Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Transcription

1 Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1

2 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices User Awareness Vendor Management Cloud Computing Mobile Devices Emerging Technologies R A J P AT E L P A R T N E R I T C O N S U L T I N G R A J. P A T E P L A N T E M O R A N. C O M w w w. p l a n t e m o r a n. c o m 2

3 2013 Verizon Data Breach Investigations Report Who are the victims? Who s perpetrating breaches? 3

4 2013 Verizon Data Breach Investigations Report How do breaches occur? What commonalities exist? 4

5 External Threats Profile 5

6 Internal Threats Profile For smaller organizations, employees directly handling cash/payments, like cashiers, waiters, and tellers are often more responsible for breaches. In larger organizations, it is the administrators that take the lead. 6

7 Top 20 Threats 7

8 9 7 % o f B r e a c h e s We r e Av o i d a b l e Most victims aren t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them. Verizon Data Breach Investigations Report Weak Infrastructure Weak design (firewalls, wireless routers) Weak user authentication (users, passwords) Encryption (VPN, secure portals) Out-dated (patch management / anti-virus) Lack of periodic testing User Ignorance Weak user passwords Poor judgment Social media Phishing attacks Third Party Vendors Weak due diligence Breach notification Annual breach confirmation Technology Advances Mobile devices Cloud computing / public portals 8

9 Information Security Framework Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization based on factors such as industry, location, products/services, etc. Other differences are related to management s view of security based on their experience with prior security incidents. 9

10 How to secure your IT infrastructure S o u r c e : S A N S C r i t i c a l S e c u r i t y C o n t r o l s 10

11 User Access Management 11

12 Importance of Patch Management If you don t patch your systems timely, you continue to stay exposed. As other organizations patch their systems, your exposed network will stand out. 12

13 Security Processes 13

14 User Security Awareness Who are your users? Strong password practices Device security Accessing from public places Loss of hardware Disposal of devices Use of mobile technology Social media risks DATA BREACH I m flattered, really I am. But you probably shouldn t use my name as your password. 14

15 Security Awareness Posters 15

16 Cyber Security Blog 16

17 Vendor Due Diligence As per FFIEC guidelines, Banks should perform due diligence over the following areas for any vendors that can access customer s private data: Existence and corporate history, strategy and reputation Qualifications, backgrounds, and reputations of company principals, including criminal background checks References from other companies using similar services from the vendor Financial status, including reviews of audited financial statements Technology and systems architecture Internal controls environment, security history, and audit coverage Legal complaints, litigation, or regulatory actions Reliance on and success in dealing with third party service providers Insurance coverage Ability to meet disaster recovery and business continuity requirements The depth and formality of the due diligence performed may vary according to the risk of the outsourced relationship and the institution's familiarity with the prospective service providers. 17

18 Foreign Vendor Due Diligence When banks contract with foreign vendors, the following additional due diligence activities need to be considered: Country risk Compliance risk U.S. regulations (e.g. GLBA, BSA) still apply. Foreign data privacy and compliance requirements might also apply Export controls (U.S. Export Administration Regulations) restrict the export of software, including all aspects of encryption usage Security, confidentiality and ownership of bank s data Choice of law Which countries law controls the contractual relationship Regulatory access to information - U.S. regulatory authorities must have the ability to examine (in English) the services performed by an organization's third-party service provider regardless of whether it is foreign or domestically based Regulatory authority Contracts should have provisions acknowledging the authority of U.S. regulatory authorities Financial institutions must not share U.S. regulatory examination reports or information contained therein with either foreign regulators or foreign-based service providers without the express written approval of the appropriate U.S. regulatory authority 18

19 Vendor Management - Other Remote Access Deploy a single central remote access solution for employees and vendors to remotely access your network Bank should manage remote access tool and not the third-party vendor Block access from any unapproved remote access tools used by third-party vendors Require each third-party vendor to use unique credentials to access your network Log and review third-party activities on your network Breach Notification Contract language should include breach notification requirement (i.e. if there is a breach at the third-party, they need to notify the bank within 48 hours Annual confirmation of breaches by CEO or other C-level executive at the vendor 19

20 Cloud Computing Choosing a Cloud Vendor Internal controls at cloud provider Secure connections / encryption User account management Other third-parties involved Policy vs. process HR hiring policies at the vendor Service Organization Controls (SOC) reports Independent network security / penetration testing (ask for summary report) Web application testing (if applicable) Vendor Contracts Responsibility over confidentiality and data security controls Security breach notification, including hardware / data loss at the vendor s facility Written annual security breach / data loss confirmation from Vendor s CEO 20

21 Mobile Devices Device Security Physical security of device Passwords not pins Enable auto lock Secure / calendar (including sync) Keep Bluetooth devices to nondiscoverable (will not impact authenticated connections) Remote wipe Failed attempts lock/wipe Secure backup data on mobile device Keep all system/applications patches up-to-date Keep apps version current GPS location services can be a security risk Provide a safe application store for family members Encryption Passwords enable native encryption Encrypted transmission Memory encryption Encrypted transmission Mobile Device Management Great way to manage bank owned devices 21

22 Emerging Technologies Touch Computing Voice / Spatial Gestures Mobile, Tablets and Beyond Near Field Communication Social User Experience Internet of Everything 22

23 THANK YOU R A J P AT E L P A R T N E R I T C O N S U L T I N G R A J. P A T E P L A N T E M O R A N. C O M 23