Ed McMurray, CISA, CISSP, CTGA CoNetrix

Transcription

1 Ed McMurray, CISA, CISSP, CTGA CoNetrix

2 AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats (if we have time)

3 DISCLAIMER The information contained in this session may contain privileged and confidential information. This presentation is for information purposes only. Before acting on any ideas presented in this session; security, legal, technical, and reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution. No computer system can provide absolute security under all conditions. Any views or opinions presented do not necessarily state or reflect those of CoNetrix or ICBA NM. The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited. All original CoNetrix material is Copyright 2015 CoNetrix

4 CoNetrix

5

6 CYBERSECURITY RECENT HISTORY Feb Presidential Executive Order June 2013 FFIEC forms Cybersecurity and Critical Infrastructure Working Group Aug Council on Cybersecurity launched Feb NIST Released Cybersecurity Framework May 2014 NY Report on Cybersecurity in the Banking Sector May 2014 FFIEC Cybersecurity webinar June 2014 FFIEC Launches Cybersecurity Web Page June July 2014 FFIEC Commences Cybersecurity Assessments Nov FFIEC Released Observation from Cybersecurity Assessment Feb FFIEC Revised BCP IT Exam Booklet Mar FFIEC Provides Overview of Cybersecurity Priorities Mar Office of Inspector General releases report on FDIC s Supervisory Approach to Cyberattack Risks Mar FFIEC Releases 2 Statements on Compromised Credentials and Destructive Malware June 2015 FFIEC Releases Cybersecurity Assessment Tool

7

8

9 FEDERAL RESERVE SR 15-9 In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions cybersecurity preparedness in information technology and safety and soundness examinations and inspections.

10 OCC BULLETIN The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.

11 FDIC FIL Use of the Cybersecurity Assessment Tool is voluntary. FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.

12 CONFERENCE OF STATE BANK SUPERVISORS (CSBS) The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue. - CSBS Cybersecurity 101

13 NY STATE REPORT ON CYBER SECURITY

14 CHALLENGE PCI DSS We are now have multiple information security frameworks. How do they fit together? NACHA Security IT/GLBA Information Security Program NIST Cybersecurity Framework HIPAA FFIEC Cybersecurity Assessment Tool

15 HOPEFULLY... We would like to see integration. One information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc. IT/GLBA Information Security Program FFIEC Cybersecurity Assessment Tool PCI DSS NACHA Security HIPAA More alignment NIST Cybersecurity Framework

16 REQUEST FOR ALIGNMENT OF FFIEC & NIST CYBERSECURITY DOCUMENTS

17

18 CALL FOR CYBERSECURITY FRAMEWORK Voluntary riskbased set of industry standards & best practices Methodology to protect individual privacy & civil liberties through cybersecurity activities Framework for Improving Critical Infrastructure Cybersecurity v1.0 (NIST)

19 NIST CYBERSECURITY FRAMEWORK CORE

20 NIST CYBERSECURITY FRAMEWORK

21 FRAMEWORK CORE Identify Recover Protect Respond Detect

22 IMPLEMENTATION TIERS Partial Risk Informed Repeatable Adaptive

23

24 PROCESS FLOW

25 FFIEC CYBERSECURITY ASSESSMENT TOOL Part One: Inherent Risk Profile Part Two: Cybersecurity Maturity Interpreting & Analysis Senior management and Board reporting

26 PART ONE: INHERENT RISK PROFILE Consists of 78 questions across 5 categories: Technology and Connection Types Delivery Channels Online/Mobile Products and Technology Services Organizational Characteristics External Threats

27 INHERENT RISK PROFILE LAYOUT

28 DETERMINE INHERENT RISK PROFILE

29 PART TWO: CYBERSECURITY MATURITY Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience

30 CYBERSECURITY MATURITY LEVELS Services

31 CYBERSECURITY MATURITY

32 MATURITY MODEL Domain > Assessment Factor > Contributing Components > Declarative Statements

33 CYBERSECURITY MATURITY EXCERPT

34 MATURITY

35 CYBERSECURITY MATURITY LEVELS

36 SETTING MATURITY LEVELS All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain s maturity level. While management can determine the institution s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.

37 MATURITY

38 INTERPRETING & ANALYZING RESULTS

39 INTERPRETING AND ANALYZING RESULTS

40 BENEFITS Identifying factors contributing to and determining the institution s overall cyber risk. Assessing the institution s cybersecurity preparedness. Evaluating whether the institution s cybersecurity preparedness is aligned with its risks. Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution s desired state of cyber preparedness. Informing risk management strategies.

