THE EVOLUTION OF CYBERSECURITY

Transcription

1 THE EVOLUTION OF CYBERSECURITY Identifying Best Practices June 2, 2015 Cerone F. Cy Sturdivant Managing Consultant Nashville, TN 1

2 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided If you are viewing this webinar in a group Complete group attendance form with Title & date of live webinar Your company name Your printed name, signature & address All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar Answer polls when they are provided If all eligibility requirements are met, each participant will be ed their CPE certificates within 15 business days of live webinar TODAY S AGENDA Formally defining cybersecurity Assessing your cybersecurity preparedness Cybersecurity program development Regulatory expectations 2

3 DEFINING CYBERSECURITY In recent security discussions, there are references to both cybersecurity & information security. The terms are often used interchangeably, but in reality, cybersecurity is a part of information security Note: The interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. All of these factors have influenced the shift from information security to cybersecurity DEFINING CYBERSECURITY Information security deals with protecting information, regardless of its format: physical documents, digital, intellectual property in people s minds & verbal or visual communications Cybersecurity is concerned with protecting digital assets everything from networks to hardware & information processed, stored or transported by internetworked information systems 3

4 DEFINING CYBERSECURITY NIST has a very appropriate definition for financial institutions The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Identifying attacks: For financial institutions, employee training & customer awareness are key 4

5 DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Defending against attacks is in design & operation of network & application environment; most banks we work with do this well DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Responding to attacks refers to your institution s incident response plans 5

6 DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Recovering from attacks should be covered by your Disaster Recovery/Business Continuity Plan CYBERSECURITY CONCEPTS Objective of cybersecurity is threefold, involving the critical components of confidentiality, integrity & availability Confidentiality Integrity Availability 6

7 CONFIDENTIALITY, INTEGRITY & AVAILABILITY Confidentiality is protection of information from unauthorized access or disclosure Integrity is protection of information from unauthorized modification Availability ensures timely & reliable access to & use of information & systems FFIEC Cyber Preparedness Assessment Pilot cybersecurity examination work program (Cybersecurity Assessment) conducted in June 2014 at over 500 community financial institutions with less than $1 billion in assets to evaluate their preparedness to mitigate cyber risks FFIEC regulators released initial results of their assessment in November

8 CYBERSECURITY PREPAREDNESS In addition to cybersecurity inherent risk, the Cybersecurity Assessment reviewed financial institutions current practices & overall preparedness, focusing on the following Risk management & oversight Threat intelligence & collaboration Cybersecurity controls External dependency management Cyber incident management & resilience BREAKING NEWS - Preliminary observations indicate most banks do not fully understand specific threats that face them 15 CYBERSECURITY PREPAREDNESS UTILIZING NIST FRAMEWORK Framework can be used to help identify & prioritize actions for reducing cybersecurity risk, & it is a tool for aligning policy, business & technological approaches to managing that risk Framework enables organizations regardless of size, cyber risk or cybersecurity sophistication to apply principles & best practices of risk management to improving cybersecurity & securing critical infrastructure 16 8

9 NIST FRAMEWORK OVERVIEW 17 CYBERSECURITY PROGRAM A cybersecurity program should integrate all aspects of bank s existing programs GLBA Information Security Program Business Continuity & Disaster Recovery Incident Response & Crisis Management Plans Third-Party Risk Management 9

10 EXAMPLE OF A CYBER ATTACK WIRE FRAUD Money Israel Bank United States Bank Money Manufacturer: Israel Product Money Re-Seller: United States 19 EXAMPLE OF WIRE FRAUD PART TWO Kuala Lumpur Bank What Money??? Israel Bank United States Bank Where is my money??? Money Manufacturer: Israel Product Re-Seller: United States What did I do????? 20 10

11 CYBER ATTACK WHAT COULD HAVE BEEN DONE? Technical Content/spam filter to prevent phishing People Awareness training Management review of change to wiring instructions Phone verification of change INCIDENT RESPONSE Technical Design of network and infrastructure Monitoring IDS/IPS Testing People Training to recognize attack Don t get distracted Recognize it for what it is Management oversight 11

12 BUSINESS RESUMPTION Technical Separate DR site Additional equipment Backup strategy Regular testing Vendor management People Third-party resources, if needed, on call Core & IT engineers Training in resumption EXAMINER EXPECTATIONS Incorporate cybersecurity into all existing programs & policies Enhance IT-related risk assessments to identify & address cyber-specific threats Enhance training efforts employees, board & customers Strengthen monitoring controls Strengthen incident response efforts 12

13 CONCLUSION Financial institutions have to be careful they aren't tempted to make their reviews for cyber-resilience a checkbox compliance exercise. Ensuring cyber-resilience of their internal networks & people, as well as networks of their third-party service providers & vendors, requires going beyond simply implementing recommendations in new guidelines CYBERSECURITY RESOURCES FFIEC Cybersecurity Awareness - Bank Info Security - ABA Center for Payments and Cybersecurity - NIST Framework - FS-ISAC

14 QUESTIONS? CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars. 14

15 THANK YOU! FOR MORE INFORMATION Cerone F. Cy Sturdivant, CISA Managing Consultant BKD, LLP One American Center 3100 West End Ave, Suite 850 Nashville, TN , Ext