東 京 電 機 大 学 国 際 化 サイバーセキュリティ 学 特 別 コース. Cyber Security in the Financial Sector

Transcription

1 東 京 電 機 大 学 国 際 化 サイバーセキュリティ 学 特 別 コース Cyber Security in the Financial Sector GREG J. THOMPSON CISSP CANADA 1

2 Agenda 1. Introductions About me About Scotiabank 2. Definition of Cyber Security 3. Risks and Challenges Why is Cyber Security so Important? The Threat Landscape Historical Context Factors influencing Cyber Security & Global Trends High level description of controls 4. Threat Intelligence and Analysis Threat intelligence & response process tactical to strategic 5. Questions, time permitting 2

3 About Me Professional Background Vice President Operational Governance, Scotiabank Vice President of Enterprise Security Services and Deputy Chief Information Security Officer, Scotiabank 2003-Present Chief Information Security Officer, Manulife Financial Corporation Network Engineer, Circuit Designer, Bell Canada

4 About Scotiabank - Quick Facts Scotiabank is a leading financial services provider in over 55 countries and Canada s most international bank. Through our team of more than 86,000 employees, Scotiabank and its affiliates offer a broad range of products and services, including personal and commercial banking, wealth management, corporate and investment banking to over 21 million customers Automated Banking Machines Worldwide 3321 Branches Globally 4

5 Definition of Cybersecurity Cybersecurity is the integration of people, technologies, processes and practices designed to safeguard Information Technology (IT) assets and systems from attack, damage and unauthorized access. 5

6 Threats/Risks & Challenges SUMMARY OF HISTORICAL RISK LANDSCAPE AND INHERENT CHALLENGES FACING BANKS 6

7 Why is Cyber Security so Important? Cyber Security has become more integral to an enterprise s success, as more users work with company data and new tools and technologies provide greater capabilities for data management. However, at the same time, data breaches are increasing in size and frequency. The new realities of information usage and access Changing Work Environment: 66% of employees now spend more time accessing and reviewing corporate information than 3years ago The rising strategic value of information: 79% of senior executives report that new uses of (digital) information are key to organizational growth. Attacks are becoming more costly and widespread 90% of organizations experienced at least one data breach in the past year. 66% of security breaches go undetected for at least three months. There has been an 18% increase in average financial losses, with big liabilities increasing faster than smaller losses. Rapidly evolving threats: 69% of executives believe that their companies cannot keep up with the increasing pace and sophistication of attacks. Growth of Cloud Computing: 68% of IT executives claim responsibility for technology usage and security but lack the authority to manage these effectively. Source: Corporate Executive Board 7

8 Threats Threats Threats Continue to Compound Over Time Key Concept: Threats continue to compound and increase over time, while the time required to respond is shrinking. Unauthorized access Accidental issues Malicious users Computer Viruses Increased interconnectivity Hackers (geeks) Unauthorized access Accidental issues Malicious users Organized Crime Software Vulnerabilities Worms Trojans Computer Viruses Increased interconnectivity Hackers (geeks) Unauthorized access Accidental issues Malicious users Hacktivists State-sponsored threats Mobile malware Data Loss & APT Zero-day threats Internet of Things Organized Crime Software Vulnerabilities Worms/Trojans/Ransomware Computer Viruses Increased interconnectivity Hackers (geeks) Unauthorized access Accidental issues Malicious users Mainframe Client/Server Internet Mobile/Always on Internet 1975 Timeline

9 Low Uncontrollability High The Threat Landscape Threats Causing Companies Most Concern Employee Use of Social Media BYOD Mobile Device Application Vulnerabilities Employee Carelessness Malicious Insiders Other Application Vulnerabilities Third-Party Risk: SaaS Web Application Vulnerabilities Hacktivists State-Sponsored Attacks Third-Party Risk Privilege Abuse Third-Party Risk: IaaS Social Engineering/ Phishing Organized Crime and Fraud Regulatory Non-Compliance Abbreviations Definitions BYOD Bring your own device IaaS Infrastructure as a service SaaS Software as a service SCADA Supervisory control and data acquisition Low Risk Rating High Source: CEB 2012 Information Security Threat Landscape Survey. 9

10 Summary of Threat Scenarios Facing Banks Account Takeovers Phishing / Pharming Targeting employees Targeting customers Attacks on Third Party Payment Processors Targeting personal information such as social security numbers Used to create fake debit / credit cards ATM Skimming and Point of Sale Attacks Targeting customers credit and debit card information Used to create fake debit / credit cards Malicious Insiders Third Party Supplier attacks Targeting weak security at third parties as pivot-points into Bank networks Network Disruption and Distributed Denial of Service (DDoS) Attacks DDoS attacks used to disrupt services or misdirect incident respond teams Malware continues to evolve Emergence of Ransomware 10

