PACB One-Day Cybersecurity Workshop

Transcription

1 PACB One-Day Cybersecurity Workshop CYBERSECURITY AWARENESS AND TRAINING! PRESENTED BY: JON WALDMAN, SBS CISA, CRISC Secure Banking Solutions, LLC 1

2 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents?

3 Security Awareness Training HOW DO YOU SECURE THE HUMAN?

4 Security Awareness Security Awareness is the degree or extent to which every member of staff understands: the importance of security the levels of security appropriate to the organization their individual security responsibilities... and acts accordingly.

5 Social Engineering The manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer". People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation. Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking. We believe social engineering is the single greatest security risk in the decade ahead."

6 Regulatory Requirements The Federal Reserve says: The Security Guidelines require a financial institution to train staff to prepare and implement its information security program. III.C.2 of the Security Guidelines. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program. For example, an institution should: Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information. FDIC says Train staff to implement the bank's information security program.

7 Regulatory Requirements The FFIEC Info Security booklet says: Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials for desktop and workstation users would typically review the acceptable use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.

8 Document a Policy Define target and purpose Define the number of hours annually Documentation requirements for attendance Define general topics Require additional details in a program (ISAP)

9 Sample ISAP Program

10 ISAP Program Topics Training Topics Training Videos Information Security Day/Week Security Posters Trainer/Outsourcing Reporting/Documentation Integration of Acceptable Use

11 Meeting FFIEC Compliance: Customer Awareness and Education 1.Handouts / Pamphlets 2.Posters / Calendars 3.Security Awareness Day 4.InfraGard Certification 5.Social Engineering Tests 6.Games 7.Resources 8.Commercial Customer Roundtable

12 Posters

13 Awareness Brochures

14 Regular Notifications From the ISO Test your Phishing IQ: For more general information about protecting yourself from Internet Fraud, please read this article:

15 Securing the Human

16 Infragard Awareness

17 Security Awareness Day

18 Onsite or Online Education

19 Customer Auditing Controls Audit Onsite visits Self Assessment / Evidence Social Engineering Tests On customers? USB/Media Dumpster Diving Phishing Impersonation Physical and phone

20 Physical Security And Social Engineering Examples Physical Impersonation

21 Physical Security And Social Engineering Examples Pretext Calling

22 Physical Security And Social Engineering Examples Phishing, Spear Phishing, and Whaling

23 Physical Security And Social Engineering Examples Dumpster Diving

24 Physical Security And Social Engineering Examples Unknown Media or Baiting