PACB One-Day Cybersecurity Workshop

Transcription

1 PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1

2 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance - DSU Phone: jon@protectmybank.com 2

3 My Experience 9 Years Information Security Information Security Program Design and Implementation IT Risk Assessment Penetration Testing Vulnerability Assessments Awareness Programs Vendor Management Business Continuity Technology Selection Info Security Consulting IT Audit ISP audit Controls audit ISP GAP Analysis Internet banking audit Anything else you can imagine! 3

4 Secure Banking Solutions Offshoot of the national center of excellence in bank security at Dakota State University Provides the help bank needs to have good security and successful IT exams Experience in Risk Management, ISP Development, and Auditing 45 states; 850 community banks across the US 4

5 Dakota State Nationally Recognized National Security Agency Department of Homeland Security 4,000 universities in the country Only 100 named national centers in the past 10 years National Center of Excellence in Information Assurance 5

6 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 6

7 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 7

8 Overall Threats Bank Internal & External System & Organizational Third Party Vendors Business Partners Downstream Partners Commercial Merchant Correspondent Banking ACH Origination etc. Consumer Phone Banking Internet Banking Mobile Banking Consumer Capture etc. 8

9 Capability Maturity Model 9

10 Assessment Maturity 4 Commercial Threats Goal 3 3 rd Party Threats Goal Bank Threats Goal Level of Assessment (CMM Levels) Consumer Threats Goal Consumer Low Threats Medium High Level of Risk Bank Threats 3 rd Party Threats Commercial Threats 10

11 Gramm-Leach-Bliley Act 501 (b) FINANCIAL INSTITUTIONS SAFEGUARDS. In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. 11

12 FDIC - Appendix B to Part 364 A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. B. Objectives. A bank's information security program shall be designed to: 1. Ensure the security and confidentiality of customer information; 2. Protect against any anticipated threats or hazards to the security or integrity of such information; 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and 4. Ensure the proper disposal of customer information and consumer information. 12

13 Apply to ISP Bank Risk Assessment Third Party Customer Audit Policy (ISP) 13

14 Cybersecurity WHAT IS CYBER SECURITY? WHAT DOES REGULATION SAY? 14

15 Agenda What is cybersecurity? What do I need to know about cybersecurity? What are some of today s cybersecurity threats? How do I build a useful Information Security Program? How do I build a Risk Assessment that helps me make decisions? People are the weakest link; how do I prepare and train my people to mitigate risk? Bad things are going to happen; it s inevitable. How do I plan for and prepare to respond to incidents? 15

16 What is Cybersecurity? Cyber Risk the increased probability that the veryhigh-impact, internet-based risks and threats we once thought were improbably will harm our networks Cybersecurity the controls and processes in place to protect our networks and customer information from cyber risk How does it relate to Information Security? discipline of Information Security, which not only encompasses Cybersecurity, but also all of the traditional things we ve done to protect our confidential customer information, including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more Images courtesy of ISACA and member Menny Barzilay 16

17 Cybersecurity America s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas. President Obama 17

18 Nation Security Summary Cybersecurity Information Sharing Act of 2015 encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats funnel corporate intelligence about cybersecurity threats and breaches through the Department of Homeland Security The Personal Data Notification & Protection Act This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also criminalizes illicit overseas trade in identities. 18

19 Growth in Banking New Products/Services Mobile Cash Management Consumer Capture Online Account Opening Integrative Teller Machines P2P Payment Systems Cybercrime Increasing Organized Crime Advance Persistent Threats Third Party Bank Customer 19

20 APT vs Organized Crime 20

21 New York State DFI Boards receiving updates less often than senior management. Specifically, 73% of institutions reported that the Board received information security updates quarterly or annually, whereas 33% of institutions reported that senior managers received monthly updates. The frequency of information security updates to CEO s varied dramatically amongst institutions, ranging from annually (30%), quarterly (24%), and monthly (22%) _cyber_security.pdf 21

