Defending Against Cyber Security Threats to the Payment and Banking Systems



Similar documents
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

ABUSE OF PAYMENT SYSTEMS IN FRAUD, MONEY LAUNDERING, AND OTHER FINANCIAL CRIMES

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Update On Smart Grid Cyber Security

Cybersecurity The role of Internal Audit

Security and Privacy

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Cyber-Security. FAS Annual Conference September 12, 2014

Combating a new generation of cybercriminal with in-depth security monitoring

Information Security and Risk Management

How To Protect Yourself From Cyber Threats

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

CYBER SECURITY SERVICES PWNED

KEY TRENDS AND DRIVERS OF SECURITY

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

Cyber Security. John Leek Chief Strategist

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Overcoming PCI Compliance Challenges

Defending Against Data Beaches: Internal Controls for Cybersecurity

RSA Archer Risk Intelligence

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity and internal audit. August 15, 2014

Cybersecurity: Protecting Your Business. March 11, 2015

CYBER SECURITY INFORMATION SHARING & COLLABORATION

CYBER SECURITY, A GROWING CIO PRIORITY

Cyber Security Metrics Dashboards & Analytics

Business Continuity for Cyber Threat

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

October 24, Mitigating Legal and Business Risks of Cyber Breaches

Italy. EY s Global Information Security Survey 2013

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

How GCs And Boards Can Brace For The Cybersecurity Storm - Law360

Franchise Data Compromise Trends and Cardholder. December, 2010

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Managed Security Services for Data

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

PCI Compliance Top 10 Questions and Answers

PCI DSS. Payment Card Industry Data Security Standard.

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

NATIONAL CYBER SECURITY AWARENESS MONTH

Information Technology

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Secure by design: taking a strategic approach to cybersecurity

PCI DSS Overview and Solutions. Anwar McEntee

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit.

Cybersecurity: What CFO s Need to Know

The session is about to commence. Please switch your phone to silent!

Modular Network Security. Tyler Carter, McAfee Network Security

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

RETHINKING ORC: NRF S CYBER SECURITY EFFORTS. OMG Cross Domain Threat & Risk Information Exchange Day, March 23, 2015

NETWORK SECURITY. 3 Key Elements

Cybersecurity Global status update. Dr. Hamadoun I. Touré Secretary-General, ITU

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

The Onslaught of Cyber Security Threats and What that Means to You

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

EC-Council. Certified Ethical Hacker. Program Brochure

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Internet threats: steps to security for your small business

Privacy Governance and Compliance Framework Accountability

A Decision Maker s Guide to Securing an IT Infrastructure

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

AppGuard. Defeats Malware

Effective Methods to Detect Current Security Threats

I ve been breached! Now what?

PCI Compliance. Top 10 Questions & Answers

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

RETHINKING CYBER SECURITY Changing the Business Conversation

Transcription:

NYU Leonard N. Stern School of Business Master of Science Risk Management RISK MANAGEMENT SYMPOSIUM 2015 Defending Against Cyber Security Threats to the Payment and Banking Systems Andrew Koh Class of 2010 MSRM Class of 2009 MSGF 1

LINKEDIN Profile: https://sg.linkedin.com/in/andrewkohmw Thought leader, speaker, moderator, panelist, writer, advisor Selected conferences: World Cards & Payments; Financial Times; RiskMinds Asia; Bloomberg; Cards & Payments Asia; The Asian Banker. Presented to central banks, regulators, government agencies, financial institutions, varsities, private equity & fin-tech firms. Published articles for award winning magazine: Strategic Risk Asia. 25 years in banking, finance, payment & cards sectors Experiences in Basel, ERM, GRC, Fraud, Outsourcing, RCSA, KRIs, Stress Testing, Incident Response, BCP, Audit frameworks & systems. Currently, he is the Deputy Chief Manager of Risk Control in China Construction Bank, S'pore. and was Vce President of ERM for NETS. Avid Lifelong Learner Class of 2010 MS Risk Managment (Stern) Class of 2009 MS Global Finance (Stern + HKUST) 2

AGENDA Part 1 - Cyber Security Threats High risk, high profile threats to payments & banking systems. Increasing sophistication and scale of threats. Defense and Attack Technologies Using data, analytics and intelligence to combat threats. Power of collaboration and the role of regulators. Part 2 - Defending against Cyber Threats/ORM Perspective Defining roles and responsibilities in cyber risk governance. Identifying and protecting information assets most important to your firm and susceptible to cyber threats. How can Key Risk Indicators (KRIs) effectively interact with other tools to monitor attempts of cyber-attacks? Interplay of Incident Response and Business Continuity planning. Questions & Answers 3

