The Building Blocks of a Strong ISP
Dr. Kevin Streff
Founder, Secure Banking Solutions
www.protectmybank.com
Iowa Bankers Association
2015 IBA Technology Conference
Agenda
• Emerging Technologies and Security Threats in Banks
• Designing an Effective Information Security Program
• Conducting World-Class Risk Assessments
Hot Technologies
Banking Technologies
• Branch of the Future
• Advanced Payment Systems
• Mobile Delivery Systems
• Remote Deposit Products
• Customer Relationship Management (CRM)
Infrastructure Technologies
• Cloud
• Virtualization
• Cybersecurity Products
– DLP
– MSS
– ERM Tools
• Continuous Monitoring
Core replacement projects are important
Technology
Driving the need for a well-managed information security program that starts with risk assessment
• Leads to all kinds of issues
– Document retention
– I.T. examination
– Compliance
– Financial
– Support
– Expertise
– Security
– Data Privacy
• Your bank needs to get good with technology
• Your bank needs to get good at information protection
– Not individual heroism
©Secure Banking Solutions 2015
Online vs. Mobile
• Online banking is commodity
• Mobile banking revolution is over
Layered Security Approach
Gramm-Leach-Bliley Act
• Management must develop a written information security program meeting the security standards of Part 364, Appendix B
• What is the “M” in the CAMEL rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
Regulator Requirements: Current Framework
• Management Focused Examination
• Documented risk-based Information Security Program (ISP) that provides sufficient controls – as determined by the Risk Assessments
• Independent review of controls for compliance and adequacy – as verified by IT Audit, Penetration Test and Vulnerability Assessment
Written Information Security Program
• Includes administrative, technical, & physical safeguards appropriate to the bank’s size and complexity and the nature and scope of activities
• Represented by a set of policies, procedures and standards that implement controls identified in the risk assessment
• ISP = Documentation + Activities
Top Security Threats
1. Hacking
2. Data Leakage
3. Social Engineering
4. Corporate Account Takeover
5. Vendor Risk
6. ATM
“Small and medium sized banks are in the cross-hairs of the cyber criminal”
– Howard Schmidt, Cybersecurity Secretary for the White House
Hacking
Threat #1
Hacking
• Small and medium-sized businesses are the new target
– Won’t get caught, won’t get prosecuted, fewer security controls, etc.
• Hackers are organized
– Used to be for fun, now it is for profit
• How it works
– Find a computer/network vulnerability and exploit it
Hacker Tools Examples
• Tools to hack your bank are downloadable
– http://sectools.org/
• Default passwords are all available
– http://www.phenoelit.org/dpl/dpl.html
• Economy is available to sell stolen data (“underground markets”)
– http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Threat: Downtime
• How much time would it take to recover if all of your computers got a virus tomorrow?
– Data Loss
– Down Time
– Cost to replace vs. fix
“Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.”
Ransomware
• Demands payment or will destroy your data and/or your machine
Critical Infrastructure Protection
• White House concern about our nation’s critical electronic infrastructure
• PDD63
• APT
• “Terrorism remains the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country”
– Ex-FBI Director Robert Mueller
Data Leakage
Threat #2
Data Leakage
• Data Leakage is about insiders leaking customer information out of your bank
• Most attention is paid to outsiders breaking into your network (aka hackers)
• Malicious Behavior
• Accidental
Social Engineering
Threat #3
Social Engineering
• What is Social Engineering?
– Exploitation of human nature for the gathering of sensitive information.
– Tool attackers use to gain knowledge about employees, networks, vendors or other business associates.
Sample Social Engineering Methods
• Phishing/Pharming
• Telephone (Remote Impersonation)
• Dumpster Diving
• Impersonation
• E-mail Scams
• USB Sticks
Corporate Account Takeover
Threat #4
Small Business Security
• 70% lack basic security controls
• Conduct a risk assessment looking for these basic security controls
– Firewall
– Strong passwords
– Malware Protection
– Etc.
Finger Pointing?
Vendor Attacks
Threat #5
Vendor Attacks
• Criminals understand that vast amounts of data are stored and transacted through bank vendors
• TJX, Heartland, Target, etc.
• Target – RAM Scraping
• While you are outsourcing the task, your bank remains responsible for the data
• Vendor Management Program
ATM Fraud
Threat #6
ATM Fraud
• Skimmers
• Cyber heists
• Remote Access Issues
• Active Ports Being Compromised
Skimmer Overlay
Skimmer Camera
ATMs
• The ATM environment has changed
• Used to be, at most banks:
– Closed network
– Non-Windows
• Today, most ATMs are on your bank’s network and run Windows
ATM Cyber Heists
Gramm-Leach-Bliley Act
• Management must develop a written information security program
• What is the “M” in the CAMEL rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
IT Exam
• Verifies the bank’s Information Security Program
– Assessments and audits
• Five areas:
– Risk Management
– Operations Security
– Audit
– Business Continuity
– Vendor Management
Recent Regulation
• FFIEC Authentication Supplement
• CSBS CATO Regulation
• FFIEC ATM Regulation
• FFIEC DDoS Regulation
• OCC and FDIC Vendor Management Regulation
• FFIEC Social Media Guidance
• Appendix J
• FFIEC Cybersecurity Assessment Tool
Question for you…
What is your bank doing to mitigate the risks of:
– Hacking
– Data Leakage
– Social Engineering
– Corporate Account Takeover
– ATM Fraud
– Vendor Attacks
Answer Should Be:
• Layered Security Program
1. Risk Assessment
2. Customer Awareness and Education
3. Business Continuity & Incident Response
4. Information Sharing
5. Effective Auditing
Asset Management
• Inventory assets
• Policy and procedure for:
– Adding assets
– Retiring assets
– Cleansing assets
• ISO standard is big into asset management
• Think about how many information leaks involve not accounting for assets
– Laptops
– Tapes
– Etc.
Vulnerability Assessment
Definition
• Technical scan of your networked equipment that identifies vulnerabilities, conducted from inside the bank.
Scope
• All networked equipment, examples include:
– Core Banking Server
– Servers
– Workstations
– Voice Over IP
Penetration Testing
Definition
• Technical scan conducted from outside the bank on any equipment that is exposed to the internet. Simulates the process that a hacker would use to gain access to bank information.
Scope
• Include all your public IP addresses (even unused IPs)
– Email Server
– Web Server
– Internet Banking Server
– VPN connections
Security Awareness
• Security Awareness is the degree or extent to which every member of staff understands:
– the importance of security
– the levels of security appropriate to the organization
– their individual security responsibilities
– ... and acts accordingly.
Employees: Security Awareness
• Acceptable Use Policy
• Annual Security Awareness Training
• Email Reminders
• Online Training System
• Posters/Calendars
• Security Awareness Day
• Member Appreciation Day
• Games
• Social Engineering Tests
• InfraGard Certification
Posters/Calendars
Security Awareness Day
• Hold a “Security Awareness Day” at your bank to demonstrate to your customers how important this issue is to the bank
• Hand out materials that can help them safely bank with you
• Target audience: customers
– HOWEVER: employees get involved and get more security conscious as well
Security Awareness Training
11/22/2015
Welcome to… SECURITY FEUD!
Certification
• InfraGard
– Training program for staff on information security to promote awareness of front-line and support staff
– https://infragardawareness.com/
– Twelve lessons (4-9 minutes each)
• SBS
– Six security certifications for board, management and professionals at your bank
– 14 hours per certification
Customers: Security Awareness
• Awareness Information on Website
• Posters
• Security Awareness Day
• Customer Appreciation Day
• Lunch and Learns
Emergency Preparedness
• Disaster Recovery
• Business Continuity
• Pandemic Bird Flu
• Incident Response
Incident Response
• Documenting how an organization will respond to security breaches
– Who is in charge?
– When do you notify customers?
– Etc.
• The point is to have the activities planned out before an incident occurs and everyone is in crisis mode
Audit
Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation.
• Risk assessment identifies the controls
• ISP = policies, procedures and guidelines that document controls
• IT audit reviews compliance and adequacy of controls
Organizational Chart
• Provides an overview of the personnel working at the bank
• Looking for the following roles (sample):
– Information Security Officer
– Information Technology
– Auditor
– Compliance Officer
• Who is doing what!
Committees
• Is management involved in IT decisions?
• Audit committee?
• BOD?
• Checks and balances… not just one person
• Weekly, monthly, or quarterly
• Made up of people who can make decisions
• Can work out issues before presenting to the board (i.e., policy changes)
• Can handle issues so that some things don’t need to go to the board (procedure changes)
Network Diagram
• Picture representation of your network
• Includes connectivity to:
– Internet
– Branches
– Service Providers
– Etc.
• Important because:
– Communicates the network to staff and examiners
– Supports maintenance and troubleshooting of network issues
– Plans for addition of new technology
– Helpful for business continuity
Use your ISP
• Any new technology is handled by your ISP – (EXAMPLE: Merchant Capture)
• Any new security threat is handled by your ISP – (EXAMPLE: Data Leakage)
Documentation
• Codifies management direction regarding layered security program
– Policies, procedures, standards, etc.
• Provides evidence of a layered security program
– Demonstrates compliance
– Demonstrates good security
Information Security Program Documentation
Minimum ISP Documentation
• Risk Assessment
• Policies
• Procedures
• Standards
• Guidelines
• Plans
– Audit
– Business Continuity
– Incident Response
• Security Awareness Materials
• Training Log
• Vendor Assessments
• Minutes
– Board of Director Meetings
– I.T. Committee Meetings
– Audit Committee Meetings
• Strategies
• Test Results
– Audit
– Penetration Test
– Vulnerability Assessment
– Social Engineering
– Configuration Test
– Web Test
– Wireless Test
• Exams
– State
– Federal
• Misc.
– Network Diagram
– Organizational Chart
– Contracts
– Memos
– Reports
Comprehensive Audit
• Audits will assess people, processes, and technology.
• A balanced audit program works as follows:
– people are assessed with a social engineering test,
– processes are assessed with an IT audit, and
– technology is assessed with a penetration test and vulnerability assessment.
Layered Audit Approach
Assessments
• I.T.
• Vendor
• Corporate Account
• BIA
• ERM
• Cyber
• Etc.
IT Risk Assessment Process
IT Assessment
Vendor Assessments
Vendor Management
• Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate risk in these technology decisions
• Vendor Management
• Technology Service Provider Management
• Just because you outsource your technology does not mean you outsource your information protection responsibilities
• Need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)
Policy Generation
Policy Sample
Third Party Information
Cost Benefit Analysis
Reference Evaluation
Comparing Threats
Documenting Controls
Residual Risk Score
• Pay attention to the residual risk
• Notice that vendor 2 has done the most to reduce the risk of information security threats
Due Diligence
Contract Review
Management
Commercial Account Assessments
Commercial Banking Fraud
CATO Guidance
• FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” lists the following activities to mitigate commercial account takeover
• CSBS CATO Guidance
• FDIC CATO Guidance
BOTTOM LINE: Your bank must develop a process to assess the cybersecurity risk to your commercial accounts
Assessment Results
Enterprise Risk Management
Business Processes
• Administrative
• Affiliate
• Back-Office
• Customer Service
• Finance
• Lending
• Marketing
• Regulatory
• Retail (Deposits)
• Information Technology
Threat Areas
• Operational
• Reputational
• Compliance
• Financial
• Strategic
Categories commonly used in FFIEC booklets.
ERM – Risk Mitigation Goals
ERM – Protection Profile
ERM - Threats
ERM - Controls
Report – Risk Mitigation
REPORT – PEER COMPARISON
Risk Assessment Best Practices
• Determine which kind of assessment is the most important for your bank and invest accordingly
• Mature your program
• Have repeatable processes for each kind of assessment
• Assign an owner for each kind of assessment
• Create a policy and program for each kind of assessment
• Leverage tools to promote consistency and good decision-making
• Don’t use the manual spreadsheet technique!
• Produce your documentation along the way
• Ensure management/board involvement
FFIEC Cybersecurity Assessment Tool
©2015 Secure Banking Solutions, LLC
Overview
FFIEC CA Tool (3 parts)
• Three (3) major components
1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.
Cybersecurity Inherent Risk
• Very PRESCRIPTIVE
• Really getting to the Size and Complexity issue originally stated by GLBA
• Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats
Cybersecurity Inherent Risk
• Five Inherent Risk Areas
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Cybersecurity Maturity
Measure Maturity in 5 Domains (+ Assessment Factors)
1. Cyber Risk Management and Oversight
• Governance, Risk Management, Resources, and Training
2. Threat Intelligence and Collaboration
• Threat Intelligence, Monitoring & Analyzing, and Info Sharing
3. Cybersecurity Controls
• Preventative, Detective, and Corrective controls
4. External Dependency Management
• External Connections and (Vendor) Relationship Management
5. Cyber Incident Management and Resilience
• Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting
What is Cybersecurity Maturity?
• Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness
• I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?
How does Cybersecurity Maturity work?
Measured by 5 Cybersecurity Maturity Levels
1. Baseline
2. Evolving
3. Intermediate
4. Advanced
5. Innovative
Determining Maturity Level
• Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level
• “All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level”
• What this actually means:
– Identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels
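The cumulative rule quoted above (every declarative statement at a level, and at all lower levels, must be attained before a domain can claim that level) is easy to get wrong in a hand-built spreadsheet, where a single missed statement at a lower level silently invalidates a higher rating. The following is an added example, not code from the deck or from SBS, that applies the rule mechanically and also reports which statements are blocking the next level. The domain names and the five level names are the ones the deck lists; the statement wording and the attained/not-attained answers are constructed placeholders, not the official FFIEC CAT statement text.

```python
"""Added example: compute FFIEC CAT domain maturity from declarative statements.

Rule implemented (as quoted in the deck): a domain reaches a maturity level only
when all declarative statements at that level AND at every lower level are attained.
Statement texts and answers below are constructed placeholders, not official CAT text.
"""
from dataclasses import dataclass
from typing import Optional

# Maturity levels in ascending order, as listed in the deck.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


@dataclass(frozen=True)
class Statement:
    level: str       # one of LEVELS
    text: str        # placeholder wording of the declarative statement
    attained: bool   # self-assessment answer: attained and sustained?


def _group_by_level(statements):
    """Bucket statements by level; reject unknown level names early."""
    by_level = {lvl: [] for lvl in LEVELS}
    for s in statements:
        if s.level not in by_level:
            raise ValueError(f"unknown maturity level {s.level!r}")
        by_level[s.level].append(s)
    return by_level


def domain_maturity(statements) -> Optional[str]:
    """Return the highest level fully attained cumulatively, or None if even
    Baseline is not met. A level with no statements assessed cannot be claimed."""
    by_level = _group_by_level(statements)
    achieved = None
    for lvl in LEVELS:
        stmts = by_level[lvl]
        if not stmts or not all(s.attained for s in stmts):
            break                # first incomplete level stops the climb
        achieved = lvl
    return achieved


def blocking_statements(statements):
    """Return the unattained statements at the lowest incomplete level, i.e. the
    gaps that must be closed to move the domain up exactly one level."""
    by_level = _group_by_level(statements)
    for lvl in LEVELS:
        gaps = [s for s in by_level[lvl] if not s.attained]
        if gaps or not by_level[lvl]:
            return gaps
    return []                    # every level attained (Innovative)


def assess(domains):
    """Map each domain name to its cumulative maturity level (or None)."""
    return {name: domain_maturity(stmts) for name, stmts in domains.items()}


# Constructed sample self-assessment for two of the deck's five domains.
SAMPLE = {
    "Cybersecurity Controls": [
        Statement("Baseline", "Firewall rules are reviewed at least annually", True),
        Statement("Baseline", "Anti-malware is deployed on all workstations", True),
        Statement("Evolving", "Patches are applied within defined timeframes", True),
        Statement("Intermediate", "Network segmentation isolates ATM traffic", False),
        Statement("Intermediate", "Critical systems are monitored continuously", True),
        # Attained, but does not count: the Intermediate level below it is incomplete.
        Statement("Advanced", "Automated response blocks detected intrusions", True),
    ],
    "Threat Intelligence and Collaboration": [
        Statement("Baseline", "Threat information is shared with the board", False),
        Statement("Evolving", "Institution belongs to an information-sharing forum", True),
    ],
}

if __name__ == "__main__":
    for name, level in assess(SAMPLE).items():
        gaps = [s.text for s in blocking_statements(SAMPLE[name])]
        print(f"{name}: {level or 'below Baseline'}; blocking: {gaps}")
```

The point of `blocking_statements` is the practical one from the slide: rather than just reporting a level, it tells management which specific statements at the next level are still open, which is what the board needs when deciding where to invest to move a domain up.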
Determining Maturity
Domains and Assessment Factors
Inherent Risk vs. Maturity
• All good Risk Management processes help make decisions and set goals
• How does one determine Inherent Risk versus Cybersecurity Maturity?
• And more importantly, what is the right Inherent Risk vs. Maturity level?
Increasing Maturity
Inherent Risk vs. Maturity
• “No single expected level for an institution”
• “An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.”
• “Management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.”
Other IMPORTANT take-aways
• Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment?
– Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential non-public information
• The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis.
Who is responsible for the CAT?
• It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity
• The President/CEO will be expected to DRIVE this Cybersecurity Assessment process and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean
SBS Tool
• Introducing:
– FREE SBS Cyber-RISK™ Tool to Aid in Capture and Reporting
– Did I mention it is FREE?
Cyber-RISK Tool
• Goals of the FREE Cyber-RISK™ tool:
1. Automate the Cybersecurity Assessment Tool
2. Save you from creating your own spreadsheet
3. Make your life easier and more efficient
4. Provide you with one-click reports
5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively
6. Get you peer comparison data (down the road)
7. Access to your own personal Information Security Expert if you need us!
Additional Cyber Security Resources
• SBS Cybersecurity Assessment Blog:
– https://www.protectmybank.com/ffiec-cybersecurity-assessment-resources/
• Pre-register for the Cyber-RISK tool:
– https://www.protectmybank.com/register/
• SBS Institute Certifications:
– https://www.protectmybank.com/sbsinstitute/
SUMMARY
10 Steps Your Bank Can Take
Find the right partner…
1. Focus on and invest in mitigating the big 5
2. Implement a layered security program
3. Automate I.T. risk assessment
4. Work with merchants regarding CATO risks
5. Mature education/training program
6. Evaluate cyber security
7. Mature vendor management
8. Produce minimum documentation
9. Run effective committees
10. Investigate tools and partners to help
Contact Info
• Dr. Kevin Streff
– Dakota State University
• [email protected]
• 605.256.5259
– Secure Banking Solutions, LLC
• www.protectmybank.com
• [email protected]
• 605.270.0790