22 New York State DFI Key pillars: 1) a written information security policy 2) security awareness education and employee training 3) risk management of cyber-risk, inclusive of identification of key risks and trends 4) information security audits 5) incident monitoring and reporting. General Statistics: only 62% of small institutions audit compliance of third party relationships 57% of small institutions have a DLP solution, compared to 78% of large institutions most reporting incidents involving malicious software (malware) (22%), phishing (21%), most frequent wrongful activity resulting from a cyber intrusion were account takeovers (46%) 22

23 CSBS Conference of State Banking Supervisors: The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue. 23

24 FFIEC Cybersecurity Assessments (2014) Main Site: Board/Senior Management Video: Observations: sessment_observations.pdf 24

25 Cybersecurity Asst s 2 nd Half of 2014 Targeted Regulatory Exams June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG) Approximately 500 assessments on banks with $1 billion or less in assets approx man-hours = big deal! Information gathering and learning mode Finalized report in December 2014 for all exams moving forward 25

26 Cybersecurity Assessment Scope Exams build upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook Assesses an institution s current practices and overall cybersecurity preparedness, with a focus on the following key areas: Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience 26

27 Summary of Results Must develop a strong risk management program Enhanced vulnerability assessment program Share and collaborate cyber security information with other institutions Enhanced vendor management program Enhanced incident response plans Training and education on information (cyber) security is going to be emphasized Board participation and education involving information security is going to be EXAMINED and REGULATED Are you keeping your Boards appraised of cyber security issues and how your institution is responding? 27

28 Lots of Questions The Cybersecurity General Observations document was only four pages, and quite broad Three MAJOR take-aways: Board of Directors are going to be EXPECTED to be MUCH more involved in Information Security Program activities Banks are going to have to have comprehensive, valuable, and repeatable Risk Management processes More regulation is to come! 28

29 Additional Cybersecurity Guidance FFIEC released two (2) additional pieces of guidance in March 2015: Statement on Destructive Malware Cyber attacks are focusing on businesses and increasing in frequency and severity and predominantly involve malware, which comes in many forms Cyber Attacks Compromising Credentials Attacks that aim to steal credentials are increasing; not just going after passwords, but all types of information Attacks involve phishing, malvertizing, watering holes, and webased attacks 29

30 Similarities between statements Half of these two statements are IDENTICAL but WHY? Process reinforcement! This is a very deliberate statement on behalf of the FFIEC to make sure that institutions are: Following strong risk management practices Identifying risk, making decisions to mitigate risk, documenting those decisions in an ISP, and implementing those decisions within their institution Testing those decisions (risk mitigating controls) regularly Training and educating their employees (especially the Board and senior management) Collaborating and sharing information with other institutions What do those general statements align with? Cybersecurity Assessment General Observations? 30

31 Which leads us to the present FFIEC Cybersecurity Assessment Tool released on Tuesday June 30th, 2015 Not really a tool, as we have traditionally defined software or hardware More of a process to help banks perform a self-assessment on their Cybersecurity Preparedness Based on size-and-complexity Resulting from the 2014 Cybersecurity Assessment lessons-learned 31

32 Overview 32

33 FFIEC CA Tool (3 parts) Three (3) major components 1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity 2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats 3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity. 33

34 Cybersecurity Inherent Risk Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats 34

35 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats 35

36 36

37 Cybersecurity Maturity Measure Maturity in 5 Domains (+ Assessment Factors) 1. Cyber Risk Management and Oversight Governance, Risk Management, Resources, and Training 2. Threat Intelligence and Collaboration Threat Intelligence, Monitoring & Analyzing, and Info Sharing 3. Cybersecurity Controls Preventative, Detective, and Corrective controls 4. External Dependency Management External Connections and (Vendor) Relationship Management 5. Cyber Incident Management and Resilience Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting 37

38 What is Cybersecurity Maturity? Determining whether an institution s behaviors, practices, and processes can support cybersecurity preparedness I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents? 38

39 How does Cybersecurity Maturity work? Measured by 5 Cybersecurity Maturity Levels 1. Baseline 2. Evolving 3. Intermediate 4. Advanced 5. Innovative 39

