CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

Transcription

1 CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

2 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and Compliance All Covered Financial Services Oversees Finance Practice Security & Compliance Team and Services Portfolio 20 years of IT security, compliance, risk management and policy development experience Formerly, TD Bank Group s Technology Risk Management and Information Security Governance, CIGNA Information Protection organization

3 COMPANY OVERVIEW All Covered, Financial Services 30+ years the leading provider for IT, Security, Compliance and Infrastructure Services Hundreds of Financial Institutions Clients National IT Security & Compliance Center National Remote Support Call Center Over 900 System Engineers across 35 Regional Office locations Active members of ISSA, ISACA, InfraGard, and AFT Konica Minolta Business Solutions Forbes Global 1,000 Company 12 billion in revenue, 3 billion US Established 1936

4 GOALS FOR TODAY Understand the current regulatory reality and cybersecurity challenges faced by financial institutions Discuss the top security and audit concerns of financial institutions and regulators Explore ways in which financial institutions are protecting their business Review the anatomy of an attack Review the NIST Cybersecurity Framework Steps you can take to prioritize and protect your financial institution

5 REGULATORY REALITY Improving Critical Infrastructure Cybersecurity Presidential Executive Order 2014 Community Banks receive Recommendations Identify a resource to function as an ISO Enhance cybersecurity 2015 Community Banks receive MRA s Not having an ISO, cybersecurity assessment Lack of proper vendor oversight

6 REGULATORY REALITY Presidential Executive Order Improving Critical Infrastructure Cybersecurity (February 12, 2013) Sharing Cybersecurity Threat Information (February 12, 2015) Represents the latest in federal policy on cybersecurity Cybersecurity Information Sharing Act (CISA) March 13, 2015 To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes Current Bill in the U.S. Senate Cyber Intelligence Sharing and Protection Act Allow sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.

7 REGULATORY REALITY FFIEC - IT Booklets Audit Business Continuity Planning Development and Acquisition E-Banking Information Security Management Operations Outsourcing Technology Services Retail Payment Systems Supervision of Technology Service Providers (TSP) Wholesale Payment Systems

8 Gramm-Leach-Bliley Act (GLBA) Financial Privacy Rule Safeguards Rule Pretexting Protection

9 REGULATIONS AND AUDITS GLBA Gramm-Leach-Bliley Act (1999) Typically audited twice per year Examiner & 3rd Party Audit FFIEC Federal Financial Institutions Examination Council SEC Securities & Exchange Commission The U.S. Securities and Exchange Commission s Office of Compliance Inspections and Examinations (OCIE) SIPC Securities Investor Protection Corporation Created under the Securities Investor Protection Act as a nonprofit membership corporation Data Breach Disclosure Laws 45 States Data Encryption Law 201 CMR (2010) FDIC Federal Deposit Insurance Corporation Member of FFIEC FINRA Financial Industry Regulatory Authority Securities industry regulator PCI Payment Card Industry Data Security Standards Red Flags Rule Identity theft prevention Enforced by the Federal Trade Commission (FTC) SOX Sarbanes Oxley (2002) Section Internal controls for financial reporting

10 IT REGULATORY EXAM FOCUS 2013 Data Classification Business Continuity IT Risk Assessment Log Archiving BYoD DDoS Preparedness 2014 Vendor Management Cybersecurity Ongoing VA Scanning SIEM 2015 Cyber-Preparedness Cyber-Resiliency Incident Response Testing

11 PROTECTING YOUR BUSINESS IT Security Challenges: Wire Fraud ATM Machines Loss of Business Data Social Engineering Insider Fraud Loss of Client Data Breach of Customer Information Identity Theft Malware / Spyware Not Having a Plan Data Loss / Disasters

12 April 20, 2015 # ISSUE YOUR ANSWER Yes No TOTAL SCORE 1. Insufficient vetting of vendors was/is a leading cause of breach of your company. 2. Malware was involved in a breach. 3. Compromised passwords were involved in a breach. 4. A breach took more than a year to discover. 5. Insufficient funding for security was a leading cause of a breach. 6. Require third parties to comply with your company s privacy policies. 7. Encrypt messages. 8. Conduct security awareness training. 9. Use tools to detect unauthorized use or access to your systems. 10. Your company was unable to determine where a breach had occurred. 20% 44% 24% 33% 37% 54% 55% 51% 55% 55%

13 COMMON SECURITY CHALLENGES Going it alone can be very demanding IT RESPONSIBILITIES: Messaging Protection Website Security Web Content Filtering Virus Definitions Patching Backup and Recovery Mobile Devices and BYOD Compliance Management What s the highest priority?