Part 1 - Cyber Security Threats 4

High risk, High profile threats to payments & banking systems. 5

High risk, High profile threats to payments & banking systems. DATA IS THE NEW CURRENCY! 6

High risk, High profile threats to payments & banking systems. CYBERSECURITY THREATS FOR 2015 & BEYOND! 7

High risk, High profile threats to payments & banking ystems Top 5 Threats Identified By NETS - Singapore national payment operator Cyber-Terrorist Groups 1 Politically motivated Groups 2 Hackers / Hacking Incidents 3 Cyber Loss Incidents 4 Payments Disruptions due to cyber-attacks and related incidents 5 8

High risk, High profile threats to payments & banking ystems Top 5 Threats Identified CCB Singapore Cybercriminals and their actions 1 Insider Threats 2 Brand & Reputational risks 3 Non compliance to regulatory requirements on cybersecurity. Business Disruptions 5 4 9

Increasing Sophistication & Scale of Threat Sony Hack / North Korea Govt. link Turbotax hack / 18 U.S. states JP Morgan Chase hack / 83mio records 10

Increasing Sophistication & Scale of Threat(NETS & CCB S'pore) ( Feb 2014 MTGOX 150,000 DDoS attacks per second for several days Nov 2014 Sony Its like 1,000 robberies done in 50 states in 1 day 11

Defense and Attack Technologies (NETS & CCB S'pore) VIRUS (1990s) (NETS (NETS) ANTI-VIRUS, FIREWALLS (1990s) WORMS (2000s) INTRUSION DETECTION & PREVENTION (2000s) BOTNETS (late 2000s to current) DLP, APPLICATION-AWARE FIREWALLS (late 2000s to current) APTs (current) NETWORK FLOW ANALYSIS 12

Defense and Attack Technologies (NETS) Top 5 Security Threat Defense Used by Organization (CISO) (Source: CISCO Annual Security Report 2015) Network security, firewalls, intrusion prevention 64% Web security 62% Email/messaging security 58% Data Loss Prevention (DLP) 55% Encryption/privacy/data protection 55% 13

Defense and Attack Technologies Huge Gaps in Defense Technologies we use today Firms using yesterday s technologies to defend against cyber threats. Advances in technological innovations far exceeding security and risk management practices. Profits come first! There is a popular web-browser that can bypass firewalls w/o hacking. Lack of committed resources to defend against cyber-attacks. Most firms still view cyber threats as isolated, IT related issues. Severe Knowledge Gaps in Cyber Risks & Security No skills and mindset for board of directors and C-Suite executives to make informed decisions. Lack of staff cybersecurity awareness to guard against cyber threats. 14

Using data, analytics and intelligence to combat threats(nets ) (NETS) BIG DATA 15

Using data, analytics and intelligence to combat threats. (NETS) BIG DATA + BIZ INTELLIGENCE 16

Power of collaboration and the role of regulators.. (NETS & CCB S'pore) 17

Power of collaboration and the role of regulators. 18

Part 2 - Defending against Cyber Threats from an Operational Risk Manager s Perspective. 19

Defining roles and responsibilities in cyber risk governance.. 20

Defining roles and responsibilities in cyber risk governance. (NETS & CCB S'pore). Board of directors ( Senior Management Responsible for cyber risk framework. Responsible for implementation and daily management of cyber risk framework. Cyber Risk & Security Committee Cyber Risk Champions (Biz & Support Units) Comprises of ORM, ERM, ITRM, Tech Ops, General Ops, BCM, Legal, Compliance, Audit (advisory). Cyber risk identification & assessment. Raise cyber risk warning alerts and recommend solutions to issues raised. 21

Strong Risk Culture Identifying and protecting information assets most important to your firm and susceptible to cyber threats. (NETS ERM). Cyber Risk Governance 22

Strong Risk Culture Identifying and protecting information assets most important to your firm and susceptible to cyber threats. (CCB S'pore). Cyber Risk Governance 23

Identifying and protecting information assets most important to your firm and susceptible to cyber threats. (NETS & CCB S'pore). Criteria Used Risk Tools Definition Single Point of Failures Most Vulnerable Attack Surface Area Risk Strategies Selection Process Mapping + RCSA Cyber Security & Risk Assessment Risk Impacts Dependent on whether it s data or assets or both. Failure at a single vector resulting in severe business disruptions/penalties, etc Success rate of cyber attacks can lead to brand & reputational risks for firms. 24

