1:00 pm - Tax, Audit, Compliance, Financial Advisory FUNNEL - ATTENDEE PACKET 2015.pdfThursday, September 24, 2015 8:30 - 1:00 pm Breakfast & Lunch provided Meeting Location: The

Thursday, September 24, 20158:30 - 1:00 pm

* B r e a k fa s t & L u n c h p r ov i d e d *

Meeting Location : The University Club of Tampa - 201 N. Franklin Street, 38th Floor, Tampa, FL 33602

Parking Instructions : Parking is available in the Fort Brooke Garage at the NW corner of Florida and Whiting. The 3rd floor of the garage has a covered walk-over to the building.

Arrival : Please arrive 5-10 minutes prior to your session’s start time to allow yourself plenty of time to check in and get settled.

Dress : Business Casual. Please also consider bringing a sweater or jacket for your comfort.

CPE: 4 hours Technical business

Welcome from Saltmarsh & Program OverviewLee Bell, CPA, Saltmarsh, Cleaveland & Gund

8:30 Cybersecurity and Leadership Solutions James Risler, Cisco Systems

9:15 Cybersecurity Awareness David Fiedorek, FDIC Kishan Patel, FDIC

10:00 Break

10:15 Rise of the Underdark: An Introduction into the Deep Web and Stealing for a Living Tim Leonard, Commericial Bank of Texas

11:15 The Cybersecurity Assessment Tool and Technology Predictions for 2016 Stephen Reyes, CISA, Saltmarsh, Cleaveland & Gund

12:00 Lunch

September 24, 2015The University Club of Tampa

Keep the Conversation Going!Use #SaltmarshBankTalk before, during and after each session to share your questions,

feedback and event photos!

Speaker Biographies

James Risler | Cisco [email protected]

James Risler, CISSP and CCIE No. 15412, is a systems engineer and manager of security content development for Cisco Systems. His focus is on security technology and training development. He oversees a team of security course developers and is responsible for leading the security training courses product development efforts for Learning@Cisco. Risler has more than 20 years of experience in IP internetworking, including the design and implementation of security solutions for enterprise networks. His area of expertise is Cyber security, threat defense training, virtual private networks, and firewall configuration. Risler has spoken at numerous conferences on security topics and was named Distinguished Speaker for Cisco Live 2015.

Prior to joining Cisco Systems, Risler provided Cisco security training as a Certified Cisco Systems Instructor (CCSI) and consulted for Fortune 500 companies and government agencies. He has two bachelor’s degrees from University of South Florida and a MBA in Information Technology from The University of Tampa and is currently working on his Masters of Science in Cybersecurity.

David Fiedorek | Federal Deposit Insurance Corporation (FDIC)[email protected]

David Fiedorek joined the FDIC in 1987 first assigned to the Harrisburg, PA field office. He became a commissioned examiner in 1990 and has led and participated on many community bank and larger bank Safety & Soundness and Information Technology examinations over the course of his career. Currently a Senior Examiner, Mr. Fiedorek has worked in the Tampa/Gainesville, Florida territory within the FDIC Atlanta Region since relocating to this area in 2001 and is currently serving as a IT training program coach for other FDIC examiners seeking to gain a broader skill set in this area. He currently resides in Clearwater, Florida.

Kishan Patel | Federal Deposit Insurance Corporation (FDIC)[email protected]

Kishan G. Patel currently serves as an Information Technology Examination Analyst (ITEA) for the Risk Management Supervision (RMS) division at the Federal Deposit Insurance Corporation. Mr. Patel is responsible for examining small to large banks in the Atlanta region, which covers, Alabama, Florida, Georgia, North Carolina, South Carolina, West Virginia and Virginia.

Mr. Patel previously served as an Investigator for the Division of Resolutions and Receiverships at the FDIC at the Temporary Satellite Office in Jacksonville, Florida. He oversaw and helped to manage banks in Florida, Tennessee and Georgia.

Mr. Patel is a Florida licensed Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA) and holds numerous other certifications. Mr. Patel graduated from Victoria University, Wellington, New Zealand with a Bachelor of Commerce and Administration (BCA) and the University of North Florida, Jacksonville with a Bachelor of Science (BS) in Accounting.

2015 Financial Institution Techonology Funnel | Saltmarsh, Cleaveland & Gund

Financial Institution Technology FunnelSpeaker Biographies

Stephen Reyes, CISA | Saltmarsh, Cleaveland & [email protected]

Stephen is the shareholder in charge of the Information Technology Services Department of Saltmarsh, Cleaveland & Gund. He joined the firm in 1997 and has been practicing in this field since 1990. His experience includes computer networking and technology consulting. Stephen is a Certified Information Systems Auditor, Microsoft Certified Systems Engineer and a Cisco Certified Network Associate. He also holds certifications with ISACA, Novell, Citrix, and CompTIA. Stephen has assisted a number of financial institutions with IT compliance audits, security audits, as well as system selection, implementation and conversion.

Tim Leonard | Commercial Bank of [email protected]

Tim Leonard is the Chief Information Officer of Commercial Bank of Texas. Tim has over 15 years of banking experience and has served in various management positions including information technology, bookkeeping, proof and transit, operations and call center. His passion for banking and education has given him opportunities to speak at state and national conventions concerning IT infrastructure, management and information security. His style is a fantastic mix of high energy, humor and heart and his presentations consistently score high marks with attendees.

He graduated from Stephen F. Austin State University, in Nacogdoches Texas and married his high school sweetheart. They have two sons, ages 14 and 11.

