FFIEC Cybersecurity Assessment Tool
Timothy Segerson, Deputy Director, Office of Examination & Insurance
Utah Cybersecurity Session
Agenda
• Background – Why Now
• Tool Overview
• Mechanics of the Tool
• Uses and Benefits
• Next Steps for NCUA
Continuing saga of lost sensitive data
http://www.forbes.com/sites/katevinton/2015/06/12/report-new-government-data-breach-includes-sensitive-military-intelligence-personnel-data/
Every event enhances criminals’ ability to cross-reference personal information.
Cyber risk management is a volatile and fluid environment
Congressional Scrutiny
Critical Infrastructure Overview
Cyber Security is a Key Subset of the Critical Infrastructure for most Sectors
Ongoing Cyber Security Initiative
US Critical Infrastructure
Chemical - DHS
Defense Industrial Base - DOD
Commercial Facilities - DHS
Emergency Services - DHS
Communications - DHS
Energy - DOE
Critical Manufacturing - DHS
Financial Services - Treasury
Dams - DHS
Food & Agriculture – DHS&DOA&HHS
Transportation Systems – DHS&DOT
Water and Wastewater Systems - EPA
Government Facilities – DHS &GSA
Healthcare & Public Health - HHS
Information Technology - DHS
Nuclear Reactors, Materials, Waste - DHS
FBIIC Participation
[Diagram: FBIIC, FFIEC, TFOS and CCIWG; the legend distinguishes the FBIIC Chair, FFIEC Members and Other FBIIC Members]
FBIIC member organizations:
American Council of State Savings Supervisors
Commodity Futures Trading Commission
State Liaison Committee
Consumer Financial Protection Bureau
Department of the Treasury
Farm Credit Administration
Federal Deposit Insurance Corporation
Federal Housing Finance Agency
Federal Reserve Bank of Chicago
Federal Reserve Bank of New York
Federal Reserve Board
National Association of Insurance Commissioners
National Association of State Credit Union Supervisors
National Credit Union Administration
North American Securities Administrators Association
Office of the Comptroller of the Currency
Securities and Exchange Commission
Securities Investor Protection Corporation
Important on Multiple Levels
• Consumers – Trust in institutions is critical for it all to work
• Employees/Officials – A credit union’s most valuable assets may be targets.
• Organization – Integrity and Reputation of your business is essential for success.
• Industry – CU = links in critical financial system chain
The FFIEC Response
• Cybersecurity and Critical Infrastructure Working Group (CCIWG)
– Permanent FFIEC working group established in June 2013 to address Cybersecurity
– Coordinate enhanced Cybersecurity efforts across FFIEC agencies.
– CCIWG Reports to Council via Task Force on Supervision.
Increasing Risk to Credit Unions
Threat Environment
Changing Threat Environment
Proliferation of Connectivity
Growing Connectivity (Shodan, August 2014)
Connectivity, Another View (Shodan, August 2014; four screenshot slides, images not reproduced)
Growing Vulnerabilities
A 25-year trend demonstrates the increasing number of threats.
High-risk vulnerabilities have been expansive in scope and danger (e.g., Heartbleed and the Bash Shellshock bug).
Heartbleed and Shellshock are recent vulnerabilities triggering FFIEC alerts to the industry with an emphasis on timely patch management.
A Big Part of the Problem: Legacy Systems
What is old may not always be new, but when it comes to hacking, it's still effective.
44 percent of known breaches in 2014 came from vulnerabilities that were between two and four years old.
Zero Day and Beyond
Unpatched vulnerabilities and exploits exposed: second-order and third-order impacts.
Company used them to successfully spy for clients
No known US institution implications, but large European institutions affected
Staying Current
www.bankinfosecurity.com
Attack vectors continue to vary and change.
Small/medium businesses can be choice targets.
Tools get more sophisticated and are continually monetized as software for sale on the Dark Web.
Darkreading.com
Databreachtoday.com
DD4BC
www.bankinfosecurity.com
Impact of Cyber Threats
Stolen Database of Customer Accounts & Credentials
$40 million stolen from one institution
Core product intellectual property stolen
Limited customer access to online banking
INSIDER: Data theft through internal access
ORGANIZED CRIME: ATM Cash Out, wire fraud
NATION-STATE: Spear phishing to install malware
HACKTIVIST: Distributed Denial of Service
Financial & Public Confidence
Changing Threat Landscape
Threat tiers, from most to least capable:
APT – Well funded, organized and capable of compromising at will; major exfiltration, disruption and damage.
Advanced or Persistent – Capable of advanced attacks, less funding, less organization.
Neither Advanced nor Persistent – Least organized and least funded; sheer numbers could strip-mine vulnerabilities, especially in unprepared institutions.
Lower-level threats: large and growing numbers, advanced tools. APT/Nation States act like criminals and hacktivists; Hacktivists act like terrorists and criminals; Criminals act as guns for hire (i.e., for nation states/hacktivists).
Increasing Risk, Increasing Cost
Exploit Toolkits For Sale
Some Recent Examples
• $80 million FICU victim of Cryptowall
– ($500 US in bitcoin to get data systems released)
– Other small FICUs (refused ransom, wiped the box and restored data successfully)
• $60 million FICU victim of account takeover
– Corporate CU recognized unusual transaction and halted auto wire pending human confirmation.
• Medium institution(s): ID theft, tax return fraud with false identities
• Medium institution data exfiltration
• DD4BC
• Website Defacement
Growing Exposure
Rising Community Institution Exposure:
• Lower Skills = Growing Attack #s
• Lower Costs = Lower Return Targets
• Unique Attributes Increase Attractiveness
• Reliance on Outsourced Providers & 3rd Parties
US Credit Union Current Scope of Exposure
As of 12/31/2014 (number of FICUs, % of FICUs):
Website: 5,049 (81%)
Transactional: 4,411 (71%)
Internet Access: 6,068 (98%)
Wireless Network: 1,483 (24%)
Members: 46,788,777 (47%)
• Increasing Points of Attack
• Many Less Sophisticated Shops
• Nearly 100% with Some level of Risk Exposure
• 6,206 Credit Unions
• $1.2 Trillion Assets
• Average Assets $187 Million
50% (3,103) of FICUs are smaller than $26 Million in Consolidated Assets (median assets = $25.4 million)
Cybersecurity Assessment History
• June 2013: FFIEC CCIWG established
• June 2014: FFIEC pilots Cybersecurity Assessment exam work program
– Informed Strategic Vision/Objectives (http://www.ffiec.gov/press/pr031715.htm)
– Observations Report Issued (http://www.ffiec.gov/press/pr110314.htm)
– Target Statements and Guidance
– 3rd Party Service Providers
• June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool
Strong Industry Foundation and Benchmark
Comprehensive with a Relevant and Cross Referenced Foundation
• Common Structure to:
– Communicate between Board and Management
– Communicate Throughout Organization
– Communicate with Service Providers
[Diagram: the Cybersecurity Assessment Tool rests on the NIST Cybersecurity Framework, the FFIEC IT Handbook and Guidance, and Public & Industry Guidance and Models]
Effective Cyber Risk Management
• Common Structure to:
– Identify strengths and weaknesses (gaps)
– Optimize your cybersecurity investment
– Evaluate Existing and New Products, Services and Vendors
Other Source Guidance & Models
• U.K. Prudential Regulation Authority 2014 cybersecurity assessment
• Canada’s Office of Superintendent of Financial Institutions 2013 cybersecurity assessment
• Department of Energy’s Cybersecurity Capability Maturity Model Program (C2M2)
• Capability Maturity Model (CMM)
• Payment Card Industry Data Security Standard (PCI DSS)
• Many others including SEC, FINRA, and NY DFI
Cyber Risk Management Practice
[Chart: Program Development (vertical axis) against Organizational Risk Exposure – Cyber Risk vs. level of investment/effort (horizontal axis, Lowest Risk to Highest Risk). Bands run from Highest Security down to Lowest Acceptable Security, with an Optimal band between “Higher Investment – Possible Inefficiencies” above and “Under Investment – Too Much Risk For Measures Taken” below.]
Beyond minimum basic regulatory requirements and agency guidance, the RM approach should scale to the credit union’s level of risk exposure, appetite, complexity and perceived impact.
Enterprise Approach Toward Cyber Risk Management
Year of the Data Breach – A Moving “Target”
Some dubbed 2013 the year of the data breach after the Target breach.
Then came 2014:
• Home Depot: POS system compromise allowed breach of 56 million payment card numbers and 53 million email addresses.
• JPMorgan Chase: Hack affecting more than 50% of all households in the United States; personal information of 76 million households and 7 million businesses compromised.
• iCloud: Hackers leaked private images of many famous celebrities.
• Sony Pictures: Hackers stole intellectual, corporate, and personal information from Sony Pictures’ computer networks in retaliation for the movie “The Interview.”
Then came 2015 (YTD):
• Anthem: 80 million insured
• Premera Blue Cross: 11 million insured
• OPM: over 20 million federal employees
• Hacking Team
Objective: To help institutions identify their risks and determine their cybersecurity maturity.
The Assessment provides a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.
FFIEC Cybersecurity Assessment Tool
Consistent with the principles in
• FFIEC Information Technology Examination Handbook (IT Handbook)
• National Institute of Standards and Technology (NIST) Cybersecurity Framework
• Industry accepted cybersecurity practices
Consists of two parts:
Part One: Inherent Risk Profile
Part Two: Cybersecurity Maturity
Inherent Risk Profile Categories
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Inherent Risk Profile Risk Levels
Type, volume, and complexity of operations and threats directed at the institution
Least Inherent Risk → Minimal Inherent Risk → Moderate Inherent Risk → Significant Inherent Risk → Most Inherent Risk
Inherent Risk Profile Excerpt
Category: Technologies and Connection Types
Risk Levels: Least, Minimal, Moderate, Significant, Most

Activity, Service or Product: Total number of internet service provider (ISP) connections (including branch connections)
  Least: No connections
  Minimal: Minimal complexity (1–20 connections)
  Moderate: Moderate complexity (21–100 connections)
  Significant: Significant complexity (101–200 connections)
  Most: Substantial complexity (>200 connections)

Activity, Service or Product: Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  Least: None
  Minimal: Few instances of unsecured connections (1–5)
  Moderate: Several instances of unsecured connections (6–10)
  Significant: Significant instances of unsecured connections (11–25)
  Most: Substantial instances of unsecured connections (>25)
Cybersecurity Maturity
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Response
Cybersecurity Maturity hierarchy: Domains → Assessment Factors → Components → Declarative Statements
FFIEC Cybersecurity Assessment Tool
Domains and their Assessment Factors:
1 Cyber Risk Management & Oversight – Governance; Risk Management; Resources; Training and Culture
2 Threat Intelligence & Collaboration – Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
3 Cybersecurity Controls – Preventative Controls; Detective Controls; Corrective Controls
4 External Dependency Management – Connections; Relationships Management
5 Cyber Incident Management & Resilience – Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting
Cybersecurity Maturity Excerpt
Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Component: Oversight
Maturity Level: Baseline (each declarative statement is answered Y or N)
• Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.
• Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts.
• Management provides a written report on the overall status of the information security and business continuity programs with the board or an appropriate committee of the board at least annually.
• Budgeting process includes information security related expenses and tools.
• Management considers the risks posed by other critical infrastructures (e.g., telecom, energy) to the institution.
FFIEC Cybersecurity Assessment Tool
Maturity Levels (highest to lowest): Innovative, Advanced, Intermediate, Evolving, Baseline
Determine Cybersecurity Investment
[Matrix: Inherent Risk Levels across the top (Least, Minimal, Moderate, Significant, Most) against Cybersecurity Maturity Level for Each Domain down the side (Innovative, Advanced, Intermediate, Evolving, Baseline)]
Cyber Risk Management & Oversight
Cyber risk management and oversight addresses the board’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
Nine Components, 31 Baseline questions: Strategy/Policy, Audit, Staffing, IT Asset Management, Risk Assessment, Training, Oversight, Risk Management, Culture
Threat Intelligence & Collaboration
• Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
Three Components, 8 Baseline Statements
Threat Intelligence and Information
Monitoring and Analyzing
Information Sharing
Cybersecurity Controls
Preventative Controls
• Prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website filtering/whitelisting).
Detective Controls
• Identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, independent vulnerability assessments or pen tests.
Corrective Controls
• Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings.
Ten Components, 51 Baseline questions
External Dependency Management
External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third party relationships with access to the organization’s technology assets and information.
Four Components, 16 Baseline questions
Connections, Contracts, Due Diligence, Ongoing Monitoring
Cyber Incident Management & Resilience
Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization’s response to contain or mitigate, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
Five Components, 17 Baseline questions: Planning, Detection, Testing, Response & Mitigation, Escalation & Reporting
Supporting Materials
• User’s Guide
• Overview for CEOs and Boards of Directors
• Appendix A: Mapping Baseline Statements to FFIEC IT Handbook
• Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework
• Appendix C: Glossary
Benefits to Institutions
• Identify Risk Drivers
• Assess Level of Preparedness
• Identify Misalignments in Risk
• Determining Optimal Enhancements to Align
• Informing Risk Management Strategies
• Understanding Risk with Third Parties and Partners
• Measuring and Monitoring Progress
• Connect Strategic with Operational Functions
Some of the model mechanics
CAT Topics
Comprehensive RM Process
1) Cyber Risk Management & Oversight
• Governance, Risk Management, Resources, Training & Culture
2) Threat Intelligence & Collaboration
• Intelligence Gathering, Monitoring & Analyzing, Information Sharing
3) Cybersecurity Controls
• Preventative Controls, Detective Controls, Corrective Controls
4) External Dependency Management
• Connections, Relationships Management
5) Cyber Incident Management & Resilience
• Incident Resilience Planning/Strategy, Detection/Response/Mitigation, Escalation & Reporting
Cybersecurity Maturity/Risk Relationship
[Chart: maturity, from Lowest Maturity to Highest Maturity, plotted against institutions from Lowest Risk Institutions to Highest Risk Institutions]
Additive Model Structure (threat intelligence example)
INNOVATIVE
ADVANCED
• Threat Analysis Team
• Investment in Transformational Threat Intelligence Technology
INTERMEDIATE
• Cyber Intelligence Model
• Multi-source Real-Time Threat Intelligence
• Threat Intel on Geopolitical Events
EVOLVING
• Formal Threat Intelligence Program
• Collection Protocols
• Read-only repository
BASELINE
• Analyze Tactics, Perform Risk Mitigation
• Threat Info Source(s)
• Active Monitoring
• Enhance Risk Management
Items to review
• List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services).
• Management reports on cyber intelligence.
• Verify FI has conducted interviews with vendors as needed.
FFIEC Cybersecurity Assessment Tool
[Matrix: Inherent Risk Levels across the top (Least, Minimal, Moderate, Significant, Most) against Cybersecurity Maturity Level for Each Domain down the side (Innovative, Advanced, Intermediate, Evolving, Baseline). Maturity running ahead of the inherent risk level is labelled Elevated Investment, maturity lagging it is labelled Underinvestment, and the band between is labelled Optimal.]
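As an added illustration of the model mechanics on these slides (the count-to-risk-level banding in the Inherent Risk Profile excerpt, the additive maturity structure, and the risk/maturity matrix above), here is a small Python scorer. It is example code written for this page, not the FFIEC tool or NCUA's implementation. The threshold bands are the ones printed in the excerpt; the rule for collapsing per-activity levels into one overall profile, the reading of "Optimal" as equal risk and maturity positions, and the sample statement answers are assumptions constructed for the example.

```python
# Added example, not part of the FFIEC Cybersecurity Assessment Tool or of this
# presentation. Three mechanics from the slides are modelled:
#   1. banding an activity count into an Inherent Risk level (thresholds from the
#      "Technologies and Connection Types" excerpt);
#   2. the additive maturity model: a level counts only when every declarative
#      statement at that level AND at every lower level is met;
#   3. reading the risk/maturity matrix as Underinvestment / Optimal / Elevated.
# The overall-profile rule and the "Optimal = same position" reading are
# simplifying assumptions for this example, not the tool's own rules.

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Inclusive upper bounds for Least, Minimal, Moderate, Significant; anything
# above the last bound is rated Most. Values come from the slide excerpt.
ISP_CONNECTION_BANDS = (0, 20, 100, 200)     # 0, 1-20, 21-100, 101-200, >200
UNSECURED_CONNECTION_BANDS = (0, 5, 10, 25)  # 0, 1-5, 6-10, 11-25, >25


def band_level(count, bands):
    """Return the inherent risk level for a non-negative count of an activity."""
    if count < 0:
        raise ValueError("count must be non-negative")
    for level, upper in zip(RISK_LEVELS, bands):
        if count <= upper:
            return level
    return RISK_LEVELS[-1]


def overall_risk(profile):
    """Collapse per-activity levels into one overall Inherent Risk Profile.
    Assumption for this example: the level holding the most activities wins,
    and a tie is resolved toward the higher level."""
    counts = {level: 0 for level in RISK_LEVELS}
    for level in profile.values():
        counts[level] += 1
    top = max(counts.values())
    return [level for level in RISK_LEVELS if counts[level] == top][-1]


def domain_maturity(statements):
    """Additive model: walk Baseline -> Innovative and stop at the first level
    whose declarative statements are not all met. Returns the highest level
    fully attained, or None when even Baseline is not fully met."""
    attained = None
    for level in MATURITY_LEVELS:
        answers = statements.get(level, [])
        if answers and all(answers):
            attained = level
        else:
            break
    return attained


def investment_gap(risk_level, maturity):
    """Place a domain on the risk/maturity matrix. Assumption for this example:
    Optimal means the maturity position equals the risk position; lower is
    Underinvestment, higher is Elevated Investment."""
    r = RISK_LEVELS.index(risk_level)
    m = -1 if maturity is None else MATURITY_LEVELS.index(maturity)
    if m < r:
        return "Underinvestment"
    if m > r:
        return "Elevated Investment"
    return "Optimal"


def assess(isp_connections, unsecured_connections, domain_statements):
    """Run the three steps; returns (overall risk, {domain: (maturity, gap)})."""
    profile = {
        "ISP connections": band_level(isp_connections, ISP_CONNECTION_BANDS),
        "Unsecured external connections":
            band_level(unsecured_connections, UNSECURED_CONNECTION_BANDS),
    }
    overall = overall_risk(profile)
    report = {}
    for domain, statements in domain_statements.items():
        maturity = domain_maturity(statements)
        report[domain] = (maturity or "Below Baseline",
                          investment_gap(overall, maturity))
    return overall, report


# Constructed sample answers (True = statement met); not a real institution.
SAMPLE_DOMAIN_STATEMENTS = {
    "Threat Intelligence & Collaboration": {
        "Baseline": [True] * 8,               # all 8 Baseline statements met
        "Evolving": [True, True, True],
        "Intermediate": [True, False, True],  # one gap stops the climb here
    },
    "Cybersecurity Controls": {
        "Baseline": [True] * 50 + [False],    # one unmet Baseline statement
        "Evolving": [True, True],
    },
    "Cyber Risk Management & Oversight": {
        "Baseline": [True] * 31,
        "Evolving": [True] * 4,
        "Intermediate": [True] * 3,
        "Advanced": [True, True],
    },
}

if __name__ == "__main__":
    overall, report = assess(35, 3, SAMPLE_DOMAIN_STATEMENTS)
    print("Overall inherent risk:", overall)
    for domain, (maturity, gap) in report.items():
        print(f"{domain}: {maturity} -> {gap}")
```

With the constructed sample, 35 ISP connections band to Moderate and 3 unsecured connections to Minimal, so the overall profile resolves to Moderate; the first domain stops at Evolving (Underinvestment), the second never clears Baseline (Underinvestment), and the third reaches Advanced (Elevated Investment). The point of the additive walk is that a single unmet Baseline statement leaves the whole domain below Baseline no matter how many higher-level statements are met.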
FS-ISAC Basic Membership
FS-ISAC Membership
Summary of Assessment Process
• Calibrate Risk Appetite
• Identify Critical Functions/Vendors
• Complete Inherent Risk Profile
• Assess Maturity
• Determine Target State
• Develop Action Plan
• Allocate Resources
– Cybersecurity Investment
• Adjust Program
– Mitigate Cyber Risks
• Involve Board of Directors Throughout
– Ongoing reporting
Assessment Process
Establish Risk Appetite
1. Identify Critical Functions & Vendors
2. Complete Inherent Risk Profile
3. Assess Maturity
4. Determine Target State
5. Develop Plan to Address Gaps
6. Allocate Resources
7. Adjust Program
8. Report Progress To Board
Cyber Risk Mitigation Approaches
• Change risk profile (streamline risk)
• Increase Cybersecurity Investment (staff, infrastructure, services)
• Increase Capital (accept the risk)
• Alternative risk management approaches
• Cyber Insurance (insure what you can’t control)
Most Institutions will use most or all of these options in a combined risk management process.
NCUA Implementation Timeline
• 12 month Industry Implementation
– National outreach efforts through 3/31/16
– No formal exam or evaluation using tool until 6/2016
– Select webinars informing/training
• 12 month Exam Implementation
– Staff Training
– Tool and Exam Aid Development
– Field Testing
– System Development
Helpful Web Resources
• www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
• www.ffiec.gov/cybersecurity.htm
• www.us-cert.gov
• csrc.nist.gov
• www.fsisac.com
• www.isaca.org
• www.owasp.org
• www.sans.org
• www.cert.org
• www.whitehouse.gov/issues/technology
• www.whitehouse.gov/issues/foreign-policy/cybersecurity
• www.dhs.gov/topic/cybersecurity
• www.dhs.gov/stopthinkconnect
• www.fbi.gov/about-us/investigate/cyber
• www.ic3.gov/default.aspx
• www.secretservice.gov/ectf.shtml
• www.secretservice.gov/ntac.shtml
THANK YOU FOR ATTENDING!