Post on 13-Apr-2020
AGENDA
• Introduction
• Cybersecurity
  – Recent News
  – Regulatory Statements
  – NIST Cybersecurity Framework
  – FFIEC Cybersecurity Assessment
• Questions
• Information Security Stats (if we have time)
DISCLAIMER
• The information contained in this session may contain privileged and confidential information.
• This presentation is for information purposes only. Before acting on any ideas presented in this session; security, legal, technical, and reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution.
• No computer system can provide absolute security under all conditions.
• Any views or opinions presented do not necessarily state or reflect those of CoNetrix or ICBA NM.
• The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited.
• All original CoNetrix material is Copyright © 2015 CoNetrix
CYBERSECURITY RECENT HISTORY
• Feb. 2013 – Presidential Executive Order 13636
• June 2013 – FFIEC forms Cybersecurity and Critical Infrastructure Working Group
• Aug. 2013 – Council on Cybersecurity launched
• Feb. 2014 – NIST Released Cybersecurity Framework
• May 2014 – NY Report on Cybersecurity in the Banking Sector
• May 2014 – FFIEC Cybersecurity webinar
• June 2014 – FFIEC Launches Cybersecurity Web Page
• June – July 2014 – FFIEC Commences Cybersecurity Assessments
• Nov. 2014 – FFIEC Released Observations from Cybersecurity Assessment
• Feb. 2015 – FFIEC Revised BCP IT Exam Booklet
• Mar. 2015 – FFIEC Provides Overview of Cybersecurity Priorities
• Mar. 2015 – Office of Inspector General releases report on FDIC’s Supervisory Approach to Cyberattack Risks
• Mar. 2015 – FFIEC Releases 2 Statements on Compromised Credentials and Destructive Malware
• June 2015 – FFIEC Releases Cybersecurity Assessment Tool
FEDERAL RESERVE SR 15-9
“In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
OCC BULLETIN 2015-31
“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”

“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
FDIC FIL-28-2015
“Use of the Cybersecurity Assessment Tool is voluntary.”

“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
CONFERENCE OF STATE BANK SUPERVISORS (CSBS)
“The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank’s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue.”
- CSBS Cybersecurity 101
CHALLENGE
We now have multiple information security frameworks. How do they fit together?
IT/GLBA Information Security Program
NIST Cybersecurity Framework
FFIEC Cybersecurity Assessment Tool
PCI DSS
NACHA Security
HIPAA
HOPEFULLY . . .
We would like to see integration: one information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc.
NIST Cybersecurity Framework
FFIEC Cybersecurity Assessment Tool
PCI DSS NACHA Security
HIPAA
IT/GLBA Information Security Program
More alignment
CALL FOR CYBERSECURITY FRAMEWORK
• Voluntary risk-based set of industry standards & best practices
• Methodology to protect individual privacy & civil liberties through cybersecurity activities
• Framework for Improving Critical Infrastructure Cybersecurity v1.0 (NIST)
FFIEC CYBERSECURITY ASSESSMENT TOOL
• Part One: Inherent Risk Profile
• Part Two: Cybersecurity Maturity
• Interpreting & Analysis
  – Senior management and Board reporting
PART ONE: INHERENT RISK PROFILE
Consists of 78 questions across 5 categories:
• Technology and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
PART TWO: CYBERSECURITY MATURITY
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
SETTING MATURITY LEVELS
• All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.
• While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
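The cumulative rule above is easy to get wrong in a spreadsheet (a met Advanced statement is often counted even though an Intermediate statement below it is unmet). The following is an added example, not CoNetrix or FFIEC code. It assumes the five maturity levels used by the Assessment Tool (Baseline, Evolving, Intermediate, Advanced, Innovative, in that order) and treats a "Y" or "Y(C)" (yes with compensating controls) answer as attained; the statement ids and answers are a constructed sample, not the tool's actual statements.

```python
"""Domain maturity under the FFIEC CAT cumulative rule (added example)."""
from collections import defaultdict

# Assumed ordering of the Assessment Tool's maturity levels, lowest first.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
# Assumption: these answer codes count as "attained"; anything else does not.
ATTAINED = {"Y", "Y(C)"}


def _index(statements):
    """Group answers as {domain: {level: [(statement_id, attained_bool), ...]}}."""
    idx = defaultdict(lambda: defaultdict(list))
    for sid, domain, level, answer in statements:
        if level not in LEVELS:
            raise ValueError(f"{sid}: unknown maturity level {level!r}")
        idx[domain][level].append((sid, answer in ATTAINED))
    return idx


def domain_maturity(statements):
    """Return {domain: achieved level or None}.

    A level is achieved only when every statement at that level AND at every
    lower level is attained. The first level with an unmet (or absent)
    statement caps the domain; attained statements above the cap do not count.
    No institution-wide level is produced, because the Assessment does not
    define one: results are reported per domain.
    """
    result = {}
    for domain, per_level in _index(statements).items():
        achieved = None
        for level in LEVELS:
            checks = per_level.get(level, [])
            if not checks or not all(met for _, met in checks):
                break
            achieved = level
        result[domain] = achieved
    return result


def gap_report(statements, target):
    """Return {domain: [unmet statement ids]} that block reaching `target`
    in that domain, i.e. unmet statements at `target` or any lower level."""
    if target not in LEVELS:
        raise ValueError(f"unknown target level {target!r}")
    cutoff = LEVELS.index(target)
    gaps = {}
    for domain, per_level in _index(statements).items():
        gaps[domain] = [sid
                        for level in LEVELS[:cutoff + 1]
                        for sid, met in per_level.get(level, [])
                        if not met]
    return gaps


# Constructed sample: (statement id, domain, level, answer).
# Ids are placeholders, not CAT statement numbers.
SAMPLE = [
    ("S-01", "Cyber Risk Management and Oversight", "Baseline", "Y"),
    ("S-02", "Cyber Risk Management and Oversight", "Baseline", "Y(C)"),
    ("S-03", "Cyber Risk Management and Oversight", "Evolving", "Y"),
    ("S-04", "Cyber Risk Management and Oversight", "Intermediate", "N"),
    ("S-05", "Cyber Risk Management and Oversight", "Advanced", "Y"),  # does not count
    ("S-06", "Cybersecurity Controls", "Baseline", "Y"),
    ("S-07", "Cybersecurity Controls", "Evolving", "N"),
    ("S-08", "Cybersecurity Controls", "Intermediate", "Y"),  # does not count
    ("S-09", "Threat Intelligence and Collaboration", "Baseline", "N"),  # below Baseline
]

if __name__ == "__main__":
    for domain, level in domain_maturity(SAMPLE).items():
        print(f"{domain}: {level or 'below Baseline'}")
    for domain, ids in gap_report(SAMPLE, "Intermediate").items():
        print(f"  to reach Intermediate, {domain} must close: {ids or 'nothing'}")
```

On the sample, Cyber Risk Management and Oversight reports Evolving (not Advanced, despite S-05), Cybersecurity Controls reports Baseline, and Threat Intelligence and Collaboration reports no achieved level because a Baseline statement is unmet. The gap report is the list management would take to the Board when setting a desired-state target for each domain.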
BENEFITS
• Identifying factors contributing to and determining the institution’s overall cyber risk.
• Assessing the institution’s cybersecurity preparedness.
• Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
• Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness.
• Informing risk management strategies.
FFIEC PRIORITIES
• Cybersecurity Self-Assessment Tool
• Incident Analysis
• Crisis Management
• Training
• Policy Development
• Technology Service Provider Strategy
• Collaboration with Law Enforcement and Intelligence Agencies
RESOURCES
• FFIEC Cybersecurity Awareness Web Page: www.ffiec.gov/cybersecurity.htm
• NCUA Cyber Security Resources: www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
• NIST Cybersecurity Framework: www.nist.gov/cyberframework
• Financial Services Information Sharing and Analysis Center (FS-ISAC): www.fsisac.com
• InfraGard: www.infragard.org
• US Computer Emergency Readiness Team: www.us-cert.gov
• US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
• ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx
• Council on CyberSecurity: www.counciloncybersecurity.org
• CSBS Conference of State Bank Supervisors: http://www.csbs.org/cybersecurity/Pages/default.aspx
FDIC – CYBER CHALLENGE VIDEOS
https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html
CASE STUDY
A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.
SOCIAL ENGINEERING TESTS
[Bar chart: Social Engineering Tests conducted in 2014; categories Phishing Email and Social Engineering Call, each split into Failed and Passed]
SOCIAL ENGINEERING TESTS - DETAILS
Type of Test              Total Tests   Total Responses   % Failure
Phishing Email            5,935         1,180             19.9%
Social Engineering Call   313           92                29.4%
REVIEW OF IT AUDIT OBSERVATIONS
• 50 IT Audits and Assessments conducted between 8/2014 and 2/2015
  – 45 IT/GLBA Audits & Assessments
  – 4 IT Security Reviews
  – 1 Network Assessment
REVIEW OF IT AUDIT OBSERVATIONS - DEMOGRAPHICS
• Customers by Regulating Body:
  – 53% FDIC
  – 31% OCC
  – 16% Other
• Customers by Asset Size:
  – 10% <100M
  – 42% 100M-300M
  – 23% 300M-500M
  – 11% 500M-1B
  – 6% >1B
  – 8% N/A
IT AUDIT OVERALL STATUS
[Pie chart: Overall Security and Compliance Rating; legend Strong, Satisfactory, Needs Improvement, Weak; values shown 53%, 34%, 11%, 2%]
RISK LEVELS DEFINED
In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:
• The likelihood a deficiency is exploited
• The impact on the bank or its customers
• Any existing controls used to mitigate associated risk levels
Risk levels are defined as follows:
• High: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information due to little or no mitigating controls
• Medium: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level
• Low: A deficiency posing a possible threat to the availability, integrity, and/or confidentiality of customer or bank information
FIREWALL OBSERVATIONS
[Pie chart: Router/Firewall Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 2%, 68%, 16%, 14%]
PATCH MANAGEMENT OBSERVATIONS
[Pie chart: Patch Management Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 4%, 44%, 30%, 22%]
LOCAL ADMINISTRATOR OBSERVATIONS
[Pie chart: Users Running as Local Administrator; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 2%, 32%, 28%, 38%]
MOBILE DEVICE OBSERVATIONS
[Pie chart: Mobile Device Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 8%, 10%, 14%, 68%]
LAPTOP ENCRYPTION OBSERVATIONS
[Pie chart: Laptops Not Encrypted Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 4%, 8%, 10%, 78%]
REMOVABLE MEDIA OBSERVATIONS
[Pie chart: Removable Media Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 2%, 20%, 14%, 64%]
AUTHENTICATION OBSERVATIONS
[Pie chart: Multi-factor Authentication Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 4%, 10%, 86%]
THIRD PARTY OVERSIGHT OBSERVATIONS
[Pie chart: Vendor Management Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 6%, 38%, 26%, 30%]
BUSINESS CONTINUITY OBSERVATIONS
[Pie chart: BCP/DR Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 10%, 42%, 30%, 18%]
INCIDENT RESPONSE OBSERVATIONS
[Pie chart: Incident Response Findings; legend High Risk, Medium Risk, Low Risk, No Finding; values shown 22%, 14%, 64%]