cybersecurity governance update: new ffiec...

©2013

CliftonLarsonA

llen LLP

©2013

CliftonLarsonA

llen LLP

cliftonlarsonallen.com

Cybersecurity Governance Update: New FFIEC Requirements

©2013

CliftonLarsonA

llen LLP

Overview

• Up To Date Cybersecurity and Fraud Risks– Current threat environment– Industry examples and case studies

• FFIEC Cybersecurity Assessments and Governance Requirements

• Strategies to mitigate and manage risks

2

©2013

CliftonLarsonA

llen LLP

Cyber Fraud Risk Themes

• Hackers have “monetized” their activity– More hacking– More sophistication– More “hands‐on” effort– Smaller organizations targeted

• Social engineering on the rise

• Hackers targeting members and member businesses

3

©2013

CliftonLarsonA

llen LLP

Three Largest Cyber Fraud Trends

• Organized Crime– Wholesale theft of personal financial information

• CATO– Corporate Account Takeover– Use of online credentials for ACH, CC and wire fraud

• Ransomware– Your data held for ransom

4

©2013

CliftonLarsonA

llen LLP

• Target• Home Depot• Goodwill • Jimmy Johns

• Neiman Marcus• Dairy Queen• Sally Beauty• Harbor Freight

• University of Maryland• University of Indiana

• Olmsted Medical Center• Community Health Systems

Theft of PFI

5

©2013

CliftonLarsonA

llen LLP

Stolen Card Data

• Carder or Carding websites

• A peek inside a carding operation:

http://krebsonsecurity.com/2014/06/peek‐inside‐a‐professional‐carding‐shop/

6

©2013

CliftonLarsonA

llen LLP

Credit Card Data For Sale

7

©2013

CliftonLarsonA

llen LLP

• Catholic church parish• Hospice• Finance company• Main Street newspaper stand• Electrical contractor• Utility company• Industry trade association• Rural hospital• Mining company

• On and on and on and on……………..

Corporate Account Takeover

8

©2013

CliftonLarsonA

llen LLP

CATO Lawsuits ‐ UCC

a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

9

©2013

CliftonLarsonA

llen LLP

CATO Lawsuits ‐ UCC

• Choice Escrow vs BancorpSouth

• $440,000 stolen via single wire through CATO– CE passed on dual control offered by the bank

• Court ruled in favor of bank

• CE attorneys failed to demonstrate bank’s procedures were not commercially reasonable

10

©2013

CliftonLarsonA

llen LLP

CATO Defensive Measures

• Multi‐layer authentication• Multi‐factor authentication• Out of band authentication• Positive pay• ACH block and filter• IP address filtering• Dual control• Activity monitoring• Manual vs. Automated controls

11

©2013

CliftonLarsonA

llen LLP

Ransomware

• Malware encrypts everything it can interact with– i.e. anything the infected user has access to

• CryptoLocker• Kovter

– Also displays and adds child pornography images

May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker‐goes‐spear‐phishing‐infections‐soar‐warns‐knowbe4‐a‐506966.html

12

©2013

CliftonLarsonA

llen LLP

Ransomware

• Working (tested) backups are key13

©2013

CliftonLarsonA

llen LLP

Keys to Successful Breaches 2013 2014

14

https://www2.trustwave.com/GSR2014.

©2013

CliftonLarsonA

llen LLP

Keys to Successful Breaches…

15

Reliance/dependence on 3rd party service providers is at root of most breaches

©2013

CliftonLarsonA

llen LLP

How do hackers and fraudsters break in?

Social Engineering relies on the following:

• The appearance of “authority”

• People want to avoid inconvenience

• Timing, timing, timing…

“Amateurs hack systems, professionals hack people.”Bruce Schneier

16

©2013

CliftonLarsonA

llen LLP

Pre‐text Phone Calls• “Hi, this is Randy from Fiserv users support. I am working with Dave, and I need your help…”– Name dropping– Establish a rapport– Ask for help– Inject some techno‐babble– Think telemarketers script

• Home Equity Line of Credit (HELOC) fraud calls• Ongoing high‐profile ACH frauds

17

©2013

CliftonLarsonA

llen LLP

Email Attacks ‐ Spoofing and Phishing

• Impersonate someone in authority and:– Ask them to visit a web‐site– Ask them to open an attachment or run update

• Examples– Better Business Bureau complaint– http://www.millersmiles.co.uk/email/visa‐usabetter‐business‐bureaucall‐for‐action‐visa

– Microsoft Security Patch Download

18

©2013

CliftonLarsonA

llen LLPEmail Phishing – “Targeted Attack”

19

©2013

CliftonLarsonA

llen LLP

Strategies to Combat Social Engineering• (Ongoing) user awareness training• SANS “First Five” – Layers “behind the people”

1. Secure/Standard Configurations (hardening)2. Critical Patches – Operating Systems 3. Critical Patches – Applications4. Application White Listing5. Minimized user access rightsNo browsing/email with admin rights