14 SECURITY & AUDIT CONCERNS You don t need to be a company the size of Target to be impacted by a security breach 40% of small and mid-size businesses that manage their own security will have their network accessed by a hacker, and more than 50% won t even know they were attacked. (Source: Gartner Group)

15 SECURITY & AUDIT CONCERNS Lack of awareness at Board and Executive level Bottom up, not top down, security culture Risk Concerns: Reputational Financial Regulatory

16 SECURITY & AUDIT CONCERNS Are we protected? How do we know? How do we demonstrate it? Who on staff is responsible? Accountable? Who has Cybersecurity responsibilities outside of IT?

17 What is the average cost of a breach? a) $37 b) $350 c) $3,790 d) $350,000 e) $3,790,000 f) $35,000,000 The average cost of a computer breach at large companies globally was $3.79 million, a survey released recently found. For U.S.-based companies, the average cost was much higher: $6.5 million. (Source: Ponemon Institute and IBM)

18 What does the web know about you? SECURITY & AUDIT CONCERNS

19 IS YOUR BUSINESS AT RISK? IBM Cyber Security Report on the Threat Landscape 1,400 is the average # of attacks on a single organization, weekly 1.7 is the average # of incidents, weekly 2 most common attacks: Malicious code Sustained probe/scan Breaches bottom line: ~80% human-factor based

20 IS YOUR BUSINESS AT RISK? Without effective internal security precautions Revenue Innovation Reputation Compliance are at huge risk

21 INFORMATION SECURITY PROGRAM Information Security Policies Access Management IT Risk Assessment Cybersecurity Risk Assessment IT Risk Mitigation IT Audit Oversight IT Steering Committee Interface with Examiners & Auditors Monitoring Security Events Business Continuity Planning Disaster and Recovery Management Vendor Management Vulnerability Assessments Incident Response Board of Director Reporting Physical Security Management Information Security Awareness Training

22 Anthem s Massive Data Breach Attackers get access to PII Suspicious activity first noticed on Jan 27, Unauthorized activity since Dec 10, 2014 Discovery of IP & addresses associated with the threat actors Compromised former & current employees (names, birthdays, SSNs, home/ addresses, employment and income data) Good news (if there is any): Anthem discovered the breach itself and had quick incident response Anthem offered victims 2 years of free credit monitoring, ID theft insurance, & identity repair monitoring The database was not encrypted

23 Chase Bank Breach Attacks started in June 2014 Breach detected as a result of a routine scan Hackers compromised flaw in bank website Hackers reached deep into enterprise infrastructure END Layers of malware from Russia (likely) installed on compromised systems Attack routed through several countries, including Brazil, redirected to Russia Gigabytes of customer account and other data siphoned slowly

24 TYPES OF SECURITY THREATS Attackers use a number of tactics to gain access to your data. Among the most common tactics are: Malware Spyware Adware Phishing Data Theft Ransomware Viruses Password Hacking Vulnerability Scanners Packet Sniffers And don t forget about Insider Activity

25 TYPES OF SECURITY THREATS Ransomware: CryptoWall $200 to $2,000 in ransom to unlock their files In 5 months: 80k+ more machines infected (in 3 months less time) than CryptoLocker 625,000 victims worldwide 5.25 billion files encrypted $1.1 million in ransoms collected (Source: Dell SecureWorks Counter Threat Unit )

26 Ransomware: CryptoWall TYPES OF SECURITY THREATS

27 Phishing Data Compromise Through Phishing

28 Vulnerability Exploit Java Adobe Linux Microsoft Unix Mac

29 Cyber Attack Lifecycle

30 ADDITIONAL THREATS TO CONSIDER Unfortunately, threats to your business are not only security breaches and cyber attacks; your business can also fall victim to DATA LOSS.?

