
Cybersecurity - SecureTheVillage · Cybersecurity Assessment Assessment methodology: • FFIEC has provided a Cyber Assessment methodology for financial institution use- information


Cybersecurity

Robert J. Lipot, CRISC, Senior IT Examiner

June 2016


Discussion Topics

• Cybersecurity Issues

• Executive Order 13636

• States and Federal Regulators Promote Awareness

• Key Areas of Focus

• Cyber Assessment

• InTREx (exam procedures)

• Awareness & Information Activities


Cybersecurity Issues

• Heightened attacks, many against commercial & financial services

• Accessibility of systems via the Internet or wireless connections

• A more mobile society wanting on-line access 24 x 7 from anywhere

• Global nature of business


Info-Tech Survey

82% of companies surveyed don’t have a formal process for evaluation of disruptive technologies


President’s Executive Order 13636 (02/12/2013)

• Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity

• The EO has gotten the attention of Congress and regulators regarding institutions’ ability to protect technology and manage cyber risks


Web 1.0 & 2.0

Web 1.0

• Dominated by published content

• Publicly accessible on-line

Web 2.0 (Interactive Internet)

• Collaborative environment that facilitates creation and exchange of user-generated content via dynamic channels, including social media

• Platforms include video sharing, search engine marketing and optimization, online newsrooms, mash-ups, and viral and word-of-mouth (WOM) marketing


Cybersecurity Awareness: Importance

• Cyber criminals are becoming more “active” towards financial entities and/or their customers

• Break-ins and attempted/actual thefts more prevalent

• Not a matter of “if”, but “when”

• Method(s) of determining awareness and preparedness at our licensees


Finding/Determining/Addressing Key Areas of Focus

• Risk Assessment

  – ID/value all enterprise assets/data

  – Determine inherent risks (internal/external)

• Evaluate controls

  – Using CAT/other tools

• Mitigation strategies, as necessary

• DR/BCP and Incident Response


Threat Environment/Key Areas of Focus

• Web Facing Devices and Apps

• Security Monitoring

• Connection Security

• Mobile Devices/IoT

• DLP

• ATMs

• Privileged Accounts

• Patch Management


Issues/Concerns: Detection/Protection

• Common Security Mistakes

• Cybersecurity Assessment Tool (CAT)

• FFIEC Cyber Information

• Cyber Insurance

• Regulator Awareness

• FS-ISAC


Web “Facing” Devices and Applications

Key Hacker targets:

Websites

All Mobile Devices

Online Banking

Mobile Banking

App Stores

Internet of Things (IoT)


Security Monitoring: Internal & External Threats

• Continuous monitoring of system and network activity from sensors, devices, tools, etc.:

– Firewalls

– Routers

– IDS/IPS

– Vulnerability Assessments/Pen Testing

– Audit Logs

– Anti-Malware (viruses, spyware, etc.)


Connection Security

Knowledge of logical and physical connections, e.g.:

Core providers

Internet Service Providers

Wireless Networks

Virtual Private Networks

Wire Transfer/ACH Systems

Network/Core Processor Devices

Telecommunications Room


Mobile Devices Are Targeted (DLP)

BYOD vs. Licensee-owned

Types, e.g.:

Smart/Mobile Phones

Tablets/Notebooks

Laptops

Thumb Drives

Data Permitted

Applications Allowed

Device Security


Where are attacks coming from?

Multitude of Attack Vectors:

SMS

Wi-Fi

Bluetooth

Infrared

Web Browser

Email Client

Third Party Apps

Operating System Vulnerabilities

Physical Access


Current Mobile Threats: SMS Botnets

• SMS Spam Botnet: directs users to download malware directly onto their device

1. An SMS is received containing a URL

2. When the user clicks on the URL, a Trojan is installed on the device alongside the legitimate application

3. The Trojan contacts a C&C (command-and-control) server to obtain the spam message

4. The spam message is sent to the contacts stored in the phone


Current Mobile Threats: Ransomware

• Ransomware: malware which effectively holds a user’s device hostage until a fee is paid

– Can also happen to any computing device

– Banks and businesses have been impacted and it will continue…


Internet of Things

Wearable technology, e.g.:

• Google Glass, Apple Watches, etc.

• Fitbits

• Many others……..


Internet of Things

Many other “things”:

• Cars

• Appliances

• Security cameras/ security alarm sensors

• Printers

• List goes on……..


Internet of Things

Five Reasons IoT Is Different than “Conventional” IT (Drue Reeves)

• IoT is business driven

• The volume, velocity and variety of data

• Combination of “operational tech” and “information tech”

• Unique risks created by end-to-end automation

• Integration, integration, integration


ATMs Aren’t Exempt

Per Krebs on Security:

• Bluetooth skimming devices are “planted” inside ATMs

• They capture all card and PIN data entered

• They can capture megabytes of data

• Crooks then use Bluetooth to exfiltrate the captured data without touching the ATM again


Hacked PC (Krebs on Security)


Hacked Email (Krebs on Security)


Privileged/Admin Access

• “Skeleton Key”: an all-access key

• Access to key functions such as adding, deleting and changing employee rights and permitted activities, which is a key to gaining system control

• Access to key controls such as auditing, logging, etc. that would record a cyber event, and therefore the ability to switch them off or erase their record


Privileged/Admin Access

• Could also permit “root” access, which allows the holder to change operating system controls

• 80% of cyber theft is committed with privileged access (e.g., Sony, Target)
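The two Privileged/Admin Access slides and the Security Monitoring slide (“Audit Logs”) together make one point: the account that can change auditing and logging can also hide what it did. The following is an added example, written for this page and not taken from the deck or from FFIEC material, that shows the detection side. It parses a few constructed audit log lines and flags audit-policy changes, log clearing, privilege grants by accounts outside an assumed approved-admin list, and the blind window between an audit-disable and the matching re-enable on the same host. The log format, host and account names, action names and the approved-admin list are all assumptions.

```python
"""Flag privileged-account actions that would blind monitoring.

Rules applied (assumptions of this added example, not FFIEC guidance):
  1. Disabling auditing or clearing a log is always a finding: these are
     the controls that would record a cyber event.
  2. A privilege grant by an account outside the approved-admin list is a
     finding (an unapproved "skeleton key" being minted).
  3. If auditing is disabled and later re-enabled on the same host, the
     window is reported with its duration; nothing inside it was recorded.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit log (not from the deck): an ISO timestamp
# followed by key=value fields, one event per line.
SAMPLE_LOG = """\
2016-06-01T08:02:11Z host=core-app01 user=jdoe action=login result=success
2016-06-01T08:05:43Z host=core-app01 user=jdoe action=file_read object=/data/reports/q1.xlsx
2016-06-01T22:14:09Z host=core-db01 user=svc_backup action=audit_policy_change detail=disabled
2016-06-01T22:15:02Z host=core-db01 user=svc_backup action=log_clear object=Security
2016-06-01T22:16:30Z host=core-db01 user=svc_backup action=privilege_grant target=tmp_admin role=Administrators
2016-06-01T22:40:09Z host=core-db01 user=svc_backup action=audit_policy_change detail=enabled
2016-06-02T09:00:00Z host=core-ad01 user=admin_kw action=privilege_grant target=newhire role=Domain_Users
"""

APPROVED_ADMINS = {"admin_kw"}  # assumption: the licensee's approved admin list
FIELD_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

Finding = Tuple[str, str, str]  # (timestamp, account, description)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'TS k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit_findings(text: str, approved_admins=APPROVED_ADMINS) -> List[Finding]:
    findings: List[Finding] = []
    disabled_since: Dict[str, Tuple[str, str]] = {}  # host -> (ts, account)
    for ev in parse_log(text):
        ts, host = ev["ts"], ev.get("host", "?")
        user, action = ev.get("user", "?"), ev.get("action")
        if action == "log_clear":
            findings.append((ts, user, f"cleared the {ev.get('object', '?')} log on {host}"))
        elif action == "audit_policy_change" and ev.get("detail") == "disabled":
            findings.append((ts, user, f"disabled auditing on {host}"))
            disabled_since[host] = (ts, user)
        elif action == "audit_policy_change" and ev.get("detail") == "enabled":
            if host in disabled_since:
                start, who = disabled_since.pop(host)
                gap = datetime.strptime(ts, TS_FMT) - datetime.strptime(start, TS_FMT)
                minutes = int(gap.total_seconds() // 60)
                findings.append((ts, who, f"auditing was off on {host} for {minutes} min; "
                                          "activity in that window was never recorded"))
        elif action == "privilege_grant" and user not in approved_admins:
            findings.append((ts, user, f"unapproved privilege grant: {ev.get('target')} -> {ev.get('role')}"))
    # Hosts still blind when the log ends.
    for host, (start, who) in disabled_since.items():
        findings.append((start, who, f"auditing still disabled on {host} at end of log"))
    return findings


if __name__ == "__main__":
    for ts, who, what in audit_findings(SAMPLE_LOG):
        print(f"{ts} {who}: {what}")
```

On the sample log the backup service account produces four findings (disable, clear, unapproved grant, 26-minute blind window) while the approved administrator’s grant produces none. The design point is that these events must be collected off-host, by the monitoring described on the Security Monitoring slide, because the same account that generated them could otherwise erase them.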


Common Security/Cyber Mistakes

• Treating security as a “once and done” activity

• Not knowing where the data is at all times

• Forgetting about “all” tech items employed

• Not ensuring security is entity-wide and that everyone plays a role


Common Security/Cyber Mistakes

• Not addressing different “age groups” and cultures

• Security is an afterthought

• Not knowing who is targeting the entity

• Not fully understanding the implications of third-party risks to the licensee


Cybersecurity Assessment

Assessment methodology:

• FFIEC has provided a Cyber Assessment methodology for financial institution use; information at www.FFIEC.gov

• It assists in determining how much cybersecurity effort the licensee has made

• Draws on the FFIEC IT Examination Handbook and the NIST (National Institute of Standards and Technology) Cybersecurity Framework

• For 2015/16, examiners are reviewing for the “Baseline” maturity level and encouraging licensees to strive for higher levels

• Alternative methods to the CAT that provide the same/similar results are acceptable

• The CAT covers the areas discussed in the previous slides


FFIEC Cybersecurity Assessment Tool (cont.)

• Currently voluntary

• Licensee awareness: discuss the “Tool”

• Inform management of the FFIEC link

• As usual, expect more information; stay tuned


FFIEC- CAT Domains


Highlight- FFIEC’s Cyber Maturity


Risk/Maturity Relationship


Definitions of Maturity Levels
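The maturity levels on these CAT slides are cumulative: a domain reaches a level only when every declarative statement at that level and at every lower level is answered “Yes” or “Yes with compensating controls”, which is why a licensee that meets several Intermediate statements but misses one Evolving statement is still scored at Baseline. The following is an added worked example, written for this page and not taken from the deck or from the FFIEC tool, that scores constructed answers for the five CAT domains under that rule and compares each domain with a target level derived from the inherent risk profile. The statement counts, the answers and the risk-to-target mapping are assumptions; the CAT itself presents the risk/maturity relationship as a range rather than a fixed mapping.

```python
"""Score FFIEC CAT cybersecurity maturity per domain under the cumulative rule
and compare it with a target derived from the inherent risk profile.

Taken from the CAT itself: the five maturity levels, the five domains, the
five inherent-risk levels, and the rule that a domain attains a level only
when every declarative statement at that level and at every lower level is
answered Yes (Y) or Yes with compensating controls (YC).

Assumptions of this added example: the statement counts and answers are
constructed, and the inherent-risk-to-target mapping is an illustrative
policy; the CAT shows the relationship as a range, not a fixed rule.
"""
from typing import Dict, List, Optional

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]
TARGET_FOR_RISK = {  # assumption: illustrative mapping, not prescribed by the CAT
    "Least": "Baseline", "Minimal": "Evolving", "Moderate": "Intermediate",
    "Significant": "Advanced", "Most": "Innovative",
}
YES = {"Y", "YC"}

Answers = Dict[str, List[str]]  # level -> answers to that level's declarative statements


def domain_maturity(answers: Answers) -> Optional[str]:
    """Highest level attained under the cumulative rule; None if Baseline is not met."""
    attained = None
    for level in LEVELS:
        responses = answers.get(level, [])
        if not responses or any(r not in YES for r in responses):
            break  # a failed (or unanswered) level blocks every level above it
        attained = level
    return attained


def assess(inherent_risk: str, domain_answers: Dict[str, Answers]) -> Dict[str, dict]:
    """Per-domain maturity, target and gap (in levels) for one inherent risk profile."""
    target = TARGET_FOR_RISK[inherent_risk]
    report = {}
    for domain in DOMAINS:
        level = domain_maturity(domain_answers.get(domain, {}))
        have = LEVELS.index(level) if level else -1
        report[domain] = {
            "maturity": level,
            "target": target,
            "gap_levels": LEVELS.index(target) - have,  # >0 below target, <0 above it
        }
    return report


def below_baseline(report: Dict[str, dict]) -> List[str]:
    """Domains that fail even Baseline, the level examiners are reviewing for."""
    return [d for d, r in report.items() if r["maturity"] is None]


# Constructed answers for an institution with a Moderate inherent risk profile.
SAMPLE_ANSWERS: Dict[str, Answers] = {
    "Cyber Risk Management and Oversight": {
        "Baseline": ["Y", "Y", "YC"], "Evolving": ["Y", "Y"], "Intermediate": ["Y", "N"]},
    "Threat Intelligence and Collaboration": {
        "Baseline": ["Y", "Y"], "Evolving": ["Y", "YC"], "Intermediate": ["Y", "Y"], "Advanced": ["N"]},
    "Cybersecurity Controls": {
        "Baseline": ["Y", "N", "Y"], "Evolving": ["Y"]},
    "External Dependency Management": {
        "Baseline": ["Y"], "Evolving": ["Y"], "Intermediate": ["Y"], "Advanced": ["Y"], "Innovative": ["Y"]},
    "Cyber Incident Management and Resilience": {
        "Baseline": ["Y", "Y"], "Evolving": ["N"], "Intermediate": ["Y"]},
}

if __name__ == "__main__":
    report = assess("Moderate", SAMPLE_ANSWERS)
    for domain, r in report.items():
        print(f"{domain}: {r['maturity'] or 'below Baseline'} "
              f"(target {r['target']}, gap {r['gap_levels']:+d})")
    print("Below Baseline:", below_baseline(report))
```

With the constructed answers, Cybersecurity Controls fails one Baseline statement and so scores no level at all, and Cyber Incident Management scores Baseline despite a “Yes” at Intermediate, because the missed Evolving statement blocks everything above it. That blocking behaviour is what makes the Baseline review a meaningful floor rather than a box-ticking exercise.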


FFIEC Cyber Web Page


IT Exam Procedures- InTREx

• InTREx = Information Technology Risk Examination

• Four core work programs (WPs): Audit, Management, Development & Acquisition, and Support & Delivery

• The other WPs: Cybersecurity, EFT, and Information Security Standards (GLBA)

• The WPs include the CAT


IT Exam Procedures- InTREx (cont.)

• Each core WP is targeted to provide the analysis needed to assign a URSIT (Uniform Rating System for Information Technology) component rating (1-5)

• The other WPs provide supplemental information to assist in the URSIT component and composite ratings

• Like the IT-RMP, InTREx results will still weigh heavily on the Management component of the safety-and-soundness CAMELS rating


IT Exam Procedures- InTREx (cont.)

• InTREx is in the “test” phase until June 2016

• Each state will need to determine/approve whether it will use InTREx or a facsimile going forward

• Federal regulators (FRB and FDIC) have already made that determination

• Large banks, depending on state/federal guidelines, may use the FFIEC WPs from the IT Handbooks


Cyber Risk Insurance

• Has been around for 11 years

• Used as a risk-transfer option

• As of Jan 2015, 46 of 50 US states have mandatory data breach notification standards

• Expenses of handling/covering such losses are increasing; insurance may be an option for our Licensees

• Some states are looking at examinations to include cyber insurance, e.g. NY

• Is expected to grow substantially


Cyber Risk Ins. Coverage

• Theft or manipulation of sensitive or private information

• Computer viruses, malware, etc.

• Computer fraud

• Could have a “high” deductible and only a percentage of coverage after that

• May only be obtained from some insurance companies

• Coverage will require certain conditions to be met


Cyber Insurance Summary

• Not all policies are “created equal”

• Certain cyber risks may be covered, some not

• Licensees need to “shop around” for terms, conditions, coverages, and deductibles

• Costs will vary depending on the size and complexity of our Licensees, along with which cyber risks are covered

• Need due diligence in looking for appropriate coverage specific to the Licensee


Regulators Promote Awareness and Information Activities (some examples)

• FFIEC Cybersecurity webinar for Board and senior management and guidance

• FFIEC Cyber awareness (link on main web page)


Regulators Promote Awareness and Information Activities (some examples)

• State example: Cybersecurity in the Golden State, the California Attorney General (Kamala Harris) cyber guide: https://oag.ca.gov/cybersecurity

• CSBS Corporate Account Takeover (CATO) webinar and guidance (on CSBS website)


FS-ISAC

• Financial Services Information Sharing and Analysis Center

• Provides a wealth of information to Licensees

• FFIEC encourages becoming a member for certain benefits

• Website: https://www.fsisac.com/


Quick Cybersecurity Recap

•Need for management to realize the importance of awareness, preparation, training, and ongoing alertness

• Thus, Cybersecurity efforts should be discussed at key management committees and reported to Board


Cybersecurity Summary

• IT systems need to be updated regularly

• Staff training and vigilance are key components for prevention

• Licensees can’t be caught asleep at the switch!!


References

• www.FFIEC.gov

• www.nist.gov

• www.fsisac.com


• www.whatis.techtarget.com

• www.fdic.gov - RD Memo 2015-11