Cybersecurity. WBA Bank Executives Conference February 2 4, 2015 Milwaukee, WI

Transcription

1 Cybersecurity WBA Bank Executives Conference February 2 4, 2015 Milwaukee, WI Dr. Kevin Streff Founder: Secure Banking Solutions, LLC

2 Goals Understand IT cybersecurity law and regulation Understand the cybersecurity threats to community banks today View a comprehensive information security framework Learn to expand and mature risk assessment programs: IT risk assessment Third party vendors assessments Corporate account assessments (CATO) Enterprise Risk Management Set the tone at the top

3 Gramm Leach Bliley Act Management must develop a written information security program What is the M in the CAMEL rating? Don t just do good security things, have a well managed program Don t rely on individual heroism, have a well managed program The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank 3

4 Gramm Leach Bliley Act Gramm Leach Bliley Act requires your bank to develop and implement 1) an Information Security Program and 2) Risk Assessments Information Security Program: A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank s operations and the nature and scope of its activities. Risk Assessment Program: Prior to implementing an information security program, a bank must first conduct a risk assessment

5 Other Important Regulation FFIEC Authentication Supplement Corporate Account Takeover Regulation Vendor Management Regulation Social Media Regulation ATM Guidance DDOS Guidance

6 Board of Directors and Management Team is Responsible for Security On a scale of 1 to 10, grade your ability to: Understand cyber risks Give attention & resources to cyber risks 6

7 Layered Security Approach 7

8 False Sense of Security 8

9 What Can You Do? Focus on the big 5 threats Focus on a comprehensive information security program Get good at risk assessment Create security metrics Management and Board training 9

10 Top Security Threats 1. Hacking 2. Data Leakage 3. Social Engineering 4. Corporate Account Takeover 5. ATM Most threats involve installing MALWARE Small and medium sized banks are in the cross-hairs of the cyber criminal Howard Schmidt, Cybersecurity Secretary for the White House10

11 Hacking Threat #1 11

12 Hacker Tools Examples Tools to hack your bank are downloadable Default passwords are all available Economy is available to sell stolen data ( underground markets ) stolen in target breachflood underground markets/ 12

13 Data Leakage Threat #2 13

14 Data Leakage Data Leakage is about insiders leaking customer information out of your bank 14

15 Social Engineering Threat #3 15

16 Social Engineering What is Social Engineering? Exploitation of human nature for the gathering of sensitive information. Tool attackers use to gain knowledge about employees, networks, vendors or other business associates. 16

17 Sample Social Engineering Methods Phishing/Pharming Telephone (Remote Impersonation) Dumpster Diving Impersonation E mail Scams USB Sticks 17

18 Corporate Account Takeover Threat #4 18

19 Corporate Account Takeover Hijacking/Impersonating an ACH or wire 70% of small businesses lack basic security controls Firewall, Strong passwords, Malware Protection Etc. 19

20 ATM Fraud Threat #5 20

21 Question How long does it take to install a skimmer? withatm skimmers part iii/ 21

22 Skimmer Camera 22

23 23

24 ATM Cyber Heists 24

25 Question for Boards & Mgmt Team What is your bank doing to mitigate the risks of: Hacking Data Leakage Social Engineering Corporate Account Takeover ATM Fraud Answer Should Be: 1.Layered Security Program 2.Risk Assessment 3.Awareness and Education 25

26 Layered Information Security Program I.T. Risk Assessment Asset Management Documentation Vendor Management Penetration Testing Vulnerability Assessment Security Awareness Boards & Business Continuity Committees Incident Response I.T. Audit 26

27 27

28 28

29 Bank Assessments

30 Risk Assessment Evaluating technology risk to implement a comprehensive security program Bank may not have security experts on staff Manual approach time is spent creating the spreadsheet (versus making decision) Bottom Line Reality: Done to appease the regulators Does not drive value for the bank Does not tell me how to spend my next security $ 30

31 IT Risk Management Tools Efficiency Repeatability Quality Automate processes Examiners like them BOTTOM LINE #1: Act as your security expert BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet) 31

32

33

34

35

36 Vendor Assessments Third Party Risk Management

37 Third Party Risk FIL Four Elements of a Risk Management Program: Due Diligence in Selecting a Third Party Risk Assessment Contract Structuring and Review Due Diligence in Vendor Oversight Risk Assessment Contract Structuring and Review

38 Cost Benefit Analysis

39 Reference Evaluation

40 Documenting Controls

41 Due Diligence

42 Residual Risk Score Pay attention to the residual risk Notice that DCI has done the most to reduce the risk of information security threats

43 Contract Review

44 Commercial Account Assessments Commercial Banking Fraud

45 Commercial Account Takeover FFIEC Guidance FFIEC s Interagency Supplement to Authentication in an Internet Banking Environment states the following activities to mitigate commercial account takeover: Risk Assess to better understand and respond to emerging threats. Increased multi factor authentication. Layered security controls. Improved device identification and protection. Improved customer and employee fraud awareness. CSBS CATO Guidance 45

46 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts

47 47

48 48

49 Assessment Results 49

50 Enterprise Risk Management

51 ERM Risk Mitigation Goals 51

52 ERM Protection Profile 52

53 ERM Threats 53

54 ERM Controls 54

55 ERM Reporting 55

56 Report Risk Mitigation 56

57 Report Threat Source 57

58 REPORT PEERCOMPARISON 58 Sec ure Ban king Sol

59 Summary Understand IT cybersecurity law and regulation Understand the cybersecurity threats to community banks today Viewed a comprehensive information security framework Learned to expand and mature risk assessment programs: IT risk assessment Third party vendors assessments Corporate account assessments (CATO) Enterprise Risk Management

60 Dr. Kevin Streff Director: Center for Information Security at Dakota State University (605) Founder: Secure Banking Solutions (605)

61 2014 FFIEC Cybersecurity Assessments

62 Cybersecurity & Critical Infrastructure Working Group (CCWIG) Targeted Regulatory Exams June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG) Approximately 500 assessments with $1 billion or less in assets Information gathering and learning mode Finalized report in mid 2014 for all exams moving forward 62

63 Summary of Results Stronger risk management programs Enhanced vulnerability assessment program Share and collaborate cyber security information with other institutions Enhanced vendor management program Enhanced incident response plans Training and education on information (cyber) security is going to be emphasized Board participation and education involving information security is going to be EXAMINED and REGULATED Are you keeping your Boards appraised of cyber security issues and how your institution is responding? 63

64 Cybersecurity Training Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture. Boards and Management are going to be held to a higher standard 64

65 Train Your Board, Staff & Management Team Involve in Awareness Program InfraGard Certification Program SBS Certification Program Certified Board Member CCBSP CCBTP 65

66 InfraGard Certification Training program for staff on information security The InfraGard Awareness information security awareness course is FREE to all individuals and small businesses with 25 or fewer employees. Send your Board thru this program! Tweleve lessons (4 9 minutes each) Optional certificate to hang in the workplace 66