Sean Lowder, Interim Chief Security Officer at BlueCross BlueShield of Louisiana, outlined what questions to ask to test the strength of enterprise cybersecurity.
In his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held on September 13 in Dallas, Lowder used the example of the healthcare industry to talk about security attacks. “Healthcare is under attack because our information is much more valuable than that of retailers—we have complete profiles of people, including their medical information. This information can be used to open fraudulent lines of credit or to execute medical insurance fraud such as ordering and reselling medical equipment, submitting false claims, committing healthcare fraud, or blackmailing and extorting high-profile people based on their health status. In healthcare, the big problem in security is that it’s tremendously difficult to remediate once compromised,” said Lowder.
The healthcare threat landscape comprises:
• “Personally identifiable information (PII), which is still the number-one target. Prices on the black market make healthcare the most attractive target,” said Lowder.
• “State-sponsored actors want PII but also want to know how we do our business. Some send mules into the US for purposes of fraud.”
Lowder continued, “The cost of an attack in healthcare is higher than in any other industry—$355 per record, and $65 million is the average cost of a data breach.”
“Data is everywhere,” noted Lowder, “and the castle-and-moat approach is no longer viable to protect company data. Why? There’s the Cloud, which has Microsoft, Google, Amazon, and others. We’re doing a lot of hosting and data analytics. Big data for healthcare is the new thing. We want to know trends and make predictions, but our rate of spinning up a data warehouse in healthcare is about at the speed of molasses. Lastly, we need to consider what data we don’t know about (Dropbox, etc.) and how confident we are about our data-loss prevention implementation. What about CASB—Cloud Access Security Brokers? We need to have a healthy dose of paranoia and know what our capabilities are and aren’t, as well as our weaknesses.”
Lowder urged CISOs to play the long game: “Make incremental improvements, because changing culture is difficult and we’ll only succeed with improvements that our business can support.” Threat intelligence means:
• Knowing what your threats are
• Knowing how mature your threat-management program is
• Getting threat briefings as often as you need them
“Having a framework is a great start (ISO 27000, NIST, HITRUST). This is the base level of security that shows you where you have control gaps. But don’t fall for ‘but the control says…’,” warned Lowder. “Don’t lawyer up when implementing controls. Check-box security isn’t security! And, just because you get it past your auditors doesn’t mean it’s good security.”
Lowder then presented his assumption-of-breach thought process. “Once you have your base-level controls in place, focus on what’s important. Focus on the detection of events. Keep your focus on detection-response technologies. Assume you’re breached (because it’s likely true) and find the attackers with ‘hunt’ teams. Test your incident-response plan. Do your tabletops monthly, and do full exercises. Use penetration assessments to test your SOC/SIRT,” he stated.
“Identity is the last boundary,” observed Lowder. “Ask yourself these questions: Where are your IDs? Consider cloud applications and SSO/federation partners. Who holds the keys? Who are your ‘privileged’ users and how do they use their privileges? Who has access to all the data? It’s OK to trust the person, but don’t trust the ID. Often it isn’t the person who’s behind the breach; their ID has been compromised. Are you monitoring activities to determine what’s normal and what’s not? Are you managing the IDs of those privileged users? Password vaulting is huge.”
In conclusion, Lowder talked about cyber insurance. “After a breach, cyber insurance is helpful for response and forensic assistance, communications, and controlling brand damage. You need to determine what’s catastrophic—how many records can you afford to lose? Lastly, have incident responders on retainer.”
ABOUT SEAN LOWDER:
Sean K. Lowder is the Interim Chief Security Officer at Blue Cross Blue Shield of Louisiana. He’s responsible for all cybersecurity and process-controls functions including security systems, architecture, IAM (identity and access management), threat management, security incident response, and technology governance, risk and compliance management.
Mr. Lowder has been in the computer industry for over 20 years and has specialized in cybersecurity for the last 16 years. He holds various industry certifications, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Security Professional (CISSP), and many others. He received his Bachelor of Science in Information Technology (with Honors) from the University of Phoenix.
During the last few years, Mr. Lowder has focused the Information Security Office of Blue Cross Blue Shield of Louisiana on maturing its risk and compliance management practices and on developing the strategic plan and technology roadmap for all information security technologies and practices.
Since becoming the Interim Chief Security Officer, Sean has worked with other BCBSLA leaders to form the Corporate Security Governance Committee that helps to ensure BCBSLA is properly protecting the corporation’s assets from internal and external threats. He represents the company on the BCBSA CISO Workgroup and is the Treasurer of the BCBSA Information Security Roundtable (ISRT).