![Page 1: Cybersecurity - SecureTheVillage · Cybersecurity Assessment Assessment methodology: • FFIEC has provided a Cyber Assessment methodology for financial institution use- information](https://reader030.vdocuments.site/reader030/viewer/2022040615/5f0f2b9b7e708231d442d59a/html5/thumbnails/1.jpg)
Cybersecurity
Robert J. Lipot, CRISC, Senior IT Examiner
June 2016
Discussion Topics
• Cybersecurity Issues
• Executive Order 13636
• States and Federal Regulators Promote Awareness
• Key Areas of Focus
• Cyber Assessment
• InTREx (exam procedures)
• Awareness & Information Activities
Cybersecurity Issues
• Heightened attacks on many commercial & financial services
• Accessibility of systems via Internet or wireless activity
• A more mobile society wanting on-line access 24 x 7 from anywhere
• Global nature of business
Info-Tech Survey
82% of companies surveyed don’t have a formal process for evaluation of disruptive technologies
President’s Executive Order 13636 (02/12/2013)
• Executive Order (EO) 13636 - Improving Critical Infrastructure Cybersecurity
• The EO has gotten the attention of Congress and regulators regarding the ability to protect technology and manage cyber risks
Web 1.0 & 2.0
Web 1.0
• Dominated by published content
• Publicly accessible on-line
Web 2.0 - Interactive Internet
• Collaborative environment that facilitates creation and exchange of user-generated content via dynamic channels, including social media
• Platforms include video sharing, search engine marketing and optimization, online newsrooms, mash-ups, and viral and word-of-mouth (WOM) marketing
Cybersecurity Awareness - Importance
• Cyber criminals are becoming more “active” towards financial entities and/or their customers
• Break-ins and attempted/actual thefts are more prevalent
• Not a matter of “if”, but “when”
• Method(s) of determining awareness and preparedness at our licensees
Finding/Determining/Addressing Key Areas of Focus
• Risk Assessment
• Identify and value all enterprise assets/data
• Determine inherent risks - internal/external
• Evaluate controls
• Using CAT/other tools
• Mitigation strategies, as necessary
• DR/BCP - Incident Response
Threat Environment/Key Areas of Focus
• Web Facing Devices and Apps
• Security Monitoring
• Connection Security
• Mobile Devices/IoT
• DLP
• ATMs
• Privileged Accounts
• Patch Management
Issues/Concerns - Detection/Protection
• Common Security Mistakes
• Cybersecurity Assessment Tool (CAT)
• FFIEC Cyber Information
• Cyber Insurance
• Regulator Awareness
• FS-ISAC
Web “Facing” Devices and Applications
Key Hacker targets:
Websites
All Mobile Devices
Online Banking
Mobile Banking
App Stores
Internet of Things (IoT)
Security Monitoring - Internal & External Threats
• Continuous monitoring of system and network activity from sensors, devices, tools, etc.:
– Firewalls
– Routers
– IDS/IPS
– Vulnerability Assessments/Pen Testing
– Audit Logs
– Anti-Malware (viruses, spyware, etc.)
Connection Security
Knowledge of logical and physical connections, e.g.:
Core providers
Internet Service Providers
Wireless Networks
Virtual Private Networks
Wire Transfer/ACH Systems
Network/Core Processor Devices
Telecommunications Room
Mobile Devices are Targeted - DLP
BYOD vs. Licensee-owned
Types, e.g.:
Smart/Mobile Phones
Tablets/Notebooks
Laptops
Thumb Drives
Data Permitted
Applications Allowed
Device Security
Where are attacks coming from?
Multitude of Attack Vectors
SMS
Wi-Fi
Bluetooth
Infrared
Web Browser
Email Client
Third Party Apps
Operating System Vulnerabilities
Physical Access
Current Mobile Threats: SMS Botnets
• SMS Spam Botnet:
– Directs users to download malware directly on their device
1. An SMS is received containing a URL
2. When the user clicks on the URL, a Trojan is installed on the device along with the legitimate application
3. The Trojan contacts a C&C server to obtain the spam message
4. The spam message is sent to the contacts stored in the phone
Current Mobile Threats: Ransomware
• Ransomware:
– Malware which effectively holds a user’s device hostage until a fee is paid
– Can also happen to any computing device
– Banks and businesses have been impacted and it will continue…
Internet of Things
Wearable technology, e.g.:
• Google Glass, Apple Watches, etc.
• Fitbits
• Many others…
Internet of Things
Many other “things”:
• Cars
• Appliances
• Security cameras/security alarm sensors
• Printers
• The list goes on…
Internet of Things
Five Reasons IoT is Different than “Conventional” IT (Drue Reeves)
• IoT is business driven
• The volume, velocity and variety of data
• Combination of “operational tech” and “information tech”
• Unique risks created by end-to-end automation
• Integration, integration, integration
ATMs Aren’t Exempt
Per Krebs on Security:
• Bluetooth devices are “planted” in ATMs
• They capture all card and PIN data input
• They can capture megabytes of data
• Crooks use Bluetooth to exfiltrate the captured data
Hacked PC (Krebs on Security)
Hacked Email (Krebs on Security)
Privileged/Admin Access
• “Skeleton Key” - an all-access key
• Access to key functions such as adding, deleting, and changing employee rights and permissible activities - a key to gaining system control
• Access to key controls such as auditing, logging, etc. that would record a cyber event
Privileged/Admin Access
• Could also permit “root” access, which allows the holder to change operating system controls
• 80% of cyber theft is committed with privileged access - Sony, Target, etc.
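The two privileged-access slides above make one defensive point: an admin account can both grant itself or others new rights and silence the auditing and logging that would record the incident, so those actions are exactly what monitoring should flag. As an added example (not from the presentation), here is a small Python detector that scans constructed log lines for such actions; the log format, the privileged account list and the command patterns are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Accounts treated as privileged ("skeleton key" holders). Constructed list for
# the example; a real deployment would pull this from the directory/IAM system.
PRIVILEGED = {"root", "svc_backup", "dba_admin"}

# Actions that weaken the controls which would record a cyber event. Patterns
# are constructed, modelled loosely on Linux syslog/auditd command records.
CONTROL_TAMPER = [
    (re.compile(r"(stop|disabl).*auditd|auditd.*(stop|disabl)", re.I), "audit daemon stopped"),
    (re.compile(r"auditctl\s+-e\s+0", re.I), "audit subsystem disabled"),
    (re.compile(r"(stop|disabl).*rsyslog|rsyslog.*(stop|disabl)", re.I), "syslog forwarding stopped"),
    (re.compile(r"\b(rm|truncate)\s+(-\S+\s+)*/var/log/|>\s*/var/log/", re.I), "log file removed or truncated"),
]

# Granting admin group membership: the "key to gaining system control".
RIGHTS_CHANGE = re.compile(r"usermod\s+.*-aG\s+(sudo|wheel|admin)\s+(\S+)", re.I)

# Constructed line format: <timestamp> <host> <account>: <command or message>
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+):\s+(?P<msg>.*)$")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    reason: str
    severity: str


def analyze(lines):
    """Return one Finding per privileged-control event found in the log lines."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line; skipped here, but worth counting in production
        ts, host, user, msg = m.group("ts", "host", "user", "msg")
        is_priv = user in PRIVILEGED
        for pattern, reason in CONTROL_TAMPER:
            if pattern.search(msg):
                # Any account touching audit controls is notable; a privileged
                # account doing it is the scenario the slides warn about.
                findings.append(Finding(ts, host, user, reason, "high" if is_priv else "medium"))
        rc = RIGHTS_CHANGE.search(msg)
        if rc:
            group, target = rc.group(1), rc.group(2)
            findings.append(Finding(ts, host, user, f"rights granted: {target} -> {group}", "high"))
    return findings


def by_severity(findings):
    """Count findings per severity, for a quick management summary."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2016-06-01T09:12:04Z corebank01 jdoe: sudo cat /etc/hosts",
    "2016-06-01T09:15:30Z corebank01 root: systemctl stop auditd",
    "2016-06-01T09:16:02Z corebank01 root: usermod -aG wheel tempuser",
    "2016-06-01T09:17:45Z corebank01 svc_backup: rm -f /var/log/secure",
    "2016-06-01T09:20:00Z corebank02 jdoe: auditctl -e 0",
    "garbage line without the expected structure",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} {f.user}: {f.reason}")
    print(by_severity(analyze(SAMPLE_LOG)))
```

In practice the same checks would be fed from a SIEM rather than a list, and a finding of this kind should also be compared against the change-management record, since a legitimate maintenance window explains the action and an unplanned one does not.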
Common Security/Cyber Mistakes
• Not a “once and done” activity
• Not knowing where the data is at all times
• Forgetting about “all” tech items employed
• Not ensuring security is entity-wide and that everyone plays a role
Common Security/Cyber Mistakes
• Address different “age groups” and cultures
• Security is an afterthought
• Not knowing who is targeting the entity
• Not fully understanding the implications of third-party risks to the licensee
Cybersecurity Assessment
Assessment methodology:
• FFIEC has provided a Cyber Assessment methodology for financial institution use - information at www.FFIEC.gov
• It assists in determining how much cybersecurity effort has been performed by the Licensee
• Based on NIST 800-53 (National Institute of Standards & Technology)
• For 2015/16, examiners are reviewing for the Assessment “Baseline” and striving for higher levels
• Alternative methods to the CAT that provide the same/similar results are acceptable
• The CAT includes the information in the previous slides
FFIEC Cybersecurity Assessment Tool (cont.)
• Currently voluntary
• Licensee awareness - discuss the “Tool”
• Inform management of the FFIEC link
• As usual, expect more information - stay tuned…
FFIEC- CAT Domains
Highlight- FFIEC’s Cyber Maturity
Risk/Maturity Relationship
Definitions of Maturity Levels
FFIEC Cyber Web Page
IT Exam Procedures - InTREx
• InTREx = Information Technology Risk Examination
• Four main WPs - Audit, Management, Development & Acquisition, and Support & Delivery
• The other WPs - Cybersecurity, EFT, and Information Security Standards (GLBA)
• The WPs include the CAT
IT Exam Procedures - InTREx (cont.)
• Each WP is targeted to provide analysis to assess a URSIT component rating (1-5)
• Other WPs provide supplemental information to assist in the URSIT component and composite ratings
• Like IT-RMP, InTREx results will still weigh heavily on the S&S management CAMELS component
IT Exam Procedures - InTREx (cont.)
• InTREx is in the “test” phase until June 2016
• Each state will need to determine/approve whether it will use InTREx or a facsimile going forward
• Federal regulators - FRB and FDIC - have already made such a determination
• Large banks, depending on state/federal guidelines, may use the FFIEC WPs from the IT Handbooks
Cyber Risk Insurance
• Has been around for 11 years
• Used as a “Transfer Risk” option
• As of Jan 2015, 46 of 50 US states have mandatory data breach notification standards
• Expenses of handling/covering such losses are increasing - may be an option for our Licensees
• Some states are looking at examinations to include cyber insurance, e.g. NY
• Is expected to grow substantially
Cyber Risk Insurance Coverage
• Theft or manipulation of sensitive or private information
• Computer viruses, malware, etc.
• Computer fraud
• Could have a “high” deductible and only a percentage of coverage after that
• May only be obtained from some insurance companies
• Insurance coverage will require certain conditions
Cyber Insurance Summary
• Not all policies are “created equal”
• Certain cyber risks may be covered, some not
• Licensees need to “shop around” for terms, conditions, coverages, and deductibles
• Costs will vary depending on size and complexity of our Licensees along with items in bullet #2
• Need due diligence in looking for appropriate coverage specific to the Licensee
Regulators Promote Awareness and Information Activities (some examples)
• FFIEC Cybersecurity webinar and guidance for the Board and senior management
• FFIEC Cyber awareness (link on main web page)
Regulators Promote Awareness and Information Activities (some examples)
• State Example: Cybersecurity in the Golden State - Kamala Harris Cyber Doc: https://oag.ca.gov/cybersecurity
• CSBS Corporate Account Takeover (CATO) webinar and guidance (on the CSBS website)
FS-ISAC
• Financial Services - Information Sharing and Analysis Center
• Provides a wealth of information to Licensees
• FFIEC encourages becoming a member for certain benefits
• Website: https://www.fsisac.com/
Quick Cybersecurity Recap
• Need for management to realize the importance of awareness, preparation, training, and ongoing alertness
• Thus, cybersecurity efforts should be discussed at key management committees and reported to the Board
Cybersecurity Summary
• IT systems need to be updated regularly
• Staff training and vigilance are key components for prevention
• Licensees can’t be caught asleep at the switch!!
References
• www.FFIEC.gov
• www.nist.gov
• www.fsisac.com
• www.whatis.techtarget.com
• www.fdic.gov - RD Memo 2015-11