Cybersecurity Governance Update on New FFIEC Requirements

Transcription

1 Cybersecurity Governance Update on New FFIEC Requirements cliftonlarsonallen.com Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, Professional Services Firm with three lines of business: Wealth Management Outsourcing Traditional Assurance and Consulting Information Security offered as specialized service offering for over 15 years 1

2 Overview Three most common cyber fraud scenarios we see affecting our banks customers Theft of PII and PFI Corporate Account Take Overs Ransomware Defensive Measures to support Incident Response Examples and Case Studies 3 Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks that are resistant to malware Be Prepared Monitoring, Incident Response, and Forensic Capabilities 4 2

3 Cyber Fraud Risk Themes Hackers have monetized their activity More hacking More sophistication More hands on effort Smaller organizations targeted Social engineering on the rise Hackers targeting YOUR businesses customers In the News Theft of PFI and PII Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities. Target Goodwill Jimmy Johns University of Maryland University of Indiana Anthem Blue Cross Primera Olmsted Medical Center Community Health Systems 6 3

4 Timeline of a Breach and Missed Opportunities 1. Attacked/compromised vendor remote access 2. Missed AV/IDS warnings Attacked/compromised internal vulnerabilities 4. Missed IDS warnings Credit Card Data For Sale A peek inside a carding operation: inside a professional carding shop/ 4

5 Corporate Account Takeover Catholic church parish Hospice Finance company Main Street newspaper stand Electrical contractor Utility company Industry trade association Rural hospital Mining company On and on and on and on.. CATO Lawsuits UCC a payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. 5

6 CATO Lawsuits UCC Electrical Contractor vs Bank > $300,000 stolen via ACH through CATO Internet banking site was down DOS? Contractor asserting Bank processed bogus ACH file without any call back CATO Lawsuits UCC Escrow company vs Bank > $400,000 stolen via single wire through CATO CE passed on dual control offered by the bank Court ruled in favor of bank Companies attorneys failed to demonstrate bank s procedures were not commercially reasonable 6

7 Case Study Please Wire $ to. CEO asks the CFO Common mistakes 1. Use of private 2. Don t tell anyone cybercrime/omahas scoular co loses 17 million afterspearphishing attack.html 13 CATO Defensive Measures Multi layer authentication Multi factor authentication Out of band authentication 14 7

8 CATO Defensive Measures Positive pay ACH block and filter IP address filtering Dual control Defined processes for payments Activity monitoring Manual vs. Automated controls Combination of preventative and detective controls 15 Ransomware Malware encrypts everything it can interact with i.e. anything the infected user has access to CryptoLocker May 20, 2014 Ransomware attacks doubled in last month (7,000 to 15,000) goes spearphishing infections soar warns knowbe4 a html 16 8

9 Ransomware Zip file is preferred delivery method Helps evade virus protection Working (tested) backups are key Keys to Successful Breaches

10 Keys to Successful Breaches Reliance/dependence on 3 rd party service providers is at root of most breaches 19 How do hackers and fraudsters break in? Amateurs hack systems, professionals hack people. Bruce Schneier Social Engineering relies on the following: The appearance of authority People want to avoid inconvenience Timing, timing, timing 10

11 Pre text Phone Calls Hi, this is Randy from Fiserv users support. I am working with Dave, and I need your help Name dropping Establish a rapport Ask for help Inject some techno babble Think telemarketers script Home Equity Line of Credit (HELOC) fraud calls Ongoing high profile ACH frauds Attacks Spoofing and Phishing Impersonate someone in authority and: Ask them to visit a web site Ask them to open an attachment or run update Examples Better Business Bureau complaint usabetterbusiness bureaucall for action visa Microsoft Security Patch Download 11

12 Phishing Targeted Attack Strategies to Combat Social Engineering (Ongoing) user awareness training SANS First Five Layers behind the people 1. Secure/Standard Configurations (hardening) 2. Critical Patches Operating Systems 3. Critical Patches Applications 4. Application White Listing 5. Minimized user access rights No browsing/ with admin rights Logging, Monitoring, and Alerting capabilities The 3 R s : Recognize, React, Respond More on this at the end 12

13 Key Defensive Strategies cliftonlarsonallen.com 25 Strategies Our information security strategy should have the following objectives: Users who are more aware and savvy Networks that are resistant to malware Be Prepared Monitoring, Incident Response, and forensic Capabilities 13

14 Ten Keys to Mitigate Risk 1. Strong policies 6. Perimeter security layers 2. Defined user access roles Minimum Access 3. Hardened internal systems and end points 4. Encryption strategy data centered 5. Vulnerability management process 7. Centralized logging, analysis and alerting capabilities 8. Incident response capabilities 9. Know / use online banking tools 10.Test, Test, Test Independent validation that it works Verizon Report is analysis of intrusions investigated by Verizon and US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered highly difficult. 14

15 Centralized Logging, Analysis, and Alerting Centralized audit logging, analysis, and automated alerting capabilities (SIEM) Firewalls Security appliances Routing infrastructure Network authentication Servers Applications *** Archiving vs. Reviewing FFIEC Executive Leadership of Cybresecurity cliftonlarsonallen.com 30 15

16 Cybersecurity Leadership FFIEC 31 Cybersecurity Leadership FFIEC

17 Cybersecurity Leadership FFIEC Governance and Threat Intelligence 33 Cybersecurity Leadership FFIEC

18 Cybersecurity Leadership FFIEC 35 Cybersecurity Leadership FFIEC

19 Very Recent Examiner Supplemental Cyber Security Request List 37 Very Recent Examiner Supplemental Cyber Security Request List 38 19

20 Very Recent Examiner Supplemental Cyber Security Request List 39 Call To Action Policies to set foundation Train your users Thoroughly assess your risks Three R s: Recognize, React, Respond Thoroughly validate your controls High expectations of your vendors Penetration testing and vulnerability assessment Social engineering testing People Tools ` Rules 40 20

21 Questions? Randy Romes, CISSP, CRISC, MCP, PCI QSA Principal Information Security Services cliftonlarsonallen.com twitter.com/ CLA_CPAs facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 42 21

22 Resources Hardening Checklists Hardening checklists from vendors CIS offers vendor neutral hardening resources Microsoft Security Checklists us/library/dd aspx Most of these will be from the BIG software and hardware providers Three Security Reports Trends: Sans 2009 Top Cyber Security Threats cyber security risks/ Intrusion Analysis: TrustWave (Annual) Intrusion Analysis: Verizon Business Services (Annual) 22