2015 Financial Institution Techonology Funnel | Saltmarsh, Cleaveland & Gund

Cyber Security and Leadership

SolutionsPresented By: JAMES RISLER

© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr

1

Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.

Cyber Security and Leadership Solutions

James RislerManager – Security Content Development MBA, CISSP #456200, CCIE# [email protected]

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

• The “Why”

• Trends

• Threat Landscape

• Examples of Cyber Attacks

• Business Challenge

• People Problem

• Recommendations

• Conclusion & Q&A


2


The “Why”

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Anthem

Home Depot

JP Morgan

Adobe

Target

Univ. of MD

Neiman Marcus

TJ Maxx

Sony

Zappos

LinkedIn

Citigroup

Florida Courts



3


• Over 15% of attacks are targeted at financial institutions

• Attacks include :

DDoS

Spyware

Ransomware

Mobile devices

SPAM

Web Exploits

• Source : IDC ™

Attacks per vertical segment


• 2008 – 100 Million Credit and debit card numbers stolen by spyware from Heartland Payment Systems

• 2014 – 76 Million household accounts and 7 million SMB accounts compromised at JP Morgan Chase

• 2015 - DDoS attack launched on OP-Pohjola and Danske Bank

• ... And more :European Central Bank extortion attempt

Multi-bank attack by Eurograbber


4


Increased Attack

Surface

APT’SCyberwar

Spyware and

RootkitsWorms

Antivirus(Host-Based)

IDS/IPS (Network

Perimeter)

Reputation (Global)

and Sandboxing

Intelligence and

Analytics (Cloud)

Enterprise

Response

20102000 2005 Tomorrow

Threat Landscape is Evolving…


It is a Communitythat hides in plain sight

Missed by Point-in-time Detection

Cisco

100 percent of companies surveyed by Cisco have connections to domains that are known

to host malicious files or services. (2014 CASR)


5


Social Engineering Technical Exploit Zero-day Attack

Phishing, Spam Malvertising

Patching, new vulnerabilities

Unknown code exploits

Top Cyber Risks for Users

Untrustworthy sources

Clickfraud and Adware

Outdated browsers

10% 64%IE requests running latest version

Chrome requests running latest version

vs

2015 Cisco Annual Security Report


6


20001990 1995 2005 2010 2015 2020

Viruses1990–2000

Worms2000–2005

Spyware and Rootkits2005–Today

APTs CyberwareToday +

Hacking Becomesan Industry

Sophisticated Attacks, Complex Landscape

Phishing, Low Sophistication

ILOVEYOUMelissaAnna Kournikova

NimdaSQL SlammerConficker

AuroraShady RatDuqu

BotnetsTedrooRustockConficker v2

Welcome to the Hackers’ Economy

Source: CNBC

Global Cybercrime

Market: $450B-$1T

How Industrial Hackers Monetize the Opportunity

Social Security

$1 MedicalRecord>$50

DDoSas a Service

~$7/hour

DDoS

CreditCard Data$0.25−$60

Bank Account Info>$1000

depending on account type and balance

$

Exploits$100k-$300K

Facebook Account$1 for an account

with 15 friends

Spam$50/500K emails

Malware Development

$2500(commercial malware)

Mobile Malware$150


7

YEARSMONTHS

Impact of a Breach

HOURS

Breach occurs data in breaches is stolen in

of breaches remain undiscovered for

Information of up to individuals on the

black market over last three

Source: Verizon Data Breach Report 2014

START

Examples of Cyber Attacks


8


• 4 Key South Korean Targets

Phishing against Hyundai Merchant Marine

• Infecting Systems

Trojan Dropper – DLL library against Windows 7

• Install Spying Modules

Key Stroke Logger, Directory Listing, Remote Control & Execution, Remote Control Access

• Disable Firewall

• Communication

Command and control Bot done through a Bulgarian web-based free email server

• Regular Reporting and RC4 Encryption and Exporting of Data



9


1. Phish HVAC VendorSteal credentials – Target hosted web server

2. Scan Network – Determine HVAC vendor access shared web server

1. Upload PHP Script to Web Server – Vulnerability in Application

1. Control of Webserver – Scan for relevant targets for propagation (MSSQLSvc/Billing)

1. Attack Microsoft AD Domain – Steal access tokens on Webserver (Pass-the-hash)


6. Create new Admin Account in MS AD Domain

7. Propagate to relevant computers (“Angry IP Scanner”) by pass security solutions (Tunneling with PsExec’s)

7. Attack SQL Server – Steal 70 Million PII records (no credit cards because PCI compliant) • Osql.exe• Isql.exe• Bcp.exe


10


9. Download POS Malware and install on POS (“Kaptoxa” Malware)

10.Send stolen Credit Card info to network share (FTP transfer)

10.Upload Credit Card information to FTP site


If you knew you were going to be compromised, would you do security differently?


