The Building Blocks of a Strong ISP

Dr. Kevin Streff

Founder, Secure Banking Solutions

www.protectmybank.com

Iowa Bankers Association

2015 IBA Technology Conference


Agenda

• Emerging Technologies and Security Threats in Banks

• Designing an Effective Information Security Program

• Conducting World-Class Risk Assessments


Hot Technologies

Banking Technologies

• Branch of the Future
• Advanced Payment Systems
• Mobile Delivery Systems
• Remote Deposit Products
• Customer Relationship Management (CRM)

Infrastructure Technologies

• Cloud
• Virtualization
• Cybersecurity Products
– DLP
– MSS
– ERM Tools
• Continuous Monitoring


Core replacement projects are important


Technology

Driving the need for a well-managed information security program that starts with risk assessment

• Leads to all kinds of issues
– Document retention
– I.T. examination
– Compliance
– Financial
– Support
– Expertise
– Security
– Data Privacy
• Your bank needs to get good with technology
• Your bank needs to get good at information protection
– Not individual heroism


©Secure Banking Solutions 2015

Online vs. Mobile

• Online banking is a commodity

• The mobile banking revolution is over


Layered Security Approach


Gramm-Leach-Bliley Act

• Management must develop a written information security program meeting the security standards of Part 364, Appendix B

• What is the “M” in the CAMEL rating?

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank


Regulator Requirements: Current Framework

• Management Focused Examination

• Documented risk-based Information Security Program (ISP) that provides sufficient controls – as determined by the Risk Assessments

• Independent review of controls for compliance and adequacy – as verified by IT Audit, Penetration Test and Vulnerability Assessment


Written Information Security Program

• Includes administrative, technical, & physical safeguards appropriate to the bank’s size and complexity and the nature and scope of activities

• Represented by a set of policies, procedures and standards that implement controls identified in the risk assessment

• ISP = Documentation + Activities


Top Security Threats

1. Hacking

2. Data Leakage

3. Social Engineering

4. Corporate Account Takeover

5. Vendor Risk

6. ATM

“Small and medium sized banks are in the cross-hairs of the cyber criminal”

Howard Schmidt, Cybersecurity Secretary for the White House


Hacking

Threat #1


Hacking

• Small and medium-sized businesses are the new target
– Won’t get caught, won’t get prosecuted, fewer security controls, etc.
• Hackers are Organized
– Used to be for fun, now it is for profit
• How it works
– Find a computer/network vulnerability and exploit it


Hacker Tools Examples

• Tools to hack your bank are downloadable
– http://sectools.org/
• Default passwords are all available
– http://www.phenoelit.org/dpl/dpl.html
• Economy is available to sell stolen data (“underground markets”)
– http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/


Threat: Downtime

• How much time would it take to recover if all of your computers got a virus tomorrow?
– Data Loss
– Down Time
– Cost to replace vs. fix

“Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.”


Ransomware

• Demands payment or will destroy your data and/or your machine


Critical Infrastructure Protection

• White House is concerned about our nation’s critical electronic infrastructure

• PDD63

• APT

• “Terrorism remains the FBI's top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country” – Ex-FBI Director Robert Mueller


Data Leakage

Threat #2


Data Leakage

• Data Leakage is about insiders leaking customer information out of your bank

• Most attention is paid to outsiders breaking into your network (aka hackers)

• Malicious Behavior

• Accidental


Social Engineering

Threat #3


Social Engineering

• What is Social Engineering?
– Exploitation of human nature for the gathering of sensitive information.
– Tool attackers use to gain knowledge about employees, networks, vendors or other business associates.


Sample Social Engineering Methods

• Phishing/Pharming

• Telephone (Remote Impersonation)

• Dumpster Diving

• Impersonation

• E-mail Scams

• USB Sticks


Corporate Account Takeover

Threat #4


Small Business Security

• 70% lack basic security controls

• Conduct a risk assessment looking for these basic security controls

– Firewall
– Strong passwords
– Malware Protection
– Etc.


Finger Pointing?


Vendor Attacks

Threat #6


Vendor Attacks

• Criminals understand that vast amounts of data are stored and transacted through bank vendors

• TJX, Heartland, Target, etc.

• Target – RAM Scraping

• While you are outsourcing the task, your bank remains responsible for the data

• Vendor Management Program


ATM Fraud

Threat #6


ATM Fraud

• Skimmers

• Cyber heists

• Remote Access Issues

• Active Ports Being Compromised


Skimmer Overlay


Skimmer Camera


ATMs

• The ATM environment has changed

• Used to be most banks:
– Closed network
– Non Windows

• Today, most ATMs are on your bank’s network and run Windows


ATM Cyber Heists


Gramm-Leach-Bliley Act

• Management must develop a written information security program

• What is the “M” in the CAMEL rating?

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank


IT Exam

• Verifies the bank’s Information Security Program
– Assessments and audits
• Five areas:
– Risk Management
– Operations Security
– Audit
– Business Continuity
– Vendor Management


Recent Regulation

• FFIEC Authentication Supplement

• CSBS CATO Regulation

• FFIEC ATM Regulation

• FFIEC DDoS Regulation

• OCC and FDIC Vendor Management Regulation

• FFIEC Social Media Guidance

• Appendix J

• FFIEC Cybersecurity Assessment Tool


Question for you…

What is your bank doing to mitigate the risks of:

– Hacking
– Data Leakage
– Social Engineering
– Corporate Account Takeover
– ATM Fraud
– Vendor Attacks

Answer Should Be:

• Layered Security Program
1. Risk Assessment
2. Customer Awareness and Education
3. Business Continuity & Incident Response
4. Information Sharing
5. Effective Auditing


Asset Management

• Inventory assets
• Policy and procedure for:
– Adding assets
– Retiring assets
– Cleansing assets
• ISO standard is big into asset management
• Think about how many information leaks involve not accounting for assets
– Laptops
– Tapes
– Etc.


Vulnerability Assessment

Definition

Technical scan of your networked equipment that identifies vulnerabilities, conducted from inside the bank.

Scope

All networked equipment, examples include:
– Core Banking Server
– Servers
– Workstations
– Voice Over IP


Penetration Testing

Definition

• Technical scan conducted from outside the bank on any equipment that is exposed to the internet. Simulates the process that a hacker would use to gain access to bank information.

Scope

• Include all your public IP addresses (even unused IPs)
– Email Server
– Web Server
– Internet Banking Server
– VPN connections


Security Awareness

• Security Awareness is the degree or extent to which every member of staff understands:
– the importance of security
– the levels of security appropriate to the organization
– their individual security responsibilities
– ... and acts accordingly.


Employees: Security Awareness

• Acceptable Use Policy
• Annual Security Awareness Training
• Email Reminders
• Online Training System
• Posters/Calendars
• Security Awareness Day
• Member Appreciation Day
• Games
• Social Engineering Tests
• InfraGard Certification


Posters/Calendars


Security Awareness Day

• Hold a “Security Awareness Day” at your bank to demonstrate to your customers how important this issue is to the bank

• Hand out materials that can help them safely bank with you

• Target audience: customers
– HOWEVER: employees get involved and get more security conscious as well


Security Awareness Training

11/22/2015

Welcome to… SECURITY FEUD!


Certification

• InfraGard
– Training program for staff on information security to promote awareness of front-line and support staff
– https://infragardawareness.com/
– Twelve lessons (4-9 minutes each)
• SBS
– Six security certifications for board, management and professionals at your bank
– 14 hours per certification


Customers: Security Awareness

• Awareness Information on Website

• Posters

• Security Awareness Day

• Customer Appreciation Day

• Lunch and Learns


Emergency Preparedness

• Disaster Recovery

• Business Continuity

• Pandemic Bird Flu

• Incident Response


Incident Response

• Documenting how an organization will respond to security breaches
– Who is in charge?
– When do you notify customers?
– Etc.

• The point is to have the activities planned out before an incident occurs and everyone is in crisis mode


Audit

Determine the presence of controls and test the effectiveness of those controls through an independent and objective evaluation.

• Risk assessment identifies the controls

• ISP = policies, procedures and guidelines that document controls

• IT audit reviews compliance and adequacy of controls


Organizational Chart

• Provides an overview of the personnel working at the bank

• Looking for the following roles (sample):
– Information Security Officer
– Information Technology
– Auditor
– Compliance Officer

• Who is doing what!


Committees

• Is management involved in IT decisions?
• Audit committee?
• BOD?
• Checks and balances…not just one person
• Weekly, Monthly, or quarterly
• Made up of people who can make decisions
• Can work out issues before presenting to the board (i.e., policy changes)
• Can handle issues so that some things don’t need to go to the board (procedure changes)


Network Diagram

• Picture representation of your network
• Includes connectivity to:
– Internet
– Branches
– Service Providers
– Etc.
• Important because it:
– Communicates the network to staff and examiners
– Supports maintenance and troubleshooting of network issues
– Helps plan for the addition of new technology
– Is helpful for business continuity


Use your ISP

• Any new technology is handled by your ISP – (EXAMPLE: Merchant Capture)

• Any new security threat is handled by your ISP – (EXAMPLE: Data Leakage)


Documentation

• Codifies management direction regarding layered security program
– Policies, procedures, standards, etc.
• Provides evidence of a layered security program
– Demonstrates compliance
– Demonstrates good security


Information Security Program Documentation


Minimum ISP Documentation

• Risk Assessment
• Policies
• Procedures
• Standards
• Guidelines
• Plans
– Audit
– Business Continuity
– Incident Response
• Security Awareness Materials
• Training Log
• Vendor Assessments
• Minutes
– Board of Director Meetings
– I.T. Committee Meetings
– Audit Committee Meetings
• Strategies
• Test Results
– Audit
– Penetration Test
– Vulnerability Assessment
– Social Engineering
– Configuration Test
– Web Test
– Wireless Test
• Exams
– State
– Federal
• Misc.
– Network Diagram
– Organizational Chart
– Contracts
– Memos
– Reports


Comprehensive Audit

• Audits will assess people, processes, and technology.

• A balanced audit program works as follows:
– people are assessed with a social engineering test,
– processes are assessed with an IT audit, and
– technology is assessed with a penetration test and vulnerability assessment.


Layered Audit Approach


Assessments

• I.T.

• Vendor

• Corporate Account

• BIA

• ERM

• Cyber

• Etc.


IT Risk Assessment Process


IT Assessment


Vendor Assessments


Vendor Management

• Given the increased reliance on outside firms for technology-related products and services, management must identify and mitigate risk in these technology decisions

• Vendor Management
• Technology Service Provider Management
• Just because you outsource your technology does not mean you outsource your information protection responsibilities

• Need to manage your vendors to ensure they are protecting your nonpublic information (customer and financial information)


Policy Generation


Policy Sample


Third Party Information


Cost Benefit Analysis


Reference Evaluation


Comparing Threats


Documenting Controls


Residual Risk Score

• Pay attention to the residual risk
• Notice that vendor 2 has done the most to reduce the risk of information security threats


Due Diligence


Contract Review


Management


Commercial Account Assessments

Commercial Banking Fraud


CATO Guidance

• FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover

• CSBS CATO Guidance

• FDIC CATO Guidance

BOTTOM LINE: Your bank must develop a process to assess the cybersecurity risk to your commercial accounts


Assessment Results


Enterprise Risk Management


Business Processes

• Administrative
• Affiliate
• Back-Office
• Customer Service
• Finance
• Lending
• Marketing
• Regulatory
• Retail (Deposits)
• Information Technology

Threat areas

• Operational
• Reputational
• Compliance
• Financial
• Strategic

Categories commonly used in FFIEC booklets.


ERM – Risk Mitigation Goals


ERM – Protection Profile


ERM - Threats


ERM - Controls


Report – Risk Mitigation


REPORT – PEER COMPARISON


Risk Assessment Best Practices

• Determine which kind of assessment is the most important for your bank and invest accordingly

• Mature your program
• Have repeatable processes for each kind of assessment
• Assign an owner for each kind of assessment
• Create a policy and program for each kind of assessment
• Leverage tools to promote consistency and good decision-making
• Don’t use the manual spreadsheet technique!
• Produce your documentation along the way
• Ensure management/board involvement


FFIEC Cybersecurity Assessment Tool

©2015 Secure Banking Solutions, LLC

www.protectmybank.com

Page 107

Overview

Page 108

FFIEC CA Tool (3 parts)

• Three (3) major components:

1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity

2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats

3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.


Page 109

Cybersecurity Inherent Risk

• Very PRESCRIPTIVE

• Really getting to the Size and Complexity issue originally stated by GLBA

• Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats


Page 110

Cybersecurity Inherent Risk

• Five Inherent Risk Areas:

1. Technologies and Connection Types

2. Delivery Channels

3. Online/Mobile Products and Technology Services

4. Organizational Characteristics

5. External Threats


Page 111

Page 112

Cybersecurity Maturity: Measure Maturity in 5 Domains (+ Assessment Factors)

1. Cyber Risk Management and Oversight
   • Governance, Risk Management, Resources, and Training

2. Threat Intelligence and Collaboration
   • Threat Intelligence, Monitoring & Analyzing, and Info Sharing

3. Cybersecurity Controls
   • Preventative, Detective, and Corrective controls

4. External Dependency Management
   • External Connections and (Vendor) Relationship Management

5. Cyber Incident Management and Resilience
   • Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting


Page 113

What is Cybersecurity Maturity?

• Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness

• i.e., are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?


Page 114

How does Cybersecurity Maturity work?

Measured by 5 Cybersecurity Maturity Levels

1. Baseline

2. Evolving

3. Intermediate

4. Advanced

5. Innovative


Page 115

Determining Maturity Level

• Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level

• “All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level“

• What this actually means:
  – Identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels
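The cumulative rule on this slide, worked through in code. This is an added example, not part of the slide deck or of any SBS or FFIEC tool; the statement IDs (B-1, E-1, and so on) and their pass/fail results are constructed placeholders rather than the FFIEC's actual declarative statements, and the function names are assumptions of this example. The point it makes is the one the slide makes: a domain is only as mature as the lowest level it has fully attained, so a clean sweep at "Advanced" does not count while an "Intermediate" statement is still open.

```python
"""Domain maturity under the FFIEC CAT attainment rule (added example).

The slide's rule: a domain reaches a maturity level only when every
declarative statement at that level AND at all previous levels is attained
and sustained.  This module applies that cumulative rule to a constructed
set of statement results and contrasts it with the naive "highest level
whose own statements are all met" reading.

Statement IDs and results below are constructed placeholders, not the real
FFIEC declarative statements.
"""
from typing import Dict, List, Optional, Tuple

# The five maturity levels, in the order the tool escalates through them.
LEVELS: List[str] = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Results for one domain: level -> [(statement_id, attained_and_sustained), ...]
DomainResults = Dict[str, List[Tuple[str, bool]]]

# Constructed sample for one domain.  Every Advanced statement is met,
# but one Intermediate statement is not, which caps the domain at Evolving.
SAMPLE_DOMAIN: DomainResults = {
    "Baseline": [("B-1", True), ("B-2", True), ("B-3", True)],
    "Evolving": [("E-1", True), ("E-2", True)],
    "Intermediate": [("I-1", True), ("I-2", False)],
    "Advanced": [("A-1", True), ("A-2", True)],
    "Innovative": [("IN-1", False)],
}


def level_attained(statements: List[Tuple[str, bool]]) -> bool:
    """True only when every statement at a level is attained (and sustained).

    A level with no recorded statements cannot be claimed, so it is treated
    as not attained rather than vacuously true.
    """
    return bool(statements) and all(attained for _, attained in statements)


def domain_maturity(results: DomainResults) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Apply the cumulative rule from the slide.

    Returns (achieved_level, blocking_level, gaps):
      achieved_level  highest level reached, or None if Baseline is not met
      blocking_level  first level with an unmet statement, or None if all met
      gaps            IDs of the unmet statements at the blocking level
    """
    achieved: Optional[str] = None
    for level in LEVELS:  # walk up from Baseline; stop at the first gap
        statements = results.get(level, [])
        if not level_attained(statements):
            gaps = [sid for sid, attained in statements if not attained]
            return achieved, level, gaps
        achieved = level
    return achieved, None, []


def naive_highest_level(results: DomainResults) -> Optional[str]:
    """The incorrect reading: highest level whose own statements are all met,
    ignoring whether the lower levels were attained.  Shown for contrast only."""
    highest: Optional[str] = None
    for level in LEVELS:
        if level_attained(results.get(level, [])):
            highest = level
    return highest


def assess_domains(all_results: Dict[str, DomainResults]) -> Dict[str, Optional[str]]:
    """Roll several domains up to {domain_name: achieved_level}."""
    return {name: domain_maturity(res)[0] for name, res in all_results.items()}


if __name__ == "__main__":
    achieved, blocking, gaps = domain_maturity(SAMPLE_DOMAIN)
    print(f"cumulative rule : {achieved} (blocked at {blocking} by {gaps})")
    print(f"naive reading   : {naive_highest_level(SAMPLE_DOMAIN)}")
```

Run it and the cumulative rule reports Evolving, blocked at Intermediate by statement I-2, while the naive reading would have claimed Advanced. The `gaps` list is the useful output for a remediation plan: it names exactly which statements must be closed before the next level can be claimed.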


Page 116

Page 117

Determining Maturity

Page 118

Domains and Assessment Factors

Page 119

Inherent Risk vs. Maturity

• All good Risk Management processes help make decisions and set goals

• How does one determine Inherent Risk versus Cybersecurity Maturity?

• And more importantly, what is the right Inherent Risk vs. Maturity level?


Page 120

Increasing Maturity

Page 121

Inherent Risk vs. Maturity

• “No single expected level for an institution”

• “An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change.”

• “Management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile.”


Page 122

Other IMPORTANT take-aways

• Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment?
  – Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential non-public information

• The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis.


Page 123

Who is responsible for the CAT?

• It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity

• The President/CEO will be expected to DRIVE this Cybersecurity Assessment process and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean


Page 124

SBS Tool

• Introducing:
  – FREE SBS Cyber-RISK™ Tool to Aid in Capture and Reporting
  – Did I mention it is FREE?


Page 125

Cyber-RISK Tool

• Goals of the FREE Cyber-RISK™ tool:

1. Automate the Cybersecurity Assessment Tool

2. Save you from creating your own spreadsheet

3. Make your life easier and more efficient

4. Provide you with one-click reports

5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively

6. Get you peer comparison data (down the road)

7. Access to your own personal Information Security Expert if you need us!


Page 126

Additional Cyber Security Resources

• SBS Cybersecurity Assessment Blog:
  – https://www.protectmybank.com/ffiec-cybersecurity-assessment-resources/

• Pre-register for the Cyber-RISK tool:
  – https://www.protectmybank.com/register/

• SBS Institute Certifications:
  – https://www.protectmybank.com/sbsinstitute/


Page 127

Summary

Page 128

10 Steps Your Bank Can Take

Find the right partner…

1. Focus on and invest in mitigating the big 5

2. Implement a layered security program

3. Automate I.T. risk assessment

4. Work with merchants regarding CATO risks

5. Mature education/training program

6. Evaluate cyber security

7. Mature vendor management

8. Produce minimum documentation

9. Run effective committees

10. Investigate tools and partners to help

Page 129

Contact Info

• Dr. Kevin Streff

  – Dakota State University
    • [email protected]
    • 605.256.5259

  – Secure Banking Solutions, LLC
    • www.protectmybank.com
    • [email protected]
    • 605.270.0790