
10 Questions on IT Security for Directors/Executives

©2016 Secure Banking Solutions, LLC www.protectmybank.com 1

Chad Knutson ◦ President, SBS Institute ◦ Senior Information Security Consultant ◦ Masters in Information Assurance ◦ CISSP, CISA, CRISC ◦ www.protectmybank.com ◦ [email protected] ◦ Cell: (605) 480-3366

SBS Institute ◦ [email protected] ◦ 605-269-0909

Presenter Info


11 Years Community Bank Consulting at SBS

Experience in Risk Management, ISP Development, and Auditing

Developed the SBS Institute and teach certifications for CBSM, CBCM, CBSTP, and CBIH.

SBS has worked with over 900 banks in 45 states

Relationship with Dakota State University ◦ NSA & DHS National Center of Excellence in Information Assurance ◦ One of the only universities focusing on community banking security

Background


Our Experience PROCESS:

• Information Security Program design and roll-out

• IT Risk Management

• Vendor Management

• Technology Selection

• Business Continuity/ Disaster Recovery

• Incident Response

• Information Security Consulting

• IT Audit ◦ ISP Audit ◦ Controls Audit ◦ Wire Transfer Audit ◦ ACH Audit ◦ Internet Banking Audit

TECHNOLOGY:

• Penetration Testing

• Vulnerability Assessment

• System Configuration Assessment

• Acceptable Use Scanning

PEOPLE:

• Social Engineering

• Awareness Programs

• ISO Training

• CATO Training

• TRAC – Risk Mgmt. Suite

• Verify ACH Whitelisting

• Cyber-Risk

• Anti-Phishing


What is “Cybersecurity”?

Cyber Risk ◦ the increased probability that the very-high-impact, internet-based risks and threats we once thought were improbable will harm our networks

Cybersecurity ◦ the controls and processes in place to protect our networks and customer information from cyber risk

How does it relate to Information Security? ◦ Cybersecurity is one part of the discipline of Information Security, which encompasses not only Cybersecurity but also all of the traditional things we’ve done to protect our confidential customer information, including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more

Images courtesy of ISACA and member Menny Barzilay http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=296


FFIEC IS Booklet - Cybersecurity: The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.

Cybersecurity

“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”

President Obama


U.S. Department of the Treasury Deputy Secretary Raskin 10 QUESTIONS FOR EXECUTIVES AND THEIR BOARDS


How much do I need to know?

Board involvement was a major point of the FFIEC Cybersecurity Assessments that were performed in the second half of 2014 and was heavily mentioned in the General Observations.

The Cybersecurity Assessment Tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn’t think the FFIEC is taking Board involvement seriously. ◦ Domain 1 - Cyber Risk Management and Oversight talks about Board involvement on an increasing frequency to go with increasing maturity, particularly in the “Oversight” component of the “Governance” factor, mentioning the Board fourteen (14) times alone.


Cyberattacks

Cyberattacks - and the harm caused by successful intrusions - have not decreased but are rather drawing more intense public focus.

Cyber-attacks are uniquely devastating ◦ Prevention challenge ◦ Detection rates low ◦ Unknown financial losses ◦ Unknown reputational damages


Guidance and Regulatory Trends

In Summer 2014, the FFIEC completed pilot cybersecurity examination work programs on 500 community banks to evaluate their preparedness for cyber risks.

The FFIEC Summary Assessment included the following:

• Banks have a large dependence on IT to conduct business operations

• Dependence risk includes sector interconnectedness and rapidly evolving cyber threats

• Assessment reinforces the need for engagement by the board of directors with the following suggestions ◦ Routine discussion of cyber security issues in meetings ◦ Maintaining sufficient awareness of threats and vulnerabilities ◦ Managing connections to third parties ◦ Ensuring BCP and DR plans incorporate cyber incident scenarios

Cybersecurity Examinations: FFIEC Release of the Cybersecurity Assessment Tool


Question 1 Does your bank embed cybersecurity into its governance, control, and risk management systems?


Question 2 Have you remained vigilant about systematically identifying key assets, that is, those that provide high-value targets for malicious cyber actors?

What Are Your Crown Jewels?


Question 2

Key Systems ◦ Online Banking ◦ Remote Merchant Capture ◦ Core Banking ◦ Mobile Banking ◦ BYOD

Asset                    Confidentiality  Integrity  Availability  Volume  Protection Profile
Core System              H                H          H             H       12
Business Online Banking  H                H          M             M       10
File Server              M                M          M             H       9
Statement Printer        H                L          L             H       8
Android Phone            M                M          L             L       6
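The table above ranks each asset by a Protection Profile score built from its Confidentiality, Integrity, Availability and Volume ratings. As an added example (not code from the presentation or from SBS), the script below reproduces that scoring and ranks an inventory; the weights H=3, M=2, L=1 summed across the four columns are an assumption, chosen because they reproduce every row of the table (H H H H = 12, M M L L = 6). The asset names, the parser format and the sample inventory are constructed for the example.

```python
"""Protection Profile scoring for an asset inventory (added example).

Assumption: each H/M/L rating maps to 3/2/1 and the four ratings are summed.
This matches every row of the deck's table but is not stated on the slide.
"""
from typing import List, Tuple

RATING_WEIGHTS = {"H": 3, "M": 2, "L": 1}
RATING_FIELDS = ("confidentiality", "integrity", "availability", "volume")


class Asset:
    """One inventory row: the asset name and its four H/M/L ratings."""

    def __init__(self, name: str, confidentiality: str, integrity: str,
                 availability: str, volume: str) -> None:
        self.name = name
        self.confidentiality = confidentiality
        self.integrity = integrity
        self.availability = availability
        self.volume = volume

    def protection_profile(self) -> int:
        """Weighted sum of the ratings; a higher score means the asset
        needs more protection. Rejects anything other than H, M or L so a
        typo in the inventory cannot silently lower an asset's priority."""
        total = 0
        for field in RATING_FIELDS:
            rating = getattr(self, field).strip().upper()
            if rating not in RATING_WEIGHTS:
                raise ValueError(
                    f"{self.name}: {field} must be H, M or L, got {rating!r}")
            total += RATING_WEIGHTS[rating]
        return total


def parse_inventory(text: str) -> List[Asset]:
    """Parse rows of '<name words...> C I A V'; the name may contain spaces,
    so the last four whitespace-separated tokens are taken as the ratings."""
    assets = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed inventory row: {line!r}")
        name = " ".join(parts[:-4])
        assets.append(Asset(name, *parts[-4:]))
    return assets


def rank_assets(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Return (name, protection profile) pairs, highest priority first;
    ties are broken alphabetically so the ordering is deterministic."""
    scored = [(asset.name, asset.protection_profile()) for asset in assets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample inventory: the five assets shown on the slide.
SAMPLE_INVENTORY = """
Core System H H H H
Business Online Banking H H M M
File Server M M M H
Statement Printer H L L H
Android Phone M M L L
"""

if __name__ == "__main__":
    for name, score in rank_assets(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{score:2d}  {name}")
```

Ranking the inventory this way gives a defensible order for the "where do you apply your next control?" discussion under Question 4: the control budget goes to the top of the list first.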


Question 3 Are your security controls tailored to the specific cyber risks presented by each key network, system, or set of sensitive data?


Question 3 Controls on specific systems.

What are others doing for controls?


Question 4 How do you prioritize the implementation of enhanced controls around key networks, systems, and sensitive data?


Question 4 Where do you apply your next control?

What is your risk goal “appetite”?

Next Control


Question 5 Have you reviewed the FFIEC Cybersecurity Assessment Tool and appropriately incorporated it into your approach to cyber risk management?


Question 5 – Set Goals

What are the next steps?

Have we reached our goal?

[Maturity chart, marker labelled “You’re Here”]

Question 5 – Fill Gaps

[Gap chart: assessment statements marked Y or N; “Fill The Gaps”]

Question 6

Have you designated specific professionals to be responsible for the institution’s cybersecurity strategy?

Have you provided them with the authority, resources, and access they need to effectively perform their work?

Do they have the time?

Is this their focus?

How trained are they?

Will they be proactive in identifying, remediating, and communicating risks?


Question 7 Have you trained personnel on cybersecurity policies?

[Diagram: Risk Assessment, Policy (ISP), Audit]

Question 7 How do you train your organization on cybersecurity policies?

Annual Training?


Question 8

What does your cybersecurity insurance cover?

How do we ensure that our insurance coverage matches our cyber-related risks?

Generally non-insurable items:

◦ Reputational harm.

◦ Loss of future revenue (for example, in the case of Target if sales were down due to customers staying away after the data breach).

◦ Costs to improve internal technology systems.

◦ Lost value of your own intellectual property.

Question 9 Does our cyber risk insurance impose “minimum required practices,” which may lead to denial of coverage if not followed?


Question 9 What level of security must be maintained for coverage?

◦ If you were found negligent in patching, would it affect claim?

Look for sublimits for: ◦ Forensics ◦ Regulatory fines and penalties

Time restrictions for business interruptions (e.g. more than 8 hours of network downtime).

Many other areas of insurance are excluding technology or electronic fraud losses, carving a space for cyber insurance.

No standard for insurance, dramatic differences in pricing options and coverages.

What if errors are documented in those long questionnaires used for cyber applications?

https://www.mcguirewoods.com/Client-Resources/Alerts/2013/10/Buyers-Guide-to-Cyber-Insurance.aspx

http://www.wsandco.com/about-us/news-and-events/cyber-blog/cyber-basics


Question 9 What if errors are documented in those long questionnaires used for cyber applications?

◦ Have any complaints or lawsuits regarding privacy/security violations been filed against you?

◦ Have losses or disruptions in service happened in the past?

◦ Have you implemented firewall, malware protection, and system patching?

◦ Do you manage vendor/service provider’s security controls?

◦ Do you perform periodic risk assessments?

◦ Do you have standard security configurations on all critical systems?

◦ Do you implement physical security controls?

◦ Do you implement logical access controls?

◦ Do you have written security policies, incident response programs, and disaster recovery programs?

◦ Are system backups created, stored offsite, and tested?

◦ Are log files reviewed?

◦ Do you have a regular audit conducted on your security controls?

◦ What types of data do you have?

◦ What compliance areas are you required to follow (GLBA, HIPAA, PCI)?

◦ Are your employees trained on security policies and procedures?

Question 10

Does your Bank engage in cyber-hygiene?

Most important of the 10: basic cyber hygiene may prevent 80 percent of all known incidents.


Question 10 Cyber Hygiene Priority:

◦ COUNT: Know what’s connected to your network.

◦ CONFIGURE: Protect your systems by implementing key security settings.

◦ CONTROL: Protect your systems by properly managing accounts and limiting user and administrator privileges to only what they need to do their job.

◦ PATCH: Protect your systems by keeping current!

◦ REPEAT: Regularize the Top Priorities to form a solid foundation of cybersecurity for your organization.

http://cisecurity.org/about/CHToolkits.cfm

[Diagram: Risk Assessment, Information Security Program, Audit]

SBS Questions

[Diagram: How do we address this issue in our Bank? How do we address this with the Customer and Third Party?]

Emerging Security Threats


Spear Phishing


New Malware


Corporate Account Takeover

FBI Reports BEC losses in 2014/2015 = $1.2 billion

Business System Compromised Business Email Compromise

Federal Reserve Atlanta stated losses in 2012 = $4.9 billion


Wires/ACH Fraud


ATM Fraud

1) Traditional Magstripe Skimmer

2) Magstripe Shimmer

3) Drill to insert USB w/ Malware or Mobile Device

4) Hacker in the network

5) EMV Shimmer

Mobile Threats


Trident Vulnerability

Education

How to monitor Cyber Security Issues and Take Action?

◦ Conferences and Conventions ◦ Technology & Security Conferences from http://www.iowabankers.com/

◦ Webinars ◦ Regular Hot Topics from http://www.iowabankers.com/

◦ Banking Schools ◦ Graduate Banking Schools such as www.gsb.org

◦ Certifications: Deep dive into Cybersecurity:

◦ Management Level: ◦ Cybersecurity Manager (CBCM) ◦ Security Executive (CBSE) ◦ Security Manager (CBSM) ◦ Vendor Manager (CBVM) ◦ Incident Handler (CBIH)

◦ Technical Level: ◦ Security Technical Professional (CBSTP) ◦ Ethical Hacker (CBEH) ◦ Mobile Administrator (CBMA) ◦ Forensic Investigator (CBFI)

◦ And more info at www.protectmybank.com/sbsinstitute/

Questions & Contact Information

Chad Knutson ◦ President SBS Institute ◦ Senior Information Security Consultant ◦ Masters in Information Assurance ◦ CISSP, CISA, CRISC ◦ www.protectmybank.com ◦ [email protected] ◦ Cell: (605) 480-3366

Robb Nielson ◦ Regional Sales Representative ◦ [email protected] ◦ Cell: (712) 369-0139