11


Sophisticated Attackers

Complex Geopolitics

Boardroom Engagement

Misaligned Policies

Dynamic Threats

Defenders

Complicit Users


Industrializationof Hackers Evolving Borders Compliance

• Zeus, Phishing, Mules

• Targeted Attacks for Profit

• Advanced Persistent Threats (APT)

• Cyber and Economic Espionage

• Traditional Signature Enforcement less EffectiveInflux of Mobile Devices, BYOD

• Dual Profiles—Personal and Corporate

• Access Policy Inconsistent, Difficult to Maintain

• Rapid Growth of Regulatory Requirements: PCI, HIPAA, NERC CIP, FISMA, SOX, ISO

• Legal Liabilities Drive Internal Requirements

• Little to No Guidance On How to Meet New Standards


12


Security Breaches are Costly

23

Security is the #1 Issue for Your Customers

Protect Now the Value You Intend to Create Tomorrow

Cyber Security is a Boardroom Discussion


Summary Cisco 2015 Annual Security Report Key Findings

• Lack of Security Leadership in Small companies (only 22 percent respondents see security has high priority)

• Gap between CISO and SecOp Manager in terms of confidence

• Less than 50% of respondents use following tools:• Identity Administrator or user provisioning

• Patching and configuration

• Penetration testing or Endpoint Forensics

• Vulnerability scanning

• Only 40% of companies do Correlated event/log analysis

Solution

• New approaches to Security through alignment with People, Process and Technology


13


• “Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”

• “Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure”

• People are part corporate system

Solution

• Training Programs

• Leadership from Executives on down


New Focus - Attack Continuum

Visibility and ContextMission Critical Business Systems and Solutions

BEFOREDiscoverEnforce Harden

DiscoverEnforce Harden

AFTERScope

ContainRemediate

ScopeContain

Remediate

Detect Block

Defend

Detect Block

Defend

DURING

Policies, Process and People

Response Policyand

Communication Strategy

Monitoring Impact MitigationIdentification


14


• Develop a Cybersecurity Management Framework

• 3 Distinct Layers with seven discret focus area

1. Strategy – Define, document, and publish

2. Operational – develop operational standards, process, and proceedures

3. Tactical – implement security controls and monitoring with defined metrics

• Critical – Executive Sponsorship

• Plane for … Before During and After the Attack

What is the critical components of the business?

Have you done a risk assessment?

Use existing business cases (Target, Home Depot, etc)

How will the board respond to a Cyber attack?


• Threat Landscape Rapidly Changing

• Business Leaders must drive security

• Business Challenge - Tools, Process, and People

• Cybersecurity Framework is critical


15


Cisco 2015 Annual Security Report

Now available:

cisco.com/go/asr2015

Verizon 2015 Data Breach Investigation Report

http://www.verizonenterprise.com/DBIR/

Questions/Discussion?

Thank You


16


http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-management-programs.pdf

http://www.datacenterdynamics.com/security/ciscos-2015-security-report-its-a-people-problem/94536.fullarticle

Cyber Security AWARENESS

Presented By: DAVID FIEDOREK & KISHAN PATEL

9/17/2015

1

Cybersecurity Awareness

ObjectivesCybersecurity

Discuss the Evolution of Data Security Define Cybersecurity Review Threat Environment Discuss Information Security Program

Enhancements for Cyber Risk Threat Intelligence

Third-Party Management

Resilience

Incident Response

Describe Cybersecurity Assessment Tool

2

9/17/2015

2

3

Evolution of Data SecurityCybersecurity

Evolution of Data Security Cybersecurity

4

9/17/2015

3


Emerging

ATM

5

The National Institute of Standards and Technology (NIST) defines cybersecurity as:

“The process of protecting information by preventing, detecting, and responding to

attacks.”

NIST Framework for CybersecurityIdentify Detect Respond

Protect Recover

6

DefinitionCybersecurity

9/17/2015

4

Appendix B to Part 364Cybersecurity

II. Standards for Information Security Ensure the security and confidentiality of customer

information;

Protect against any anticipated threats or hazards to the security or integrity of such information;

Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and

Ensure the proper disposal of customer information and consumer information.

7

Information Security IncidentsCybersecurity

201442.8 million

201328.9 million2012

24.9 million201122.7 million

2010 9.4 million2009

3.4 million

Source: PwC.com8

9/17/2015

5

People and PatchesCybersecurity

“…a campaign of just ten e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey…”

“…11% of recipients of phishing messages click on attachments.”

9

Source: Verizon 2015 Data Breach Investigations Report

People and PatchesCybersecurity

“99.9% of the exploited vulnerabilities had been compromised more than a year after the associated [patch] was published.”

“Ten [vulnerabilities] accounted for almost 97% of the exploits observed in 2014.”

“In 2014, there were 7,945 security vulnerabilities identified. That is 22 new vulnerabilities a day. Nearly one an hour.”

10

Sources: Verizon 2015 Data Breach Investigations ReportNopSec

9/17/2015

6

Threat EnvironmentCybersecurity

11

Growing Vulnerabilities Interconnected systems

New delivery channels

Legacy products

Emerging/Unknown

Increasing Threats Number/types of actors

Nature/volume of attacks

Level of sophistication

Emerging/Unknown

Threat Environment: VulnerabilitiesCybersecurity

Technological Weakness in hardware, software, network, or system

configurations

Organizational Lack of awareness of threats/vulnerabilities, incomplete asset

inventories, weaknesses in/over-reliance on third parties

Human Exploitation of human behavior such as trust and curiosity

Lack of effective security awareness training

Physical Theft, tampering, device failure, or introduction of infected media

12

9/17/2015

7

Threat Environment: ActorsCybersecurity

Cyber Criminals - Financially motivated; attacks include account takeovers, ATM cash-outs, and payment card fraud.

Nation States - Attempt to gain strategic advantage by stealing trade secrets and engaging in cyber espionage.

Hacktivists - Maliciously use information technologies to raise awareness for specific causes.

Insiders - Abuse their position and/or computer authorization for financial gain or as a response to a personal grievance with the organization.

13

Threat Environment: Attacks Cybersecurity

Malware/Destructive Malware e.g., Key Loggers, Trojans, Ransomware, Wiper

Phishing/Spear Phishing Distributed Denial of Service (DDoS) Compound Attacks e.g., DDoS/Corporate Account Takeover,

Phishing/Trojan

The Unknown

14

9/17/2015

8

Threat Environment: ExampleCybersecurity

This image cannot currently be displayed.

