Cybersecurity
WBA Bank Executives Conference, February 2-4, 2015, Milwaukee, WI
Dr. Kevin Streff, Founder: Secure Banking Solutions, LLC, www.protectmybank.com

Goals
- Understand IT cybersecurity law and regulation
- Understand the cybersecurity threats to community banks today
- View a comprehensive information security framework
- Learn to expand and mature risk assessment programs: IT risk assessment, third-party vendor assessments, corporate account assessments (CATO), Enterprise Risk Management
- Set the tone at the top
Gramm-Leach-Bliley Act
- Management must develop a written information security program
- What is the M in the CAMEL rating?
- Don't just do good security things; have a well-managed program
- Don't rely on individual heroism; have a well-managed program
- The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires your bank to develop and implement 1) an Information Security Program and 2) Risk Assessments.
- Information Security Program: a comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank's operations and the nature and scope of its activities.
- Risk Assessment Program: prior to implementing an information security program, a bank must first conduct a risk assessment.

Other Important Regulation
- FFIEC Authentication Supplement
- Corporate Account Takeover Regulation
- Vendor Management Regulation
- Social Media Regulation
- ATM Guidance
- DDoS Guidance

Board of Directors and Management Team Are Responsible for Security
On a scale of 1 to 10, grade your ability to:
- Understand cyber risks
- Give attention and resources to cyber risks
Layered Security Approach

False Sense of Security

What Can You Do?
- Focus on the big 5 threats
- Focus on a comprehensive information security program
- Get good at risk assessment
- Create security metrics
- Management and Board training

Top Security Threats
1. Hacking
2. Data Leakage
3. Social Engineering
4. Corporate Account Takeover
5. ATM
Most threats involve installing MALWARE.
"Small and medium sized banks are in the cross-hairs of the cyber criminal." (Howard Schmidt, Cybersecurity Secretary for the White House)
Threat #1: Hacking

Hacker Tools Examples
- Tools to hack your bank are downloadable: http://sectools.org/
- Default passwords are all available: http://www.phenoelit.org/dpl/dpl.html
- An economy is available to sell stolen data ("underground markets"): http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Threat #2: Data Leakage

Data Leakage
Data leakage is about insiders leaking customer information out of your bank.
Threat #3: Social Engineering

Social Engineering
What is Social Engineering?
- Exploitation of human nature for the gathering of sensitive information.
- A tool attackers use to gain knowledge about employees, networks, vendors or other business associates.

Sample Social Engineering Methods
- Phishing/Pharming
- Telephone (Remote Impersonation)
- Dumpster Diving
- Impersonation
- E-mail Scams
- USB Sticks
Threat #4: Corporate Account Takeover

Corporate Account Takeover
- Hijacking/impersonating an ACH or wire
- 70% of small businesses lack basic security controls: firewall, strong passwords, malware protection, etc.
Threat #5: ATM Fraud

Question
How long does it take to install a skimmer?
http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/

Skimmer Camera

ATM Cyber Heists
Question for Boards & Mgmt Team
What is your bank doing to mitigate the risks of:
- Hacking
- Data Leakage
- Social Engineering
- Corporate Account Takeover
- ATM Fraud
Answer should be:
1. Layered Security Program
2. Risk Assessment
3. Awareness and Education

Layered Information Security Program
- I.T. Risk Assessment
- Asset Management
- Documentation
- Vendor Management
- Penetration Testing
- Vulnerability Assessment
- Security Awareness
- Boards & Committees
- Business Continuity
- Incident Response
- I.T. Audit
Bank Assessments
Risk Assessment
- Evaluating technology risk to implement a comprehensive security program
- Bank may not have security experts on staff
- Manual approach: time is spent creating the spreadsheet (versus making decisions)
Bottom Line Reality:
- Done to appease the regulators
- Does not drive value for the bank
- Does not tell me how to spend my next security $

IT Risk Management Tools
- Efficiency
- Repeatability
- Quality
- Automate processes
- Examiners like them
BOTTOM LINE #1: Act as your security expert
BOTTOM LINE #2: Allow the bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet)
Vendor Assessments: Third Party Risk Management

Third Party Risk (FIL-44-2008)
Four Elements of a Risk Management Program:
- Risk Assessment
- Due Diligence in Selecting a Third Party
- Contract Structuring and Review
- Due Diligence in Vendor Oversight
Cost Benefit Analysis
Reference Evaluation
Documenting Controls
Due Diligence
Residual Risk Score
- Pay attention to the residual risk
- Notice that DCI has done the most to reduce the risk of information security threats
Contract Review
Commercial Account Assessments: Commercial Banking Fraud

Commercial Account Takeover: FFIEC Guidance
The FFIEC's Interagency Supplement to Authentication in an Internet Banking Environment lists the following activities to mitigate commercial account takeover:
- Risk assessments to better understand and respond to emerging threats
- Increased multi-factor authentication
- Layered security controls
- Improved device identification and protection
- Improved customer and employee fraud awareness
See also: CSBS CATO Guidance

Bottom Line
Your bank needs to develop a way to assess the risk of its commercial accounts.

Assessment Results
Enterprise Risk Management
ERM Risk Mitigation Goals

ERM Protection Profile

ERM Threats

ERM Controls

ERM Reporting

Report: Risk Mitigation

Report: Threat Source

Report: Peer Comparison
Summary
- Understand IT cybersecurity law and regulation
- Understand the cybersecurity threats to community banks today
- Viewed a comprehensive information security framework
- Learned to expand and mature risk assessment programs: IT risk assessment, third-party vendor assessments, corporate account assessments (CATO), Enterprise Risk Management

Dr. Kevin Streff
Director: Center for Information Security at Dakota State University
Kevin.streff@dsu.edu, (605) 256-5698
Founder: Secure Banking Solutions, www.protectmybank.com
kevin@protectmybank.com, (605) 270-0790
2014 FFIEC Cybersecurity Assessments
Cybersecurity & Critical Infrastructure Working Group (CCWIG): Targeted Regulatory Exams
- In June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG)
- Approximately 500 assessments of institutions with $1 billion or less in assets
- Information gathering and learning mode
- Finalized report in mid-2014 for all exams moving forward

Summary of Results
- Stronger risk management programs
- Enhanced vulnerability assessment program
- Share and collaborate on cybersecurity information with other institutions
- Enhanced vendor management program
- Enhanced incident response plans
- Training and education on information (cyber) security is going to be emphasized
- Board participation and education involving information security is going to be EXAMINED and REGULATED
Are you keeping your Boards apprised of cybersecurity issues and how your institution is responding?

Cybersecurity Training
Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture. Boards and management are going to be held to a higher standard.

Train Your Board, Staff & Management Team
- Involve them in the Awareness Program
- InfraGard Certification Program
- SBS Certification Program: Certified Board Member, CCBSP, CCBTP

InfraGard Certification
- Training program for staff on information security
- The InfraGard Awareness information security awareness course is FREE to all individuals and small businesses with 25 or fewer employees
- Send your Board through this program! https://infragardawareness.com/
- Twelve lessons (4-9 minutes each)
- Optional certificate to hang in the workplace