41 FFIEC PRIORITIES Cybersecurity Self-Assessment Tool Incident Analysis Crisis Management Training Policy Development Technology Service Provider Strategy Collaboration with Law Enforcement and Intelligence Agencies

42 RESOURCES FFIEC Cybersecurity Awareness Web Page: NCUA Cyber Security Resources: NIST Cybersecurity Framework: Financial Services Information Sharing and Analysis Center (FS-ISAC): InfraGard: US Computer Emergency Readiness Team: US Secret Service Electronic Crimes Task Force: ISACA Cybersecurity NEXUS: Council on CyberSecurity: CSBS Conference of State Bank Supervisors

43 FDIC CYBER CHALLENGE VIDEOS

44 QUESTIONS Ed McMurray CoNetrix

45 CASE STUDY A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.

46 SOCIAL ENGINEERING TESTS 99 TESTS 99 Social Engineering Tests in % 87% Passed Failed

47 SOCIAL ENGINEERING TESTS 90 Social Engineering Tests conducted in Phishing Failed Passed Social Engineering Call

48 SOCIAL ENGINEERING TESTS - DETAILS Type of Test Total Tests Total Responses % Failure Phishing 5,935 1, % Social Engineering Call %

49 MODEMS DISCOVERED Modems Discovered from 91 tests in % 51% Yes No

50 REVIEW OF IT AUDIT OBSERVATIONS 50 IT Audits and Assessments conducted in between 8/2014-2/ IT/GLBA Audit & Assessments 4 IT Security Reviews 1 Network Assessments

51 REVIEW OF IT AUDIT OBSERVATIONS DEMOGRAPHICS Customers by Regulating Body: 53% FDIC 31% OCC 16% Other Customers by Asset Size: 10% <100M 42% 100M-300M 23% 300M-500M 11% 500M-1B 6% >1B 8% N/A

52 IT AUDIT OVERALL STATUS Overall Security and Compliance Rating 11% 2% 53% 34% Strong Satisfactory Needs Improvement Weak

53 % OF FINDINGS REPEAT Repeat 18% 82% Yes No

54 RISK LEVELS DEFINED In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to: The likelihood a deficiency is exploited The impact on the bank or its customers Any existing controls used to mitigate associated risk levels Risk levels are defined as follows: High: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information due to little or no mitigating controls Medium: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level Low:A deficiency posing a possible threat to the availability, integrity, and/or confidentiality of customer or bank information

55 FIREWALL OBSERVATIONS Router/Firewall Findings 14% 2% 16% 68% High Risk Medium Risk Low Risk No Finding

56 PATCH MANAGEMENT OBSERVATIONS Patch Management Findings 22% 4% 44% 30% High Risk Medium Risk Low Risk No Finding

57 LOCAL ADMINISTRATOR OBSERVATIONS Users Running as Local Administrator 2% 38% 32% 28% High Risk Medium Risk Low Risk No Finding

58 ANTIVIRUS OBSERVATIONS Antivirus Findings 2% 26% 54% 18% High Risk Medium Risk Low Risk No Finding

59

60 MOBILE DEVICE OBSERVATIONS Mobile Device Findings 8% 10% 14% 68% High Risk Medium Risk Low Risk No Finding

61 LAPTOP ENCRYPTION OBSERVATIONS Laptops Not Encrypted Findings 4% 8% 10% 78% High Risk Medium Risk Low Risk No Finding

62 REMOVABLE MEDIA OBSERVATIONS Removable Media Findings 2% 20% 64% 14% High Risk Medium Risk Low Risk No Finding

63 PASSWORD OBSERVATIONS

64 PASSWORD OBSERVATIONS Password Findings 6% 32% 26% 36% High Risk Medium Risk Low Risk No Finding

65 AUTHENTICATION OBSERVATIONS Multi-factor Authentication Findings 4% 10% 86% High Risk Medium Risk Low Risk No Finding

66 THIRD PARTY OVERSIGHT OBSERVATIONS Vendor Management Findings 6% 30% 38% 26% High Risk Medium Risk Low Risk No Finding

67 BUSINESS CONTINUITY OBSERVATIONS

68 BUSINESS CONTINUITY OBSERVATIONS BCP/DR Findings 18% 10% 30% 42% High Risk Medium Risk Low Risk No Finding

69 INCIDENT RESPONSE OBSERVATIONS

70 INCIDENT RESPONSE OBSERVATIONS Incident Response Findings 22% 64% 14% High Risk Medium Risk Low Risk No Finding

71 RISK MANAGEMENT OBSERVATIONS Risk Assessment Findings 4% 40% 28% 28% High Risk Medium Risk Low Risk No Finding