15

ExecutionInstallationEmail

• Account Takeover• Ransomware• Data Theft• Data Destruction

Potential Concerns

PatchesPeople Detection

Information Security ProgramCybersecurity

16

Information

Security

Program

Governance Structure and

Policies

Threat Intelligence

Audit Program


Risk Assessment and Control Structure

Incident Response

Business Continuity/ Disaster Recovery

Resilience/ Restoration

9/17/2015

9

GovernanceCybersecurity

Board and Senior Management Responsibilities and Duties Ensure strategic planning and budgeting provide sufficient

resources.

Provide sufficient authority, resources, and independence for information security.

Ensure policies and procedures address cybersecurity.

Incorporate cyber risk into the risk-based audit plan.

Provide reporting that assures the Board the ISP is working and included cybersecurity.

Cyber Risk is a Business Risk!

17


18

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



9/17/2015

10

Risk AssessmentCybersecurity

Governance and accountability

Enterprise-wide asset inventory

Multi-disciplinary approach

Threat analysis including cyber risks

Identify inherent risk, determine controls, quantify residual risk

Assesses changes in technology, operations, and cyber threat environment

19

Control StructureCybersecurity

Cyber Hygiene Security Awareness Training

Patch Management

Information Security Staff

Access Controls (Privileged Access)

Authentication

Detection Programs

20

9/17/2015

11


Security Awareness Training Enterprise-wide

Role-specific

Customers/Merchants

Third Parties

Cybersecurity Culture

21

“Think Before You Click”


Patch Management Formal written policy and procedures

Develop system for identifying, prioritizing, applying, and testing patches

Create/maintain asset inventories Software (Microsoft and Non-Microsoft)

Firmware (routers and firewalls)

Integrate threat intelligence

Mitigate risk from unsupported operating systems and applications

Report to board and senior management

BE TIMELY

IT Audit and internal reviews should validate22

9/17/2015

12


Information Security Staff Evaluate Staffing Adequacy

Organizational Chart

• Independent functions

Job Descriptions

Certifications

• e.g., Microsoft Certified Professional, CCNA, CISA, CISSP

Annual Training

• Internal Training

• External Training: e.g., ISACA, MISTI, Learning Tree, RSA Conference, NACHA Conference

23


Access Controls

Administered by an independent group

Emphasis on review of privileged access

Annual or regular, independent review of user access

24

9/17/2015

13


FFIEC Supplement to Authentication in an Internet Banking Environment Annual Risk Assessments

Layered Security• Anomaly Detection (Retail/Business Accounts)

– Initial Login/Authentication and Funds Transfers

• Administrative Controls (Business Accounts)

Customer Awareness and Education

25

FIL-50-2011


Detection Programs Anti-virus Software/Malware Detection

Intrusion Detection/Intrusion Prevention

Activity Logging• Systems• Frequency/Content/Retention• Review/Automation• Reporting

26

9/17/2015

14


27

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



Disaster Recovery/Business Continuity PlanningCybersecurity

Ensure cyber threats are added to business impact analysis (BIA) Include probability and impact to critical applications and

systems identified in BIA

Ensure cyber threats identified in BIA are incorporated in recovery plans

Include cyber scenarios in business continuity tests

28

9/17/2015

15


29

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



Program

Charter/Policy

Committee

Universe (Scope)• Risk Assessment• Cybersecurity

Plan/Budget

Reporting

Findings/Tracking

30

AuditCybersecurity

Types

General Controls

GLBA

Vulnerability Assessment

Penetration Test

ACH/Wires

Social Engineering

9/17/2015

16

Information Security Program: RefocusedCybersecurity

31

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



FFIEC Guidance: “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement,” dated November 3, 2014 “Financial institution management is expected to monitor and

maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly.”

Participation in Financial Services Information Sharing and Analysis Center (FS-ISAC) is encouraged.

FFIEC Business Continuity Planning Handbook, Appendix J released on February 6, 2015 –Strengthening the Resilience of Outsourced Technology Services

32


9/17/2015

17


33

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response


Resilience/

Restoration

Threat Intelligence: FS-ISACCybersecurity

• iSight Partners

• Secunia

• Wapack Labs

• NC4 Phy Sec

• MSA Phy Sec

Pri

vate

So

urc

es

34

9/17/2015

18

Alert Types

ANC: Announcements

CYT:Cyber Threat

CYI: Cyber Incidents

COI: Collective Intelligence

CYV: Cyber Vulnerability

PHT:Physical Threats

PHI: Physical Incidents

Depending on your role, you don’t have to follow every update, but FS-ISAC

recommends following these key reports. Doing so will limit emails to about 10/day.

Step 2: Understand the Criticality and Priority

• ANC = Priority 1-10, 8-10 is high priority• CYT = Risk 1-10, 8-9 is Urgent, 10 is Crisis• CYI = Risk 1-10, 8-9 is Urgent, 10 is Crisis• COI = No Criticality Metric• CYV = Risk 1-10, 8-9 is Urgent, 10 is Crisis• PHT = Risk 1-10, 8-9 is Urgent, 10 is Crisis• PHI = Informational, Minimal Impact, Moderate Impact,

Significant Impact, Major Business Disruption

Step 3: Make Choices Based on Role

• Analysts and those involved in risk assessment or vulnerability/patch management should receive CYV alerts.

