Lecture Materials MANAGING SECURITY RISK IN BANKING Kevin Streff Professor of Cybersecurity Dakota State University [email protected] 605-270-0790 & Founder SBS Cybersecurity, LLC [email protected] 605-270-0790 August 9 - 11, 2017


Lecture Materials

MANAGING SECURITY RISK IN BANKING

Kevin Streff, Professor of Cybersecurity, Dakota State University, [email protected], 605-270-0790
& Founder, SBS Cybersecurity, LLC, [email protected], 605-270-0790

August 9 - 11, 2017


IT Risk Assessment

2017 Graduate School of Banking at University of Wisconsin

Dr. Kevin Streff, Founder: SBS Cybersecurity, LLC, www.sbscyber.com


Goals

• Understand the top risk assessment issues that cause problems and inefficiencies

• Learn to expand and mature risk assessment programs: IT risk assessment, Corporate account assessments (CATO), Enterprise Risk Management, BSA Risk Management

• Watch how leading tools enable quicker and better risk assessment

• Review risk assessment best practices


Regulator Requirements: Gramm‐Leach‐Bliley Act

• Gramm‐Leach‐Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments.

A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank’s operations and the nature and scope of its activities.

Prior to implementing an information security program, a bank must first conduct a risk assessment which entails:

• Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.

• Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information.

• Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks.


Gramm‐Leach‐Bliley Act

Management must develop a written information security program.

What is the “M” in the CAMELS rating? Don’t just do good security things, have a well-managed program.

Don’t rely on individual heroism, have a well-managed program.

The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution.


Gramm‐Leach‐Bliley Act

• Gramm‐Leach‐Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments.

• Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution’s operations and the nature and scope of its activities.

• Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment.


Layered Information Security Program

Components of the program:

• I.T. Risk Assessment
• Asset Management
• Vendor Management
• Penetration Testing
• Vulnerability Assessment
• Security Awareness
• Business Continuity
• Incident Response
• I.T. Audit

Supported by Documentation and by Boards & Committees.


©2016 Secure Banking Solutions, LLC


Question

What is the OUTCOME of good IT risk assessment?


Exercise 1 – Allocating Resources


Exercise 1

Your bank has $25,000 of additional spending to put towards security in 2017.

You were just provided the chart

How would you allocate the $25,000?


Maturing Your Risk Assessment

• Bank
  Internal & External
  System & Organizational

• Third Party Vendors
  Business Partners
  Downstream Partners

• Commercial Merchant
  Correspondent Banking
  ACH Origination

• Enterprise Risk

• Bank Secrecy Act

• Cyber Risk


Capability Maturity Model

• Level 0 – Initial: Any sort of process at all

• Level 1 – Repeatable: Processes are documented and practiced

• Level 2 – Defined: Processes are consistent and known within the organization

• Level 3 – Quantitatively Managed: Processes are measured quantitatively and evaluated

• Level 4 – Optimized: Processes continually improve with new technologies or methods


[Chart: Level of Assessment (CMM Levels 0 to 4) plotted against Level of Risk (Low, Medium, High), with goal markers for Bank Threats, 3rd Party Threats and Commercial Threats]


Bank Assessments


What is IT Risk Assessment?

“The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources” (Streff, 2017)


Exercise 2 – Reviewing a Risk Assessment


Traditional IT Risk Assessment Process (view Core Processor example in attached spreadsheet)

Asset: Core Processor (Value: High)

Threat | Likelihood | Impact | Controls | Overall Risk Rating
------ | ---------- | ------ | -------- | -------------------
Unauthorized User Access | High | High | Password Controls; Physical Access; End-User Responsibilities; Access Controls; Insurance | High
Unauthorized Physical Access | Low | Medium | Motion Sensors and Alarm System; Security Cameras; Control Authorized Use; Hardware Security; Physical Security | Medium
Unauthorized Viewing | Medium | Medium | Screen Savers; Privacy Screens | Medium
Electrical Anomalies | Medium | High | Electrical Services Contingency Plan; Physical Security | High
Hardware Failure | Medium | High | Data Integrity; Bank Processing Hardware; EDP Contingency Procedures | High
Software Failure | Medium | High | Data Software Availability; Bank Processing Software; Incident Response Plan; Host Processing Systems; Software Security; Data and Software Availability | Medium
Media Failure | Medium | Low | Data Integrity; Disaster Recovery; Data and Software Availability | Low
Communications Failure | Low | Medium | Telecommunications Services | Low
Natural Disaster | Low | High | Contingency and Business Resumption Plan; Data Integrity; Incident Response Plan; Insurance | Medium
Other Disasters | Low | High | Contingency and Business Resumption Plan; Data Integrity; Fire Control; Incident Response Plan; Insurance | Medium
Malicious Software | Low | Medium | Anti-Virus/Malware Software Protection | Medium
User Error | Medium | Low | Dual Control Procedures | Low
Accidental Disclosure, Social Engineering | Medium | Medium | Dial-up Access; Encryption; Information Requests; File Transfers | Medium
Fraudulent Transactions | Medium | High | Separation of Duties; System Activity Logs | Medium
Maintenance Error | Medium | Low | Modifications; Modification Procedures; Software Change Control; Host Processing Systems | Low
Improper Use | Medium | Medium | System Activity Logs; Modifications, Dual Control Procedures; Acceptable Use | Medium


Exercise 2 ‐ Instructions

What do you agree with?

What do you disagree with?

What story is this risk assessment telling?

How would the bank allocate resources if you provided them with this assessment?


Risk Assessment is: a management process to identify, measure, mitigate and monitor risk in order to allocate resources.


5 Step IT Risk Assessment Process

• Step 0 – Inventory
• Step 1 – Risk Identification
• Step 2 – Risk Measurement
• Step 3 – Risk Mitigation
• Step 4 – Risk Monitoring

Labels on the process diagram: Inherent Risk, Residual Risk.


5 Step IT Risk Assessment Process

• Step 1 - Inventory: Identify all assets, vendors and service providers

• Step 2 - Develop Priorities: Protection Profile (CIAV)

• Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)?

• Step 4 - System Controls: What system safeguards does the bank want to implement?

• Step 5 - Demonstrate Compliance: Reporting; Improve the process; Document Residual Risk

Labels on the process diagram: Inherent Risk, Residual Risk.


IT Risk Management Tools

• Efficiency
• Repeatability
• Quality
• Automate processes
• Examiners like them

BOTTOM LINE #1: Act as your security expert

BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet)


Top Risk Assessment Products

Product | Website | Location
------- | ------- | --------
Archer | www.archer-tech.com | Kansas
bSECURE | www.brintech.com | Texas
CoNetrix | www.conetrix.com | Texas
Modulo | www.modulo.com | Seattle
Riskkey | www.riskkey.com | Texas
RiskWatch | www.riskwatch.com | Maryland
Scout | www.locknet-inc.com | Wisconsin
TRAC | www.tracadvantage.com | South Dakota
WolfPAC | www.wolfandco.com | Maryland


IT Assets

Protection Profile

Threats

Controls

Protection Profile Report

Risk Appetite

The more important the asset, the more risk you want to reduce.

Acceptable levels of risk are identified and measured against.
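As an added example that is not part of the lecture materials or of any vendor tool, this Python script scores one asset through Steps 2 to 5 of the process described above: the CIAV protection profile sets the asset's value and from it a risk appetite, each threat gets an inherent likelihood x impact score, the listed controls reduce that to a residual score, and anything still above appetite is what the report flags for resource allocation. The ordinal scale, the per-control reduction fractions and the appetite thresholds are constructed assumptions; the sample asset and threats are modelled on the Core Processor sheet.

```python
"""Inherent vs. residual risk for one asset, following the 5-step process.

Added example; the scales, control effectiveness figures and appetite
thresholds below are constructed assumptions, not the lecture's numbers.
"""
from dataclasses import dataclass

# Ordinal scale shared by likelihood, impact and CIAV ratings (assumption).
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Control:
    name: str
    reduction: float  # fraction of remaining risk this control removes (assumed)


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    controls: list


@dataclass
class Asset:
    name: str
    profile: dict  # Protection Profile (CIAV): Confidentiality, Integrity,
                   # Availability, Volume, each rated Low/Medium/High
    threats: list


def inherent_risk(likelihood: str, impact: str) -> int:
    """Step 3: likelihood x impact before any control is considered (1..9)."""
    return LEVEL[likelihood] * LEVEL[impact]


def residual_risk(threat: Threat) -> float:
    """Step 4: apply controls; each removes a fraction of what is left."""
    score = float(inherent_risk(threat.likelihood, threat.impact))
    for control in threat.controls:
        score *= 1.0 - control.reduction
    return round(score, 2)


def rating(score: float) -> str:
    """Map a numeric score back to the sheet's Low/Medium/High rating."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def asset_value(asset: Asset) -> int:
    """Step 2: the highest CIAV rating drives the asset's value."""
    return max(LEVEL[v] for v in asset.profile.values())


def risk_appetite(asset: Asset) -> float:
    """Acceptable residual score: the more important the asset, the lower it is."""
    return {3: 2.0, 2: 4.0, 1: 6.0}[asset_value(asset)]


def assess(asset: Asset) -> list:
    """Step 5: one report row per threat; rows above appetite need resources."""
    appetite = risk_appetite(asset)
    rows = []
    for threat in asset.threats:
        inherent = inherent_risk(threat.likelihood, threat.impact)
        residual = residual_risk(threat)
        rows.append({
            "threat": threat.name,
            "inherent": rating(inherent),
            "residual": rating(residual),
            "residual_score": residual,
            "within_appetite": residual <= appetite,
        })
    return rows


# Constructed sample modelled on the Core Processor sheet in the lecture.
CORE_PROCESSOR = Asset(
    name="Core Processor",
    profile={"Confidentiality": "High", "Integrity": "High",
             "Availability": "High", "Volume": "High"},
    threats=[
        Threat("Unauthorized User Access", "High", "High",
               [Control("Password Controls", 0.4), Control("Access Controls", 0.3)]),
        Threat("Communications Failure", "Low", "Medium",
               [Control("Telecommunications Services", 0.3)]),
        Threat("Malicious Software", "Low", "Medium",
               [Control("Anti-Virus/Malware Software Protection", 0.5)]),
    ],
)

if __name__ == "__main__":
    for row in assess(CORE_PROCESSOR):
        flag = "OK" if row["within_appetite"] else "ABOVE APPETITE"
        print(f"{row['threat']:<28} inherent={row['inherent']:<7}"
              f" residual={row['residual']:<7} ({row['residual_score']}) {flag}")
```

With these assumed numbers the unauthorized-access threat drops from High to Medium but still sits above the appetite set for a High-value asset, which is exactly the row a board report would single out for the next spending decision.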


Commercial Account Assessments: Commercial Banking Fraud


Commercial Account Takeover

• Cyber‐criminals are targeting commercial accounts

• Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)

• Schumer Bill introduced in 2012 to extend Reg E protections to “Schools and Municipalities”


Commercial Banking Fraud

• January 22, 2009
• Experi‐Metal Inc. ‐ Sterling Heights, MI
• Sues Comerica Bank ($60M) ‐ Dallas, TX
• An EMI employee opened and clicked on links within a phishing email
• $1.9M stolen, $560,000 was not recoverable
• 47 wires in one day to foreign and domestic accounts which EMI had never wired to before
• Ruling: Bank failed to detect the fraud and must pay Experi‐Metal $560,000 in losses.


Small Business Security

• 70% lack basic security controls

• Get to the basics with each small business

• Conduct a risk assessment looking for these basic security controls: Firewall, Strong passwords, Malware Protection, Etc.


Finger Pointing and ACH Risk


Mitigating ACH Fraud in Community Banks

• Layered Information Security Program

• Enhanced Focus on Security Awareness

• Risk Assess Corporate Account Portfolio and Take Action


Commercial Account Takeover FFIEC Guidance

FFIEC’s “Interagency Supplement to Authentication in an Internet Banking Environment” states the following activities to mitigate commercial account takeover:

• Risk Assess to better understand and respond to emerging threats.
• Increased multi‐factor authentication.
• Layered security controls.
• Improved device identification and protection.
• Improved customer and employee fraud awareness.

CSBS CATO Guidance


Bottom Line

Need to develop a way for your bank to assess the risk of commercial accounts


ACH Regulatory Compliance

REGULATION

Board of Directors at the bank are responsible to:
• Reduce/Control ACH Fraud
• Meet FFIEC Guidance
• Meet CSBS Guidance

ACTIONS

Controls at the Bank:
• Corporate account security is part of your layered security program
• Minimum list of 9 security controls in the FFIEC supplement

Controls at the Business:
• CATO Risk Assessment
• List of controls in the CSBS guidance
• Customer Education
• Contracts/Documentation


Controls at Your Bank

Effective controls that may be incorporated in a layered security program include, but are not limited to:

• Fraud monitoring and detection
• Dual authorization
• Out‐Of‐Band transaction verification
• Positive pay
• Account activity controls or limits on value, volume, timeframes, and payment recipients
• IP reputation‐based blocking tools
• Policies and procedures for addressing potentially infected customer devices
• Enhanced control over account maintenance
• Enhanced customer education


How do You Assess Merchant Risk?


5 Step IT Risk Assessment Process

• Step 0 – Inventory
• Step 1 – Risk Identification
• Step 2 – Risk Measurement
• Step 3 – Risk Mitigation
• Step 4 – Risk Monitoring

Labels on the process diagram: Inherent Risk, Residual Risk.


Assessment Results


Track Progress


Easily Create a campaign

© SBS CyberSecurity, LLC www.sbscyber.com · Consulting · Network Security


Choose from a huge library of phishing templates


Realistic Templates


Educate them WHEN they click


Other Phishing Tools

• Wombat
• Phishme
• QuickPhish
• Tandem Phishing

Most of these tools offer a free trial.


Enterprise Risk Management


Enterprise Risk Management (ERM)


ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO)

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management in a changing operating environment. (Protiviti consulting firm)


Business Processes

• Administrative
• Affiliate
• Back‐Office
• Customer Service
• Finance
• Lending
• Marketing
• Regulatory
• Retail (Deposits)
• Information Technology


Threat Areas

• Operational
• Reputational
• Compliance
• Financial
• Strategic

Categories commonly used in FFIEC booklets.


ERM – Risk Mitigation Goals


ERM – Protection Profile


ERM ‐ Threats


ERM ‐ Controls


ERM ‐ Reporting


Report – Risk Mitigation 


Report – Threat Source


Report – Peer Comparison


Bank Secrecy Act Assessments


Bank Secrecy Act (BSA)


The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the “Bank Secrecy Act” or “BSA”) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an “anti‐money laundering” law (“AML”) or jointly as “BSA/AML.” Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311‐5330 and 31 CFR Chapter X [formerly 31 CFR Part 103] ).


BSA Program Components


• Program is driven by a risk assessment.
• A system of internal controls to ensure ongoing compliance.
• Independent testing of BSA compliance.
• A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer).
• Training for appropriate personnel.

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm


Risk Driven BSA Program


BSA – Account Types 


BSA – Risk Areas


BSA – Controls


BSA – Reports 


Report – Account Risk


Cyber Security Assessment

www.protectmybank.com

©2015 Secure Banking 


FFIEC CA Tool (3 parts)

Three (3) major components:

1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity

2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats

3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.


Cybersecurity Inherent Risk 

Very PRESCRIPTIVE

Really getting to the Size and Complexity issue originally stated by GLBA

Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats


Cybersecurity Inherent Risk 

Five Inherent Risk Areas:

1. Technologies and Connection Types

2. Delivery Channels

3. Online/Mobile Products and Technology Services

4. Organizational Characteristics

5. External Threats




Cybersecurity Maturity

Measure Maturity in 5 Domains (+ Assessment Factors):

1. Cyber Risk Management and Oversight
   Governance, Risk Management, Resources, and Training

2. Threat Intelligence and Collaboration
   Threat Intelligence, Monitoring & Analyzing, and Info Sharing

3. Cybersecurity Controls
   Preventative, Detective, and Corrective controls

4. External Dependency Management
   External Connections and (Vendor) Relationship Management

5. Cyber Incident Management and Resilience
   Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting



What is Cybersecurity Maturity?

Determining whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness

i.e., are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents?



Determining Maturity Level

Within each component, “declarative statements” describe activities supporting the assessment factor at each maturity level

“All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level“

What this actually means: Identify the controls you have in place, starting with “baseline” controls and escalating up in order to determine maturity levels
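The cumulative rule quoted above, worked through in code. This is an added example, not part of the lecture materials or the FFIEC tool itself; the five level names are the CAT's own, while the statement ids and yes/no answers are constructed for illustration.

```python
# Added example (not from the slides): apply the FFIEC CAT cumulative rule to
# decide a domain's maturity level from declarative-statement answers.

# FFIEC CAT maturity levels, lowest to highest.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]


def domain_maturity(answers):
    """Return (attained_level, blockers) for one domain.

    `answers` maps a level name to {statement_id: bool}; True means the
    statement is attained *and sustained*.  A level is reached only when every
    statement in it and in every lower level is True, so one unmet statement
    at a low level caps the domain there even if higher levels are fully met.
    `blockers` lists the unmet statements at the first level not fully
    attained (what must be fixed to move up one level).  If Baseline itself
    is not met, attained_level is None.
    """
    attained = None
    for level in LEVELS:
        statements = answers.get(level)
        if not statements:
            # No answers recorded: the level cannot be claimed.
            return attained, [f"{level}: no statements answered"]
        unmet = [sid for sid, ok in statements.items() if not ok]
        if unmet:
            return attained, unmet
        attained = level
    return attained, []


# Constructed sample: statement ids and results are illustrative, not CAT text.
SAMPLE_DOMAIN = {
    "Baseline":     {"B1": True, "B2": True, "B3": True},
    "Evolving":     {"E1": True, "E2": False},  # one gap here ...
    "Intermediate": {"I1": True, "I2": True},   # ... caps an otherwise met level
    "Advanced":     {"A1": False},
    "Innovative":   {"N1": False},
}

if __name__ == "__main__":
    level, blockers = domain_maturity(SAMPLE_DOMAIN)
    print(f"Domain maturity: {level}; blocking statements: {blockers}")
```

Note that the sample's fully met Intermediate statements do not count: the unmet Evolving statement E2 caps the domain at Baseline, which is exactly the point of the "and previous levels" clause.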




Increasing Maturity



Risk Assessment Best Practices

Determine which kind of assessment is the most important for your bank and invest accordingly

Mature your program

Have repeatable processes for each kind of assessment

Assign an owner for each kind of assessment

Create a policy and program for each kind of assessment

Leverage tools to promote consistency and good decision‐making

Don’t use the manual spreadsheet technique!

Produce your documentation along the way

Ensure management/board involvement



Review of Goals

Understand IT risk assessment law and regulation

Understand the top risk assessment issues that cause problems and inefficiencies

Learn how to expand and mature:

  IT risk assessment

  Corporate account assessments (CATO)

  Enterprise Risk Management

  BSA Risk Management

Review effective risk assessment policy

Watch how leading tools enable quicker and better risk assessment

Review risk assessment best practices

Big 5: Tools, KnowBe4, repeatable processes, policies, schedules



Risk Assessment Schedule



Dr. Kevin Streff

Professor of Cybersecurity at Dakota State University
[email protected]
(605) 270‐0790

Founder: SBS Cybersecurity, LLC.
www.sbscyber.com
[email protected]
(605) 270‐0790