11 Internal & external trends make information security risk management more difficult Factors Magnifying Information Security Risk 2 76% of employees now spend more time accessing and reviewing corporate information than three years ago. Growth of Shadow (Business-Led) IT 68% of IT executives claim responsibility for technology usage and security but lack the authority to manage these effectively. Changing Work Environment Rise in Information Security Risk Rapidly Mutating Threat Environment 79% of senior executives report that new uses of (digital) information are key to growth. 4 Rising Strategic Value of Information 69% of executives believe that their companies can t keep up with the increasing pace and sophistication of attacks. Source: The Ponemon Institute; McKinsey; World Economic Forum; Avanade, Global Survey: What s Creating Tension Between IT and Business Leaders?, 2014; CEB 2012 High Performance Survey; CEB 2012 Employee Technology Value Survey. 11

12 Regulation & Cyber Security Factors Driving Concern About Cyber/Information Security Regulation 1 Volume A flood of new regulations are being implemented at local, national and international levels. 2 Impact New regulations affect collection, storage and protection of information across all areas of the enterprise. 3 Complexity Online business can expose companies to a wider range of regulations than expected. Source: CEB analysis. Recent Reviews - Cyber Security and related topics OSFI Cyber Security Self Assessment Oct/13 Cyber Security Comparative Review - current IT Governance and Risk Management- Jul/14 Monetary Authority of Singapore Technology Risk Management Questionnaire New York Department of Financial Services Cyber Security Evaluation program Puerto Rico FDIC On site exam IT Controls. Joint Operational Resiliency Management - Canadian Payments Association Nov/14 Investment Industry Regulation Organization of Canada Cyber Security planned Jan/15 Internal Scenario readiness and testing Ransom ware Nov/13 Cyber Security Communication & escalation 12

13 Cyber Security in the News A cyber attack in 2014 may have compromised information about 76 million households. That included customer names, addresses, phone numbers and contact information. In addition, the breach affected about seven million of J.P. Morgan s small businesses customers. Hackers accessed personal information about as many as 110 million consumers. The aftershocks are still reverberating for Target nearly a year later. In August, Target said the costs associated with the hacking added up to $148 million. Hackers broke into the computer system used by the company's development team to steal information from cash registers. That data then found its way onto a computer in Eastern Europe. Cyber-thieves stole up to 60 million card numbers. The attacks went on for five months before they were discovered. In September, the company said that anyone who used a credit card to shop in the U.S. or Canada over a six month period earlier this year could have been a victim. Source: 13

14 My Challenge Keep the bank safe! Why so challenging? 1. Massive geographic span of employees, infrastructure and data makes securing networkconnected assets inherently difficult. 2. Emerging employee and customer engagement models are rapidly evolving thanks to adoption of mobile technologies and improvements in cellular technology. 3. I do not control the banking customer s device. 4. Threats are evolving faster and threat actors are constantly changing. 5. My adversaries are highly motivated, highly organized, well funded and have a high tolerance for failure. This means they only need to have a very small percentage of successful attacks to make profit. 14

15 Operational Threats Our Daily Challenge Threat Rank Type of Threat Threat Description Impact if Successful Attempt Frequency 1 Advanced Persistent Threats (APTs) Malicious software which circumvents traditional controls such as A/V, IPS and other layers of defense. Designed to either steal data or provide remote access to malicious attackers. Target, JPMorgan, etc. Every second. 2 Distributed Denial of Service Attacks The flooding of internet infrastructure to render a server, or network unavailable. The bank depends on the Internet for , 3 rd party systems and the entire e-deliver channel (SOL, SCO, Enlinea, etc.) Every minute. 3 Third Party and Home employee (home computer) remote access. Infected/compromised computers connecting to the banks network. Very difficult to manage as control does not exist at the endpoint. Requires a defensive approach. Data leakage/theft is the primary threat. Everyday. 4 SPAM/WireFraud/So cial Engineering via . s are targeted against employees (executives in 2014) and designed to trick the user into installing software or performing wire transfers. 5 Virus Outbreaks A virus enters into the endpoint and is able to propagate through various means (open shares, windows exploitation, etc.) 6 Web Application Exploitation Hackers breaking into the bank through the front door (our websites). Endpoint compromise which leads to data exfiltration. Monetary client loss related to fraudulent wire fransfers. Happens less every year, but commodity and old viruses work on endpoints that do not have a working security stack. Loss of reputation, loss of data, a forensics nightmare and preventing a re-occurence. Everyday. Rare; due to proactive controls. Every minute. 15

