FFIEC Cybersecurity Assessment Tool
Timothy Segerson, Deputy Director, Office of Examination & Insurance

Page 2

Utah Cybersecurity Session

Agenda

• Background – Why Now
• Tool Overview
• Mechanics of the Tool
• Uses and Benefits
• Next Steps for NCUA

Page 3

Continuing saga of lost sensitive data

http://www.forbes.com/sites/katevinton/2015/06/12/report-new-government-data-breach-includes-sensitive-military-intelligence-personnel-data/

Every event enhances criminals' ability to cross-reference personal information.

Cyber risk management is a volatile and fluid environment

Page 4

Congressional Scrutiny

Page 5

Critical Infrastructure Overview

Cyber Security is a Key Subset of the Critical Infrastructure for most Sectors

Ongoing Cyber Security Initiative

US Critical Infrastructure

Chemical - DHS

Defense Industrial Base - DOD

Commercial Facilities - DHS

Emergency Services - DHS

Communications - DHS

Energy - DOE

Critical Manufacturing - DHS

Financial Services - Treasury

Dams - DHS

Food & Agriculture – DHS&DOA&HHS

Transportation Systems – DHS&DOT

Water and Wastewater Systems - EPA

Government Facilities – DHS &GSA

Healthcare & Public Health - HHS

Information Technology - DHS

Nuclear Reactors, Materials, Waste - DHS

FBIIC Participation (diagram of overlapping groups: FBIIC, FFIEC, TFOS, CCIWG; legend: FBIIC Chair, FFIEC Members, Other FBIIC Members)

FBIIC members:
American Council of State Savings Supervisors
Commodity Futures Trading Commission
State Liaison Committee
Consumer Financial Protection Bureau
Department of the Treasury
Farm Credit Administration
Federal Deposit Insurance Corporation
Federal Housing Finance Agency
Federal Reserve Bank of Chicago
Federal Reserve Bank of New York
Federal Reserve Board
National Association of Insurance Commissioners
National Association of State Credit Union Supervisors
National Credit Union Administration
North American Securities Administrators Association
Office of the Comptroller of the Currency
Securities and Exchange Commission
Securities Investor Protection Corporation

Page 6

Important on Multiple Levels

• Consumers – Trust in institutions is critical for it all to work

• Employees/Officials – A credit union's most valuable assets may be targets.

• Organization – Integrity and Reputation of your business is essential for success.

• Industry – CU = links in critical financial system chain

Page 7

The FFIEC Response

• Cybersecurity and Critical Infrastructure Working Group (CCIWG)

– Permanent FFIEC working group established in June 2013 to address Cybersecurity

– Coordinate enhanced Cybersecurity efforts across FFIEC agencies.

– CCIWG Reports to Council via Task Force on Supervision.

Page 8

Increasing Risk to Credit Unions

Threat Environment


Page 9

Changing Threat Environment


Page 10

Proliferation of Connectivity

Page 11

Growing Connectivity (Shodan, August 2014)

Page 12

Connectivity: Another View (Shodan, August 2014)

Page 13

Connectivity: Another View (Shodan, August 2014)

Page 14

Connectivity: Another View (Shodan, August 2014)

Page 15

Connectivity: Another View (Shodan, August 2014)

Page 16

Growing Vulnerabilities

A 25-year trend demonstrates the increasing number of threats.

High-risk vulnerabilities have been expansive in scope and danger (e.g., Heartbleed and the Bash Shellshock bug).

Heartbleed and Shellshock are recent vulnerabilities triggering FFIEC alerts to the industry with an emphasis on timely patch management.

Page 17

A Big Part of the Problem: Legacy Systems

What is old may not always be new, but when it comes to hacking, it's still effective.

44 percent of known breaches in 2014 came from vulnerabilities that were between two and four years old.

Page 18

Zero Day and Beyond

Unpatched vulnerabilities and exploits exposed – second-order and third-order impacts.

The company used them to spy successfully for clients.

No known US institution implications, but large European institutions affected

Page 19

Staying Current

www.bankinfosecurity.com

Attack vectors continue to vary and change.

Small/medium businesses can be choice targets.

Tools get more sophisticated and are continually monetized as software for sale on the Dark Web.

Darkreading.com

Databreachtoday.com

Page 20

DD4BC

www.bankinfosecurity.com

Page 21

Impact of Cyber Threats

Stolen database of customer accounts & credentials

$40 million stolen from one institution

Core product intellectual property stolen

Limited customer access to online banking

INSIDER: Data theft through internal access

ORGANIZED CRIME: ATM Cash Out, wire fraud

NATION-STATE: Spear phishing to install malware

HACKTIVIST: Distributed Denial of Service

Financial & Public Confidence

Page 22

Changing Threat Landscape

Threat tiers (pyramid, most capable at the top):

APT – Well funded, organized and capable of compromising at will. Major exfiltration, disruption and damage.

Advanced or Persistent – Capable of advanced attacks, less funding, less organization.

Neither Advanced nor Persistent – Least organized and least funded. Sheer numbers could strip-mine vulnerabilities, especially in unprepared institutions.

Lower level threats – large and growing numbers – advanced tools
APT/Nation States – Act like criminals and hacktivists
Hacktivists – Act like terrorists and criminals
Criminals (Guns for Hire, i.e., Nation States/hacktivists)

Increasing Risk, Increasing Cost

Exploit Toolkits For Sale

Page 23

Some Recent Examples

• $80 million FICU victim of Cryptowall
 – $500 US in bitcoin to get data systems released
 – Other small FICUs refused the ransom, wiped the box and restored data successfully

• $60 million FICU victim of account takeover
 – Corporate CU recognized an unusual transaction and halted the auto wire pending human confirmation.

• Medium institution(s): ID theft, tax return fraud with false identities

• Medium institution data exfiltration

• DD4BC

• Website Defacement

Page 24

Growing Exposure

Rising Community Institution Exposure

• Lower Skills = Growing Attack #s
• Lower Costs = Lower Return Targets
• Unique Attributes Increase Attractiveness
• Reliance on Outsourced Providers & 3rd Parties

Page 25

US Credit Union Current Scope of Exposure

As of 12/31/2014     FICUs         %
Website              5049          81%
Transactional        4411          71%
Internet Access      6068          98%
Wireless Network     1483          24%
Members              46,788,777    47%

• Increasing Points of Attack

• Many Less Sophisticated Shops

• Nearly 100% with Some level of Risk Exposure

• 6,206 Credit Unions

• $1.2 Trillion Assets

• Average Assets $187 Million

50% (3,103) of FICUs are smaller than $26 Million in Consolidated Assets (median assets = $25.4 million)

Page 26

Cybersecurity Assessment History

• June 2013: FFIEC CCIWG established

• June 2014: FFIEC pilots Cybersecurity Assessment exam work program
 – Informed Strategic Vision/Objectives (http://www.ffiec.gov/press/pr031715.htm)
 – Observations Report Issued (http://www.ffiec.gov/press/pr110314.htm)
 – Target Statements and Guidance
 – 3rd Party Service Providers

• June 2015: CCIWG releases financial institution Cybersecurity Assessment Tool

Page 27

Strong Industry Foundation and Benchmark

Comprehensive with a Relevant and Cross-Referenced Foundation

Foundation (diagram): the Cybersecurity Assessment Tool rests on the NIST Cybersecurity Framework, the FFIEC IT Handbook and Guidance, and Public & Industry Guidance and Models

• Common Structure to:
 • Communicate between Board and Management
 • Communicate Throughout Organization
 • Communicate with Service Providers

Effective Cyber Risk Management

• Common Structure to:
 • Identify strengths and weaknesses (gaps)
 • Optimize your cybersecurity Investment
 • Evaluate Existing and New Products, Services and Vendors

Page 28

Other Source Guidance & Models

• U.K. Prudential Regulation Authority 2014 cybersecurity assessment

• Canada’s Office of Superintendent of Financial Institutions 2013 cybersecurity assessment

• Department of Energy’s Cybersecurity Capability Maturity Model Program (C2M2)

• Capability Maturity Model (CMM)

• Payment Card Industry Data Security Standard (PCI DSS)

• Many others including SEC, FINRA, and NY DFI

Page 29

Cyber Risk Management Practice

Chart: Organizational Risk Exposure – Cyber Risk vs level of investment/effort (horizontal axis from Lowest Risk to Highest Risk; vertical axis from Lowest Acceptable Security to Highest Security; curve labelled Program Development; Optimal band along the curve)

Beyond Minimum Basic Regulatory Requirements and Agency Guidance – the RM approach should scale to the credit union's level of risk exposure, appetite, complexity and perceived impact.

Enterprise Approach Toward Cyber Risk Management

Higher Investment – Possible Inefficiencies

Under Investment – Too Much Risk For Measures Taken

Page 30

Year of the Data Breach – A Moving “Target”

Some dubbed 2013 the year of the data breach after the Target breach.

Then came 2014:
• Home Depot: POS system compromise allowed breach of 56 million payment card numbers and 53 million email addresses.
• JPMorgan Chase: Hack affecting more than 50% of all households in the United States; personal information of 76 million households and 7 million businesses compromised.
• iCloud: Hackers leaked private images of many famous celebrities.
• Sony Pictures: Hackers stole intellectual, corporate, and personal information from Sony Pictures' computer networks in retaliation for the movie “The Interview.”

Then came 2015 (YTD):
• Anthem: 80 million insured
• Premera Blue Cross: 11 million insured
• OPM: over 20 million federal employees
• Hacking Team

Page 31

Objective: To help institutions identify their risks and determine their cybersecurity maturity.

The Assessment provides a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.

FFIEC Cybersecurity Assessment Tool

Page 32

Consistent with the principles in

• FFIEC Information Technology Examination Handbook (IT Handbook)

• National Institute of Standards and Technology (NIST) Cybersecurity Framework

• Industry accepted cybersecurity practices


Page 33

Consists of two parts

Part One: Inherent Risk Profile
Part Two: Cybersecurity Maturity


Page 34

Inherent Risk Profile Categories

• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

Page 35

Inherent Risk Profile Risk Levels

Type, volume, and complexity of operations and threats directed at the institution

Least Inherent Risk
Minimal Inherent Risk
Moderate Inherent Risk
Significant Inherent Risk
Most Inherent Risk

Page 36

Inherent Risk Profile Excerpt

Category: Technologies and Connection Types

Activity, Service or Product: Total number of internet service provider (ISP) connections (including branch connections)
 Least: No connections
 Minimal: Minimal complexity (1–20 connections)
 Moderate: Moderate complexity (21–100 connections)
 Significant: Significant complexity (101–200 connections)
 Most: Substantial complexity (>200 connections)

Activity, Service or Product: Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
 Least: None
 Minimal: Few instances of unsecured connections (1–5)
 Moderate: Several instances of unsecured connections (6–10)
 Significant: Significant instances of unsecured connections (11–25)
 Most: Substantial instances of unsecured connections (>25)
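The count ranges in the excerpt above are the kind of thing an institution will want to score mechanically rather than by eye, especially when the same answers are re-collected every year. The following Python is an added example written for this page, not code from the FFIEC or the NCUA. The per-activity thresholds are exactly the ones on the slide; the roll-up rule (the level selected most often wins, with a tie resolved toward the higher level) and the sample institution answers are assumptions made for the example.

```python
"""Inherent Risk Profile scoring for the two activities excerpted on the
'Technologies and Connection Types' slide.  Added example, not FFIEC code.
Per-activity thresholds come from the slide; the roll-up rule and the sample
answers below are assumptions made for this example."""
from typing import Dict, List

LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Inclusive upper bound of each level's count range, per the slide excerpt.
# The first entry is 0 ("No connections" / "None"); None means no upper bound.
THRESHOLDS: Dict[str, list] = {
    "isp_connections": [0, 20, 100, 200, None],              # 1-20, 21-100, 101-200, >200
    "unsecured_external_connections": [0, 5, 10, 25, None],  # 1-5, 6-10, 11-25, >25
}


def level_for(activity: str, count: int) -> str:
    """Map a raw count for one activity to its inherent risk level."""
    if count < 0:
        raise ValueError("count must be a non-negative integer")
    for level, upper in zip(LEVELS, THRESHOLDS[activity]):
        if upper is None or count <= upper:
            return level
    raise AssertionError("unreachable: the last threshold is unbounded")


def overall_profile(levels: List[str]) -> str:
    """Roll per-activity levels up into one profile.

    Assumption for this example: the level selected most often wins, and a tie
    is resolved toward the higher level, so an evenly split set of answers
    never understates exposure."""
    if not levels:
        raise ValueError("at least one activity level is required")
    tally = {lvl: levels.count(lvl) for lvl in LEVELS}
    return max(LEVELS, key=lambda lvl: (tally[lvl], LEVELS.index(lvl)))


def assess(answers: Dict[str, int]) -> Dict[str, str]:
    """Score every answered activity and add the rolled-up profile."""
    result = {activity: level_for(activity, count) for activity, count in answers.items()}
    result["overall"] = overall_profile(list(result.values()))
    return result


# Constructed sample: a small institution with a dozen branch links and a
# handful of legacy FTP/Telnet endpoints still reachable from outside.
SAMPLE_ANSWERS = {"isp_connections": 12, "unsecured_external_connections": 7}

if __name__ == "__main__":
    for activity, level in assess(SAMPLE_ANSWERS).items():
        print(f"{activity:32s} {level}")
```

Note that the two activities do not move together: a dozen ISP links is "Minimal", but seven unsecured external connections already lands in "Moderate", which is why the slide counts connections rather than users and why a single legacy FTP or Telnet endpoint should be tracked as a risk driver in its own right.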

Page 37

Cybersecurity Maturity

• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Response

Page 38

Cybersecurity Maturity

Domains

Assessment Factors

Components

Declarative Statements


Page 39

Domains and Assessment Factors

1 Cyber Risk Management & Oversight
 • Governance
 • Risk Management
 • Resources
 • Training and Culture

2 Threat Intelligence & Collaboration
 • Intelligence Sourcing
 • Monitoring and Analyzing
 • Information Sharing

3 Cybersecurity Controls
 • Preventative Controls
 • Detective Controls
 • Corrective Controls

4 External Dependency Management
 • Connections
 • Relationships Management

5 Cyber Incident Management & Resilience
 • Incident Resilience Planning and Strategy
 • Detection, Response and Mitigation
 • Escalation and Reporting

Page 40

Cybersecurity Assessment Tool

Cybersecurity Maturity Excerpt

Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Component: Oversight
Maturity Level: Baseline
Declarative Statements (each answered Y or N):

• Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.

• Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts.

• Management provides a written report on the overall status of the information security and business continuity programs with the board or an appropriate committee of the board at least annually.

• Budgeting process includes information security related expenses and tools.

• Management considers the risks posed by other critical infrastructures (e.g., telecom, energy) to the institution.

Page 41

Maturity Levels (highest to lowest)

Innovative
Advanced
Intermediate
Evolving
Baseline

Page 42

Determine Cybersecurity Investment

Matrix: Inherent Risk Levels (columns: Least, Minimal, Moderate, Significant, Most) against Cybersecurity Maturity Level for Each Domain (rows: Innovative, Advanced, Intermediate, Evolving, Baseline)

Page 43

Cyber Risk Management & Oversight

Cyber risk management and oversight addresses the board's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.

Nine Components, 31 Baseline questions

Oversight, Strategy/Policy, IT Asset Management, Risk Management, Risk Assessment, Audit, Staffing, Training, Culture

Page 44

Threat Intelligence & Collaboration

• Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.

Three Components, 8 Baseline Statements

Threat Intelligence and Information

Monitoring and Analyzing

Information Sharing

Page 45

Cybersecurity Controls

Preventative Controls
• Prevent a threat from exploiting an associated weakness. May be physical (door locks, card access) or logical (firewalls, antivirus, website filtering/whitelisting).

Detective Controls
• Identify the presence of a vulnerability or threat. Includes scanning for vulnerabilities, intrusion detection or prevention systems, log monitoring, independent vulnerability assessments or pen tests.

Corrective Controls
• Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Includes patch management and timely resolution of penetration test findings.

Ten Components, 51 Baseline questions

Page 46

External Dependency Management

External dependency management involves establishing and maintaining a comprehensive program to oversee external connections and third-party relationships with access to the organization's technology assets and information.

Four Components, 16 Baseline questions

Connections, Contracts, Due Diligence, Ongoing Monitoring

Page 47

Cyber Incident Management & Resilience

Cyber incident management includes establishing processes to identify and analyze cyber events, prioritize the organization’s response to contain or mitigate, and escalate information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.

Five Components, 17 Baseline questions

Planning, Detection, Testing, Response & Mitigation, Escalation & Reporting

Page 48

Supporting Materials

• User’s Guide

• Overview for CEOs and Boards of Directors

• Appendix A: Mapping Baseline Statements to FFIEC IT Handbook

• Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework

• Appendix C: Glossary


Page 49

Benefits to Institutions

• Identify Risk Drivers

• Assess Level of Preparedness

• Identify Misalignments in Risk

• Determining Optimal Enhancements to Align

• Informing Risk Management Strategies

• Understanding Risk with Third Parties and Partners

• Measuring and Monitoring Progress

• Connect Strategic with Operational Functions


Page 50

Some of the model mechanics

CAT Topics


Page 51

Comprehensive RM Process

1) Cyber Risk Management & Oversight
 • Governance, Risk Management, Resources, Training & Culture

2) Threat Intelligence & Collaboration
 • Intelligence Gathering, Monitoring & Analyzing, Information Sharing

3) Cybersecurity Controls
 • Preventative Controls, Detective Controls, Corrective Controls

4) External Dependency Management
 • Connections, Relationships Management

5) Cyber Incident Management & Resilience
 • Incident Resilience Planning/Strategy, Detection/Response/Mitigation, Escalation & Reporting

Page 52

Cybersecurity Maturity/Risk Relationship

Chart: expected maturity rises from Lowest Maturity for the Lowest Risk Institutions to Highest Maturity for the Highest Risk Institutions

Page 53

Additive Model Structure (threat intelligence items at each level, highest level at the top)

INNOVATIVE

ADVANCED
• Threat Analysis Team
• Investment in Transformational Threat Intelligence Technology

INTERMEDIATE
• Cyber Intelligence Model
• Multi-source Real-Time Threat Intelligence
• Threat Intel on Geopolitical Events

EVOLVING
• Formal Threat Intelligence Program
• Collection Protocols
• Read-only repository

BASELINE
• Analyze Tactics, Perform Risk Mitigation
• Threat Info Source(s)
• Active Monitoring
• Enhance Risk Management

Items to review
• List of threat intelligence resources (e.g., industry groups, consortiums, threat and vulnerability reporting services).
• Management reports on cyber intelligence.
• Verify FI has conducted interviews with vendors as needed.

Page 54

Matrix: Inherent Risk Levels (columns: Least, Minimal, Moderate, Significant, Most) against Cybersecurity Maturity Level for Each Domain (rows: Innovative, Advanced, Intermediate, Evolving, Baseline)

Matrix regions: Elevated Investment, Optimal, Underinvestment
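The additive structure on the previous slide and the investment matrix above can be expressed as a short routine, which is useful when a domain has dozens of declarative statements and a "Yes" at a higher level is tempting to count before the lower levels are closed out. The following Python is an added example written for this page, not FFIEC or NCUA code. The additive rule it applies (a level is attained only when every statement at that level and at every lower level is met) follows the stacked structure shown on the slide; the statement labels are constructed from the threat intelligence headings on that slide rather than the tool's own declarative statements; and the mapping from each inherent risk level to an expected maturity level is an assumption used to fill in matrix cells that the deck shows only as regions.

```python
"""Additive maturity scoring and maturity-vs-inherent-risk alignment for one
domain.  Added example, not FFIEC code.  Statement labels are constructed
from the slide headings; the risk-to-target mapping is an assumption."""
from typing import Dict, List, Optional

MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Assumption: each inherent risk level expects the maturity level at the same
# position (Least -> Baseline ... Most -> Innovative).  The deck shows the
# matrix only as Underinvestment / Optimal / Elevated Investment regions.
TARGET_MATURITY = dict(zip(RISK, MATURITY))

Answers = Dict[str, Dict[str, bool]]  # maturity level -> {statement: attained?}


def achieved_maturity(answers: Answers) -> Optional[str]:
    """Return the highest maturity level attained for one domain.

    Additive rule: a level counts only when every statement at that level AND
    at every lower level is attained, so a 'Yes' higher up does not count while
    a gap remains below it.  None means even Baseline is not met."""
    achieved = None
    for level in MATURITY:
        statements = answers.get(level, {})
        if not statements or not all(statements.values()):
            break
        achieved = level
    return achieved


def alignment(inherent_risk: str, achieved: Optional[str]) -> str:
    """Place the domain in the investment matrix relative to its target."""
    target_idx = MATURITY.index(TARGET_MATURITY[inherent_risk])
    achieved_idx = -1 if achieved is None else MATURITY.index(achieved)
    if achieved_idx < target_idx:
        return "Underinvestment"
    if achieved_idx > target_idx:
        return "Elevated Investment"
    return "Optimal"


def gaps(answers: Answers, inherent_risk: str) -> List[str]:
    """Unmet statements from Baseline up to the target level, in the order in
    which the additive model requires them to be closed."""
    target_idx = MATURITY.index(TARGET_MATURITY[inherent_risk])
    return [
        f"{level}: {statement}"
        for level in MATURITY[: target_idx + 1]
        for statement, ok in answers.get(level, {}).items()
        if not ok
    ]


# Constructed sample for the Threat Intelligence & Collaboration domain, using
# the headings from the 'Additive Model Structure' slide as statement labels.
SAMPLE_DOMAIN: Answers = {
    "Baseline": {
        "Threat information source(s) identified": True,
        "Active monitoring": True,
        "Tactics analyzed and risk mitigation performed": True,
    },
    "Evolving": {
        "Formal threat intelligence program": True,
        "Collection protocols": True,
        "Read-only repository": True,
    },
    "Intermediate": {
        "Cyber intelligence model": True,
        "Multi-source real-time threat intelligence": False,  # the one open gap
        "Threat intel on geopolitical events": True,
    },
    "Advanced": {
        "Threat analysis team": True,
        "Investment in transformational threat intelligence technology": True,
    },
}

if __name__ == "__main__":
    level = achieved_maturity(SAMPLE_DOMAIN)
    print("achieved maturity:", level)
    print("against Moderate inherent risk:", alignment("Moderate", level))
    for gap in gaps(SAMPLE_DOMAIN, "Moderate"):
        print("close first:", gap)
```

The sample institution has every Advanced statement in place but one Intermediate statement open, so the additive model reports it at Evolving, and against a Moderate inherent risk profile that reads as Underinvestment; the `gaps` list shows that closing the single Intermediate item moves it to Optimal, which is the kind of targeted action plan the assessment process is meant to produce.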

Page 55

FS-ISAC Basic Membership

Page 56

FS-ISAC Membership

Page 57

Summary of Assessment Process

• Calibrate Risk Appetite

• Identify Critical Functions/Vendors

• Complete Inherent Risk Profile

• Assess Maturity

• Determine Target State

• Develop Action Plan

• Allocate Resources

– Cybersecurity Investment

• Adjust Program

– Mitigate Cyber Risks

• Involve Board of Directors Throughout

– Ongoing reporting

Page 58

Assessment Process (cycle)

Establish Risk Appetite
1. Identify Critical Functions & Vendors
2. Complete Inherent Risk Profile
3. Assess Maturity
4. Determine Target State
5. Develop Plan to Address Gaps
6. Allocate Resources
7. Adjust Program
8. Report Progress To Board

Page 59

Cyber Risk Mitigation Approaches

• Change risk profile (streamline risk)

• Increase Cybersecurity Investment (staff, infrastructure, services)

• Increase Capital (accept the risk)

• Alternative risk management approaches

• Cyber Insurance (insure what you can't control)

Most institutions will use most or all of these options in a combined risk management process.

Page 60

NCUA Implementation Timeline

• 12 month Industry Implementation
 – National outreach efforts through 3/31/16
 – No formal exam or evaluation using tool until 6/2016
 – Select webinars informing/training

• 12 month Exam Implementation
 – Staff Training
 – Tool and Exam Aid Development
 – Field Testing
 – System Development

Page 61

NCUA Support

Support:

[email protected]

Page 62

Helpful Web Resources

• www.ncua.gov/Resources/Pages/cyber-security-resources.aspx

• www.ffiec.gov/cybersecurity.htm

• www.us-cert.gov

• csrc.nist.gov

• www.fsisac.com

• www.isaca.org

• www.owasp.org

• www.sans.org

• www.cert.org

• www.whitehouse.gov/issues/technology

• www.whitehouse.gov/issues/foreign-policy/cybersecurity

• www.dhs.gov/topic/cybersecurity

• www.dhs.gov/stopthinkconnect

• www.fbi.gov/about-us/investigate/cyber

• www.ic3.gov/default.aspx

• www.secretservice.gov/ectf.shtml

• www.secretservice.gov/ntac.shtml

Page 63

THANK YOU FOR ATTENDING!