Cybersecurity and Other IT Related Focus Areas. Francis Tam, Partner

Transcription

1 Cybersecurity and Other IT Related Focus Areas Francis Tam, Partner

2 Agenda Cybersecurity Payment Card Industry (PCI) Outsourced Cloud Computing 2

3 Cybersecurity $45 million cyberheist and ATM cash out scheme of December 2012, May 2013, and November Twenty five suspects detained in an international cybercrime ring in April Hijack of domain name service (DNS) of Federal Reserve Bank of St. Louis to redirect (research.stlouisfed.org ) visitors to look alike sites that were under attackers control in April In January 2015, Morgan Stanley fired an employee who they claim stole account data for hundreds of thousands of their wealth management clients. Stolen information for approximately 900 of those clients was posted online for a brief period of time, the company says.

4 Cybersecurity ebay May 2014: 145 million user accounts impacted; $200 million hit to revenue Anthem Health Insurance February 2015: PII for 80 million customers stolen; $100+ million to fix Home Depot September 2014: 109 million customer records stolen (56 million payment card, 53 million e mails) icloud, Sony, Neiman Marcus, UPS, Jimmy Johns, and on, and on, and on..

5 Cybersecurity Heightened awareness of cybersecurity Legislation and regulations on cybersecurity and privacy o SB 1386 California Security Breach Information Act o Red Flag Act o PCI DSS o Cybersecurity Information Sharing Act of 2014 (CISA) (proposed)

6 Cybersecurity New Federal agencies on cybersecurity o Cyber Threat Intelligence Integration Center (CTIIC; pronounced see tick), which culls cyberthreat information from a variety of sources within the government and business community and then produces timely intelligence about the latest threats and threat actors o The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC; pronounced n kick) is an around the clock cyber situational awareness, incident response, and management center that's at the nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement

7 Cybersecurity

8 Cybersecurity FFIEC members include: ( Board of Governors of the Federal Reserve System Consumer Financial Protection Bureau Federal Deposit Insurance Corporation National Credit Union Administration Office of the Comptroller of the Currency State Liaison Committee

9 Cybersecurity: Evolution of Technology in FI

10 Cybersecurity: Current Threats

11 Cybersecurity: Current Threats

12 Cybersecurity: Cyber Risk Management Governance Threat intelligence Third party/vendor management Incident response and resilience

13 Cybersecurity: Governance

14 Cybersecurity: Threat Intelligence Internal Resources Internal audit reports Fraud detection tools Anti Money Laundering/ Office of Foreign Assets Control/Bank Secrecy Act tools External Resources Financial Services Information and Sharing Analysis Center (FS ISAC) FBI InfraGard United States Secret Service (USSS) Electronic Crimes Task Forces Conferences Vendor Reports CTIIC NCCIC 14

15 Cybersecurity: Third Party/Vendor Management

16 Cybersecurity: Third Party/Vendor Management The latest FFIEC guidance builds on updated third party risk guidance the OCC issued in August 2014 On February 6, 2015, the FFIEC added a 16 page appendix to its Business Continuity Planning (BCP) Booklet, which was first issued in March 2003 and included in the FFIEC's IT Examination Handbook The new appendix, "Strengthening the Resilience of Outsourced Technology Services," specifically calls out key cybersecurity risks, such as distributed denial ofservice attacks, the need for more due diligence of third parties, and infrastructural interdependencies

17 Cybersecurity: Third Party/Vendor Management Appendix J of the BCP Booklet discusses the following four key elements of BCP that a financial institution should address to ensure that their technology service providers (TSPs) are providing resilient technology services: Third Party Management Third Party Capacity Testing with Third Party TSPs Cyber Resilience

18 Cybersecurity: Third Party/Vendor Management Cybercriminals leapfrog through Bank information supply chains A bank's cybersecurity is often only as good as the cybersecurity of its vendors; unfortunately, those third party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data NYDFS expects to move forward by end of 2015 on regulations strengthening cybersecurity standards for banks' third party vendors, including potential measures related to the representations and warranties banks receive about the cybersecurity protections in place at those firms Federal guidance, including FFIEC, will mirror soon

19 Cybersecurity: Incident Response and Resilience Preparation o Incident response plan and policy o Incident response team Escalation: Internal Notification: External

20 Cybersecurity: Strategy People security awareness training, constant education, instill in the culture Process SOPs, SDLC, change management, provisioning/ deprovisioning, access authorization Policy acceptable use policy, e mail security, BYOD policy, system acquisition, incident response and escalation, business continuity Technology firewall(s), network design, IDS/IPS, AV/DLP, MDM, encryption, system alerting Monitoring ongoing review, awareness and risk assessment/ business impact analysis Governance Tone at the top, IT strategy, and cybersecurity insurance