• Logging, Monitoring, and Alerting capabilities – “The 3 R’s”: Recognize, React, Respond– More on this at the end…

20

©2013

CliftonLarsonA

llen LLP

©2013

CliftonLarsonA

llen LLP


FFIEC – Executive Leadership of Cybresecurity

21

©2013

CliftonLarsonA

llen LLP

Executive Order 13636

Improving Critical Infrastructure CybersecurityFebruary 2013

22

©2013

CliftonLarsonA

llen LLP

Executive Order 13636Improving Critical Infrastructure Cybersecurity• Issued on February 12, 2013• The cyber threat to critical infrastructure … represents one of

the most serious national security challenges…to the national and economic security of the US– Enhance the security and resilience of the Nation's critical

infrastructure – Maintain a cyber environment that encourages efficiency,

innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

– Partnership with the owners and operators of critical infrastructure

23

©2013

CliftonLarsonA

llen LLP

Executive Order 13636Improving Critical Infrastructure Cybersecurity• Definition of Critical Infrastructure • Cybersecurity Information Sharing• Privacy and Civil Liberties Protections• Consultative Process• Baseline Framework to Reduce Cyber Risk to Critical

Infrastructure• Voluntary Critical Infrastructure Cybersecurity Program• Identification of Critical Infrastructure at Greatest Risk• Adoption of Framework

• Updates to NIST Framework (CSF)24

©2013

CliftonLarsonA

llen LLP

Executive Order

• Definition of Critical Infrastructure – Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

25

©2013

CliftonLarsonA

llen LLP

FFIEC Executive Leadership Cybersecurity Webinar

May 7, 2014

26

©2013

CliftonLarsonA

llen LLP

Cybersecurity Leadership ‐ FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html

27

©2013

CliftonLarsonA

llen LLP



28

©2013

CliftonLarsonA

llen LLP

May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar• Importance of identifying emerging cyber threats and the

need for Board/C‐suite involvement, including:– Setting the tone at the top and building a security culture – Identifying, measuring, mitigating, and monitoring risks – Developing risk management processes commensurate with the

risks and complexity of the institutions – Aligning cybersecurity strategy with business strategy and

accounting for how risks will be managed now and in the future – Creating a governance process to ensure ongoing awareness and

accountability – Ensuring timely reports to senior management that include

meaningful information addressing the institution's vulnerability to cyber risks

29

©2013

CliftonLarsonA

llen LLP



30

©2013

CliftonLarsonA

llen LLP



31

©2013

CliftonLarsonA

llen LLP



32

©2013

CliftonLarsonA

llen LLP



33

©2013

CliftonLarsonA

llen LLP

Cybersecurity Assessments

July – August 2014

34

©2013

CliftonLarsonA

llen LLP

Current FFIEC IT Examination Process• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will

perform periodic information technology examinations at regulated financial institutions.

• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov/) and supplemented by periodic agency guidance.

• IT Examinations review the financial institution’s Information Security Program.

35

©2013

CliftonLarsonA

llen LLP

Information Security Program• Section 501(b) of the Gramm‐Leach‐Bliley Act of 1999 (GLBA)

for the safeguarding of customer information– Board of Directors will develop an Information Security Program that

addresses the requirements of:◊ Section 501(b) of the GLBA;◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines

Establishing Information Security Standards” (501[b] Guidelines); and ◊ Agency‐specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and

Regulations)

• The Information Security Program (ISP) is comprised of: – Risk Assessment– Risk Management– Audit– Business Continuity/Disaster Recovery/Incident Response– Vendor Management– Board and Committee Oversight

36

©2013

CliftonLarsonA

llen LLP

• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems.

• Risk is determined based on the likelihood of a given threat‐source’s ability to exercise a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical, and physical controls to reduce or eliminate the impact of the threat.

Information Security ProgramRisk Assessment and Risk Management

37

©2013

CliftonLarsonA

llen LLP

Information Security ProgramAudit• ISP‐related Audits/Reviews

– ISP Review/IT General Controls Review– External/Internal Vulnerability and Penetration Assessments– Social Engineering Assessments

• E‐Banking Reviews– ACH Audit– Wire Transfer Audit– Remote/Mobile Deposit Capture Audit

• Audit/Exam Recommendation Tracking and Reporting

38

©2013

CliftonLarsonA

llen LLP

Information Security ProgramBusiness Continuity/Disaster Recovery Incident Response• Business Continuity/Disaster Recovery Plan

– Annual Testing of Critical Systems– Annual Employee Tabletop/Scenario Testing– Board Reporting

• Incident Response Plan– Compromise of customer information– Annual Testing– FS‐ISAC– Cybersecurity Examinations?

