10 Questions on IT Security for Directors/Executives
©2016 Secure Banking Solutions, LLC www.protectmybank.com 1
Presenter Info
Chad Knutson
◦ President, SBS Institute
◦ Senior Information Security Consultant
◦ Masters in Information Assurance
◦ CISSP, CISA, CRISC
◦ www.protectmybank.com
◦ [email protected]
◦ Cell: (605) 480-3366
SBS Institute
◦ [email protected]
◦ 605-269-0909
Background
11 Years Community Bank Consulting at SBS
Experience in Risk Management, ISP Development, and Auditing
Developed the SBS Institute and teach certifications for CBSM, CBCM, CBSTP, and CBIH.
SBS has worked with over 900 banks in 45 states
Relationship with Dakota State University
◦ NSA & DHS National Center of Excellence in Information Assurance
◦ One of the only universities focusing on community banking security
Our Experience
PROCESS:
• Information Security Program design and roll-out
• IT Risk Management
• Vendor Management
• Technology Selection
• Business Continuity/ Disaster Recovery
• Incident Response
• Information Security Consulting
• IT Audit
◦ ISP Audit
◦ Controls Audit
◦ Wire Transfer Audit
◦ ACH Audit
◦ Internet Banking Audit
TECHNOLOGY:
• Penetration Testing
• Vulnerability Assessment
• System Configuration Assessment
• Acceptable Use Scanning
PEOPLE:
• Social Engineering
• Awareness Programs
• ISO Training
• CATO Training
• TRAC – Risk Mgmt. Suite
• Verify ACH Whitelisting
• Cyber-Risk
• Anti-Phishing
What is “Cybersecurity”?
Cyber Risk
◦ the increased probability that the very-high-impact, internet-based risks and threats we once thought were improbable will harm our networks
Cybersecurity
◦ the controls and processes in place to protect our networks and customer information from cyber risk
How does it relate to Information Security?
◦ Cybersecurity is one part of the broader discipline of Information Security, which encompasses not only Cybersecurity but also all of the traditional things we’ve done to protect our confidential customer information, including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more
Images courtesy of ISACA and member Menny Barzilay http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=296
Cybersecurity
FFIEC IS Booklet - Cybersecurity: The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.
“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”
– President Obama
10 QUESTIONS FOR EXECUTIVES AND THEIR BOARDS
U.S. Department of the Treasury Deputy Secretary Raskin
Deputy Secretary Raskin – 7/2015
Updated: http://www.treasury.gov/press-center/press-releases/Pages/jl0112.aspx
Original: http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx
How much do I need to know?
Board involvement was a major point of the FFIEC Cybersecurity Assessments that were performed in the second half of 2014, and it was heavily mentioned in the General Observations.
The Cybersecurity Assessment Tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn’t think the FFIEC is taking Board involvement seriously.
◦ Domain 1 - Cyber Risk Management and Oversight talks about Board involvement on an increasing frequency to go with increasing maturity, particularly in the “Oversight” component of the “Governance” factor, mentioning the Board fourteen (14) times alone.
Cyberattacks
Cyberattacks - and the harm caused by successful intrusions - have not decreased but are rather drawing more intense public focus.
Cyber-attacks are uniquely devastating
◦ Prevention challenge
◦ Detection rates low
◦ Unknown financial losses
◦ Unknown reputational damages
Guidance and Regulatory Trends
In Summer 2014, the FFIEC completed pilot cybersecurity examination work programs on 500 community banks to evaluate their preparedness for cyber risks
The FFIEC Summary Assessment included the following:
• Banks have a large dependence on IT to conduct business operations
• Dependence risk includes sector interconnectedness and rapidly evolving cyber threats
• Assessment reinforces the need for engagement by the board of directors with the following suggestions
◦ Routine discussion of cyber security issues in meetings
◦ Maintaining sufficient awareness of threats and vulnerabilities
◦ Managing connections to third parties
◦ Ensuring BCP and DR plans incorporate cyber incident scenarios
(Timeline graphic: Cybersecurity Examinations; FFIEC Release of the Cybersecurity Assessment Tool)
Question 1 Does your bank embed cybersecurity into its governance, control, and risk management systems?
Question 2 Have you remained vigilant about systematically identifying key assets, that is, those that provide high-value targets for malicious cyber actors?
What Are Your Crown Jewels?
Question 2
Key Systems
◦ Online Banking
◦ Remote Merchant Capture
◦ Core Banking
◦ Mobile Banking
◦ BYOD
Asset                     Confidentiality  Integrity  Availability  Volume  Protection Profile
Core System               H                H          H             H       12
Business Online Banking   H                H          M             M       10
File Server               M                M          M             H       9
Statement Printer         H                L          L             H       8
Android Phone             M                M          L             L       6
Question 3 Are your security controls tailored to the specific cyber risks presented by each key network, system, or set of sensitive data?
Question 3 Controls on specific systems.
What are others doing for controls?
Question 4 How do you prioritize implementing enhanced controls around key networks, systems, and sensitive data?
Question 4
Where do you apply your next control?
What is your risk goal “appetite”?
(Graphic: Next Control)
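As an added illustration, not part of the slide deck or any SBS tool: the Protection Profile column in the Question 2 table is consistent with weighting H=3, M=2, L=1 and summing the four ratings (that reproduces 12, 10, 9, 8 and 6 for the five rows). That weighting is my inference, not a formula the slides state. The Python below scores assets that way, ranks them, and flags those above a hypothetical risk-appetite threshold as candidates for the next control, which is the prioritization Question 2 (key assets) and Question 4 (where the next control goes) ask the board to make. The function names, the `appetite` parameter and the input format are mine; the sample rows copy the slide's table.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Assumed weighting, inferred from the slide's table: H=3, M=2, L=1, summed
# across the four columns. It reproduces all five rows (12, 10, 9, 8, 6) but
# is not a formula the slides state.
RATING_WEIGHT = {"H": 3, "M": 2, "L": 1}

# Constructed sample input: the five rows of the Question 2 table.
SAMPLE_ROWS: Sequence[Sequence[str]] = (
    ("Core System",             "H", "H", "H", "H"),
    ("Business Online Banking", "H", "H", "M", "M"),
    ("File Server",             "M", "M", "M", "H"),
    ("Statement Printer",       "H", "L", "L", "H"),
    ("Android Phone",           "M", "M", "L", "L"),
)


@dataclass(frozen=True)
class Asset:
    """One key system rated for confidentiality, integrity, availability and data volume."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    volume: str

    def __post_init__(self) -> None:
        # Reject anything outside the H/M/L scale so a typo in a spreadsheet
        # cannot silently produce a wrong score.
        for rating in self.ratings():
            if rating not in RATING_WEIGHT:
                raise ValueError(f"{self.name}: ratings must be H, M or L, got {rating!r}")

    def ratings(self) -> tuple:
        return (self.confidentiality, self.integrity, self.availability, self.volume)

    def protection_profile(self) -> int:
        """Sum of the weighted ratings; higher means the asset needs more protection."""
        return sum(RATING_WEIGHT[r] for r in self.ratings())


def load_assets(rows: Iterable[Sequence[str]]) -> List[Asset]:
    """Build Asset objects from (name, C, I, A, Volume) rows, e.g. a CSV export."""
    return [Asset(*row) for row in rows]


def rank_assets(assets: Iterable[Asset]) -> List[Asset]:
    """Highest protection profile first; ties broken by name for a stable report."""
    return sorted(assets, key=lambda a: (-a.protection_profile(), a.name))


def next_control_candidates(assets: Iterable[Asset], appetite: int) -> List[str]:
    """Names of assets whose profile exceeds the board's risk appetite threshold.

    `appetite` is a hypothetical policy parameter: assets scoring above it are
    where the next control should be applied first.
    """
    return [a.name for a in rank_assets(assets) if a.protection_profile() > appetite]


def report(rows: Iterable[Sequence[str]], appetite: int) -> List[str]:
    """Ranked, human-readable lines with a marker on assets above appetite."""
    lines = []
    for a in rank_assets(load_assets(rows)):
        flag = "NEXT CONTROL" if a.protection_profile() > appetite else ""
        lines.append(
            f"{a.name:<24} {''.join(a.ratings())}  profile={a.protection_profile():>2}  {flag}".rstrip()
        )
    return lines


if __name__ == "__main__":
    # Appetite of 9 is a constructed example value, not a recommendation.
    print("\n".join(report(SAMPLE_ROWS, appetite=9)))
```

Run it directly to print the ranked report; replacing `SAMPLE_ROWS` with rows from an exported asset inventory gives the same ranking. Rejecting ratings outside H/M/L at load time is deliberate: a silent default would push a mis-keyed critical system to the bottom of the list, which is exactly the kind of error a board-level prioritization cannot afford.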
Question 5 Have you reviewed the FFIEC Cybersecurity Assessment Tool and appropriately incorporated it into your approach to cyber risk management?
Question 5 – Set Goals
What are the next steps?
Have we reached our goal?
(Roadmap graphic: You’re Here)
Question 5 – Fill Gaps
(Checklist graphic: eight items marked Y, one marked N – Fill The Gaps)
Question 6
Have you designated specific professionals to be responsible for the institution’s cybersecurity strategy?
Have you provided them with the authority, resources, and access they need to effectively perform their work?
Question 6
Do they have the time?
Is this their focus?
How trained are they?
Will they be proactive in identifying, remediating, and communicating risks?
Question 7 Have you trained personnel on cybersecurity policies?
(Cycle graphic: Risk Assessment, Policy (ISP), Audit)
Question 7 How do you train your organization on cybersecurity policies?
Annual Training?
Question 8
What does your cybersecurity insurance cover?
How do we ensure that our insurance coverage matches our cyber-related risks?
Question 8
Generally non-insurable items:
Reputational harm.
Loss of future revenue (for example, in the case of Target if sales were down due to customers staying away after data breach).
Costs to improve internal technology systems.
Lost value of your own intellectual property.
Question 9 Does our cyber risk insurance impose “minimum required practices,” which may lead to denial of coverage if not followed?
Question 9
What level of security must be maintained for coverage?
◦ If you were found negligent in patching, would it affect a claim?
Look for sublimits for:
◦ Forensics
◦ Regulatory fines and penalties
Time restrictions for business interruptions (e.g. more than 8 hours of network downtime).
Many other areas of insurance are excluding technology or electronic fraud losses, carving a space for cyber insurance.
No standard for insurance, dramatic differences in pricing options and coverages.
What if errors are documented in those long questionnaires used for cyber applications?
https://www.mcguirewoods.com/Client-Resources/Alerts/2013/10/Buyers-Guide-to-Cyber-Insurance.aspx
http://www.wsandco.com/about-us/news-and-events/cyber-blog/cyber-basics
Question 9
What if errors are documented in those long questionnaires used for cyber applications?
◦ Any complaints or lawsuits regarding privacy/security violations been filed against you?
◦ Have losses or disruptions in service happened in the past?
◦ Have you implemented firewall, malware protection, and system patching?
◦ Do you manage vendor/service provider’s security controls?
◦ Do you perform periodic risk assessments?
◦ Do you have standard security configurations on all critical systems?
◦ Do you implement physical security controls?
◦ Do you implement logical access controls?
◦ Do you have written security policies, incident response programs, and disaster recovery programs?
◦ Are system backups created, stored offsite, and tested?
◦ Are log files reviewed?
◦ Do you have a regular audit conducted on your security controls?
◦ What types of data do you have?
◦ What compliance areas are you required to follow (GLBA, HIPAA, PCI)?
◦ Are your employees trained on security policies and procedures?
Cyber Insurance War Starting?
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/
Question 10
Does your Bank engage in cyber-hygiene?
Most important of the 10: basic cyber hygiene may prevent 80 percent of all known incidents.
Question 10
Cyber Hygiene Priority:
COUNT: Know what’s connected to your network.
CONFIGURE: Protecting your systems by implementing key security settings.
CONTROL: Protecting your systems by properly managing accounts and limiting user and administrator privileges to only what they need to do their job.
PATCH: Protecting your systems by keeping current!
REPEAT: Regularize the Top Priorities to form a solid foundation of cybersecurity for your organization.
http://cisecurity.org/about/CHToolkits.cfm
(Cycle graphic: Risk Assessment, Information Security Program, Audit)
SBS Questions
(Diagram: Bank / Customer / Third Party)
How do we address this issue in our [Bank]?
How do we address this with the [Customer / Third Party]?
Corporate Account Takeover
◦ Business System Compromised
◦ Business Email Compromise
◦ FBI Reports BEC losses in 2014/2015 = $1.2 billion
◦ Federal Reserve Atlanta stated losses in 2012 = $4.9 billion
ATM Fraud
1) Traditional Magstripe Skimmer
2) Magstripe Shimmer
3) Drill to insert USB w/ Malware or Mobile Device
4) Hacker in the network
5) EMV Shimmer
Education
How to monitor Cyber Security Issues and Take Action?
◦ Conferences and Conventions
  ◦ Technology & Security Conferences from http://www.iowabankers.com/
◦ Webinars
  ◦ Regular Hot Topics from http://www.iowabankers.com/
◦ Banking Schools
  ◦ Graduate Banking Schools such as www.gsb.org
◦ Certifications: Deep dive into Cybersecurity:
  ◦ Management Level:
    ◦ Cybersecurity Manager (CBCM)
    ◦ Security Executive (CBSE)
    ◦ Security Manager (CBSM)
    ◦ Vendor Manager (CBVM)
    ◦ Incident Handler (CBIH)
  ◦ Technical Level:
    ◦ Security Technical Professional (CBSTP)
    ◦ Ethical Hacker (CBEH)
    ◦ Mobile Administrator (CBMA)
    ◦ Forensic Investigator (CBFI)
◦ And more info at www.protectmybank.com/sbsinstitute/
Questions & Contact Information
Chad Knutson
◦ President, SBS Institute
◦ Senior Information Security Consultant
◦ Masters in Information Assurance
◦ CISSP, CISA, CRISC
◦ www.protectmybank.com
◦ [email protected]
◦ Cell: (605) 480-3366
Robb Nielson
◦ Regional Sales Representative
◦ [email protected]
◦ Cell: (712) 369-0139