcome to this podcast, it’s very great to have you here …

1. Nowadays, there is a rapid increase in the adoption of fintech, but so does the security threats. Does using Artificial Intelligence anyway prevent these vulnerabilities?

Yeah. So, right now, you know, there is definitely this move towards machine learning and AI within cybersecurity controls. I think it’s definitely radically changing the, it’s radically transforming the cybersecurity landscape, whereas 15, 20 years ago, a lot of the security controls like network intrusion detection systems, either in, you know, legacy antivirus at this point, the relied on signatures or patterns to detect threats and machine learning and AI, which of course are two completely separate things are definitely changing the efficacy of those security controls.

You know, with FinTech it’s, there’s definitely an advancements being made in this area. And you know, as far as machine learning is concerned, I’ll speak to, that I just recently published a report on the entire cybersecurity landscape of machine learning powered solutions. Everything from network threat analytics to endpoint detection response, even monitoring solutions. So, the neat thing about machine learning is it’s even allowing security controls to become more predictive. So, you know, there’s some great security solutions out there. For example, Kenna, which is using machine learning to predict the future weaponization of vulnerabilities. And so, I think it’s definitely changing the game. I don’t think that there is any silver bullet in cybersecurity. So, your question of is, is AI preventing these vulnerabilities? I hesitate to use the word prevention, versus assisting in the remediation and detection of vulnerables that were previously wrought with false positives and other noise as a result of using patterns or signatures. So, yes, it is definitely improving the efficacy of these tools, but, you know, it’s that whole thing of, you know, there is no silver bullet and if an adversary has enough time and willingness to want to get in, they will. Um, but it is definitely improving the efficacy of these tools.

2. Data breach is happening everywhere, and I see that Most of the financial service companies are the major target for cybercrimes. What do you think are the effective fin-tech security measures to keep the data safe?

You know, I’m always talking about how data is now more valuable than oil. And you know, with financial services, there’s definitely a lot there for adversaries to monetize. You know, I feel like there definitely needs to be more done, especially in a mobile app attack surface. I’m sure you and your listeners have heard about my recent research into the 30 financial services mobile app. Sorry, I reverse engineered and found API keys and tokens for and hard-coded credentials for these fintechs and financial services companies. And I, think there we definitely need to be doing better when it comes to mobile app security and API security, especially in financial services. I think what we need to be doing is financial services organizations need to not only just be doing cyber security awareness training regularly with their employees, but they also need to be doing cyber security secure development training for their developers who are writing code.

And I don’t think enough of that is being done. And I think financial services organizations need to start adopting actual frameworks and building information security management systems. So it’s a continuous plan, do check act process where their cybersecurity program is continuously measured using in monitor using KPIs, uh, the reporting of that performance to the board of directors and the leadership within the organization and continuously testing their security controls, adopting a test centric security model and are using breaching a tech simulation solutions or just making sure that their security controls are, that have been implemented, are properly configured and are continuously improved over time. I don’t think enough of the planning and checking is being done. I think there’s too much doing an acting. I just, I feel like there just really isn’t enough planning happening and continuous monitoring and improvement. I feel like even in 2019 a lot of organizations are still just implementing set it and forget it. You know, I think there’s definitely been more of a move to outsource, you know, whether it’s cm as a service or managed security services providers. But, you know, I think there’s more that organizations need to do in the areas of continuous improvement with their cybersecurity program. Establishing metrics, establishing KPIs and actually monitoring against them.

3. Yeah, that’s actually true too. Security has been the second, I mean, the least important thing in the industry. So, why Are Healthcare Information Systems a Target for Security Threats?

You know, I think what it is, is they’re being targeted knowing that probably very little backups are being done. You see these really large ransomware payouts with health care organizations. And that’s indicative of course, that the healthcare, it’s pretty endemic within the sector that backups are not either reliable or not being done. And most areas understand that are seeing that they’re seeing significantly large payouts for ransomware and you know, they’re going to continue to go back to the, well, if it’s, if it’s full. And I think the reason why is, you know, there’s very poor, very little cyber hygiene when a health care industry where, you know, patient data, patient records are invaluable. You know, if you’ve successfully implement, if you’ve successfully caused a ransomware outbreak in a healthcare system and been able to successfully encrypt healthcare and patient data and that healthcare organization needs immediate access to it and there are no backups being done, I think that’s going to be worth a lot of money in the end.