• Intelligence analysts may also want to participate on the Cyber Intel listserv. POCs are automatically added, but a portal account is not necessary if you wish to add additional analysts to the distribution

• Provide portal accounts to your staff based on each individual’s role. This will allow them to employ portal filtering for their unique assignments

• Provide summary reports for mangers and technical reports for analysts. Making informed choices based on your role eliminates unneeded emails

Step 1: Understand the Alert Type

35

Threat Intelligence: FS-ISACCybersecurity

Be aware of FS-ISAC’s Traffic Light Protocol.

The abbreviation and criticality level will always appear in the subject

line, along with the title.

Following the TLP Color, the alert will go into more detail such as the

type of threat, summary, and handling instructions.

36

White Share freely but copyrighted

GreenShare among FS‐ISAC members and

partners only. Not public.

Amber Share among FS‐ISAC members only.

Red Restricted to a defined group.

Threat Intelligence: FS-ISAC AlertCybersecurity

9/17/2015

19

Threat Intelligence: US-CERT AlertCybersecurity

CVE Patching InformationAffected Products

37

Threat Intelligence: FBI Flash AlertsCybersecurity

38

9/17/2015

20

Threat Intelligence: FDIC Communications Cybersecurity

Prevention:

TO: Institution CIO and CISO

Detection:

Response:

Vendors have released patches for all seven of these vulnerabilities.

39

Threat IntelligenceCybersecurity

External Sources FS-ISAC

US-CERT

Third-Party Servicers• e.g., core, telecommunications,

managed security services

Internal Sources Reports

• Operational Reports

• Internal Audit Reports

• Fraud Detection Reports

• Logs

Security

Board

Operations

Tellers

Committees

Executives

Audit

Fraud

Network Administrator

HR

40

9/17/2015

21


41

Information

Security

Program

GovernanceStructure and

Policies

Threat Intelligence

Audit Program



Incident Response



Third-Party ManagementCybersecurity

Core Transactional Internet Banking

Mobile Banking

Managed Network Security

42

9/17/2015

22

Appendix J: Third-Party ManagementCybersecurity

Relationship Management Due Diligence

Contracts

Ongoing Monitoring

Resiliency and Testing Mission Critical Services

Capacity

Service Provider Continuity Scenarios

Evaluate/Understand Gaps

Service Provider Alternatives

43


44

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



9/17/2015

23

Appendix J: ResilienceCybersecurity

Incorporate the following risks/controls into business continuity plans:

Data backup architecture and technology

Data integrity controls

Independent, secondary communication providers

Layered security strategies

Enhanced planning for the possibility of simultaneous attacks

Increased awareness of insider threats

Prearranged third-party forensic and incident management services

45

Appendix J: Incident ResponseCybersecurity

Enhance and test incident response plans to incorporate potential cyber threats

Integrate service providers into incident response planning

FFIEC Guidance: “Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” dated April 1, 2005 Assess nature/scope and contain/control the incident

Notify primary federal regulator

File Suspicious Activity Report (SARs) and notify law enforcement

Notify customers if there is a reasonable likelihood the information will be misused

46

9/17/2015

24


47

Information

Security

Program


Policies

Threat Intelligence

Audit Program



Incident Response



FFIEC Cybersecurity Assessment ToolCybersecurity

FFIEC Press Release: Cybersecurity Assessment Tool, dated June 30, 2015

Voluntary tool to assist banks in identifying their risk profile and assessing their cybersecurity preparedness

Provides banks with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness over time

48

9/17/2015

25


Inherent Risk Profile Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Institution Characteristics

External Threats

Cybersecurity Maturity Cyber Risk Management and Oversight

Threat Intelligence and Collaboration

Cybersecurity Controls

External Dependency Management

Cyber Incident Management and Response

49


Maturity Levels: Baseline

Evolving

Intermediate

Advanced

Innovative

50

9/17/2015

26

Cyber Incident ReportingCybersecurity

RMS is updating its technology incident reporting guidance. RD Memo 25-2001, Technology Incident Report

IT ViSION Help Document

Interim procedures: Report time sensitive, cyber incidents affecting critical operations of

a bank or servicer provider to your appropriate IT Examination Specialist (ITES), Case Manager, or Regional management.

For significant incidents, the ITES should report the incident to the appropriate Washington Office RMS staff.

RMS staff should first consult with the Washington Office prior to reporting bank incidents to parties outside of RMS.

Record the incident in ViSION per outstanding guidance.

51


Emerging

ATM

52

9/17/2015

27

Summary Cybersecurity

Understand Cybersecurity Acknowledge Threat Environment Enhance Information Security Program

for Cyber Risk Threat Intelligence


Resilience

Incident Response

Incorporate Cybersecurity Assessment Tool

53

Financial Services-Information Sharing and Analysis Center (FS-ISAC) www.fsisac.com/

United States Computer Emergency Readiness Team (US-CERT) www.us-cert.gov/

InfraGard www.infragard.org/

U.S. Secret Service Electronic Crimes Task Forcewww.secretservice.gov/ectf.shtml

The Top Cyber Threat Intelligence Feedswww.thecyberthreat.com/cyber-threat-intelligence-feeds/

54

Threat Intelligence ResourcesCybersecurity

9/17/2015

28

ResourcesCybersecurity

FFIEC IT Handbookshttp://ithandbook.ffiec.gov

FFIEC Cybersecurity Awarenesshttp://ffiec.gov/cybersecurity.htm

Financial Stability Oversight Council 2015 Annual Reporthttp://www.treasury.gov/initiatives/fsoc/studies-reports/Pages/2015-Annual-Report.aspx

Financial Institution Letters www.fdic.gov/regulations/resources/director/risk/it-security.htm