39

©2013

CliftonLarsonA

llen LLP

Information Security ProgramVendor Management

• Vendor Management Policy

• Vendor Risk Assessment– Access to Customer Information– Criticality to Bank Operations– Ease of Replacement

• New Vendor Due Diligence and Annual Reviews

• Continuous Monitoring40

©2013

CliftonLarsonA

llen LLP

FFIEC Cybersecurity Assessments• In the summer of 2014, the Federal Financial Institutions

Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks.

• Integrated into regular IT Examination process– Cyber Risk Management and Oversight– Cyber Security Controls– External Dependency Management– Threat Intelligence and Collaboration– Cyber Resilience

• Launched a cybercrime website https://www.ffiec.gov/cybersecurity.htm

41

©2013

CliftonLarsonA

llen LLP

FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Threat and Vulnerability Monitoring

and Sharing Statement (11/3/14)

• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures.

• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS‐ISAC)

– Improved identification and mitigation of attacks – Better identification and understanding of specific vulnerabilities and

necessary mitigating controls for systems– Sharing information to help other FIs

42

©2013

CliftonLarsonA

llen LLP

FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Threat and Vulnerability Monitoring

and Sharing Statement (11/3/14)• FI Management should:

– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly

– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization◊ FS‐ISAC: www.fsisac.com◊ FBI Infragard: www.infragard.org◊ U.S. Computer Emergency Readiness Team at US‐CERT: www.us‐cert.gov◊ U.S. Secret Service Electronic Crimes Task Force:

www.secretservice.gov/ectf.shtml

43

©2013

CliftonLarsonA

llen LLP

FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment

General Observations• Cybersecurity Inherent Risk– Management must understand the FIs INHERENT RISK when

assessing cybersecurity preparedness◊ Connection Types: identify and assess the threats to all access points to the internal network• VPN• Wireless• Telnet/FTP• Vendor LAN/WAN access• BYOD

44

©2013

CliftonLarsonA

llen LLP


General Observations• Cybersecurity Inherent Risk (cont.)

◊ Products and Services: identify and assess threats to all products and services currently offered and planned• Online ACH and Wire Transfer origination• External funds transfers (A2A, P2P, bill pay)

45

©2013

CliftonLarsonA

llen LLP


General Observations• Cybersecurity Inherent Risk (cont.)

◊ Technologies Used: identify and assess threats to all technologies currently used and planned• Core systems• ATMs• Internet and mobile applications• Cloud computing

46

©2013

CliftonLarsonA

llen LLP


General Observations• Cybersecurity Preparedness – Current cybersecurity practices and overall preparedness

should include:◊ Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats • Patching, encryption, limited user access• Intrusion detection/prevention systems, firewall alerts• Formal audit program with scope and schedule based on an

asset’s inherent risk, prompt and documented remediation of findings, regular activity report reviews

47

©2013

CliftonLarsonA

llen LLP


General Observations• Cybersecurity Preparedness (cont.)–

◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience • Formal Incident Response Programs, including regulatory and

customer notification guidelines and procedures• Senior management and board incident reporting

48

©2013

CliftonLarsonA

llen LLP

FFIEC Cybersecurity AssessmentsFFIEC Cybersecurity Assessment Implications?

• Increased Board and C‐Suite Involvement• Participation in information‐sharing group(s)• Cybersecurity scenario testing with employees and

management• Increased oversight of third‐party service providers• Documentation on how FI is addressing the FFIEC Cybersecurity

Assessment findings

49

©2013

CliftonLarsonA

llen LLP

Strategies

Our information security strategy should have the following objectives:

• Users who are more aware and savvy

• Networks that are resistant to malware

• Be Prepared… Monitoring, Incident Response, and forensic Capabilities

54

©2013

CliftonLarsonA

llen LLP

1. Strong policies

2. Defined user access roles Minimum Access

3. Hardened internal systems and end points

4. Encryption strategy – data centered

5. Vulnerability management process

Ten Keys to Mitigate Risk

6. Perimeter security layers

7. Centralized logging, analysis and alerting capabilities

8. Incident response capabilities

9. Know / use online banking tools

10.Test, Test, Test – Independent validation that it works…

55

©2013

CliftonLarsonA

llen LLP

Centralized Logging, Analysis, and AlertingCentralized audit logging, analysis, and automated alerting capabilities (SIEM)•Firewalls•Security appliances•Routing infrastructure•Network authentication•Servers•Applications ***•Archiving vs. Reviewing

56

©2013

CliftonLarsonA

llen LLP

Call To Action

57

Policies to set foundationTrain your usersThoroughly assess your risksThree R’s: Recognize, React, RespondThoroughly validate your controls

– High expectations of your vendors– Penetration testing– Application testing– Vulnerability scanning– Social engineering testing

People Rules

`

Tools

©2013

CliftonLarsonA

llen LLP

59

©2013

CliftonLarsonA

llen LLP


twitter.com/CLA_CPAs

facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen

Jim Kreiser, CISA, CRMA, CFSAPrincipalBusiness Risk and Information Security [email protected]‐453‐0900

59

cybersecurity governance update: new ffiec...

Documents