31 TYPES OF DATA LOSS THREATS Fires Floods Earthquakes Hurricanes Tornadoes Data Corruption Hardware / System Malfunction Software Corruption Human Error Brownouts Theft

32 Cybersecurity Framework Identify: Assess Business Context Recover: Resume Operations Cybersecurity Framework Protect: Select Security Controls Framework for Improving Critical Infrastructure Cybersecurity February 12, 2014 Respond: Take Action Detect: Limit the Impact

33 NIST Cybersecurity Framework IDENTIFY Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts. Administrative Outcome Categories Technical Risk Management Risk Assessment Governance Asset Management

34 NIST Cybersecurity Framework PROTECT Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Supports the ability to limit or contain the impact of a potential cybersecurity event. Outcome Categories Administrative Awareness and Training Background/Sanction/ Maintenance checks Information Protection Policies and Procedures Technical Data Security Access Control Protective Technology

35 NIST Cybersecurity Framework DETECT Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Enables timely discovery of cybersecurity events. Outcome Categories Administrative Anomalies and Events Monitoring: Threshold levels for Capacity Monitoring: Threshold levels for Performance Log review policy and procedures Technical Change detection controls System and application Privileged user activity logs Baseline configuration Monitoring tools

36 NIST Cybersecurity Framework RESPOND Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Outcome Categories Administrative Response Planning Communication Improvements: Lessons learned Technical Technical response tools Analysis Mitigation: Risk reduction activities

37 NIST Cybersecurity Framework RECOVER Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Administrative Recovery Planning Improve the process Communication Outcome Categories Technical RTO/RPO values Patch affected systems Add specific event to signature list Post-mortem and lessons learned

38 FFIEC: Cybersecurity Assessment Tool Objective To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides institutions with a repeatable and measureable process to inform management of their institution s risks and cybersecurity preparedness.

39 FFIEC: Cybersecurity Assessment Tool Inherent Risk Profile 5 Categories and Levels Cybersecurity Maturity Cyber Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency management Cyber Incident Management and Response

40 INFORMATION SECURITY SCORECARD Information Security Program Governance IT Risk Management Compliance Audits Assessments Regulations SLA Vulnerability Management Monitoring Projects & Cost Controls Testing Project & Cost Training Projects & Cost

41 STEPS YOU CAN TAKE NOW 1. ADOPT A CYBERSECURITY FRAMEWORK Cybersecurity Framework Cybersecurity Program Policies Procedures Reporting Regulatory Compliance GLBA FFIEC SOX FINRA SEC Information Security Cybersecurity

42 STEPS YOU CAN TAKE NOW 2. ASSESS YOUR RISK Cybersecurity Risk Assessments Vulnerability Assessments Penetration Testing Social Engineering Assessments External Internal Discovering Vulnerabilities Phishing On-site Firewall/DMZ Wireless

43 STEPS YOU CAN TAKE NOW 3. MANAGE VENDORS Implement a Vendor Management program Know (and Trust) your vendors Know the contract Communicate well Encourage performance CONSIDER OUTSOURCING If you need help, get help! Assess your potential vendors

44 STEPS YOU CAN TAKE NOW 4. IMPLEMENT A CYBERSECURITY INCIDENT RESPONSE PLAN Preparation Detection & Analysis Containment, Eradication, and Remediation Post Incident Activities

45 STEPS YOU CAN TAKE NOW 5. EDUCATE EMPLOYEES Security Awareness training has proven to be effective in handling cyber attacks Do s and Don'ts Public Wireless /Attachments Quickly Reporting Losses Everyone s role in security Communicate policies and procedures Establish accountability

46 STEPS YOU CAN TAKE NOW 6. SHARE INFORMATION Financial Services ISAC Information Sharing & Analysis Center InfraGard A partnership between the FBI and the private sector. It is an association dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

47 STEPS YOU CAN TAKE NOW 1. Adopt a Framework: Consider mapping to Cybersecurity Frameworks: ISO 2700x, NIST, PCI. 2. Assess your Risk: Perform an IT risk assessment and build a comprehensive security program that includes written policies and procedures. 3. Manage Vendors: Implement a vendor management program to protect against third party losses. 4. Implement an Incident Response Plan: Establish (and Test!) a Cybersecurity Incident Response Plan 5. Educate Employees: Promote a security culture by educating your employees on their responsibilities to protect your business. 6. Share Information: Join an Information Sharing and Analysis Center (ISAC).

48 Thanks! Bill Lodovico Sr. IT Security and Compliance Consultant, All Covered Financial Services Division Viviana Campanaro CISSP Director of Security and Compliance, All Covered Financial Services Division