55

Director’s Resource CenterCybersecurity

Director’s Resource Center www.fdic.gov/regulations/resources/director/

Technical Assistance Video Program Information Technology (IT)

Corporate Governance

Third-Party Risk

Vendor Management (Coming Soon)

Cybersecurity 101 (Coming Soon)

Cyber Challenge: A Community Bank Cyber Exercise• Vignette 1: Item processing failure scenario

• Vignette 2: Customer account takeover scenario

• Vignette 3: Phishing and malware problem

• Vignette 4: Problem with the bank’s technology service provider

• Vignettes 5-7: Coming Soon56

9/17/2015

29

Regional ContactsCybersecurity

Atlanta Region Richard Snitzer – [email protected] Lenna Escosa – [email protected]

57

Question/AnswersCybersecurity

Questions?

E-mail Questions to:[email protected]

58

Tiina K.O. RodrigueGWU 2nd‐year Doctoral Student, Cybersecurity Leadership

Program Director, Professional Services, CipherCloudPMP, CISSP, CISM, CCNP, CCDP, CCSP, InfoSec, ITIL, CEA, A+

Agenda Cyber Risk is Business Risk Cybersecurity is not Technology Assessment Tool Great Start Boards are Key, but not Enough Resiliency = Strength via Adversity Education isn’t an Annual Test Cloud Risk – How is it Different? Cyber Insurance – Necessary? Protect Data at the Source

Cyber Risk is Business Risk Cybercrime costs estimated $445B each year (Lohrmann, 2015)

Internal threat riskier than external attack (Schneier, 2008) Payment systems are targeted focus of attack (Fischer, 2014) Enterprise and Cloud systems underlie all transactions

Probability isn’t a question any more – when breached, not if Impact includes more than just monetary loss:

Goodwill • Data Integrity Reputation • Lawsuits Criminal Action • Insolvency

CRO and Risk Committees need to include cyber risk in every risk analysis – prioritize cyber as key threat vector

Cybersecurity is not Technology Technology alone will undermine security posture (Batteau, 2011) Cyber Risk needs to also examine holistic approach to:

Policy – How regularly are policies: Created and Reviewed by the board, Updated after incidents and testing?

Process – Are the appropriate resources & steps in place to: Record the event (simulated or real) Take appropriate action Maintain chain of evidence Record root cause, lessons learned, time to remediate

People – Are they trained and tested regularly in: Cross‐duty situations? Appropriate separation of duties? Internal threat awareness?

(Bagchi‐Sen, Rao, Upadhyaya and Chai, 2010)

Assessment Tool Great Start FFIEC created a terrific assessment tool for banks (June 2015) Great start as first step on cyber‐risk journey Includes Risk Profile and Maturity Assessment Directs CEOs and Boards towards Gaps and Risks Prescriptive steps are logical follow‐on

Need to work with banks to create action, not POA&Ms Gaps need to be more than goals, but funded efforts

Boards are Key, but not Enough 80% of boards do not review risks at each meeting The majority of board’s risk committees don’t review cybersecurity plans at all (51%)

Most cyber budgets are 1% of revenues or less More than 1/3 of banks didn’t have a CISO 73% of boards were not conversant on cyber issues Boards assumed vendors had sufficient protections, and were moderately to heavily dependent upon them

(McCormick, 2015)

Resiliency = Strength via Adversity Banks are increasingly complex, adaptive systems

Need to leverage adversity to grow stronger Anticipate incidents will happen Respond and document root‐cause, remediation Correct issues, apply lessons learned holistically

Adopt improved processes, training, methods Between incidents, audit, test, train and repeat Include all staff on simulations and tests Ensure cross training between duty assignments (Egli, 2013)

Education isn’t an Annual Test Cyber Risk needs a standard curriculum

Similar to investment analysis and risk management Needs to be regular, repeated, required, refined

Boards need to focus on known and emerging risks Preparation for the breach should be well established Acknowledgement that the incident could be caused either by internal or external actors is a key issue

All aspects of technology, policy and processes should be included

Cloud Risk – How is it different?

time], (repeat as necessary) (Iorga, NIST, 2015)

Cyber Insurance – Necessary? Banks should ensure they have appropriate D&O and cyber coverage to include all areas of impact Ensure PR and Disclosure remediation efforts are included in the costs, as they can endure beyond technology resolution requirements

Ensure fiduciary duty and class‐action litigation are also covered if caused by cyber incidents

Forensics and Incident Response that ensures chain of evidence and responsibility to ensure due care should be included in the cyber plan to include appropriate insurance

(Weil, Gotshal & Manges, 2015)

Protect Data at the Source Encryption or Tokenization should cover:

Data at Rest Data in Transit Data in Process

Separation of Duties should ensure data administrators and key managers are not same person

Key management role should be held by the bank, not service provider, not shared

Need to ensure minimal impact to business functionality

9/17/2015

1

FDIC Talking Points

FDIC Cybersecurity Talking Points

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber

threat to critical infrastructure continues to grow and represents one of the most serious national security

challenges we must confront.”

Executive Order 13636

2Federal Deposit Insurance Corporation

9/17/2015

2

Agenda

Agenda• Information Security + Cybersecurity

• Why Cybersecurity is Important

• Current Threats

• Cybersecurity Basics

• What institutions Should Do

• FFIEC Cybersecurity Assessment

• FFIEC Cybersecurity Assessment Key Elements• Identify Inherent Risks

• Cybersecurity Preparedness

• FFIEC Cybersecurity Assessment Key Elements

• Future FFIEC Cybersecurity Work

• Summary

• Questions

• Some Cybersecurity Sources/References


Information Security + Cybersecurity


As noted in several recent FFIEC Cybersecurity press releases, many of the building blocks for an effective cybersecurity program are similar to those for any well‐planned information security risk management program, including controls to prevent, detect, and respond to threats.

