© 2017 Jack Henry & Associates, Inc.®
Testing Your Cyber Incident Response Plan
Tom Williams - Gladiator Business Continuity Strategy Manager
Presented by Gladiator - A Division of Jack Henry & Associates and The Graduate School of Banking
August 8-9, 2018
Agenda
• The FFIEC Guidelines on Cyber-Security
• Risk factors facing financial institutions
• Incident Response Plan components
• Incident Response Plan testing techniques
• Centurion Cyber Drill
Takeaways Throughout the Day
• Nuggets of Wisdom
• Write them down, memorize them, take pictures of them, etc.
• Be prepared to answer: “What nuggets of wisdom have you learned?”
Three Successful Brands
• Community and Multi-Billion Dollar Banks
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services
• Credit Unions of All Sizes
• Core Processing Systems
• Integrated Complementary Products
• In-House or Outsourced Services
• Financial Institutions of All Sizes
• Corporate Entities and Strategic Partnerships
• Core Processor Agnostic
• Best-of-Breed Niche Solutions
Brief Introduction to Gladiator Services
Gladiator® CoreDEFENSE Managed Security Services™
Gladiator® IT Regulatory Compliance/Policy Products™
Centurion Business Continuity Planning™ / Centurion Disaster Recovery®
Gladiator® Hosted Network Solutions™
Gladiator® Managed IT Services™
Business Continuity / Incident Response
Plan Components
The FFIEC – Federal Financial Institutions Examination Council – Guidelines on BCP/IRP
FFIEC BCP Guidelines
Business Impact Analysis (BIA)
• Critical Business Functions
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resources
Risk Assessment
• Threats
– Natural
– Human
– Technical
– Cyber Attacks
Risk Management
• Enterprise-wide BCP
• Emergency Plans
• Crisis Management Plans
• IT & Business Unit Plans
• Family Disaster Plan
Risk Monitoring
• Plan Maintenance
• Plan Testing
• Business Units
• Systems / Apps
Top Concerns
• Regulatory Compliance
• Cybersecurity and IT
• Reputation
Cybersecurity Threat Landscape
(Chart: the threats were plotted against the labels Pervasive, Limited and Challenging; only the threat names survive extraction.)
• Buffer Overflow
• Service Overwhelm
• Stealth Diagnostics
• DoS
• SQL Injections
• Phishing
• Web Browser Pop-Ups
• VBA, ActiveX, Flash Tricks
• OS Specific Attack Tools
• Cross-site Scripting
• SSL-encrypted threats
• Zombie Bots
• RDP Exploits
• Memory Scraping
• DDoS
• Ransomware
• APTs
• Spear Phishing
• Targeted Attacks
• Drive-by Downloads
• Watering Hole Attacks
• Self Replicating Code
• Password Guessing
• Password Cracking
• Disabling Audits
• Hijacking Sessions
• Exploit Known Vulnerabilities
• Packet Forging & Spoofing
• SPAM
• Back Doors
• Sweepers & Sniffers
IRP Basic Requirements
FFIEC’s IRP Minimum Components:
• Assess the nature and scope to identify systems and types of information that have been accessed and/or misused
• Notification of primary regulator
• Completing a SAR and notification of law enforcement
• Take steps to contain the incident to prevent further unauthorized access
IRP Basic Requirements
• Criteria that must be met before compromised systems are returned
• Notification of employees when warranted
• Notification of customers when warranted
• Intrusion response team in place
• These are important pieces, but they do not provide the details needed to respond in the most effective manner.
Key Best Practices to Supplement Requirements
Consider the following:
– What happened and when?
– Performance?
– Was the Recovery process inhibited?
– What could be done differently?
– Corrective steps for similar future incidents?
– Other tools or resources?
– Use this as an opportunity to improve upon what you already have in place.
Risk Factors Facing Financial Institutions
Cybersecurity Challenges
• Cybercrime cost in the trillions
• Segregation of InfoSec oversight from IT
• Cyber incident management and resiliency
• Qualified InfoSec personnel
• Ever-changing risk landscape
* salary.com
Cybercrime will Cost Businesses
Source: Juniper - The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation
• Consumers’ lives and records have been rapidly digitized
• Data breaches will cost $6.1 trillion globally by 2021
Cybercrime Elements
Source: Verizon Data Breach Investigations Report, 2017
• Means: Hacking, Malware, Social Engineering schemes (2017 VDBIR: 62% Hacking, 51% Malware, 43% Social)
• Motive: Money, Espionage, Fun, Ideology, Grudge (2017 VDBIR: 73% Financial, 21% Espionage, 6% FIG – Fun, Ideology, Grudge)
• Opportunity: Email, Social Media, Internet browsing
Regulators Making Cybersecurity a Priority
• The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016
• FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017
• FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015
• Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015
• FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks - FFIEC, June 7, 2016
• The FFIEC published a frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016
• New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016
• The FDIC launches the Information Technology Risk Examination (InTREx) Program - FFIEC, June 30, 2016
InfoSec Regulatory Exam Focus
2014 – 2015
• Business Continuity
• IT Risk Assessments
• Log Archiving
2015 – 2016
• Vendor Management
• CyberSec Assessment Tool
• Ongoing VA Scanning
2016 – 2017
• Information Security Officer
• SIEM & Breach Detection
• Cyber Resiliency
Examiners’ Position on the ISO
• Independent ISO or Committee
• Sufficient knowledge and training
• Separate InfoSec oversight from IT
• Rightsized InfoSec program
Source: FFIEC Guidelines 2006
Source: Deloitte. Beneath the surface of a cyberattack, 2016
• Technical investigation
• Customer breach notification
• Post-breach customer protection
• Regulatory compliance
• Public relations
• Attorney fees and litigation
• Cybersecurity improvements
• Insurance premium increases
• Increased cost to raise debt
• Impact of operational disruption
• Lost value of customer relationships
• Value of lost contract revenue
• Devaluation of trade name
• Loss of intellectual property
Today’s Top 6 Cyber Threats Facing Financial Institutions
1. Encrypted Traffic
2. Malicious Code Variants
3. Supply Chain Infections
4. Patches/Vulnerabilities
5. Ransomware
6. Social Engineering
1 - Encrypted Messages - Counter Measures
1. Decrypt Traffic for Inspection
2. Behavioral Analytics
AV Is Failing, and IPS Is Not Far Behind
Signature based “safety net”
APTs & zero-day attacks
2 - Malicious Code Variants - Counter Measures
1. DNS Protection
2. Deep Content Inspection / Sand Box
Malware & Attacks are more diverse
Source: 2018 Symantec Internet Security Threat Report
DNS Protection: Phishing
1. Threat sends malware link to user
2. User clicks to view MalwareDL.com
3. Gladiator® analyzes threat; rejects
4. Gladiator® redirects unsafe request to safe landing page
DNS Protection: Drive-by Download
1. User types in website
2. Website has been hacked and redirects to malicious site
3. Gladiator® detects malicious site
4. Gladiator® redirects
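The two DNS Protection flows above, as an added example that is not Gladiator's product code and not part of the presentation: a small resolver policy in Python that answers a blocked name (or any subdomain of it) with the safe landing page instead of its real address, and follows a redirect chain so that the hacked site's second hop is the one that gets sinkholed. MalwareDL.com is the name from the slide; the other blocklist entries, the sinkhole address, the upstream answers and the redirect map are constructed for the example.

```python
"""Added example, not Gladiator's product code: a minimal DNS policy check that
models the redirect flow on the DNS Protection slides (phishing link and
drive-by redirect)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed blocklist. MalwareDL.com is the name used on the slide; the other
# entries, the sinkhole address and the upstream answers are made up here.
BLOCKLIST: Set[str] = {"malwaredl.com", "hacked-redirect.example"}
SAFE_LANDING_PAGE = "10.0.0.53"          # address of the "safe landing page"
UPSTREAM: Dict[str, str] = {              # stands in for the real resolver
    "mybank.example": "203.0.113.10",
    "news.example": "203.0.113.20",
    "hacked-redirect.example": "203.0.113.66",
}
# Drive-by case: the legitimate site has been tampered with and sends the
# browser on to the malicious host.
REDIRECTS: Dict[str, str] = {"news.example": "hacked-redirect.example"}


@dataclass(frozen=True)
class Verdict:
    name: str               # normalised query name
    blocked: bool
    matched: Optional[str]  # blocklist entry that matched, if any
    answer: str             # what the client receives


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def match_blocklist(name: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry covering `name`: the name itself or any
    parent domain, so evil.malwaredl.com is caught by the malwaredl.com entry.
    The bare TLD is never checked."""
    labels = normalise(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve_with_policy(name: str, upstream: Dict[str, str] = UPSTREAM,
                        blocklist: Set[str] = BLOCKLIST) -> Verdict:
    """Steps 3/4 on the slides: a blocked name gets the safe landing page
    instead of its real address; anything else is answered normally."""
    qname = normalise(name)
    hit = match_blocklist(qname, blocklist)
    if hit is not None:
        return Verdict(qname, True, hit, SAFE_LANDING_PAGE)
    return Verdict(qname, False, None, upstream.get(qname, "NXDOMAIN"))


def follow_redirect_chain(start: str, redirects: Dict[str, str] = REDIRECTS,
                          upstream: Dict[str, str] = UPSTREAM,
                          blocklist: Set[str] = BLOCKLIST) -> List[Verdict]:
    """Resolve each hop of a redirect chain under the same policy. The user
    typed a clean site; the hop it redirects to is the one that gets
    sinkholed, which stops the chain."""
    chain: List[Verdict] = []
    current: Optional[str] = start
    seen: Set[str] = set()
    while current is not None and normalise(current) not in seen:
        seen.add(normalise(current))
        verdict = resolve_with_policy(current, upstream, blocklist)
        chain.append(verdict)
        if verdict.blocked:
            break
        current = redirects.get(verdict.name)
    return chain


if __name__ == "__main__":
    print(resolve_with_policy("MalwareDL.com."))        # phishing link: sinkholed
    for hop in follow_redirect_chain("news.example"):   # drive-by: 2nd hop sinkholed
        print(hop)
```

The parent-domain walk in match_blocklist is the part worth copying: a blocklist that only matches exact names is trivially bypassed by adding a host label in front of the blocked domain.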
3 - Supply Chain
(Figure: supply chain diagram with the nodes Logistics, Consumer, Supplier, Distributor, Manufacturer and Retailer.)
3 - Supply Chain - Counter Measures
1. Vendor Due Diligence
2. Vendor Management
4 - Patching - Counter Measures
1. Weekly Patching or as Needed
2. Weekly Vulnerability Scanning
3. Data Access Governance
4. Managed IT Services
CNN Headline, March 23rd
The FBI is investigating a ransomware attack on the city of Atlanta
NBC affiliate WXIA reported that the city received a ransom demand in bitcoin for $6,800 per unit or $51,000 to unlock the entire system.
5 – Ransomware Counter Measures
1. Data Access Governance
2. Actively Managed Endpoint Security
3. Modern Era Backup Strategy
4. Sandbox Technology
Top Threats (June – December 2017)
Top threats detected by Microsoft Office 365 ATP
6 – Social Engineering Counter Measures
1. Security Awareness Training
2. Principle of Least Privilege
3. Application Whitelisting
Incident Response Plan Components
Incident Response Plan – Purpose
• This document establishes the plan, procedures, forms and other steps Cashmere Valley Bank will use when responding to a computer security related incident.
• A computer security incident is an information related event where there appears to be:
– The misuse or unauthorized use of information or computing resources;
– An impact or potential impact to the confidentiality, integrity or availability of information.
• The incident may be due to an external intruder or may be caused by a disgruntled employee.
Incident Response Plan – Purpose
• Indications or symptoms of a computer security infraction, event or incident that deserves special attention could be the following:
– System crashes
– New user accounts or high activity on a previously low usage account;
– New files (usually with novel or strange file names);
– Data modification or deletion (files start to disappear);
– Denial of service (users become locked out of a system);
– Unexplained or poor system performance;
– Suspicious probes (there are numerous unsuccessful login attempts);
– Suspicious access (someone accesses files on many user accounts).
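Three of the indicators in the list above (new user accounts, suspicious probes, suspicious access), as an added example that is not part of the presentation: Python detection logic run over a constructed log sample, flagging a burst of unsuccessful logins from one source, a newly created account, and one user reading files under many other users' home directories. The hosts, user names, addresses, thresholds and log format are invented for the example; a real deployment would feed it authentication and file-audit events from the bank's own systems.

```python
"""Added example, not part of the presentation: detection logic for three of the
indicators listed on the slide, run over a constructed log sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (hosts, users, addresses and the format are invented).
SAMPLE_LOG = """\
2018-08-08T09:00:01 srv1 auth: FAILED login user=jsmith src=198.51.100.7
2018-08-08T09:00:03 srv1 auth: FAILED login user=jsmith src=198.51.100.7
2018-08-08T09:00:04 srv1 auth: FAILED login user=admin src=198.51.100.7
2018-08-08T09:00:06 srv1 auth: FAILED login user=root src=198.51.100.7
2018-08-08T09:00:07 srv1 auth: FAILED login user=jdoe src=198.51.100.7
2018-08-08T09:00:09 srv1 auth: FAILED login user=backup src=198.51.100.7
2018-08-08T09:05:00 srv1 auth: OK login user=mlee src=10.1.2.3
2018-08-08T09:10:00 srv1 useradd: NEW account user=svc_tmp by=mlee
2018-08-08T09:11:00 fs1 file: READ path=/home/jsmith/taxes.xlsx by=mlee
2018-08-08T09:11:05 fs1 file: READ path=/home/jdoe/payroll.xlsx by=mlee
2018-08-08T09:11:09 fs1 file: READ path=/home/admin/notes.txt by=mlee
2018-08-08T09:11:12 fs1 file: READ path=/home/backup/keys.txt by=mlee
2018-08-08T09:30:00 srv1 auth: FAILED login user=jsmith src=10.1.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
HOME_RE = re.compile(r"^/home/([^/]+)/")


def parse(log_text: str) -> List[dict]:
    """Turn each line into a dict: ts/host/prog/msg plus any key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "prog": m["prog"], "msg": m["msg"]}
        ev.update(KV_RE.findall(m["msg"]))
        events.append(ev)
    return events


def failed_login_bursts(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """'Suspicious probes': a source with >= threshold failed logins inside any
    sliding window. Returns source -> largest count seen in one window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["prog"] == "auth" and ev["msg"].startswith("FAILED") and "src" in ev:
            by_src[ev["src"]].append(ev["ts"])
    hits: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1           # slide the window forward
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def new_accounts(events) -> List[Tuple[str, str]]:
    """'New user accounts': who was created and by whom."""
    return [(ev["user"], ev.get("by", "?")) for ev in events if ev["prog"] == "useradd"]


def cross_account_access(events, threshold: int = 3) -> Dict[str, List[str]]:
    """'Suspicious access': an actor reading files under >= threshold other
    users' home directories. Returns actor -> sorted list of owners touched."""
    owners = defaultdict(set)
    for ev in events:
        if ev["prog"] == "file" and "path" in ev and "by" in ev:
            m = HOME_RE.match(ev["path"])
            if m and m.group(1) != ev["by"]:
                owners[ev["by"]].add(m.group(1))
    return {actor: sorted(o) for actor, o in owners.items() if len(o) >= threshold}


def triage(log_text: str) -> dict:
    """Run all three detectors and return their findings keyed by indicator."""
    events = parse(log_text)
    return {"suspicious_probes": failed_login_bursts(events),
            "new_accounts": new_accounts(events),
            "suspicious_access": cross_account_access(events)}


if __name__ == "__main__":
    for indicator, finding in triage(SAMPLE_LOG).items():
        print(f"{indicator}: {finding}")
```

The thresholds are the tuning knobs: set them from a baseline of normal help-desk and file-server activity, otherwise the "suspicious access" rule fires on backup operators and the login rule on a mistyped password.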
Cyber Risk Appetite
• Management position on cyber risk
• Cyber risk appetite is not static
• Not a one-size-fits-all
• Based on business strategy
• Actionable and specific
What is the Bank’s Cyber-Security Risk Mitigation Profile?
(Chart: a scale running from LOW RISK through MODERATE RISK to HIGH RISK, with BSA/AML, Internal Fraud, Incident Response Plan and No Incident Response Plan plotted along it.)
Each organization should continually strive to move toward the Low Risk area
Cyber Incident Response Plan Components
• Monitoring
• Identification / Detection
• Investigation / Decision Making
• Evidence Collection / Forensic Analysis
• Communications – Employees, Members, Media, Legal, Insurance, Management
• Vendor / Resource Management
• Business Resumption
Incident Response Process
Cyber Incident
1. Report Incident
• Technical Support / Help Desk
2. Incident Classification
• Validation and Severity of Incident
3. Notification / Escalation
• Who to contact, internal-external
4. Assessment
• Entry point of virus
• Systems affected
• Time to close incident
• Regulatory - Law agencies
5. Documentation
• Phone conversations
• System logs
• Meeting minutes
• Screen shots
6. Containment
• Shut down system
• Disconnect from network
• Monitor system/network
• Set traps
• Disable functions, etc.
Incident Response Process
7. Protecting Evidence
• Preserving hard drives
• Documenting incidents
8. Eradication & Recovery
• Anti-virus software
• System rebuilds
9. Follow-up Analysis
• System monitoring
• Sequence of events
• Method of discovery
• Lessons learned
10. Incident Prevention
• Technology
• Policies, procedures
• Training on security awareness
• Technical configurations
• Access permissions, logs, etc.
11. Vendor Management
• Tier 1 vendors must report all Incidents to CVB
• T1 vendors must have Incident Response Plans
• T1 Vendors must have Business Continuity Plans
Incident Response Severity Levels
Level 1
• Not a computer security condition – Low Impact
• The incident may be another type of issue
• The CIO may redirect the issue back to the Help Desk
Level 2
• Security Infraction or Event – Moderate Impact
• A security infraction is non-compliance with security policy or standard
• In many cases does not require formal investigation or tracking
• Infractions are addressed according to policy and enforcement
Level 3
• Information Security Incident – High Impact
• An information security incident appears significant upon initial reporting and additional investigation is deemed appropriate.
Incident Response Testing
• Annual requirement
• Validates that the IRP will work
• Appropriate response
• Incident reporting requirements
• Severity ranked scenarios
Incident Response Plan Testing Considerations
• Testing is a necessity and should be completed annually.
• Size and complexity matter in testing.
• Assemble your team.
– Validate response capabilities.
– Consider a vendor representative.
– Vendors assist with testing efforts (Centurion).
• Determine your testing scenario.
– Variety of severity levels with technical and non-technical incidents.
The Impact of Cybersecurity and Technology Service Providers
• Technology Service Providers (TSPs)
– Cyber resilience becomes a factor
– TSPs are now a part of your Incident Response Team
– Vendor Management
• Relationship between vendor management and incident response
• Information Sharing
FFIEC - Information Security Officer Responsibilities
• Incident Response Management & Training
• Information Security Strategy & Policies
• Information Systems Risk Assessment
• IT Audits & Interaction with Examiners
• Business Continuity / Disaster Recovery
• Vendor Management
• Vulnerability Assessments
vISO (Virtual Information Security Officer) Service Elements
• Annual Recurring InfoSec Risk Assessment – Asset Based, Control Validation
• Written Information Security Program – Policies, Procedures, Forms
• Ongoing Compliance Management – Audit Support, Monthly Meetings
• Reporting – Information Security Program Status
Centurion Cyber Drill
Cyber Incident Response Drill Objectives
• Better understand your financial institution’s vulnerability toward cyber incidents.
• Assess your financial institution’s Incident Response Plan (IRP).
• Identify the major milestones associated with a cyber incident.
• Collaborate with your peers to share approaches to dealing with cyber incidents.
Cyber Incident Response Drill Objectives
Avoid becoming a victim like the following companies:
Cyber Attack Drill Information
• This is a test exercise, based on the probability of a real-world scenario.
• Treat scenario details as fact.
• Think about how your bank’s cyber program would measure up to a similar, but real incident.
• Consider what improvements may be required to your IRP resulting from the drill.
Cyber Attack Drill Information
• Provide an interactive experience based on decisions associated with a cyber incident.
• You are assigned to the Incident Response Team (IRT) of The Financial Institution of Madison.
• Your team will be given a scenario resulting in a cyber incident to The Financial Institution of Madison.
• Please assume the role that you are assigned to as an Incident Response Team Member.
Incident Response Team Introduction
(Seating diagram labelled FRONT OF Room; team roles:)
• Chief Operations Manager / Compliance Manager
• Chief Information Security Officer
• Chief Executive Officer
• Marketing / HR Manager
Incident Response Drill Challenges
Situational events that your IRT has to make decisions on
Share ideas and learn from your peers
Challenges are derived from real-world situations
Poll Everywhere will display team challenge results
Creates group discussion and collaboration
Financial Institution of Madison Bank Profile
• $757 million in assets
• Main office is located in downtown Madison, WI
• 9 additional branch office locations throughout Madison
• 211 employees and 511,000 customers
Financial Institution of Madison Technology Profile
• Core processing – Outsourced
• Windows® infrastructure runs at main office
• VMware Snapshots taken once per day and replicated off-site at another branch twenty-five miles away
• Uses an MPLS common network between branches
• Thirty days of historical backups
Let’s Get Started!
Cyber-Exercise Slides
• To maintain the integrity of the cyber-exercise, we elected not to include the actual slides of the drill until after the drill is completed in class.
• For those who elect to attend the class, the slides for the cyber-exercise will be made available immediately after attending the class.