Top 10 Baseline Cybersecurity Controls Banks Aren't Doing




Secure Banking Solutions

Contact Information
Chad Knutson, President, SBS Institute; Senior Information Security Consultant
Masters in Information Assurance; CISSP, CISA, CRISC
chad@protectmybank.com, cell (605) 480-3366
SBS Institute: sbsinstitute@protectmybank.com, (605) 269-0909

Background
- 11 years of community bank consulting at SBS
- Experience in risk management, ISP development, and auditing
- SBS has worked with over 800 banks in 45 states
- Relationship with Dakota State University: NSA & DHS National Center of Excellence in Information Assurance, one of the only universities focusing on community banking security

Our Experience
Process: Information Security Program design and roll-out; IT risk management; vendor management; technology selection; business continuity / disaster recovery; incident response; information security consulting; IT audit (ISP audit, controls audit, wire transfer audit, ACH audit, Internet banking audit)
Technology: penetration testing; vulnerability assessment; system configuration assessment; acceptable use scanning
People: social engineering; awareness programs; ISO training; CATO training
TRAC Risk Management Suite; Verify ACH Whitelisting; Cyber Risk; Anti-Phishing

Agenda
1. Cybersecurity Background
2. Top 10 Missing Baseline Controls
3. Beyond Completion of Assessment

What is Cybersecurity?
Cyber risk: the increased probability that the very high impact, Internet-based risks and threats we once thought improbable will harm our networks.
Cybersecurity: the controls and processes in place to protect our networks and customer information from cyber risk.
How does it relate to information security? Cybersecurity is a subset of the discipline of information security, which encompasses not only cybersecurity but also all of the traditional things we've done to protect our confidential customer information, including IT risk assessment, vendor management, business continuity planning, vulnerability assessment, IT audit, and much more.
Images courtesy of ISACA and member Menny Barzilay: http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=296

Technology & Cybercrime
New products/services: mobile solutions (mobile cash management, mobile payments, mobile capture); virtualization; electronic payments; cloud; online account opening; interactive teller machines.
(Diagram: Bank Technology, Cybercrime, Third Party, Customer)

GLBA Interpretation
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank's information security program shall be designed to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information;
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
- Ensure the proper disposal of customer information and consumer information.
https://www.fdic.gov/regulations/laws/rules/2000-8660.html

Federal Reserve SR 15-9
"In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions' cybersecurity preparedness in information technology and safety and soundness examinations and inspections."
http://www.federalreserve.gov/bankinforeg/srletters/sr1509.htm

OCC Bulletin 2015-31
"The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution's inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015."
http://www.occ.treas.gov/news-issuances/bulletins/2015/bulletin-2015-31.html

FDIC FIL-28-2015
"Use of the Cybersecurity Assessment Tool is voluntary. FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions."
https://www.fdic.gov/news/news/financial/2015/fil15028.html

FFIEC CAT Overview
https://www.ffiec.gov/pdf/cybersecurity/ffiec_cat_june_2015_pdf2.pdf

Do we need to do the CAT? What does GLBA require? Are we asking the right question?

Risk Management Approach
Tier 1: FFIEC CAT = organizational risk assessment. Cyber Risk: https://cyber-risk.protectmybank.com/
Tier 3: TRAC = asset-based risk assessment. TRAC: https:///products/software/it risk assessment/

SBS Cyber Risk
- Web-based FFIEC Cybersecurity Assessment Tool
- Complimentary access
- 1,311 active users
- 717 completed assessments
- 100% follows the FFIEC CAT

Cybersecurity Inherent Risk
Five inherent risk areas:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Chart values: 49%, 35%, 12%, 3%, <1% (the number shows average ratings for the 700+ assessments completed).

Risk Ratings per Category (chart)

Baseline Controls
Number of statements per maturity level and domain, as shown on the slide:

Maturity       Domain 1  Domain 2  Domain 3  Domain 4  Domain 5  Total
Baseline             31         8        51        16        17    123
Evolving             34         7        39        13        20    113
Intermediate         33        11        39         9        21    113
Advanced             28        11        25         7        15     86
Innovative           15        12        20         6        10     63
Total               141        49       174        51        83    498

#1 Firewall Rules (22%)
Baseline statement: Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)
FFIEC: "High-risk systems should be subject to an independent test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly. The quarterly auditing and verification need not be by an independent source."
NIST SP 800-41: "Each review should include a detailed examination of all changes since the last regular review, particularly who made the changes and under what circumstances. It is also useful to occasionally perform overall ruleset audits by people who are not part of the normal policy review team to get an outside view of how the policy matches the organization's goals."
Suggestions:
- Formal configuration management process
- Quarterly change review
- Quarterly rule evaluation
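The quarterly review above has two halves: examine every change since the last review, and evaluate the rules themselves. The script below is an added example written for this page, not SBS or FFIEC material. It parses a small iptables-style ruleset, diffs it against last quarter's approved snapshot, and flags the rules a reviewer should question. The management port list and the CHG-nnnn change-ticket convention are assumptions; both rulesets are constructed.

```python
"""Quarterly firewall ruleset review helper (added example).

Parses a small iptables-style ruleset, flags rules a reviewer should
question, and diffs the current ruleset against last quarter's approved
snapshot so the review covers every change since the last regular review.
Both rulesets below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the ruleset approved at last quarter's review.
LAST_QUARTER = """\
-A INPUT -s 10.10.0.0/16 -p tcp --dport 22 -m comment --comment "CHG-1001 admin ssh" -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -m comment --comment "CHG-1002 web banking" -j ACCEPT
-A INPUT -j DROP
"""

# Constructed: the ruleset exported from the firewall today.
CURRENT = """\
-A INPUT -s 10.10.0.0/16 -p tcp --dport 22 -m comment --comment "CHG-1001 admin ssh" -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -m comment --comment "CHG-1002 web banking" -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
-A INPUT -j DROP
"""

MGMT_PORTS = {22, 23, 3389, 5900}          # assumption: ports treated as management
TICKET_RE = re.compile(r"\bCHG-\d+\b")     # assumption: change tickets look like CHG-1234

@dataclass(frozen=True)
class Rule:
    chain: str
    src: str
    proto: str
    dport: Optional[int]
    comment: str
    target: str
    raw: str

RULE_RE = re.compile(
    r"-A (?P<chain>\S+)"
    r"(?: -s (?P<src>\S+))?"
    r"(?: -p (?P<proto>\S+))?"
    r"(?: --dport (?P<dport>\d+))?"
    r"(?: -m comment --comment \"(?P<comment>[^\"]*)\")?"
    r" -j (?P<target>\S+)"
)

def parse_rules(text: str) -> List[Rule]:
    """Parse -A lines into Rule objects; an unparsed line is an error, not silently skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        d = m.groupdict()
        rules.append(Rule(d["chain"], d["src"] or "0.0.0.0/0", d["proto"] or "all",
                          int(d["dport"]) if d["dport"] else None,
                          d["comment"] or "", d["target"], line))
    return rules

def is_any_source(src: str) -> bool:
    return src in ("0.0.0.0/0", "::/0")

def audit_rule(rule: Rule) -> List[str]:
    """Findings for one ACCEPT rule; non-ACCEPT rules need no review here."""
    findings = []
    if rule.target != "ACCEPT":
        return findings
    if is_any_source(rule.src) and rule.proto == "all" and rule.dport is None:
        findings.append("any-to-any accept")
    if is_any_source(rule.src) and rule.dport in MGMT_PORTS:
        findings.append(f"management port {rule.dport} open to any source")
    if not TICKET_RE.search(rule.comment):
        findings.append("no change ticket recorded in rule comment")
    return findings

def diff_rulesets(old_text: str, new_text: str):
    """Rules added and removed since the last review (order-insensitive)."""
    old = {r.raw for r in parse_rules(old_text)}
    new = {r.raw for r in parse_rules(new_text)}
    return sorted(new - old), sorted(old - new)

def quarterly_review(old_text: str, new_text: str) -> dict:
    added, removed = diff_rulesets(old_text, new_text)
    findings = {}
    for rule in parse_rules(new_text):
        issues = audit_rule(rule)
        if issues:
            findings[rule.raw] = issues
    return {"added": added, "removed": removed, "findings": findings}

if __name__ == "__main__":
    report = quarterly_review(LAST_QUARTER, CURRENT)
    for rule in report["added"]:
        print("ADDED  ", rule)
    for rule in report["removed"]:
        print("REMOVED", rule)
    for rule, issues in report["findings"].items():
        print("REVIEW ", rule, "->", "; ".join(issues))
```

On the constructed data the review reports two added rules, both without a change ticket, one opening RDP to the world and one accepting everything. The diff is set-based, so a rule that merely moved above or below the final DROP would not be reported; a production review should also compare rule order, since order decides which rule wins.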

#2 Diagrams (22%)
Baseline statement: Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10)
FFIEC: "The institution's analysis should include a system characterization and data flow analysis of networks (where feasible), computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems. Some systems and data stores may not be readily apparent. For example, backup tapes, portable computers, personal digital assistants, media such as compact disks, micro drives, and diskettes, and media used in software development and testing should be considered."

#3 Testing Patches (18%)
Baseline statement: Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22)
FFIEC: "Management should establish procedures to stay abreast of patches, to test them in a segregated environment, and to install them when appropriate."
Suggestions:
- Documented approach
- Non-production testing environment: dedicated environment, redundant backup site, or duplicate VMs
- Staged deployment
- Back-out plan

#4 Unauthorized Devices (17%)
Baseline statement: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9)
FFIEC: Determine whether appropriate detection capabilities exist related to:
- Network-related anomalies, including blocked outbound traffic; unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies; unusual or malicious packet payloads
- Host-related anomalies, including system resource usage and anomalies; user-related anomalies; operating and tool configuration anomalies; file and data integrity problems; anti-virus, anti-spyware, and other malware identification alerts; unauthorized access; privileged access
See also SANS Top 20 / CIS Critical Security Controls, Control #1 (Inventory of Authorized and Unauthorized Devices).
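CIS Control #1 starts from the gap between what the asset inventory says is on the network and what the network actually shows. The script below is an added example for this page, not SBS or CIS code: it reconciles a constructed CMDB export against constructed DHCP leases and a switch ARP table, and reports MAC addresses nobody has authorized plus inventoried devices that have turned up on a subnet where they do not belong. The file formats and the expected_subnet column are assumptions.

```python
"""Detecting unauthorized devices by reconciling inventory with observed hosts (added example).

Inputs: an approved asset inventory (CSV), ISC-style DHCP leases, and an ARP
table dump. Output: MACs seen on the wire but absent from the inventory, and
inventoried MACs seen on a subnet other than the one they are expected on.
All data below is constructed for the example.
"""
import csv
import io
import ipaddress
import re

# Constructed: authorized asset inventory (CMDB export).
INVENTORY_CSV = """\
hostname,mac,owner,expected_subnet
teller01,00:1a:2b:3c:4d:01,Branch Ops,10.20.1.0/24
teller02,00-1A-2B-3C-4D-02,Branch Ops,10.20.1.0/24
coreapp,00:1a:2b:3c:4d:10,IT,10.20.5.0/24
printer-br1,00:1a:2b:3c:4d:20,Facilities,10.20.1.0/24
"""

# Constructed: ISC-style DHCP leases (one lease per line for brevity).
DHCP_LEASES = """\
lease 10.20.1.11 { hardware ethernet 00:1a:2b:3c:4d:01; client-hostname "teller01"; }
lease 10.20.1.12 { hardware ethernet 00:1a:2b:3c:4d:02; client-hostname "teller02"; }
lease 10.20.1.57 { hardware ethernet f4:5c:89:aa:bb:cc; client-hostname "iPhone"; }
"""

# Constructed: ARP table lines "<ip> <mac> <interface>".
ARP_TABLE = """\
10.20.1.11 00:1a:2b:3c:4d:01 vlan20
10.20.1.12 00:1a:2b:3c:4d:02 vlan20
10.20.1.57 f4:5c:89:aa:bb:cc vlan20
10.20.5.9 00:1a:2b:3c:4d:10 vlan50
10.20.9.200 00:1a:2b:3c:4d:20 vlan90
10.20.9.3 08:00:27:de:ad:01 vlan90
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]+);(?: client-hostname "([^"]*)";)? \}'
)

def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-1A-2B... and 001a.2b3c... compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_inventory(text: str) -> dict:
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def parse_leases(text: str) -> dict:
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[norm_mac(m.group(2))] = {"ip": m.group(1), "name": m.group(3) or "", "source": "dhcp"}
    return seen

def parse_arp(text: str) -> dict:
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            seen[norm_mac(parts[1])] = {"ip": parts[0], "name": "", "source": "arp"}
    return seen

def find_unauthorized(inventory: dict, *observations: dict):
    """Merge observation sources, then compare every observed MAC with the inventory."""
    observed = {}
    for obs in observations:
        for mac, info in obs.items():
            entry = observed.setdefault(mac, dict(info))
            if not entry["name"] and info["name"]:
                entry["name"] = info["name"]
    unknown, misplaced = [], []
    for mac, info in observed.items():
        if mac not in inventory:
            unknown.append({"mac": mac, **info})
            continue
        expected = ipaddress.ip_network(inventory[mac]["expected_subnet"])
        if ipaddress.ip_address(info["ip"]) not in expected:
            misplaced.append({"mac": mac, "hostname": inventory[mac]["hostname"],
                              "ip": info["ip"], "expected": str(expected)})
    return unknown, misplaced

if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unknown, misplaced = find_unauthorized(inv, parse_leases(DHCP_LEASES), parse_arp(ARP_TABLE))
    for u in unknown:
        print("UNKNOWN DEVICE ", u)
    for m in misplaced:
        print("WRONG SUBNET   ", m)
```

Two unknown MACs come back (a phone that pulled a DHCP lease and a host on VLAN 90 that never touched DHCP, which is why ARP is read as well), and the branch printer's MAC shows up on the wrong subnet, which is either a move that was never recorded or someone spoofing a known MAC to get past port security. The report is only as good as the inventory, so the first run usually produces a long list of "unknown" devices that are really an inventory cleanup.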

#5 Network Baseline (16%)
Baseline statement: A normal network activity baseline is established. (FFIEC Information Security Booklet, page 77; the text quoted below is from page 84, so the cited page may be a typo.)
FFIEC, Network Intrusion Detection Systems: "The anomaly-based detection method generally detects deviations from a baseline. The baseline can be either protocol-based or behavior-based. The protocol-based baseline detects differences between the detected packets for a given protocol and the Internet's RFCs (Requests for Comment) pertaining to that protocol."

#6 Customer Awareness (16%)
Baseline statement: Customer awareness materials are readily available (e.g., DHS' Cybersecurity Awareness Month materials). (FFIEC E-Banking Work Program, Objective 6-3)
FFIEC: "Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicate customer responsibilities: security policies and customer usage responsibilities (including security disclosures and Internet banking agreements)."
Suggestions, website and process:
- DHS Stop.Think.Connect.: https://www.dhs.gov/stopthinkconnect
- Cybersecurity Month: https://www.dhs.gov/national-cyber-security-awareness-month
- NISTIR 7621: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- Annual CATO training
- Phishing brochures
- Self-assessments: https:///products/software/commercialaccount risk/

#7 Removable Media (15%)
Baseline statement: Controls are in place to restrict the use of removable media to authorized personnel. (FFIEC Information Security Work Program, Objective I: 4-1)
FFIEC: Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures.
- Authentication and authorization
- Acceptable use policy that dictates the appropriate use of the institution's technology including hardware, software, networks, and telecommunications
- Administration of access rights at enrollment, when duties change, and at employee separation
- Physical controls over access to hardware, software, storage media, paper records, and facilities
- Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information

#8 Elevated Privileges (14%)
Baseline statement: Elevated privileges are monitored. (FFIEC Information Security Booklet, page 19)
FFIEC: "The concepts of least permissions and least privileges are used to provide functionality while limiting potentially harmful actions. They generally involve restricting authorizations at the network, server, and client level. For example, a user could be allowed access to only certain network resources and denied access to others. A user could be allowed access to some program functions or file areas and not allowed access to others. A program could be allowed access to some of a computer's or network's resources and disallowed access to others. Authorization for users most often is managed by assigning a user to a group, and granting permissions to the group."
Suggestion: limiting privileges leaves fewer accounts to monitor that hold the privileges needed to compromise systems and data. Focus log monitoring and review on elevated accounts.
(Diagram: your user, running as local admin, gets admin rights and then gets a virus.)
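"Elevated privileges are monitored" in practice means someone reads the events that record privilege use and privileged group changes. The script below is an added example for this page, not SBS or FFIEC code. It reviews a handful of constructed Windows Security events (exported as JSON lines the way a SIEM forwarder would emit them) for Event ID 4672 (special privileges assigned to a new logon), 4728 and 4732 (member added to a security-enabled global or local group). The approved-administrator list, the privileged group names, the business-hours window and every event are assumptions made for the example; it also lists which accounts actually exercise privileges, which is the list to shrink before you monitor it.

```python
"""Reviewing elevated-privilege activity from Windows Security log events (added example).

Reads constructed Windows Security events, exported as JSON lines the way a
SIEM forwarder would emit them, and raises the findings a reviewer of
elevated accounts cares about: privileged logons (Event ID 4672) by accounts
not on the approved administrator list, approved-admin logons outside the
change window, and additions to privileged groups (4728 global, 4732 local).
Account names, group names and the business-hours window are assumptions.
"""
import json
from datetime import datetime, time
from typing import List, Tuple

APPROVED_ADMINS = {"BANK\\adm.jdoe", "BANK\\adm.rlee"}             # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
IGNORED_SUBJECTS = {"NT AUTHORITY\\SYSTEM"}                         # noisy by design
BUSINESS_HOURS = (time(7, 0), time(19, 0))                          # assumption

# Constructed sample events (not real log data). Raw string: "\\" is JSON for one backslash.
EVENTS = r"""
{"EventID": 4672, "TimeCreated": "2015-11-05T08:15:00", "SubjectDomainName": "BANK", "SubjectUserName": "adm.jdoe", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege", "Computer": "DC01"}
{"EventID": 4672, "TimeCreated": "2015-11-05T08:16:00", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM", "PrivilegeList": "SeTcbPrivilege", "Computer": "DC01"}
{"EventID": 4624, "TimeCreated": "2015-11-05T09:00:00", "SubjectDomainName": "BANK", "SubjectUserName": "tsmith", "Computer": "TELLER07"}
{"EventID": 4728, "TimeCreated": "2015-11-05T10:02:00", "SubjectDomainName": "BANK", "SubjectUserName": "adm.rlee", "TargetUserName": "Domain Admins", "MemberName": "BANK\\svc.backup", "Computer": "DC01"}
{"EventID": 4672, "TimeCreated": "2015-11-05T22:05:00", "SubjectDomainName": "BANK", "SubjectUserName": "adm.rlee", "PrivilegeList": "SeDebugPrivilege", "Computer": "DC01"}
{"EventID": 4672, "TimeCreated": "2015-11-05T23:40:00", "SubjectDomainName": "BANK", "SubjectUserName": "tsmith", "PrivilegeList": "SeDebugPrivilege", "Computer": "TELLER07"}
{"EventID": 4732, "TimeCreated": "2015-11-05T23:41:00", "SubjectDomainName": "BANK", "SubjectUserName": "tsmith", "TargetUserName": "Administrators", "MemberName": "BANK\\tsmith", "Computer": "TELLER07"}
"""

Finding = Tuple[str, str, str, str]   # (time, what, who, computer)

def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def subject(ev: dict) -> str:
    return f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'

def in_business_hours(timestamp: str) -> bool:
    t = datetime.fromisoformat(timestamp).time()
    return BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]

def accounts_using_privileges(events: List[dict]) -> set:
    """Who actually exercises elevated rights: the list to shrink before you monitor it."""
    return {subject(ev) for ev in events
            if ev["EventID"] == 4672 and subject(ev) not in IGNORED_SUBJECTS}

def review_privileged_activity(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        who = subject(ev)
        if ev["EventID"] == 4672 and who not in IGNORED_SUBJECTS:
            if who not in APPROVED_ADMINS:
                findings.append((ev["TimeCreated"], "privileged logon by non-approved account",
                                 who, ev["Computer"]))
            elif not in_business_hours(ev["TimeCreated"]):
                findings.append((ev["TimeCreated"], "approved admin privileged logon outside business hours",
                                 who, ev["Computer"]))
        elif ev["EventID"] in (4728, 4732) and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            # Every change to a privileged group is reviewed, whoever made it.
            findings.append((ev["TimeCreated"], f'member added to {ev["TargetUserName"]}',
                             f'{who} added {ev["MemberName"]}', ev["Computer"]))
    return sorted(findings)

if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("accounts exercising privileges:", sorted(accounts_using_privileges(evs)))
    for f in review_privileged_activity(evs):
        print(*f, sep=" | ")
```

On the sample data the teller account tsmith shows up exercising SeDebugPrivilege on a teller workstation late at night and then adding itself to the local Administrators group, which is exactly the "user gets admin rights, gets virus" path the slide warns about; the approved admin's change to Domain Admins is reported too, because privileged group changes are reviewed regardless of who made them. Event 4672 fires at every privileged logon, so a real deployment filters the known service accounts up front and ties the remaining logons to change tickets rather than reading them one by one.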

#9 Anomalous Activities (13%)
Baseline statement: The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32; the text quoted below is from page 37, so the cited page may be a typo.)
FFIEC, Network Access: Institutions should:
- Group network servers, applications, data, and users into security domains (e.g., untrusted external networks, external service providers, or various internal user systems);
- Establish appropriate access requirements within and between each security domain;
- Implement appropriate technological controls to meet those access requirements consistently; and
- Monitor cross-domain access for security policy violations and anomalous activity.
"Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident response efforts. Network administrators implement the policies, standards, and procedures in their day-to-day operational role." (More in the new Management Booklet.)
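Controls #5 (a normal network activity baseline) and #9 (monitoring cross-domain access for policy violations and anomalies) are two sides of one mechanism, so one added example serves both. The script below is written for this page and is not SBS or FFIEC code. It learns a behaviour-based baseline from a week of constructed flow records (which destinations and ports each host talks to, and how many bytes it sends per day), then scores a new day of flows against that baseline and against a security-domain access policy of the kind the FFIEC text describes. The zone ranges, the policy table, the flow record format and the 3-sigma threshold are all assumptions.

```python
"""Network activity baseline and cross-domain anomaly detection (added example).

Serves both the "normal network activity baseline" control and the
"monitor cross-domain access for policy violations and anomalous activity"
control. Learns a behaviour baseline from a week of constructed flow
records, then flags policy violations, never-before-seen destinations and
volume spikes in a new day's flows. Zones, policy and flows are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: security domains defined by address range; anything else is "external".
ZONES = {
    "teller": ipaddress.ip_network("10.20.1.0/24"),
    "servers": ipaddress.ip_network("10.20.5.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Assumption: cross-domain flows the access policy permits (src zone, dst zone, dport).
CROSS_DOMAIN_POLICY = {
    ("teller", "servers", 443),
    ("teller", "servers", 445),
    ("servers", "dmz", 1433),
    ("servers", "external", 443),
    ("dmz", "external", 443),
}

Flow = Tuple[int, str, str, int, int]   # (day, src, dst, dport, bytes)

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def make_baseline_flows() -> List[Flow]:
    """Constructed: a week of repetitive, boring traffic to learn from."""
    flows = []
    for day in range(1, 8):
        for host in ("10.20.1.11", "10.20.1.12"):
            flows.append((day, host, "10.20.5.9", 443, 2_000_000 + day * 10_000))
            flows.append((day, host, "10.20.5.9", 445, 500_000))
        flows.append((day, "10.20.5.9", "192.0.2.10", 1433, 8_000_000))
        flows.append((day, "10.20.5.9", "203.0.113.5", 443, 300_000))
    return flows

# Constructed: the new day. One teller pushes 40 MB straight to an external host
# and pokes the DMZ database port, neither of which the policy or the baseline allows.
NEW_DAY: List[Flow] = [
    (8, "10.20.1.11", "10.20.5.9", 443, 2_050_000),
    (8, "10.20.1.11", "10.20.5.9", 445, 500_000),
    (8, "10.20.1.12", "10.20.5.9", 443, 2_050_000),
    (8, "10.20.1.12", "198.51.100.77", 443, 40_000_000),
    (8, "10.20.1.12", "192.0.2.10", 1433, 12_000),
    (8, "10.20.5.9", "192.0.2.10", 1433, 8_100_000),
]

def build_baseline(flows: List[Flow]) -> Dict:
    """Known (src host, dst zone, port) triples plus per-host daily byte mean and stdev."""
    known_pairs = set()
    daily_bytes: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, dst, dport, nbytes in flows:
        known_pairs.add((src, zone_of(dst), dport))
        daily_bytes[src][day] += nbytes
    stats = {}
    for src, per_day in daily_bytes.items():
        vals = list(per_day.values())
        stats[src] = (statistics.mean(vals), statistics.pstdev(vals))
    return {"pairs": known_pairs, "bytes": stats}

def detect_anomalies(baseline: Dict, flows: List[Flow], z_threshold: float = 3.0,
                     min_stdev: float = 1.0) -> List[Tuple[str, str, str]]:
    """Returns (kind, source host, detail). min_stdev stops a perfectly flat baseline dividing by zero."""
    findings = []
    todays_bytes: Dict[str, int] = defaultdict(int)
    for _day, src, dst, dport, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        todays_bytes[src] += nbytes
        if sz != dz and (sz, dz, dport) not in CROSS_DOMAIN_POLICY:
            findings.append(("policy-violation", src, f"{sz}->{dz}:{dport} to {dst}"))
        if (src, dz, dport) not in baseline["pairs"]:
            findings.append(("new-destination", src, f"{dz}:{dport} to {dst}"))
    for src, total in todays_bytes.items():
        if src not in baseline["bytes"]:
            findings.append(("new-host", src, f"{total} bytes, no baseline"))
            continue
        mean, sd = baseline["bytes"][src]
        z = (total - mean) / max(sd, min_stdev)
        if z > z_threshold:
            findings.append(("volume-spike", src, f"{total} bytes vs mean {mean:.0f}, z={z:.1f}"))
    return findings

if __name__ == "__main__":
    baseline = build_baseline(make_baseline_flows())
    for kind, src, detail in detect_anomalies(baseline, NEW_DAY):
        print(f"{kind:17} {src:13} {detail}")
```

All five findings point at the same teller workstation: two policy violations (teller to external and teller to DMZ on ports the policy never allowed), the same two flows as never-seen destinations, and a daily volume roughly two thousand standard deviations above its baseline. The policy check is the part that needs no learning period and produces no false positives beyond mistakes in the policy table itself; the behavioural checks need a baseline window long enough to include month-end and other legitimate peaks, or they will page on normal business.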

#10 Policies (13%)
Baseline statement: The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E-Banking Booklet, page 28)
Summary: implement a security program that 1) identifies and assesses risk, 2) documents written policies/procedures to control risk, 3) implements the plan and tests it, and 4) adjusts (Plan, Do, Check, Act).
FFIEC, ongoing knowledge of attack sources, scenarios, and techniques: "Financial institutions should maintain an ongoing awareness of attack threats through membership in information sharing entities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), InfraGard, the CERT Coordination Center, private mailing lists, and other security information sources."
(Diagram: Risk Assessment, Audit, Policy (ISP))

Improving ISP: Information Security Programs

Next steps?
1. Determine inherent risk
2. Determine domain maturity
3. Identify goals
4. Identify gaps
5. Implement additional controls
6. Increase maturity
7. Repeat

Identify Gaps (checklist slide: each statement marked Y or N)

Build Action Plan

Overall Process (diagram)
Cybersecurity Plan; Board Involvement; Create Cybersecurity Policy; Board-level education; Establish Risk Appetite; Management-level education; Complete FFIEC Cybersecurity Assessment; Remediation; Conduct Gap Analysis; Build Action Items; Report to Board; Monthly Action Items Report; Update existing Information Security Program; FFIEC Cyber Tool; Education and Awareness; Additional employee, management, and board training; Cybersecurity-Focused Audit; Updated components of ISP; Cybersecurity Policy effectiveness; Annual Board Cybersecurity Report

Cybersecurity Plan

Cybersecurity Policy
Roles/responsibilities: Board; CEO; ISO or Cybersecurity Officer; Management
https://www.ffiec.gov/pdf/cybersecurity/ffiec_cat_ceo_board_overview_june_2015_pdf1.pdf
http://ithandbook.ffiec.gov/media/210375/managementbooklet2015.pdf
Cybersecurity assessment: inherent risk assessment; cybersecurity maturity
Integration with the Information Security Program
Verification with audits
Education for board, management, and employees

Board Roles and Responsibilities (FFIEC Management Booklet)
"While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management."
The role of the board, or an appropriate board committee, may include the responsibility to do the following:
- Engage management in establishing the institution's vision, risk appetite, and overall strategic direction.
- Approve plans to use the Assessment.
- Review management's analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.
- Review management's determination of whether the institution's cybersecurity preparedness is aligned with its risks.
- Review and approve plans to address any risk management or control weaknesses.
- Review the results of management's ongoing monitoring of the institution's exposure to and preparedness for cyber threats.

CEO Roles and Responsibilities (FFIEC Management Booklet)
"Executive management, including the chief executive officer (CEO), the chief operating officer (COO), and often the chief information officer (CIO), plays a significant role in IT management at a financial institution. Executive management develops the strategic plans and objectives for the institution and sets the budget for resources to achieve these objectives. To carry out its responsibilities, executive management should understand at a high level the IT risks faced by the institution and ensure that those risks are included in the institution's risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance."
The role of the chief executive officer (CEO), with management's support, may include the responsibility to do the following:
- Develop a plan to conduct the Assessment.
- Lead employee efforts during the Assessment to facilitate timely responses from across the institution.
- Set the target state of cybersecurity preparedness that best aligns to the board of directors' (board) stated (or approved) risk appetite.
- Review, approve, and support plans to address risk management and control weaknesses.
- Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee.
- Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk.
- Oversee changes to maintain or increase the desired cybersecurity preparedness.

Cybersecurity Policy


Cybersecurity Policy Types (diagram)
Requirements: a policy is needed to govern cyber risk management and controls (right side, governance of cyber); the cybersecurity policy requires cybersecurity assessments (left side).
Cyber risk management track: the cybersecurity assessment drives ISP improvements; ISP improvements are documented in ISP policies/procedures; ISP controls (specifically cyber) need auditing (ISP controls audit).
Governance track: cybersecurity policy/program; an overall annual cyber report is needed (Cyber Annual Report); the cyber governance policy needs auditing (Cyber Governance Audit).

Results of the Gap Analysis
- Likely create new policies, or new controls in existing policies
- Improvements to existing programs, plans, procedures
- Implementation of technology, physical, or administrative controls

Formalize Action Tracking
Conduct activities feeding the action list: audits; exams; cyber risk assessment; IT audit findings; penetration test findings; incident reports/SARs; risk assessments; IT risk assessment; policy reviews; committee actions; contract reviews

Track to Completion
- Assign an owner
- Assign a due date
- Periodically report on the status
- Report when it is completed
- Close the item
Action list: the difference between managed and chaos. You will literally have hundreds of security tasks to track each year. Do you have a well-managed process?

Monthly Board Report

Education and Awareness
- Annual cybersecurity training
- Board / executive team training
- Employee training
- Customer acceptable use training
- Social engineering testing/training
- Regular/monthly email updates
- Security posters
- October Cybersecurity Month
- Regular quizzes and tips
- Threat alerts
- securingthehuman.org

Audit
1) Audit cyber policy
2) Audit cyber ISP controls

Annual Cybersecurity Report

Overall Process Diagram

Basic Questions Directors Can Ask
1) Where is this in our risk assessment, ISP, and audit processes?
2) How are we, our third parties, and our customers addressing it?
(Diagram: Risk Assessment, Bank, Audit, Policy (ISP), Third Party, Customer)

https:///sbsinstitute/

Education: How to Monitor Cybersecurity Issues and Take Action?
- Conferences and conventions: technology and security conferences from your association
- Webinars: regular hot topics from your association
- Banking schools: graduate banking schools such as www.gsb.org
- Certifications, a deep dive into cybersecurity:
  Management level: Cybersecurity Manager (CBCM), Security Executive (CBSE), Security Manager (CBSM), Vendor Manager (CBVM), Incident Handler (CBIH)
  Technical level: Security Technical Professional (CBSTP), Ethical Hacker (CBEH), Mobile Administrator (CBMA), Forensic Investigator (CBFI)
More info at /sbsinstitute/