Definition of Information Assets (NETS) Components DATA APPLICATION HOST INTERNAL NETWORK PHYSICAL SECURITY POLICIES, PROCEDURES & AWARENESS Protection Technologies Data Encryption Application Hardening; Anti-virus Authentication; Update Mgmt Network Segmentation; IPSec; Network IDS. Guards; Locks; Tracking Devices User Education & Training 25

Definition of Information Assets (CCB S'pore) 26

Definition & Risk Strategies Selection (NETS) (NETS) 27

Single Point of Failure END-TO-END PROCESS MAPPING (Level 1) Cyber threats 28

Single Point of Failures END-TO-END PROCESS MAPPING (Level 2) Cyber threats 29

Strong Risk Culture Identifying and protecting information assets most important to your firm and susceptible to cyber threats.. Cyber Risk Governance 30

Cyber Security & Risk Assessment (Scenario Based Approach) 31

RISK & CONTROL SELF ASSESSMENT Risk Description Identification 1. Economic ALL RISKS Likelihood Impact Gross Risk Gross Risk Score Gross Risk Ranking Risk Assessment Gross Risk Rating Likeli hood Impact Residual Risk Residual Risk Score Residual Risk Ranking Financial loss 3 3 9 1 1 2 2 4 1 1 Residual Risk Rating Risk Control Register Effective Controls in place? (Y/N) Transaction Value 2 3 4 2 2 1 2 2 2 2 2. Operational System Availability NA NA NA NA NA NA NA NA NA NA Staff Attrition NA NA NA NA NA NA NA NA NA NA 3. Brand and Reputation Damage to reputation NA NA NA NA NA NA NA NA NA NA 4. Regulatory Non-compliance NA NA NA NA NA NA NA NA NA NA 5. Client Customer Impact NA NA NA NA NA NA NA NA NA NA Merchant Impact NA NA NA NA NA NA NA NA NA NA 32

Strong Risk Culture Identifying and protecting information assets most important to your firm and susceptible to cyber threats.. Cyber Risk Governance 33

RISK & CONTROL SELF ASSESSMENT Risk Description Identification 1. Economic ALL RISKS Likelihood Impact Gross Risk Gross Risk Score Gross Risk Ranking Risk Assessment Gross Risk Rating Likeli hood Impact Residual Risk Residual Risk Score Residual Risk Ranking Financial loss NA NA NA NA NA NA NA NA NA NA Residual Risk Rating Risk Control Register Effective Controls in place? (Y/N) Transaction Value NA NA NA NA NA NA NA NA NA NA 2. Operational System Availability NA NA NA NA NA NA NA NA NA NA Staff Attrition NA NA NA NA NA NA NA NA NA NA 3. Brand and Reputation Damage to reputation NA NA NA NA NA NA NA NA NA NA 4. Regulatory Non-compliance NA NA NA NA NA NA NA NA NA NA 5. Client Customer Impact NA NA NA NA NA NA NA NA NA NA Merchant Impact NA NA NA NA NA NA NA NA NA NA 34

Strong Risk Culture Identifying and protecting information assets most important to your firm and susceptible to cyber threats.. Cyber Risk Governance 35

RISK & CONTROL SELF ASSESSMENT Risk Description Identification 1. Economic ALL RISKS Likelihood Impact Gross Risk Gross Risk Score Gross Risk Ranking Risk Assessment Gross Risk Rating Likeli hood Impact Residual Risk Residual Risk Score Residual Risk Ranking Financial loss NA NA NA NA NA NA NA NA NA NA Residual Risk Rating Risk Control Register Effective Controls in place? (Y/N) Transaction Value NA NA NA NA NA NA NA NA NA NA 2. Operational System Availability NA NA NA NA NA NA NA NA NA NA Staff Attrition NA NA NA NA NA NA NA NA NA NA 3. Brand and Reputation Damage to reputation NA NA NA NA NA NA NA NA NA NA 4. Regulatory Non-compliance NA NA NA NA NA NA NA NA NA NA 5. Client Customer Impact NA NA NA NA NA NA NA NA NA NA Merchant Impact NA NA NA NA NA NA NA NA NA NA Key Risk Indicators Review KRI Thresholds 36

CREATE YOUR FIRM S CYBER RISK UNIVERSE Human Risk Fraud Risk Flaws & Bugs Outsourcing Risk Encryption Risk Governance Risk Reputation Risk Escalation Risk Technology Risk Disruption Risk Malware Risk Vendor Risk Regulatory Risk Vulnerabilities Project Risk Compliance Risk Monitoring Risk Legal Risk Threats Risk Reporting Risk Audit PCI DSS Application Risk NYU Leonard N. Stern of Business - MSRM Risk Management 37 Symposium 30 May 2015 37

