TESTING YOUR CYBER SECURITY INCIDENT RESPONSE PLAN
Thomas E. Williams Gladiator Business Continuity Strategy Manager
Jack Henry & Associates Centurion Disaster Recovery Services
Northville, MI ToWilliams@jackhenry.com
800-299-4411
August 9 & 10, 2018
© 2017 Jack Henry & Associates, Inc.®
Tom Williams - Gladiator Business Continuity Strategy Manager
Testing Your Cyber Security Incident Response Plan
Presented by Gladiator - A Division of Jack Henry & Associates and The Graduate School of Banking
August 8-9, 2018
Agenda
• The FFIEC Guidelines on Cyber-Security
• Risk factors facing financial institutions
• Incident Response Plan components
• Incident Response Plan testing techniques
• Centurion Cyber Drill
Takeaways Throughout the Day
• Nuggets of Wisdom
• Write them down, memorize them, take pictures of them, etc.
• Be prepared to answer: “What nuggets of wisdom have you learned?”
Three Successful Brands
• Community and Multi-Billion Dollar Banks
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services
• Credit Unions of All Sizes
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services
• Financial Institutions of All Sizes
• Corporate Entities and Strategic Partnerships
• Core Processor Agnostic
• Best-of-Breed Niche Solutions
Brief Introduction to Gladiator Services
• Gladiator® CoreDEFENSE Managed Security Services™
• Gladiator® IT Regulatory Compliance/Policy Products™
• Centurion Business Continuity Planning™ / Centurion Disaster Recovery®
• Gladiator® Hosted Network Solutions™
• Gladiator® Managed IT Services™
Business Continuity / Incident Response Plan Components
The FFIEC – Federal Financial Institutions Examination Council – Guidelines on BCP/IRP
FFIEC BCP Guidelines
Business Impact Analysis (BIA)
• Critical Business Functions
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resources
Risk Assessment
• Threats
– Natural
– Human
– Technical
– Cyber Attacks
Risk Management
• Enterprise-wide BCP
• Emergency Plans
• Crisis Management Plans
• IT & Business Unit Plans
• Family Disaster Plan
Risk Monitoring
• Plan Maintenance
• Plan Testing
• Business Units
• Systems / Apps
IRP Basic Requirements
FFIEC’s IRP Minimum Components:
• Assess the nature and scope to identify systems and types of information that have been accessed and/or misused
• Notification of primary regulator
• Completing a SAR and notification of law enforcement
• Take steps to contain the incident to prevent further unauthorized access
IRP Basic Requirements
• Criteria that must be met before compromised systems are returned
• Notification of employees when warranted
• Notification of customers when warranted
• Intrusion response team in place
• Important pieces, but they do not provide the details needed to respond in the most effective manner.
Key Best Practices to Supplement Requirements
Consider the following:
– What happened and when?
– Performance?
– Was the Recovery process inhibited?
– What could be done differently?
– Corrective steps for similar future incidents?
– Other tools or resources?
– Use this as an opportunity to improve upon what you already have in place.
Risk Factors Facing Financial Institutions
Cybersecurity Challenges
• Cybercrime cost in the trillions
• Segregation of InfoSec oversight from IT
• Cyber incident management and resiliency
• Qualified InfoSec personnel
• Ever changing Risk Landscape
* salary.com
Regulators Making Cybersecurity a Priority
• The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016
• FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017
• FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015
• Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015
• FFIEC Issues Statement on Safeguarding the Cybersecurity of Interfinancial Institution Messaging and Payment Networks - FFIEC, June 7, 2016
• The FFIEC published a frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016
• New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016
• The FDIC launches the Information Technology Risk Examination (InTREx) Program - FFIEC, June 30, 2016
Cyberattack cost categories (Source: Deloitte, Beneath the surface of a cyberattack, 2016):
• Technical investigation
• Customer breach notification
• Post-breach customer protection
• Regulatory compliance
• Public relations
• Attorney fees and litigation
• Cybersecurity improvements
Cyberattack cost categories, continued (Source: Deloitte, Beneath the surface of a cyberattack, 2016):
• Insurance premium increases
• Increased cost to raise debt
• Impact of operational disruption
• Lost value of customer relationships
• Value of lost contract revenue
• Devaluation of trade name
• Loss of intellectual property
Today’s Top 6 Cyber Threats Facing Financial Institutions
1. Encrypted Traffic
2. Malicious Code Variants
3. Supply Chain Infections
4. Patches/Vulnerabilities
5. Ransomware
6. Social Engineering
1 - Encrypted Messages - Counter Measures
1. Decrypt Traffic for Inspection
2. Behavioral Analytics
AV Is Failing, and IPS Is Not Far Behind
Signature based “safety net”
APTs & zero-day attacks
2 - Malicious Code Variants - Counter Measures
1. DNS Protection
2. Deep Content Inspection / Sandbox
DNS Protection: Phishing
1. Threat sends malware to user
2. User clicks to view MalwareDL.com
3. Gladiator® analyzes threat; rejects
4. Gladiator® redirects unsafe request to safe landing page
DNS Protection: Drive-by Download
1. User types in website
2. Website has been hacked and redirects to malicious site
3. Gladiator® detects malicious site
4. Gladiator® Redirects
3 - Supply Chain
Supply chain / logistics diagram: Supplier, Manufacturer, Distributor, Retailer, Consumer
3 - Supply Chain - Counter Measures
1. Vendor Due Diligence
2. Vendor Management
4 - Patching - Counter Measures
1. Weekly Patching or as Needed
2. Weekly Vulnerability Scanning
3. Data Access Governance
4. Managed IT Services
CNN Headline, March 23rd
The FBI is investigating a ransomware attack on the city of Atlanta
NBC affiliate WXIA reported that the city received a ransom demand in bitcoin for $6,800 per unit or $51,000 to unlock the entire system.
5 – Ransomware Counter Measures
1. Data Access Governance
2. Actively Managed Endpoint Security
3. Modern Era Backup Strategy
4. Sandbox Technology
Top Threats (June – December 2017)
Top threats detected by Microsoft Office 365 ATP
6 – Social Engineering Counter Measures
1. Security Awareness Training
2. Principle of Least Privilege
3. Application Whitelisting
Incident Response Plan Components
Incident Response Plan – Purpose
• This document establishes the plan, procedures, forms and other steps Cashmere Valley Bank will use when responding to a computer security related incident.
• A computer security incident is an information related event where there appears to be:
– The misuse or unauthorized use of information or computing resources;
– An impact or potential impact to the confidentiality, integrity or availability of information.
• The incident may be due to an external intruder or may be caused by a disgruntled employee.
Incident Response Plan – Purpose
• Indications or symptoms of a computer security infraction, event or incident that deserves special attention could be the following:
– System crashes
– New user accounts or high activity on a previously low usage account;
– New files (usually with novel or strange file names);
– Data modification or deletion (files start to disappear);
– Denial of service (users become locked out of a system);
– Unexplained or poor system performance;
– Suspicious probes (there are numerous unsuccessful login attempts);
– Suspicious access (someone accesses files on many user accounts).
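Several of the symptoms listed above can be picked up from ordinary authentication logs before anyone reports an incident. The following Python script is an added example; it is not part of the presentation and not a Gladiator or Jack Henry product. It scans constructed sshd-style log lines for three of the listed indicators: numerous unsuccessful login attempts from one source (suspicious probes), one source touching many different accounts (suspicious access), and high activity on a previously low-usage account or on an account that has no baseline at all (a possible new account). The log lines, the per-account baseline and the thresholds are all constructed assumptions; a real deployment would take the baseline from a month of its own logs and tune the thresholds to the institution's size.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sshd/syslog-style sample lines (not taken from the slides).
SAMPLE_LOG = """\
Jun 03 09:00:01 fileserver sshd[101]: Accepted password for alice from 10.0.1.20 port 50001 ssh2
Jun 03 09:00:05 fileserver sshd[102]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Jun 03 09:00:06 fileserver sshd[103]: Failed password for carol from 203.0.113.9 port 40002 ssh2
Jun 03 09:00:07 fileserver sshd[104]: Failed password for dave from 203.0.113.9 port 40003 ssh2
Jun 03 09:00:08 fileserver sshd[105]: Failed password for erin from 203.0.113.9 port 40004 ssh2
Jun 03 09:00:09 fileserver sshd[106]: Failed password for frank from 203.0.113.9 port 40005 ssh2
Jun 03 09:00:10 fileserver sshd[107]: Failed password for grace from 203.0.113.9 port 40006 ssh2
Jun 03 09:01:00 fileserver sshd[108]: Accepted password for svc_backup from 10.0.1.50 port 50002 ssh2
Jun 03 09:01:02 fileserver sshd[109]: Accepted password for svc_backup from 10.0.1.50 port 50003 ssh2
Jun 03 09:01:04 fileserver sshd[110]: Accepted password for svc_backup from 10.0.1.50 port 50004 ssh2
Jun 03 09:01:06 fileserver sshd[111]: Accepted password for svc_backup from 10.0.1.50 port 50005 ssh2
Jun 03 09:01:08 fileserver sshd[112]: Accepted password for svc_backup from 10.0.1.50 port 50006 ssh2
Jun 03 09:02:00 fileserver sshd[113]: Accepted password for alice from 10.0.1.20 port 50007 ssh2
Jun 03 09:03:00 fileserver sshd[114]: Accepted password for tmp_admin from 10.0.1.77 port 50008 ssh2
"""

# Constructed baseline: average successful logins per day for each account over
# the preceding month. An account absent from the baseline is new to this host.
BASELINE: Dict[str, float] = {"alice": 10.0, "bob": 4.0, "svc_backup": 1.0}

FAILED_THRESHOLD = 5         # failed logins from one source  -> "suspicious probes"
DISTINCT_USER_THRESHOLD = 5  # distinct accounts from one source -> "suspicious access"
SPIKE_FACTOR = 4.0           # today's successes vs. baseline average -> "high activity"

# Matches the sshd password-auth outcome lines constructed above.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Extract result/user/src from every matching line; non-auth lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text: str, baseline: Dict[str, float]) -> Dict[str, List[Tuple[str, int]]]:
    """Return findings keyed by indicator name; each finding is (subject, count)."""
    events = parse_events(log_text)
    failed_by_src: Counter = Counter(e["src"] for e in events if e["result"] == "Failed")
    users_by_src: Dict[str, set] = defaultdict(set)
    success_by_user: Counter = Counter()
    for e in events:
        users_by_src[e["src"]].add(e["user"])
        if e["result"] == "Accepted":
            success_by_user[e["user"]] += 1

    findings: Dict[str, List[Tuple[str, int]]] = {
        "suspicious_probes": [], "many_accounts": [],
        "activity_spike": [], "unknown_account": [],
    }
    # Numerous unsuccessful login attempts from a single source.
    for src, n in failed_by_src.items():
        if n >= FAILED_THRESHOLD:
            findings["suspicious_probes"].append((src, n))
    # One source touching many different accounts (success or failure).
    for src, users in users_by_src.items():
        if len(users) >= DISTINCT_USER_THRESHOLD:
            findings["many_accounts"].append((src, len(users)))
    # Successful activity far above an account's baseline, or on an account
    # that has no baseline at all (a baseline of 0 flags any success).
    for user, n in success_by_user.items():
        if user not in baseline:
            findings["unknown_account"].append((user, n))
        elif n >= SPIKE_FACTOR * baseline[user]:
            findings["activity_spike"].append((user, n))
    return findings


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOG, BASELINE).items():
        for subject, count in hits:
            print(f"{indicator}: {subject} ({count})")
```

On the constructed input the script flags 203.0.113.9 for both probing and touching six accounts, svc_backup for five logins against a baseline of one per day, and tmp_admin as an account with no history. Each hit maps to a Level 2 or Level 3 entry point in the severity scheme later in the deck, which is where a detection like this should hand off to the classification step.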
Cyber Risk Appetite
• Management position on cyber risk
• Cyber risk appetite is not static
• Not a one-size-fits-all
• Based on business strategy
• Actionable and specific
What is the Bank’s Cyber-Security Risk Mitigation Profile?
Figure: a scale from HIGH RISK through MODERATE RISK to LOW RISK, with the labels BSA/AML, Internal Fraud, No Incident Response Plan and Incident Response Plan placed along it.
Each organization should continually strive to move toward the Low Risk area.
Cyber Incident Response Plan Components
• Monitoring
• Identification / Detection
• Investigation / Decision Making
• Evidence Collection / Forensic Analysis
• Communications – Employees – Members – Media – Legal – Insurance
• Management
• Vendor / Resource Management
• Business Resumption
Incident Response Process
Cyber Incident
1. Report Incident
• Technical Support / Help Desk
2. Incident Classification
• Validation and Severity of Incident
3. Notification / Escalation
• Who to contact, internal-external
4. Assessment
• Entry point of virus
• Systems affected
• Time to close incident
• Regulatory - Law agencies
5. Documentation
• Phone conversations
• System logs
• Meeting minutes
• Screen shots
6. Containment
• Shut down system
• Disconnect from network
• Monitor system/network
• Set traps
• Disable functions, etc.
Incident Response Process
7. Protecting Evidence
• Preserving hard drives
• Documenting incidents
8. Eradication & Recovery
• Anti-virus software
• System rebuilds
9. Follow-up Analysis
• System monitoring
• Sequence of events
• Method of discovery
• Lessons learned
10. Incident Prevention
• Technology
• Policies, procedures
• Training on security awareness
• Technical configurations
• Access permissions, logs, etc.
11. Vendor Management
• Tier 1 vendors must report all Incidents to CVB
• T1 vendors must have Incident Response Plans
• T1 Vendors must have Business Continuity Plans
Incident Response Severity Levels
Level 1
• Not a computer security condition – Low Impact
• The incident may be another type of issue
• The CIO may redirect the issue back to the Help Desk
Level 2
• Security Infraction or Event – Moderate Impact
• A security infraction is non-compliance with a security policy or standard
• In many cases it does not require formal investigation or tracking
• Infractions are addressed according to policy and enforcement
Level 3
• Information Security Incident – High Impact
• An information security incident appears significant upon initial reporting and additional investigation is deemed appropriate.
Incident Response Testing
• Annual requirement
• Validates that the IRP will work
• Appropriate response
• Incident reporting requirements
• Severity ranked scenarios
Incident Response Plan Testing Considerations
• Testing is a necessity and should be completed annually.
• Size and complexity matter in testing.
• Assemble your team.
– Validate response capabilities.
– Consider a vendor representative.
– Vendors assist with testing efforts (Centurion).
• Determine your testing scenario.
– Variety of severity levels with technical and non-technical incidents.
The Impact of Cybersecurity and Technology Service Providers
• Technology Service Providers (TSPs)
– Cyber resilience becomes a factor
– TSPs are now a part of your Incident Response Team
– Vendor Management
• Relationship between vendor management and incident response
• Information Sharing
FFIEC - Information Security Officer Responsibilities
• Incident Response Management & Training
• Information Security Strategy & Policies
• Information Systems Risk Assessment
• IT Audits & Interaction with Examiners
• Business Continuity / Disaster Recovery
• Vendor Management
• Vulnerability Assessments
vISO (Virtual Information Security Officer) Service Elements
• Annual Recurring InfoSec Risk Assessment – Asset Based, Control Validation
• Written Information Security Program – Policies, Procedures, Forms
• Ongoing Compliance Management – Audit Support, Monthly Meetings
• Reporting – Information Security Program Status
Centurion Cyber Drill
Cyber Incident Response Drill Objectives
• Better understand your financial institution’s vulnerability to cyber incidents.
• Assess your financial institution’s Incident Response Plan (IRP).
• Identify the major milestones associated with a cyber incident.
• Collaborate with your peers to share approaches to dealing with cyber incidents.
Cyber Incident Response Drill Objectives
Avoid becoming a victim like the following companies:
Cyber Attack Drill Information
• This is a test exercise, based on the probability of a real-world scenario.
• Treat scenario details as fact.
• Think about how your bank’s cyber program would measure up to a similar, but real, incident.
• Consider what improvements to your IRP may be required as a result of the drill.
Cyber Attack Drill Information
• Provide an interactive experience based on decisions associated with a cyber incident.
• You are assigned to the Incident Response Team (IRT) of The Financial Institution of Madison.
• Your team will be given a scenario resulting in a cyber incident at The Financial Institution of Madison.
• Please assume the role that you are assigned as an Incident Response Team Member.
Incident Response Team Introduction
Room layout (front of room): Chief Operations Manager / Compliance Manager; Chief Information Security Officer; Chief Executive Officer; Marketing / HR Manager
Incident Response Drill Challenges
Situational events that your IRT has to make decisions on
Share ideas and learn from your peers
Challenges are derived from real-world situations
Poll Everywhere will display team challenge results
Creates group discussion and collaboration
Financial Institution of Madison Bank Profile
• $757 million in assets
• Main office is located in downtown Madison, WI
• 9 additional branch office locations throughout Madison
• 211 employees and 511,000 customers
Financial Institution of Madison Technology Profile
• Core processing – Outsourced
• Windows® infrastructure runs at main office
• VMware Snapshots taken once per day and replicated off-site to another branch twenty-five miles away
• Uses an MPLS common network between branches
• Thirty days of historical backups
Let’s Get Started!
Cyber-Exercise Slides
• To maintain the integrity of the cyber-exercise, we elected not to include the actual slides of the drill until after the drill is completed in class.
• For those who elect to attend the class, the slides for the cyber-exercise will be made available immediately after attending the class.