SIFMA CYBERSECURITY
SMALL FIRMS CYBERSECURITY GUIDANCE
HOW SMALL FIRMS CAN BETTER PROTECT THEIR BUSINESS
JULY 2014


DISCLAIMER

This document was prepared as an account of work within the private and public sector. Neither SIFMA nor any of its members, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by SIFMA.

EXECUTIVE SUMMARY

Small businesses are becoming increasingly dependent on devices, services and applications that connect to the internet, such as smartphones, email, social media, and cloud computing services, in an effort to increase efficiency and revenues. Through this dependence they become larger targets for cybercriminals looking to exploit technological vulnerabilities. Cybersecurity firm Symantec reports that in 2012, 31% of all cyber attacks targeted businesses with fewer than 250 employees, up from 18% in 2011.1 Furthermore, in its 2013 Cost of Cyber Crime Study, research firm Ponemon Institute reported that smaller organizations incur a higher per capita cost than larger organizations ($1,564 and $371, respectively) due to cyber attacks.2 The SEC and FINRA have also begun examinations of cybersecurity preparedness among broker-dealers. As a result, it is crucial for small financial firms to take proper cybersecurity measures - measures to protect all computing devices, networks, and information - to ensure their business data remains secure. This guide builds upon the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm’s overall business model. The end goal is not compliance with a standard but to increase their cybersecurity and ensure the protection of their customers.

THREATS

CHEW (CRIMINAL - HACKTIVIST - ESPIONAGE - WAR)

Cybersecurity threats can vary in scale and motive. Understanding the likelihood of different cyber threats and their potential impacts should be the first step in helping firms understand what types of protections they need. Counter-terrorism expert Richard Clarke, who has worked as a Special Adviser to the President for Cyber Security, developed a simple way to classify the different “cyber threat actors” into four distinct categories – Crime, Hacktivism, Espionage and War (CHEW).3

Small firms are at greatest risk of a criminal cyber attack, which could take the form of data theft, fraud or extortion. Criminal organizations profit greatly from these attacks and are continually seeking new firms to exploit and developing methods of acquiring vital information. Hacktivism refers to actors seeking to make a political statement through attacks that are generally disruptive in nature. These attacks often involve shutting down websites or defacing insecure websites to convey their message and can pose reputational risks to a firm’s brand. Espionage and War attacks are largely perpetrated with the support of nation states and aim to inflict serious financial or physical harm on the intended target; they may look at a small firm as a gateway to disrupting the larger financial system or markets that it operates within.

1 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
2 http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
3 http://www.dtcc.com/~/media/Files/Downloads/Congressional%20Testimony/DTCC_Cyber-Security-Testimony_FINAL_6-01-12.ashx

In the case of a systemic attack or sector wide disruption, the Financial Services Sector Coordinating Council (FSSCC) has created the Cyber Response Coordination Guide, which enumerates sector-wide procedures for addressing the technical aspects of an attack. SIFMA’s Capital Markets Response Committee will address the business impacts and make recommendations for market open and close decisions.

For a small firm, criminal actors pose the greatest threat. In most cases, however, prior to making security investments, we recommend contacting your local US Secret Service or FBI field office for the law enforcement perspective, and the Office of Critical Infrastructure Protection at the US Department of the Treasury for the latest information on the specific threats your firm may be facing.

C.H.E.W. - Motivations and Capabilities

CRIMINAL

Definition: Organized groups of criminals who hide in “cyber sanctuary” countries to launch broad-based attacks against individuals and companies for financial gain.

Motivation:
• Money
• Information to sell (e.g. credit card numbers)

Capability:
• Large number of actors
• Basic to advanced skills
• Present in nearly all countries

HACKTIVIST

Definition: Loosely organized collections of hackers launching targeted campaigns against specific entities or web sites and able to cause embarrassment and financial damage.

Motivation:
• Protest
• Revenge
• Demonstration of power

Capability:
• Large number of actors
• Tend to have limited skills
• Few with advanced skill sets and motivations

ESPIONAGE

Definition: Cyber espionage operations are largely carried out by nation-states and are extremely well-organized and well-funded. They use the stolen intellectual property to enhance their own economies.

Motivation:
• Acquiring secrets
• National security
• Economic benefit

Capability:
• Small but growing number of countries with capability
• Larger array of ‘support’

WAR

Definition: This is when the motivations of a nation-state or a terrorist group turn from intellectual property theft towards damage and destruction.

Motivation:
• Destroy, degrade, deny
• Political motivation

Capability:
• Limited number of actors
• Potential non-state actors
• Expensive to maintain


COMPONENTS OF AN EFFECTIVE PROGRAM

STRATEGIC VIEW4

NIST has created an approach for firms of all sizes to improve their cyber protections. This framework was the result of a collaborative effort between NIST and leading industry professionals and companies, including SIFMA. The framework is specifically designed as a broad strategic overview of cybersecurity policies, written from a business context that allows both technical and non-technical individuals to discuss the topic. The Framework is comprised of five functional categories:

NIST Cybersecurity Framework

Function / Summary Description

Identify
- Identification of at-risk data (PII, accounts, transactions, etc.)
- Assess the threat to and vulnerability of existing infrastructure
- Understand all devices connected to the network and the network structure

Protect
- Limit network access to authorized users and devices
- Educate all users on cybersecurity awareness and risk management
- Employ programs and services that secure data and networks (e.g. firewalls, file encryption, password protection, data backups)

Detect
- Exercise network monitoring to detect threats in a timely manner
- Evaluate threats and understand their potential impact
- Look for anomalies in the physical environment among users, including the presence of unauthorized users or devices

Respond
- Contain and mitigate the event to prevent further damage
- Coordinate with stakeholders to execute a response plan and notify proper authorities
- Once detected, notify proper authorities
- Evaluate the response effort to improve the response plan

Recover
- Execute recovery systems to restore systems and data
- Update the response plan with lessons learned
- Resume business activities with internal and external stakeholders and manage public relations

This framework provides a holistic view of how small businesses can approach cybersecurity planning. We encourage firms to use these guidelines and the suggested approach to begin the dialogue of how to assess and improve their current cybersecurity protocols.

In order to cooperatively tackle the issue of cybersecurity across the financial industry, SIFMA strongly recommends participating in the Financial Services - Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC provides financial services firms a platform to share up-to-date threat information and best practices to mitigate these threats. As the cybersecurity threat to small businesses increases, cooperatives such as the FS-ISAC will continue to play a large role in mitigating, informing, and preventing cyber attacks.

4 http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf


IMMEDIATE ACTION ITEMS

According to Verizon’s 2013 Data Breach Investigations Report, 76% of network intrusions exploited weak or stolen credentials, and weak or stolen credentials also figured in the top five methods of hacking.5 SIFMA has adapted from the NSA cybersecurity checklist and the SANS Institute “First Five” a list of eight low-cost actions that can be implemented with relative ease and limited technical experience to combat such intrusions.

While these recommendations are not exhaustive in that they will not protect against all types of attacks and human error, they will provide small firms with adequate defense against the most common ones. For more detailed guidance on further security measures, we suggest using the SANS Institute’s Top Twenty Critical Security Controls list or the NIST Small Business Information Security guide. Links to both are included in the Additional References section at the end of the guide.

Action Item Checklist

Function / Summary Description

Username and Password Protection

Strictly enforce robust password security per NIST standards that includes:
- Upper and lower case letters, numbers, and symbols
- A minimum of 8 characters, avoiding common words and dates
- Password is not used for any other credential
- Changing passwords regularly
- Deploy multi-factor authentication

Control Administrative and Privileged Access

Restrict administrative and privileged access to systems and data through preventative and detective controls to prevent unauthorized access or alteration of systems and/or data.

Application Whitelisting

Allow only trusted software to execute on operating systems. Prevent the execution of all other software through the use of application whitelists.

Anti-Virus, Email and Website Filters

Updated anti-virus software, in addition to web security software, greatly reduces the risk of unintentional and intentional computer infection. Additionally, personal vigilance against suspicious emails and attachments greatly reduces cyber threats.

Secure Standard Operating Systems

Standardize on trusted operating systems that meet Common Criteria. Using unsupported or outdated operating systems, such as Windows XP, presents risks to the network and critical data.

Automated Patching Tools and Processes

Utilize automatic software updates and spot-check that updates are applied frequently to ensure software currency and reduce the risks associated with out-of-date, vulnerable software.

Back Up Data Regularly

Investing in and using cloud or physical external hard-drive backup systems provides an additional level of security for important data in the event that information is destroyed.

Mobile Device Security and Encryption of Data

Ensure that mobile devices are secure with passwords and the data is encrypted in the event of loss.

5 http://www.tripwire.com/state-of-security/security-data-protection/five-quick-wins-from-verizons-2013-data-breach-investigations-report-2/
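One way to turn the "Username and Password Protection" rules of the checklist into an enforceable check, as an added example that is not part of the SIFMA guide; the 90-day rotation interval, the tiny common-word list and the date patterns are assumptions made for the demonstration:

```python
import re
from datetime import date

# Rules taken from the guide's checklist: mixed case, digits and symbols;
# at least 8 characters; no common words or dates; not reused for another
# credential; rotated regularly (interval below is an assumption).
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed, deliberately tiny dictionary for the demo; a real deployment
# would use a large breached-password / common-word list.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "finance", "summer")

# Date-like substrings: a four-digit year (1900-2099), dd/mm or dd-mm-yyyy,
# or a compact mmdd run such as 0714.
DATE_PATTERN = re.compile(
    r"(19|20)\d{2}"
    r"|\b\d{1,2}[/\-.]\d{1,2}([/\-.]\d{2,4})?\b"
    r"|(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])"
)

def check_password(candidate, other_credentials=(), last_changed=None, today=None):
    """Return the list of checklist rules the candidate violates (empty = passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")
    lowered = candidate.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append("contains common word '%s'" % word)
    if DATE_PATTERN.search(candidate):
        problems.append("contains a date-like sequence")
    # "Password is not used for any other credential": compare against the
    # firm's other stored secrets for this user (constructed input in tests).
    if candidate in other_credentials:
        problems.append("reused for another credential")
    # "Changing passwords regularly": flag credentials past the rotation age.
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append("older than %d days, rotate it" % MAX_AGE_DAYS)
    return problems
```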


TECHNICAL SOLUTIONS

Firms in most cases need third party solutions to enable an effective cybersecurity program. In order to enable the seven suggested actions above, we’ve listed below a few cybersecurity solutions within each category that firms should consider to jumpstart their search for the correct solution to fit their needs. It is important to note that third party vendors must be held to high standards, especially if they have access to sensitive information or are critical to business operations.

BUSINESS CYBERSECURITY SOLUTIONS 6:

USERNAME AND PASSWORD PROTECTION
LastPass, Dashlane, Roboform, Keeper, Passpack, Common Key, Zoho (Vault)

CONTROL ADMINISTRATIVE PRIVILEGES
BeyondTrust (PowerBroker), Cyber-Ark (PIM), Dell SecureWorks (eDMZ), HP Enterprise Security (ArcSight ESM, ArcSight Identity View), Intellitactics (SecurityManager), nCircle (CCM), Security Compliance Corp (Access Auditor), Symantec (CCS), Tripwire (Enterprise, Log Center), Xceedium (Xsuite)

APPLICATION WHITELISTING
Bit9, IBM (Tivoli Endpoint Manager {BigFix}), Lumension (Vulnerability Management), Microsoft (System Center), Tripwire (Enterprise, Log Center)

ANTI-VIRUS, EMAIL AND WEBSITE FILTERS
Bromium (vSentry), Invincea (Enterprise), Kaspersky (Administration Kit), McAfee (ePolicy Orchestrator), Microsoft (Forefront, System Center), Sophos (Endpoint Protection), Symantec (SEP)

6 Vendors sourced from the SANS Institute


SECURE STANDARD OPERATING SYSTEM
Tripwire (Enterprise)

NETWORK SECURITY ANALYSIS
Algosec (Firewall Analyzer & FireFlow), Athena (FirePAC), Firemon (Security Manager), RedSeal Networks (Network Advisor), SolarWinds (Network Configuration Manager)

VULNERABILITY SCANNING & MANAGEMENT
Dell SecureWorks (Managed Web App Firewall, Web Application Testing), Qualys (Qualys Guard WAS), NTO (NTO Spider), WhiteHat Security (Sentinel), Tenable (Nessus, Security Center), nCircle (CCM, IP360), Qualys (QualysGuard Policy Compliance Module), Secunia (Corporate Software Inspector)

SECURE APPLICATION DEVELOPMENT
Cenzic (Hailstorm Enterprise), Checkmarx (Checkmarx), Coverity (Save), HP (Fortify 360, Fortify on Demand, WebInspect), IBM (Ounce Labs Core, Appscan), Veracode (Static/Dynamic)

FORENSIC TOOLS
AccessData (AccessData FTK and PRTK), ElcomSoft (ElcomSoft EFDD – BitLocker), Guidance Software (Encase Enterprise Edition), Mandiant (Mandiant Platform)

BACKUP TOOLS
Acronis Backup & Recovery, Genie Backup Manager, Paragon Backup & Recovery, NTI Backup Now, Rebit, Acronis TrueImage, Norton Ghost, Paragon Hard Disk Manager Suite, ShadowProtect Desktop, NovaBACKUP


TRAINING

There are a variety of service providers that offer comprehensive training in cybersecurity best practices. Recurring cybersecurity training helps ensure a uniform understanding of policies and practices within the company and limits human error. InfraGard is a cooperative between the FBI and private companies that operates over 80 chapters across the United States and offers free membership to businesses seeking to learn more about cybersecurity issues and training. Along with becoming a member of the FS-ISAC, it is recommended that the firm join this organization in order to gain access to threat alerts and regular briefings from law enforcement. Additional IT training is available through a variety of organizations and certification programs.

DHS/FEMA STATE CYBERSECURITY TRAINING PROGRAM

Cybersecurity for Everyone – Non-Technical Courses:
AWR 175 – Information Security for Everyone
AWR 174 – Cyber Ethics
AWR 168 – Cyber Law and White Collar Crime

Cybersecurity for Business Professionals – Business Managers Courses:
AWR 176 - Business Information Continuity
AWR 177 - Information Risk Management
AWR 169 - Cyber Incident Analysis and Response

For a complete list of courses visit: http://teex.com/teex.cfm?pageid=NERRTCprog&area=NERRTC&templateid=1856

CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE (SEI) CERT TRAINING

Risk Assessment Courses:
Introduction to the CERT Resilience Management Model
Practical Risk Management: Framework and Methods

CENTER FOR INFORMATION SECURITY AWARENESS (CFISA) COURSES

InfraGard Awareness Course / Information Security Awareness In The Workplace Course

ADDITIONAL TRAINING RESOURCES:

MS-ISAC – https://msisac.cisecurity.org/resources/videos/free-training.cfm
Stay Safe Online – http://staysafeonline.org/business-safe-online/train-your-employees


POINTS OF CONTACT

In the event of a security breach, it is important to alert authorities and to have a business continuity or disaster recovery plan, including internal points of contact. File a report with local law enforcement so there is an official record of the incident. Furthermore, firms should report online crime or fraud to their local office of the United States Secret Service (USSS) or FBI. In addition, make sure your primary regulator is aware as well.

Points of Contact

Agency / Contact
FBI Field Offices - www.fbi.gov/contact-us/field
USSS Field Offices - www.secretservice.gov/field_offices.shtml
CY-WATCH (FBI/USSS) - Phone: 855.292.3937
SIFMA Market Emergency - Phone: 646.934.6406
FS-ISAC Security Operations Center - Phone: 877.612.2622
Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) - Phone: 703.235.8832
US Department of the Treasury Office of Critical Infrastructure Protection and Compliance Policy (OCIP) - [email protected]

In addition, 47 states have enacted laws that outline who must be notified in the event of a security breach. The list below indicates the reporting requirements per state.

National Conference of State Legislatures Security Breach Notification Laws

FEEDBACK

Please direct any questions or comments about this product to the Operations, Technology and Business Continuity team at SIFMA via Karl Schimmeck at [email protected].


ADDITIONAL RESOURCES

• Australian Department of Defense Strategies to Mitigate Targeted Cyber Intrusions

• FBI InfraGard Program

• FCC Cybersecurity for Small Businesses

• FCC Cybersecurity Planner

• FINRA Cybersecurity Targeted Examination Letter

• FINRA Cybersecurity Targeted Examination Letter Questions

• Financial Services-Information Sharing and Analysis Center

• FFIEC Cybersecurity Resource Center

• National Cyber Security Alliance

• NIST Computer Security Resource Center

• NIST Cybersecurity Framework

• NIST Small Business Corner

• NIST Small Business Information Security: The Fundamentals

• NSA/IDA Top 10 Information Assurance Mitigation Strategies

• On Guard Online

• Sans Top 20 Critical Security Controls

• Securities and Exchange Commission Office of Compliance Inspections and Examinations Cybersecurity Initiative (SEC OCIE)

• US Chamber of Commerce Internet Security Essentials for Small Business

• US Computer Emergency Readiness Team (CERT) Home Network Security Guide

WWW.SIFMA.ORG