Information Security

“Information security is the process by which an institution protects and secures its systems, media, and facilities that process and maintain information vital to its operations. “

(SOURCE: FFIEC IT Handbooks –Information Security)

Cybersecurity

Cybersecurity is “the process of protecting information by preventing, detecting, and responding to attacks.”

(SOURCE: National Institute of Standards and Technology (NIST) Framework

9/17/2015

3

Why Cybersecurity Is Important

Cybersecurity risks translate into business risks, and those risks can ultimately have a negative financial effect on the institution.

Data must be secured to safeguard the institution’s:

• Customer information,

• financial information, and

• reputation.


Current Threats

• Threat Actors:

o Nation‐states

o Hacktivists

o Terrorism

o Organized criminals

o Insiders

• Today’s Threat Actors deploy:

o More sophisticated attacks

o More targeted attacks

o More persistent attacks


9/17/2015

4

Cybersecurity Basics


Institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology –based attacks.

Confidentiality, Integrity and Availability (CIA)

CIA is a model designed to guide risk management practices for information security and cybersecurity within an institution.

What institutions Should Do


• Setting the tone from the top and building a security culture;

• Identifying, measuring, mitigating, and monitoring risks;

• Developing risk management processes commensurate with the risks and complexity of the institutions;

• Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future;

• Creating a governance process to ensure ongoing awareness and accountability.

9/17/2015

5

What institutions Should Do (Continued)

• Ensuring timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks.

• Practicing their response to a cyber event just as they do for a physical event through their business continuity plan. The Cyber Challenge program.

• Talking about cyber security with their staff and their customers.

• Establishing relationships with experts so institutions know who to call in the event of a problem o regulator o local FBI contact.


FFIEC Cybersecurity Assessment

During the summer of 2014, Federal Financial Institutions Examination Council (FFIEC) members piloted a cybersecurity examination work program (Cybersecurity Assessment). Significant findings included:

• Financial institutions have numerous access points and use a variety of connection types.

• Financial institutions use several products and services which may introduce specialized cybersecurity risks.

• Financial institutions use a vast array of technologies to support their customers and employees.

• Cybersecurity inherent risk and overall cybersecurity preparedness were reviewed.


9/17/2015

6

FFIEC Cybersecurity Assessment Key Elements

The Cybersecurity Assessment reviewed financial institutions’ current practices and overall preparedness, focusing on the determination of:

• Cybersecurity Inherent Risk

• Cybersecurity Preparednesso Cyber Risk management and oversight o Threat intelligence and collaboration o Cybersecurity controls o External dependency management o Cyber incident management and resilience


Future FFIEC Cybersecurity Work


• Cybersecurity Self‐Assessment Tool

• Incident Analysis

• Crisis Management

• Training

• Policy Development

• Technology Service Provider Strategy

• Collaboration with Law Enforcement and Intelligence Agencies

9/17/2015

7

Summary

• Cybersecurity risks translate into business risks, and those risks can ultimately have a negative financial effect on the institution.

• The building blocks of an effective cybersecurity program are similar to those for any well‐planned information security risk management program, including controls to prevent, detect, and respond to threats.

• Engagement by the board of directors and senior management to include understanding of the institution’s cybersecurity inherent risk is required.

• Institution Management should Include discussion of cybersecurity issues in meetings.

• Monitoring and maintaining sufficient awareness of threats and vulnerabilities.

• Establishing and maintaining a dynamic control environment.

• Managing connections to third parties.

• Developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios.


Questions


9/17/2015

8

Some Cybersecurity Sources/References

Financial institutions should have a good go‐to source for information about cyber threats. • FBI Infragard at www.infragard.org• U.S. Computer Emergency Readiness Team at US‐CERT at www.us‐

cert.gov• U.S. Secret Service Electronic Crimes Task Force at

www.secretservice.gov/ectf.shtml• FFIEC Information Technology Examination Handbook, “Development

and Acquisition” http://ithandbook.ffiec.gov/it‐booklets/development‐and‐acquisition.aspx

• FFIEC Information Technology Examination Handbook, “Information Security” http://ithandbook.ffiec.gov/it‐booklets/information‐security.aspx

• FFIEC Information Technology Examination Handbook, “Operations”http://ithandbook.ffiec.gov/it‐booklets/operations.aspx


Rise of the underdark

Presented By: tim leonard

9/17/2015

1

Rise of the Underdark

This presentation was created by Tim Leonard and is protected via the Bitcoin BlockChain by www.proofofexitence.com.

This presentation is designed to help bankers understand thesophistication carders and thieves use to acquire data and avoiddetection. All local laws apply and nothing in this presentationshould be used for illegal or malicious purposes. The imagesused in this presentation are for educational purposes only. Fairuse applies. Tim Leonard is providing this education for thegreater good.

The views and opinions expressed, in this presentation, are notthose of Commercial Bank of Texas.

9/17/2015

2

Objectives

• Opsec and Tradecraft• Anonymous IDs• Burner Phones• Tails Operating System• TOR• Onion Browsers• Anon Emails and PGP• Bitcoins• The Dark Web / Underdark• Carding and Agent Handling

OpSecProcesses used to protect information that can be used against us. OPSEC challenges us to look at ourselves through the eyes of

an adversary .