40 Determining Maturity Level Within each component, declarative statements describe activities supporting the assessment factor at each maturity level All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain s maturity level What this actually means: Identify the controls you have in place, starting with baseline controls and escalating up in order to determine maturity levels 40

41 41

42 Determining Maturity 42

43 Domains and Assessment Factors 43

44 Inherent Risk vs. Maturity All good Risk Management processes help make decisions and set goals How does one determine Inherent Risk versus Cybersecurity Maturity? And more importantly, what is the right Inherent Risk vs. Maturity level? 44

45 Inherent Risk vs. Maturity Guide to determining Inherent Risk vs. Maturity: Step 1: Determine organizational Inherent Risk What was your Inherent Risk after completing the first part of the assessment? Step 2: Determine Cybersecurity Maturity Level for each Domain (there are 5 of them) Use the following Risk vs. Maturity Relationship chart to determine where your organization falls There are a range of goals for each Domain vs. Inherent Risk; do you meet those goals? 45

46 Increasing Maturity 46

47 Meeting goals Now that you ve determined your goals, does that mean you re done? Nope! Are you meeting these goals? Are you the bottom rung? Is that ok? How to you continue to increase your maturity? 47

48 Inherent Risk vs. Maturity No single expected level for an institution An institution s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Management should consider reevaluating the institution s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile. 48

49 Other IMPORTANT takeaways Is this new FFIEC Cybersecurity Assessment Tool (CAT) a replacement for my IT Risk Assessment? Absolutely not! This FFIEC CAT is a self-assessment of cybersecurity preparedness only, not a determination of risks and controls around your confidential customer information The assessment process is not a one-time project or process, but rather an ongoing assessment that the institution will be expected to keep up and utilize on an ongoing basis. 49

50 Who is responsible for the CAT? It is an expectation that C-Level Management and/or Board of Directors install a top-down approach to cybersecurity The President/CEO will be expected to DRIVE this Cybersecurity Assessment process (read: not necessarily complete each question), and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean from a high-level 50

51 How much does the Board need to know? Board involvement was a major point of the FFIEC Cybersecurity Assessment that were performed in the second half of 2014 and heavily mentioned in the General Observations The Cybersecurity Assessment Tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn t think the FFIEC is taking Board involvement seriously. Domain 1 - Cyber Risk Management and Oversight talks about Board involvement on an increasing frequency to go with increasing maturity, particularly in the Oversight component of the Governance factor, mentioning the Board fourteen (14) times alone. So pretty involved, at least with knowing what is going on 51

52 What is the goal of this CAT? 1. Highlight areas of weakness and strength regarding how you are or will be able to handle a cybersecurity attack Also highlight how you can mitigate this risk and implement additional controls 2. Give regulators and examiners an idea of how capable your institution is regarding cybersecurity preparedness Based on size and complexity! Also seriously your institution is taking this new cybersecurity initiative. 52

53 What should I expect from examiners? The FFIEC says this is optional, but I think we know better The FDIC states that participation is voluntary However, the OCC and Federal Reserve have stated that they WILL begin including this in their exam procedures yet in

54 Next steps? 1. Determine Inherent Risk 2. Determine Domain Maturity 3. Identify Goals 4. Identify Gaps 5. Implement additional controls 6. Increase maturity 7. Repeat 54

55 Ties to NIST The FFIEC has mapped all of the processes in the Cybersecurity Assessment tool to the NIST Cybersecurity Framework 55

56 SBS Cyber-RISK tm Tool Goals of the FREE Cyber-RISK tm tool: 1. Automate the Cybersecurity Assessment Tool 2. Save you from creating your own spreadsheet 3. Make your life easier and more efficient 4. Provide you with one-click reports 5. Improve the process by tying the Inherent Risk and Cybersecurity Maturity processes together more intuitively 6. Get you peer comparison data (down the road) 7. Access to your own personal Information Security Expert if you need us! 56

57 Additional Cyber Security Resources SBS Cybersecurity Assessment Blog: Sign up for the FREE Cyber-RISK tool: SBS Institute Certifications: 57