And so, I think also the real-time nature of healthcare organizations where maybe backups aren’t being done, but there’ve been so many patients and so many changes to those patient records and healthcare data over the last hour. You just simply have a situation where either backups are not keeping up or access to, you know, the, there’s some sort of mitigating circumstance or factor that’s causing, the health care organizations to still have to pay for those, you know, for, to recover that data. You also, clearly have a systemic lack of endpoint detection response solutions. Uh, looking for things like ransomware. Maybe the healthcare organizations are running legacy antivirus, not keeping updated. Whatever it may be. Clearly something is broken because we continuously see news reports after news reports of, of healthcare organizations paying really large ransomware.

4. It’s also the most trending thing nowadays. So, with Fintech fueling the growth of healthcare industries. Does it make it more vulnerable to security threats?

You know, I think when you are increasingly trying to take legacy systems and connecting them or any sort of innovation, whether it’s healthcare, Finn, you know, financial services or connected car, you know, whenever you have innovation in something and something that was previously something that existed previous to a digital transformation strategy or prior to getting connectivity, you’re gonna open up vulnerabilities. When you open up communication, when you open up connectivity, you create ingress points, into that data and it’s, making it available to be exploited. So yes, I think any kind of technology transformation, any kind of increase in connectivity is going to create an attack surface, which, I have a series are always going to be there to exploit.

5. Limited resource and budget constraints for cybersecurity measures has always been a challenge in healthcare organizations. What’s your advice on how to approach cybersecurity and minimize the security threats?

You know, here’s the thing, I feel like there’s some, there’s really great solutions out there that for the tight budgets and the budget constraints organizations and you’ve got opens for security tools like CIS-CAT. You’ve got a huge open source community of developers continuously developing and putting out good projects, around tools that don’t cost anything. You have, for example, the Apache spot project, which is a free open source Apache foundation project, for security analytics. It’s basically a free open source ML powered analytics solution. And I think which is great and, I mean if you have the internal expertise, you have the internal staff to be able to adopt rollout and continuously give the current feeding open source security solutions require. I think you can build a pretty robust security control framework.

Purely off of open source. Look at security onion for example. I mean it’s a free open source SIEM solution that gives you network intrusion detection that gives you end point log, core, you know, aggregation, and capabilities and the end points. So, you know, an X log for example. I just, I feel like, there are so many cost-effective security controls out there for organizations that really don’t have the budget, especially healthcare organizations where there may not be a large budget for security control adoption and multi-million-dollar cybersecurity budgets. So, I feel like, there are tools available for those organizations. Even on the commercial side, you still have situations where you have more cost-effective solutions. You have companies that are catering to the SMBs and have SMB pricing. I just feel like in 2019 there really is no excuse whether you know, it’s, we don’t have enough money, or you know, whatever it may be.

There’s always something any size organization can do. If you look at my previous vulnerability research for example, what the financial services apps, I thought it would be reversed. I thought the smaller startups like the FinTech startups and the, you know, cryptocurrency wallet startups, that they would be less secure than the big banks with billions of dollars in assets under management. It was, it was flipped. It was actually, you know, a lot of the, the stronger apps, you know, with the fewest problems were actually the smaller, smaller companies and the larger banks, the larger financial services organizations had a lot of the more systemic problems. And so, you know, I just feel like today it’s really, difficult for an organization to raise their hand and say, Oh, I’m sorry, we don’t have the budget for that. That’s why we didn’t do anything. I just feel like that excuse doesn’t work anymore.

6. Do you think zero trust is better than trust by verify approach?

Yes, I do. I mean, if you look at the tenants of zero trust, whether it’s on the network or anything else, it’s, it’s something we’ve always kind of always done or should have been doing. Organizations should have been doing from the very beginning, but we just sort of wrapped this marketing term around it. I feel like, it’s definitely, I mean just because an employee works for the organization doesn’t mean we should automatically trust them. Yes, they have connectivity to the internal network, but we should ask that question just because they work here just because they have access to the network. Does that mean they should have access to this specific kind of data? And I feel like, I feel like that question should have always been asked and the internal network in the intranet should have always been considered as dirty as the internet and you have the ability in some organizations for who’ve not turned off their USB ports from place to plug USB sticks into their computers. You have BYOD, you have employees, VP ending from home. And so, I feel like, it was broken from the beginning, you know, it should have never been considered the internal trusted network. Yes, I am a huge proponent of zero trust security frameworks. And I believe in SDP. I believe in opower segmentation and identifying the identity, authenticating and authorizing the identity of the user, not just the node. So yes.

That’s it Alissa. Thank you so much for your time. Very much appreciate it. It’s been a pleasure having you here.

Thank you. I appreciate it Sowmiya. I appreciate you inviting me on the show and let’s talk again. I love nerding out about these kinds of things. I’m happy to do that on your show.

Thank you so much.