9/17/2015

3

LEO and LEA

Tradecraft“Tradecraft, within the intelligence community, refers to the techniques used in modern espionage and generally, the activity of intelligence.” ‐ Wikipedia, September, 2014

Agent Handling Eaves Dropping

Concealment

Analytics

Dead Drops

Black Bag Ops INTERROGATION

Cryptography

Front Organization

Surveillance

Computer Espionage

9/17/2015

4

Deep Web | Dark Web | Underdark

• Drugs, Human trafficking, copyrighted media, pornography, weapons, political dissidents, stolen credit cards

• Websites end in .onion

• Only accessible with Tor

***** WARNING *****

Keep Your Mouth Shut!

9/17/2015

5

There is no such thing as a safe computer or cell phone.

Anon IDs

9/17/2015

6

Anon IDs

• A separate email is not enough

• Build elaborate online personas

• Understand the Psychology of IDs

• Lighting, Sounds, Clothes, Smells

• Writing styles ( Stylometrics)

• Believe your own lies

Allen Anderson

9/17/2015

7

Anon IDs

• Keep Separate “Golden Rule”

• Operate in large metropolitan areas

• Burner Phones, Laptops, Tails

• Public Wifi

• Anon Emails / Social Networking

• Encrypt Everything 4096 if Possible

• Dead Drops

Anon IDs“It only takes one slip to compromise your true identity”

I don’t know those fools.

9/17/2015

8

Burner Phones

Burner Phone Rules

• Cash only + No loyalty cards

• Purchase far from home

• No smart phones or GPS (getting harder)

• Removable battery!

• 60+ days till activate

• Personal “No Call List”

• Leave your regular phone at home

• Buy other stuff with only cash

9/17/2015

9

Tracking Cell Phones

• Cell Towers

• GPS

• Wifi Networks

• Bluetooth

Accuracy

Tracking: Cell Towers

Antenna Density and Location Antennae

50 – 100 M

9/17/2015

10

Tracking: Tower Dumps

A

B

C

Red = BurnerBlue = Personal

Tracking: Tower Dumps

9/17/2015

11

Burner Laptop Rules

• Pay Cash• DBAN old hard drive• Never use at house• Walk away if needed• Removable HDs are nice• Legit O.S. can decoy• Be aware of identifying info• Use Public Wifi

www.dban.org

Burner Laptop

1 2 3

9/17/2015

12

THE ONION BROWSER

Https EverywhereNever use real creds !!

THE ONION BROWSER

Tails

9/17/2015

13

Verify Tails and Build USB

9/17/2015

14

Burner PhoneBurner LaptopTails USB KeyPublic WifiCashCoffee !!

Let’s Recap

Stanford University Surveillance Lawby Jonathon Mayer

9/17/2015

15

Stanford University Surveillance Lawby Jonathon Mayer

Deep Web

9/17/2015

16

Two Rules When Operating In The

Deep Web

1. No pornography2. No politics

9/17/2015

17

9/17/2015

18

Anon Emails

• Create multiple emails across different providers.

• Create a PGP key for each email address to encrypt traffic. Use at least 4096 bit.

• Do not publish your public key to key servers.

• Never mail to or from your personal email.

• Use separate burner phones to authenticate.

9/17/2015

19

Pretty Good Privacy (PGP)

Private Key

Public Key

Private Key

Public Key

A uses B’s public key to encrypt document

A and B agree to exchange public keys

A emailes Encrypted document emailed to B

B decrypts document with private key

PGP Cont.

• Encrypt everything!

• Encryption is worthless with weak passwords.

• If your private keys are compromised so is you encryption.

• Never use any personal identifying info even if it is encrypted.

• Change your keys often.

9/17/2015

20

PGP Encrypted Email

Burner PhoneBurner LaptopTails USB KeyPublic WifiCashTorAnon EmailsPGP KeysCoffee !!

Let’s Recap

9/17/2015

21

BitCoin

Satoshi Nakamoto

What Bitcoin Is

• A decentralized digital currency

• Not under control of any govt. or central authority

• You can obtain them P2P, by selling services or products, or from on ramps.

• 1CvSGR947LmbRzRNciDmJcXyVoTGfJxdEg

9/17/2015

22

Bitcoin Cont.

Bitcoin Mixing Services

9/17/2015

23

Carding

www.tyner.com !!Clear Net!!

There are other places in the deep web

9/17/2015

24

Card Encoder

Dead Drops

• Packages should be shipped to vacant houses

• Track packages online and get quickly

• Use Tor to track packages

• Remember “Golden Rule”

• Use Mules/Runners to get packages for you

• The more layers the more anon. but more complex to manage

• Don’t get lazy!

9/17/2015

25

Counter Surveillance Routes

Agent Handling“It only takes one slip to compromise your true identity”

You Case Officer

Case Officer

Case Officer

Agents Use Cards

Agents Use Cards

9/17/2015

26

Good Side of the Darknet

Privacy and Anonymity = Freedom

9/17/2015

27

Demo

the cybersecurity assessment tool & 2016 technology predictions

Presented By: Stephen reyes

Documents

1:00 pm - Tax, Audit, Compliance, Financial Advisory FUNNEL - ATTENDEE PACKET 2015.pdfThursday, September 24, 2015 8:30 - 1:00 pm *Breakfast & Lunch provided* Meeting Location: The

1:00 pm - Tax, Audit, Compliance, Financial Advisory FUNNEL - ATTENDEE PACKET 2015.pdfThursday, September 24, 2015 8:30 - 1:00 pm Breakfast & Lunch provided Meeting Location: The