21 Cybersecurity: Technology Areas Technical: Network topology, architecture, and design Network device security DMZ and VLAN segmentation External connections and extranets Wireless access point security Web server security Internet content filtering and scanning Intrusion detection/prevention systems Remote access, VPN connectivity, and modem access Citrix/Terminal Services Logging, monitoring, and alerting Server security and baselines Virtual environment security Workstation security and hardening Operating system security and configuration Application security Database security E mail security Mobile device security, including BYOD strategy Virus, spyware, spam, and other malware filtering Containment measures Data leakage protections (DLP) Data encryption (in transit and at rest) Data backup, restoration, and backup media storage Physical: Physical system placement and protection Data center physical access and security controls Access logging and auditing Environmental controls Administrative: Information security management Information security policies Organizational controls including staffing External party risks (e.g., hosting, cloud service providers, etc.) Compliance with information security laws and regulations (e.g., CJIS, HIPAA, PCI DSS, etc.) Software development lifecycle (SDLC) Source code management Change management of systems and security components Testing and development procedures Configuration management Authentication/login management Identity management and authorization User awareness and training Segregation of duties Information leakage Security incident response Disaster recovery planning Asset management Media disposal, including paper records Software licensing compliance Self auditing procedures (e.g., account reviews, penetration testing, etc.) Remediation procedures Human Resources security Software and hardware asset tracking Software/firmware patch management Equipment leasing agreements and processes Social Engineering: Phishing Security awareness 21

22 Payment Card Industry (PCI) Europay, MasterCard, Visa (EMV) smartcards were designed and introduced to reduce fraud occurring in magnetic stripe face to face environments, by using integrated circuit (IC) based cards that use secret cryptographic keys to generate authentication and authorization data. Currently, card present counterfeit losses are generally the responsibility of the issuing bank.

23 Payment Card Industry (PCI) However, on October 1, 2015, the card companies are changing the rules. As of that date, the entity responsible for the EMV information will be held financially responsible for certain card present counterfeit losses. That means that if the bank issued a card without the microchip, it may be responsible for any card present fraudulent card losses. However, if the card had the microchip and the provider did not process the information, then the provider may be responsible for any losses.

24 Payment Card Industry (PCI) EMV compliance is required for credit card acquirers and issuers, though it s not mandated for merchants and processors. But merchants who don t meet compliance by October 2015 will assume liability for fraudulent purchases a shift that is poised to drive many to adopt the new standards and avoid the risk Therefore, the first decision merchants need to make is whether they want the financial responsibility for these chargebacks or, alternatively, if they want to invest in the proper POS device to read and transmit EMV chip card information

25 Payment Card Industry (PCI) It will reduce cloned cards but will not necessarily reduce fraud It's widely acknowledged, based on global experience, that once face to face transactions become more difficult to compromise because of the EMV chip, attackers will move to the next most profitable outlet: card not present (CNP) or e commerce realm

26 Payment Card Industry (PCI) To combat against CNP fraud, an extra layer of authentication will be needed. For example, a financial institution offers through a mobile app or online banking application a tool that allows a cardholder to create rules that notify the cardholder when online (CNP) transactions are initiated. Once notified, the transaction can be required to go through an extra authentication step to authorize a CNP transaction. The process puts more onus on the cardholder.

27 Payment Card Industry (PCI) Attacks can move to the third party service providers, such as payment processors, where authentication data can still move in clear text. Your service providers need a three pronged approach: EMV, tokenization, and end to end encryption.

28 Payment Card Industry (PCI) PCI DSS v3.0 issued on November 7, 2013, and did not take effect until January 2015 More emphasis on user education and awareness Expanded daily operational requirements Flexibility on passwords, log, and alerts More oversight of third party responsibilities Penetration testing guidance and validation of segmentation More robust testing and verification of SDLC process

29 Outsourced Cloud Computing

30 Outsourced Cloud Computing: Cloud Drivers Access on demand services Gain flexibility and speed in implementations Scalability quickly provision capacity as needed Cost containment Sustainability and resiliency Eliminate hardware failure and upgrades Availability of disaster recovery zones Leverage IT technology evolution Access professional infrastructure management

31 Outsourced Cloud Computing: FFIEC Informational Guidance

32 Outsourced Cloud Computing: Concerns Loss of control Hidden costs renewal rates rise, obscure costs, etc. Integration costs and vendor lock in Service reliability (emerging vendors) Physical location of data storage (crossing state and national borders, with varying privacy laws) Unclear who owns rights to the data Inability to customize Infrastructure limitations

33 Outsourced Cloud Computing: Top Threats Abuse and nefarious use of cloud computing Account or service hijacking Insecure interfaces and APIs Data breaches Data loss, leakage, or theft Denial of service Malicious insiders Unknown risk profile Insufficient due diligence

34 Outsourced Cloud Computing: Preparations Appoint a compliance lead Become familiar with SOC 2 reporting requirements Select the relevant principles Define controls to meet criteria Leverage existing materials Perform proper planning with subservice providers Provide ongoing monitoring of controls Maintain and deliver sufficient audit evidence Provide management assertion and representations

35 Outsourced Cloud Computing: Due Diligence Conduct regular formal due diligence Periodically monitor the cloud provider s system Assess policies, procedures, and information security controls in place Examine the inputs and outputs being provided; conduct regular audits Inquire and assess how legal, regulatory, and reputational considerations apply Assess business continuity planning

36 Questions? Francis Tam Moss Adams LLP

37