16 Pillars of Information Security Governance Continuous Monitoring Identity & Access Mgmt Business Continuity Control Validation Risk Assessment Strategy & Architecture Policies Standards Best Practices Audit Oversight Regulatory Oversight Compliance Vendor Management Security Operations Centre Intrusion Prevention Anti-Virus Threat Intelligence Incident Response Customer & Employee Entitlements Provisioning & Deprovisioning Access Certification Strong Authentication Planning Testing Validation Reporting Incident Response Gap Analysis Data Loss Prevention Asset Management Vulnerability Management Cyber Threat Scenario Planning Impact Assessments Root Cause Analysis Due Diligence Mission + Vision Budget & Planning Education, Awareness and Training Organization & Planning Emerging Technology 16

17 Sample of Cyber Security Controls Deployed Vulnerability Scanning Technology Scanning more than 150,000 assets in a two week cycle Scanners running 24/7/365 Intrusion Prevention Systems Global deployment of Host-Based Intrusion Prevention systems on approximately 90,000 endpoints Global deployment of Network-Based Intrusion Prevention Systems Implemented above in full block mode Global Anti-virus deployments at network/ gateways and on workstations/endpoints Ongoing Application & Database Vulnerability Scanning Penetration tests Code reviews Hardening & Compliance Application Whitelisting Firewall logging Logical Access logging Security Information & Event Management (SIEM) technology Data Loss Prevention , Web, Endpoint 17

18 Threat Intelligence and Analysis FROM TACTICAL RESPONSE TO STRATEGIC DESIGN 18

19 Threat Intelligence - Overview Threat intelligence can be obtained through both external and internal sources. External: Information sharing and collaboration is critical for meaningful collection of actionable threat intelligence There are credible subscription-based sources of threat intelligence Formal intelligence sharing amongst industry peers is a valuable source Personal and informal relationships with industry sources /peers can often yield meaningful intelligence Internal Big Data Analysis: Many organizations already own the data that, when correlated, can provide highly actionable intelligence Implementation of Security Information & Event Management (SIEM) solutions can help to distill the huge amounts of data (Big data?) into actionable intelligence Organizations must learn from their threat response and remediation to identify ongoing dynamic improvements in their systems of controls. 19

20 Big Data Analytics Threat Intelligence - Data Management & Response Cyber Security Data Inputs NIST Cyber Security Framework Alignment: 1. Identify 2. Protect 3. Detect 4. Respond 5. Recover Threat Intel Various Sources Tactical: Day to Day Response IPS/IDS Offenses React & Remediate Anti-Malware (AV + Whitelisting) Trends & Baselines Identify Design Gaps Active Directory Firewall Logs Vulnerability and Configuration Data Network Monitoring Forensics & DLP Unstructured Data Normalize data Manage / Reduce events per second Structured data feed SIEM Advanced Analytics Hunt teams Structured Data Strategic: Continuous Improvements KRIs KPIs Measure & Report Proactive Remediation Patch Update Upgrade Remove Identify Improvements Anti-Fraud Reduce Offenses

21 Threat Intelligence: Key Concepts 1. Leverage the data you already own: Leverage the data you already have you likely already have considerable threat intelligence at your disposal. External threat intelligence is valuable and must be part of your program, but do not underestimate the value of the data generated by your existing controls. 2. Invest in technology which supports the collection and analysis of data from many sources SIEM technology for example may help by providing such a platform. 3. Do not underestimate the effort required to implement SIEM or other big data solutions. Ingesting data from disparate systems can be challenging. 4. Learn & Innovate: Our adversaries tactics can highlight design weaknesses Threat intelligence and response should help us learn and identify not only policy or configuration improvements, but most importantly proactive design improvements. 21

22 In Summary The need for Cyber Security has never been higher. The threats we face continue to compound over time. Our adversaries continue to find innovative ways to exploit our vulnerabilities. The changing work environment continues to challenge security professionals A broad set of cyber security professionals, processes and technology are required to keep pace with the evolving threat landscape and the evolving work environment. We must harness the intelligence (both internal and external) to protect our data and to learn and evolve our defenses. We must constantly learn, adapt and innovate. 22

23 Questions 23

24 Thank you! Greg J. Thompson CISSP