CYBERSECURITY Dr. Kevin Streff Founder and Chief Security Strategist SBS Cybersecurity, LLC


Post on 10-Jun-2018



Building Your Cyber Security Program

Dr. Kevin Streff
Founder & Chief Security Strategist, SBS Cybersecurity, LLC
www.sbscyber.com

Iowa's Day with the Superintendent

What is Cyber Security?

Protecting

• Confidentiality

• Integrity

• Availability

Where

• Networks

• Vendors

• Customers

• Buildings

• Enterprise

• Endpoints

www.sbscyber.com 4/17/2017

How?

Layered Security Approach


Top Security Threats

• Hacking

• Data Leakage – Insider Threat

• Social Engineering

• Corporate Account Takeover

• ATM

• Spear Phishing

• Ransomware

• DDoS


Hacking

Threat #1

Hacker Tools Examples

• Tools to hack your bank are downloadable

– http://sectools.org/

• Default passwords are all available

– http://www.phenoelit.org/dpl/dpl.html

• Economy is available to sell stolen data (“underground markets”)

– http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/


Data Leakage – Insider Threat

Threat #2

Data Leakage

• Data Leakage is about insiders leaking customer information out of your bank

• Most attention is paid to outsiders breaking into your network (aka hackers)

• Malicious Behavior

• Accidental


Social Engineering

Threat #3

Sample Social Engineering Methods

• Phishing/Pharming

• Telephone (Remote Impersonation)

• Dumpster Diving

• Impersonation

• E-mail Scams

• USB Sticks


Corporate Account Takeover

Threat #4

Small Business Security

• 70% lack basic security controls

• ACH fraud and wire fraud

• Conduct a risk assessment looking for these basic security controls

– Firewall

– Strong passwords

– Malware Protection

– Etc.


ATM Fraud

Threat #5


ATMs

• The ATM environment has changed

• Used to be most banks:

– Closed network

– Non Windows

• Today, most ATMs are on your bank’s network and run Windows


Spear Phishing

Threat #6

• 91% of cyberattacks and the resulting data breach begin with a “spear phishing” email – Trend Micro

• The IRS saw an approximate 400 percent surge in phishing and malware incidents in the 2016 tax season.

• IRS has issued “guidance”.

– https://www.irs.gov/uac/newsroom/phishing-schemes-lead-the-irs-dirty-dozen-list-of-tax-scams-for-2017-remain-tax-time-threat

– https://www.irs.gov/uac/tax-scams-consumer-alerts

Phishing Trends


Insider Threat

Concern - Growing


Spear Phishing


Ransomware

Threat #7

Ransomware

• Cyber extortion

• A ransom message is displayed on the victim’s screen that demands a particular sum (usually between $100-1,500 for ordinary users) in exchange for a decryption key (usually claimed to be unique), thus completing a vicious cycle of cyber extortion crime done with the help of malware.

Webcam

• Malware can even take control of a webcam and record its owner. Hundreds of Australian visitors of adult websites were literally caught with their pants down and later blackmailed.

Pornography

• Malware planted child pornography, which cannot be deleted easily, and asked for a fee, otherwise a notification would be forwarded to the authorities.

Catching and Punishing

• Identification and arrest rates for cyber extortionists are low because they usually operate from countries other than those of their victims and use anonymous accounts and fake e-mail addresses.

Bitcoins

• Even the process of collecting payments from victims - often payable in bitcoins - and providing decryption keys can be automated.

• Criminals prefer Bitcoin because it's easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity

DDoS

Threat #8

• Amassing a large number of compromised hosts to send useless packets to jam a victim or its Internet connection or both.

• Typical methods:

– To exploit system design weaknesses such as ping of death.

– Impose computationally intensive tasks on the victim such as encryption and decryption

– Flooding based DDoS Attack.

DDoS

• 38% - suffered one or more DDoS attacks in the past 12 months

• $5-$100 – amount needed per hour to down a target.

Agenda

• Top Security Threats – 20 minutes

• Technology Regulation – 5 minutes

• What Do You Need To Do? – 35 minutes

Banking Method Trends


Gramm-Leach-Bliley Act

• Management must develop a written Information Security Program

• What is the “M” in the CAMEL rating?

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank

Important Guidance

• FFIEC ATM

• FFIEC DDoS

• FFIEC Social Media Guidance

• FFIEC Cybersecurity Assessments

• FFIEC Business Continuity Handbook (Appendix J)

• FFIEC Retail Payment System (Appendix E – Mobile Financial Services)

Sample Regulation

• Review with banking leaders


New Bills

• MAIN STREET Cybersecurity Act of 2017

• Cyber Disclosure Act of 2017

• Amendment to Cybersecurity Act of 2002


Successful I.T. Exam

Supervisory Expectations:

1. Layered Security Program

2. Risk Assessments

3. Awareness and Education

4. Incident Response

5. Information Sharing

6. Audits

Agenda

• Top Security Threats – 20 minutes

• Technology Regulation – 5 minutes

• What Do You Need To Do? – 35 minutes

Question for you… What is your bank doing to mitigate:

• Hacking

• Data Leakage

• Social Engineering

• CATO

• ATM Fraud

• Ransomware

• Spear Phishing

• DDoS

Answer Should Be:

1. Layered Security Program

2. Risk Assessment

3. Customer Awareness and Education

4. Effective Auditing

5. Incident Response

6. Information Sharing

Layered Information Security Program for Your Bank

• Assessments

• Asset Management

• Vendor Management

• Penetration Testing

• Vulnerability Assessment

• Security Awareness

• Business Continuity

• Incident Response

• Audits

Documentation

Boards & Committees

I.T. Risk Management Practices

• Your layered information security program starts with a management process to evaluate the use of technology at your bank (to assess the cyber risk)

IT Risk Management

• Financial institution management should develop an effective ITRM process that supports the broader risk management process to perform the following:

– Identify risks to information assets within the financial institution or controlled by third-party providers.

– Categorize the risk.

– Measure the level of risk quantitatively.

– Mitigate the risks to an acceptable residual risk level in conformance with the board’s risk appetite.

– Monitor changing risk levels and report the results of the process to the board and senior management.


Top Risk Assessment Products

• Archer – Kansas

• bSECURE – Texas

• CoNetrix – Texas

• Modulo – Seattle

• Riskkey – Texas

• RiskWatch – Maryland

• Scout – Wisconsin

• TRAC – South Dakota

• WolfPAC – Maryland

Protection Profile Report

(Diagram labels: IT Assets, Protection Profile, Threats, Controls, Risk Appetite)

• The more important the asset, the more risk you want to reduce.

• Acceptable levels of risk (the risk appetite) are identified, and measured residual risk is compared against them.
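The ITRM steps on the previous slides (identify, categorize, measure quantitatively, mitigate to within the board's risk appetite, monitor and report) and the protection profile idea above can be carried through in a few dozen lines. The following is an added example, not the deck's method and not any vendor's risk assessment product. It assumes 1-5 scales for asset importance, threat likelihood and impact, that each control removes a stated fraction of one threat's likelihood, and that the risk appetite is a maximum acceptable residual score that tightens as asset importance rises; every asset, threat and control listed is constructed sample data.

```python
"""Quantitative IT risk assessment with a protection profile and risk appetite."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 = rare .. 5 = expected (assumed scale)
    impact: int       # 1 = negligible .. 5 = severe (assumed scale)


@dataclass
class Control:
    name: str
    mitigates: str    # name of the threat this control addresses
    reduction: float  # fraction of that threat's likelihood it removes (0..1)


@dataclass
class Asset:
    name: str
    importance: int   # 1..5, the asset's protection profile weight (assumed scale)
    threats: List[Threat] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)


# Assumed risk appetite: maximum acceptable residual score per importance level.
# The more important the asset, the less residual risk the board tolerates.
RISK_APPETITE: Dict[int, float] = {1: 80, 2: 60, 3: 40, 4: 25, 5: 15}


def inherent_risk(asset: Asset, threat: Threat) -> float:
    """Measure risk before controls: importance x likelihood x impact (max 125)."""
    return float(asset.importance * threat.likelihood * threat.impact)


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Apply every control that mitigates this threat; reductions compound."""
    remaining = 1.0
    for control in asset.controls:
        if control.mitigates == threat.name:
            remaining *= 1.0 - control.reduction
    return round(inherent_risk(asset, threat) * remaining, 1)


def categorize(score: float) -> str:
    """Categorize a score so the board sees a rating, not only a number."""
    if score <= 10:
        return "Low"
    if score <= 30:
        return "Moderate"
    if score <= 60:
        return "High"
    return "Critical"


def assess(assets: List[Asset]) -> List[dict]:
    """Identify, measure and categorize each asset/threat pair, then compare to appetite."""
    report = []
    for asset in assets:
        limit = RISK_APPETITE[asset.importance]
        for threat in asset.threats:
            residual = residual_risk(asset, threat)
            report.append({
                "asset": asset.name,
                "threat": threat.name,
                "inherent": inherent_risk(asset, threat),
                "residual": residual,
                "category": categorize(residual),
                "within_appetite": residual <= limit,
            })
    return report


def exceptions(report: List[dict]) -> List[str]:
    """Items to escalate to the board: residual risk still above the stated appetite."""
    return [f"{r['asset']} / {r['threat']}" for r in report if not r["within_appetite"]]


# Constructed sample inventory for a small bank (not real data).
SAMPLE_ASSETS = [
    Asset("Core banking system", 5,
          threats=[Threat("Ransomware", 4, 5), Threat("Insider data leakage", 3, 4)],
          controls=[Control("Offline backups", "Ransomware", 0.5),
                    Control("Email filtering", "Ransomware", 0.4),
                    Control("DLP on egress", "Insider data leakage", 0.5)]),
    Asset("ATM fleet", 4,
          threats=[Threat("ATM malware", 3, 4)],
          controls=[Control("Network segmentation", "ATM malware", 0.6),
                    Control("Application whitelisting", "ATM malware", 0.5)]),
    Asset("Marketing website", 2, threats=[Threat("DDoS", 3, 2)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        flag = "" if row["within_appetite"] else "  <-- above risk appetite"
        print(f"{row['asset']:<22} {row['threat']:<22} inherent={row['inherent']:>5.1f} "
              f"residual={row['residual']:>5.1f} {row['category']}{flag}")
```

Running it on the sample inventory shows the point of the protection profile: the core banking system's ransomware risk falls from 100 to 30 after controls and is still above the appetite for a top-importance asset, while the marketing website's untreated DDoS risk of 12 sits comfortably within the looser appetite for a low-importance asset. The "monitor" step is simply re-running `assess` after each control change or audit finding and diffing the exceptions list.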

Commercial Account

Assessments

Commercial Banking Fraud

Bottom Line

• Need to develop a way for your bank to assess the risk of commercial accounts

Anti-Phishing Call to Action

Layered Security Program (blueprint)

Phishing Tests - Management

CATO Assessment Tool – Bank and Customers

Continuous and Specific Cyber Training

Phishing Posters

Phishing Metrics

Social Engineering and Penetration Tests - Audit

ANTI-PHISHING


Easily Create a campaign


Choose from a huge library of phishing templates

Realistic Templates


Educate them WHEN they click


Other Phishing Tools

• Wombat

• Phishme

• QuickPhish

• Tandem Phishing

• Most of these tools offer a free trial


Phishing Posters


Phishing Metrics

• Businesses manage through establishing quantitative goals. Phishing can be managed this way

• Conduct a baseline test

• Establish a goal

• Run specific campaigns

– Software

– Posters

– Training

– Etc.

• Re-measure results

• Repeat


Ongoing Training

• Employees and customers

• Having all employees watch a 60-minute video on phishing once a year = not good enough

• What can you do to keep Cybersecurity and other banking threats on their minds?

• Have you documented a formal, ongoing Information Security Awareness Program?

• Does your Board and executive team participate in training?

• What about… customers?

KnowB4 Training Modules

• Augment Phishing Tests

– Provides specific training to those who fail

specific tests / scams

– https://www.youtube.com/watch?v=UZe2KdkAfiU
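The Phishing Metrics slide (baseline, goal, campaigns, re-measure, repeat) and the point just above about giving specific training to those who fail specific tests both come down to the same bookkeeping over the simulation tool's export. The following is an added example, not KnowB4's reporting or any other vendor's code. It assumes the tool exports one CSV row per recipient per campaign with 0/1 columns for clicked and reported; the rows, users and departments below are constructed sample data.

```python
"""Phishing simulation metrics: baseline, goal, re-measure, targeted follow-up."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed export: two campaigns sent to the same eight staff (not real data).
SAMPLE_RESULTS = """campaign,sent_on,user,department,clicked,reported
baseline,2017-01-10,alice,Lending,1,0
baseline,2017-01-10,bob,Lending,0,1
baseline,2017-01-10,carol,Operations,1,0
baseline,2017-01-10,dave,Operations,1,0
baseline,2017-01-10,erin,Teller,0,0
baseline,2017-01-10,frank,Teller,1,0
baseline,2017-01-10,grace,IT,0,1
baseline,2017-01-10,heidi,Lending,0,0
q2-invoice,2017-04-10,alice,Lending,0,1
q2-invoice,2017-04-10,bob,Lending,0,1
q2-invoice,2017-04-10,carol,Operations,1,0
q2-invoice,2017-04-10,dave,Operations,0,0
q2-invoice,2017-04-10,erin,Teller,0,1
q2-invoice,2017-04-10,frank,Teller,0,0
q2-invoice,2017-04-10,grace,IT,0,1
q2-invoice,2017-04-10,heidi,Lending,0,0
"""


def parse_results(text: str) -> List[dict]:
    """Read the export and turn the 0/1 columns into booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["clicked"] = row["clicked"] == "1"
        row["reported"] = row["reported"] == "1"
        rows.append(row)
    return rows


def campaign_metrics(rows: List[dict]) -> Dict[str, dict]:
    """Click rate and report rate per campaign, in the order campaigns appear."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for r in rows:
        groups[r["campaign"]].append(r)
    metrics = {}
    for name, recs in groups.items():
        sent = len(recs)
        metrics[name] = {
            "sent": sent,
            "click_rate": sum(r["clicked"] for r in recs) / sent,
            "report_rate": sum(r["reported"] for r in recs) / sent,
        }
    return metrics


def goal_status(metrics: Dict[str, dict], click_goal: float) -> Dict[str, bool]:
    """Re-measure against the quantitative goal: was the click rate at or below it?"""
    return {name: m["click_rate"] <= click_goal for name, m in metrics.items()}


def department_click_rates(rows: List[dict], campaign: str) -> Dict[str, float]:
    """Where to aim posters and sessions: click rate per department for one campaign."""
    sent: Dict[str, int] = defaultdict(int)
    clicked: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["campaign"] == campaign:
            sent[r["department"]] += 1
            clicked[r["department"]] += int(r["clicked"])
    return {d: clicked[d] / sent[d] for d in sent}


def training_assignments(rows: List[dict], campaign: str) -> List[str]:
    """Users who clicked in this campaign get the module for that scam type."""
    return sorted(r["user"] for r in rows if r["campaign"] == campaign and r["clicked"])


def repeat_clickers(rows: List[dict], min_campaigns: int = 2) -> List[str]:
    """Users who clicked in several campaigns: candidates for one-on-one follow-up."""
    counts: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["clicked"]:
            counts[r["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_campaigns)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    metrics = campaign_metrics(rows)
    for name, m in metrics.items():
        print(f"{name:<12} sent={m['sent']} click={m['click_rate']:.1%} report={m['report_rate']:.1%}")
    print("goal 10% met:", goal_status(metrics, 0.10))
    print("train after q2-invoice:", training_assignments(rows, "q2-invoice"))
    print("repeat clickers:", repeat_clickers(rows))
```

On the sample data the baseline click rate is 50% with 25% reporting; after the posters and training the second campaign drops to 12.5% clicking and 50% reporting, which still misses a 10% goal, so the loop runs again with training assigned to the one user who clicked twice. Tracking report rate alongside click rate matters because the goal of the program is staff who report, not merely staff who do not click.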

Corporate Training Sessions

• Inviting corporate customers to cyber security training

• Using KnowB4 to test and train

• Offering community training session (i.e., identity theft, tax fraud, etc.)

• People (customers, employees, community, etc.) don’t think it will happen to them

False Sense of Security


SECURITY AWARENESS


Employees: Security Awareness Ideas

• Acceptable Use Policy

• Annual Security Awareness Training

• Email Reminders

• Online Training System

• Posters/Calendars

• Security Awareness Day

• Customer Appreciation Day

• Games

• Social Engineering Tests

• InfraGard Certification

Posters/Calendars


Security Awareness Training

April, 2017

Welcome to…

SECURITY FEUD!

Social Engineering Tests

• USB/Media Tests

• Dumpster Diving

• Phishing Tests

• E-Mail Scams

• Physical Impersonation

• Phone Impersonation


Customers: Security Awareness Ideas

• Awareness Information on Website

• Posters

• Security Awareness Day

• Customer Appreciation Day

• Lunch and Learns

MAIN STREET Cybersecurity Act of 2017


https://sbscyber.com/sbsinstitute/certifications/

AUDITING


Layered Audit Approach


Comprehensive Audit

• Audits will assess people, processes, and technology.

• A balanced audit program works as follows:

– people are assessed with a social engineering test,

– processes are assessed with an IT audit, and

– technology is assessed with a penetration test and vulnerability assessment.

Minimum ISP Documentation

• Risk Assessment

• Policies

• Procedures

• Standards

• Guidelines

• Plans

– Audit

– Business Continuity

– Incident Response

• Security Awareness Materials

• Vendor Assessments

• Minutes

– Board of Director Meetings

– I.T. Committee Meetings

– Audit Committee Meetings

• Strategies

• Test Results

– Audit

– Penetration Test

– Vulnerability Assessment

– Social Engineering

– Configuration Test

– Web Test

– Wireless Test

• Exams

– State

– Federal

• Misc.

– Network Diagram

– Organizational Chart


Action Tracking


Firewall Review

• Independence

• CIS Hardening Checklist (CIS)

– Example in System Configuration Section

• Verify changes and rules

– Verify change control forms against configuration of firewall

– Review firewall rules for applicability and accuracy
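The two verification steps on this slide (change control forms against the firewall configuration, and rules reviewed for applicability) can be scripted once the rulebase is exported, which also makes the review repeatable for the continuous auditing discussed later. The following is an added example, not a vendor tool and not the CIS checklist itself. It assumes the exported rules carry the authorizing change ticket in their comment field, that change control is available as a table of ticket id to approval and expiry, and that the rules and tickets below are constructed sample data.

```python
"""Firewall rule review: reconcile the rulebase against change-control records."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    port: str
    action: str              # "allow" or "deny"
    ticket: Optional[str]    # change-control reference from the rule comment, if any


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    approved: bool
    expires: Optional[date]  # set for temporary access, None for permanent changes


Finding = Tuple[Optional[int], str]   # (rule id or None for ticket-level findings, issue)


def review_rules(rules: List[Rule], tickets: Dict[str, ChangeTicket], today: date) -> List[Finding]:
    """Return one finding per discrepancy between the rulebase and change control."""
    findings: List[Finding] = []
    referenced = set()
    for r in rules:
        # Applicability check: an allow-all rule defeats the purpose of the firewall.
        if r.action == "allow" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append((r.rule_id, "overly permissive: allows any source to any destination on any port"))
        if r.action != "allow":
            continue  # explicit/default deny rules need no change authorization
        if r.ticket is None:
            findings.append((r.rule_id, "allow rule has no change-control reference"))
            continue
        referenced.add(r.ticket)
        t = tickets.get(r.ticket)
        if t is None:
            findings.append((r.rule_id, f"change ticket {r.ticket} not found in change-control records"))
        elif not t.approved:
            findings.append((r.rule_id, f"change ticket {r.ticket} was never approved"))
        elif t.expires is not None and t.expires < today:
            findings.append((r.rule_id, f"change ticket {r.ticket} expired {t.expires.isoformat()}"))
    # The other direction: approved changes that never made it into the configuration.
    for tid, t in tickets.items():
        if t.approved and tid not in referenced:
            findings.append((None, f"approved change {tid} has no matching firewall rule"))
    return findings


# Constructed rulebase export and change-control table (addresses are documentation ranges).
SAMPLE_RULES = [
    Rule(1, "10.1.0.0/16", "10.2.0.5", "443", "allow", "CHG-1001"),
    Rule(2, "any", "any", "any", "allow", None),
    Rule(3, "203.0.113.10", "10.2.0.7", "3389", "allow", "CHG-1042"),
    Rule(4, "10.3.0.0/24", "10.2.0.9", "22", "allow", "CHG-9999"),
    Rule(5, "10.1.0.0/16", "10.2.0.11", "1433", "allow", "CHG-1050"),
    Rule(6, "any", "any", "any", "deny", None),
]
SAMPLE_TICKETS = {
    "CHG-1001": ChangeTicket("CHG-1001", approved=True, expires=None),
    "CHG-1042": ChangeTicket("CHG-1042", approved=True, expires=date(2017, 3, 1)),
    "CHG-1050": ChangeTicket("CHG-1050", approved=False, expires=None),
    "CHG-1077": ChangeTicket("CHG-1077", approved=True, expires=None),
}

if __name__ == "__main__":
    for rule_id, issue in review_rules(SAMPLE_RULES, SAMPLE_TICKETS, date(2017, 4, 17)):
        print(f"rule {rule_id if rule_id is not None else '-'}: {issue}")
```

The review is deliberately two-directional: rules without an approved ticket are the classic finding, but an approved change with no rule behind it is also a control failure (the change was signed off but never implemented, or implemented under a different rule and not traceable). Independence, the first bullet on the slide, is preserved by having audit rather than the firewall administrator run and interpret the output.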

User Access Review

• Driven by your risk assessment

• Compare HR Employee list against active system users
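The comparison on this slide is the core of a user access review, and the same reconciliation catches the accounts that matter most: leavers still enabled, accounts nobody in HR owns, and privileged accounts that have gone quiet. The following is an added example, not any HR or directory product's report. It assumes two CSV exports (HR: username, status, termination date; the system: username, enabled flag, last logon, privileged flag), a documented allowlist of service accounts, and a dormancy threshold; all names and dates below are constructed sample data.

```python
"""User access review: reconcile the HR employee list against active system users."""
import csv
import io
from datetime import date
from typing import List, Set, Tuple

# Constructed HR export (not real people).
HR_EXPORT = """username,name,status,termination_date
alice,Alice Adams,active,
bob,Bob Brown,terminated,2017-02-15
carol,Carol Chen,active,
dave,Dave Diaz,active,
"""

# Constructed export of the core system's user list.
SYSTEM_USERS = """username,enabled,last_logon,privileged
alice,1,2017-04-14,0
bob,1,2017-02-14,0
carol,1,2016-12-01,1
dave,0,2017-04-10,0
svc_backup,1,2017-04-16,1
tempadmin,1,2017-04-01,1
"""

# Assumed: service accounts are documented with an owner elsewhere and reviewed separately.
SERVICE_ACCOUNTS: Set[str] = {"svc_backup"}

Finding = Tuple[str, str]   # (username, issue)


def review_access(hr_csv: str, users_csv: str, today: date, dormant_days: int = 90,
                  service_accounts: Set[str] = SERVICE_ACCOUNTS) -> List[Finding]:
    """Compare every system account to HR and return the discrepancies to remediate."""
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings: List[Finding] = []
    for u in csv.DictReader(io.StringIO(users_csv)):
        name = u["username"]
        enabled = u["enabled"] == "1"
        privileged = u["privileged"] == "1"
        if name in service_accounts:
            continue
        emp = hr.get(name)
        if emp is None:
            # Nobody in HR owns this login: orphaned or ad-hoc account.
            if enabled:
                findings.append((name, "enabled account with no matching HR record"))
            continue
        if emp["status"] == "terminated" and enabled:
            findings.append((name, f"terminated {emp['termination_date']} but account still enabled"))
            continue
        if enabled:
            # Dormant accounts are a standing risk; flag privileged ones as such.
            last = date.fromisoformat(u["last_logon"])
            if (today - last).days > dormant_days:
                tag = "privileged " if privileged else ""
                findings.append((name, f"{tag}account dormant since {last.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(HR_EXPORT, SYSTEM_USERS, date(2017, 4, 17)):
        print(f"{user:<12} {issue}")
```

Run on the sample exports with a review date of 2017-04-17, it flags the terminated employee whose account was never disabled, a privileged account unused since December, and an enabled admin login with no HR record; the disabled account and the allowlisted service account produce nothing. Because the slide ties the review to the risk assessment, the dormancy threshold and the allowlist are parameters rather than constants, so higher-risk systems can be reviewed on tighter settings.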

Continuous Auditing

• Continuous auditing is a method used by the IT audit and assurance professional to perform control and risk assessments on a more frequent basis.

• It is a method that allows IT audit and assurance professionals to monitor controls and risk on a continuous basis.

• “security with a heartbeat”

Boards and Committees

• If you don’t have a security expert on staff, get someone for your I.T. committee

• If you don’t have a security expert on staff, have someone annually report to your board (Cyber Disclosure Act of 2017)

• Keep minutes

• Set audits up on a schedule (see handout)

Risk Assessment Schedule


Auditing Results


What did we learn? What is your bank doing to mitigate:

• Hacking

• Data Leakage

• Social Engineering

• CATO

• ATM Fraud

• Ransomware

• Spear Phishing

• DDoS

Answer Should Be:

1. Layered Security Program

2. Risk Assessment

3. Customer Awareness and Education

4. Effective Auditing

5. Incident Response

6. Information Sharing

Contact Info

• Dr. Kevin Streff

– Dakota State University

[email protected]

• 605.270.0790

– SBS Cybersecurity, LLC

• www.sbscyber.com

[email protected]

• 605.270.0790