OPERATIONAL RISK MANAGEMENT RISK HEAT MAP NYU Leonard N. Stern of Business - MSRM Risk Management 38 Symposium 30 May 2015 38

OPERATIONAL RISK MANAGEMENT RISK HEAT MAP CYBER- RISKS (Possible, Catastrophic) 39

Strong Risk Culture OPERATIONAL RISK MANAGEMENT RISK HEAT MAP Cyber Risk Governance 40

MONITOR & IMPROVE OPS RISK PROGRAM Define Key Risk Indicators 1 Risk Parameter Risk Score = Likelihood x Impact Risk Scores Time Frame Likelihood Impact 2 Risk Escalation 4 New Ops process New Obj / Strategy New Risk New System Economic 1 2 3 4 5 3 Operational 1 2 3 4 5 Brand & Reputation 1 2 3 4 5 Regulatory 1 2 3 4 5 Tier 1 Tier 2 Tier 3 Client 1 2 3 4 5 Impact Insignificant Minor Moderate Major Severe NYU Leonard N. Stern of Business - MSRM Risk Management 41 Symposium 30 May 2015

How can Key Risk Indicators (KRIs) effectively interact with other tools to monitor attempts of cyber-attacks? KRI Metrics Risk Owners Scope of Responsibilities Percentage of Failure rates Volume of data passing thru network traffic System disruptions Technology Team (NETS & CCB Security & Risk Team Business, Technology, Security & Risk Product and/or services Failure Testing Cycles Managing data traffic passing thru firewalls defenses via setting up filter rules for data packets. Managing system downtime, investigate root causes & incident escalation 42

How can Key Risk Indicators (KRIs) effectively interact with other tools to monitor attempts of cyber-attacks? 43

Interplay of Incident Response and Business Continuity planning. CURRENT STATE OF CYBER INCIDENT RESPONSE CYBER-ATTACKS CAN STRIKE WITHIN SECONDS! DATA CAN BE STOLEN WITHIN MINUTES! 44

Interplay of Incident Response and Business Continuity planning. (NETS & CCB ) LOW CYBER INCIDENTS HIGH CYBER INCIDENTS Notification Timing Ownership Notification Timing Ownership Biz Unit Dept Head Immediate Biz Unit Dept Head Senior Mgmt Immediate CEO ORM Dept Head < 30 mins - ERM + ORM Dept Heads Immediate - Cyber Alert Team < 45 mins - Cyber Alert Team Immediate 45

Interplay of Incident Response and Business Continuity planning(nets & CCB). (NETS & CCB) 46

KEY TAKEAWAYS Part 1 - Cyber Security Threats Aware of high risk/profile threats + their rising sophistication/ scale. Huge Gaps in Cyber Defense Technologies and Expertise. Ideas to use big data, analytics & intelligence to combat threats. Common goals in collaborating with peers and regulators. Part 2 - Defending against Cyber Threats/ORM Perspective Need to set-up cyber risk governance. Know how to identify & protect key assets against cyber threats. Define key KRIs metrics to monitor attempts of cyber-attacks. Understanding the problem in Incident Response and to use Business Continuity planning to address them. 47

Some Useful References: Andrew Koh : Rethinking enterprise risk management A new educational series looking at practical ideas for managing a variety of risks, (StrategicRISK, Asia edition, Issue 5, Sep. 2014): file:///c:/users/andrew%20koh/downloads/sr-asia- September-2014.pdf Andrew Koh : Rethinking enterprise risk management Our Educational Series Examines Emerging Risks and Scenario Analysis (StrategicRISK, Asia edition, Issue 6, Jan 2015): http://edition.pagesuiteprofessional.co.uk//launch.aspx?eid=75224692-730f-4804-998c-cfad87fbc0b2 Models of Escalation and De-escalation in Cyber Conflict John C. Mallery Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology Presentation at the 2011 Workshop on Cyber Security and Global Affairs, Budapest, Hungary, May 31 June 2, 2011.Version: 3/29/2012 11:04 AM Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/dbir/2015/ An ISACA and RSA Conference Survey: State of Cybersecurity: Implications for 2015: http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for- 2015.aspx CISCO Annual Security Report 2015: http://www.cisco.com/web/offers/lp/2015- annual-security-report/index.html 48

If You Have Trouble Sleeping After This. Contact Information andrewkohmw@yahoo.com.sg https://sg.linkedin.com/in/andrewkohmw @KohWee 49

NYU Leonard N. Stern School of Business Master of Science Risk Management RISK MANAGEMENT SYMPOSIUM 2015 Defending Against Cyber Security Threats to the Payment and Banking Systems Q & A Andrew Koh Class of 2010 MSRM Class of 2009 MSGF 50

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information