Securing fintech - threats, challenges, best practices, ffiec, nist, and beyond - ulf mattsson - jan 13

Page 1

Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond

Ulf Mattsson, CTO Security Solutions, Atlantic Business Technologies

Page 2

Ulf Mattsson

Inventor of more than 45 US Patents

Industry Involvement:

• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs

• IFIP - International Federation for Information Processing

• CSA - Cloud Security Alliance

• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group

• NIST - National Institute of Standards and Technology: NIST Big Data Working Group

• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle

Page 3

My Work with PCI DSS Standards: Payment Card Industry Security Standards Council (PCI SSC)

1. PCI SSC Tokenization Guidelines Task Force

2. PCI SSC Encryption Task Force

3. PCI SSC Point to Point Encryption Task Force

4. PCI SSC Risk Assessment SIG

5. PCI SSC eCommerce SIG

6. PCI SSC Cloud SIG

7. PCI SSC Virtualization SIG

8. PCI SSC Pre-Authorization SIG

9. PCI SSC Scoping SIG Working Group

10. PCI SSC Tokenization Products Task Force

Page 4

Evolving IT Risk – My ISACA Articles

Page 5

Data Security – My Recent ISACA Presentations

Page 6

Agenda

1. FFIEC Cyber Assessment Toolkit

2. Current trends in Cyber attacks

3. Security Metrics

4. Oversight of third parties

5. How to measure cybersecurity preparedness

6. Automated approaches to integrate Security into DevOps

Page 7

Page 8

Federal Financial Institutions Examination Council (FFIEC)

Page 9

FFIEC is a Formal U.S. Government Interagency Body

It includes five banking regulators:

1. Federal Reserve Board of Governors (FRB)

2. Federal Deposit Insurance Corporation (FDIC)

3. National Credit Union Administration (NCUA)

4. Office of the Comptroller of the Currency (OCC)

5. Consumer Financial Protection Bureau (CFPB)

It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".

Source: Wikipedia

Page 10

FFIEC Cybersecurity Assessment Tool

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.

To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organizational Characteristics

• External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

• Cyber Risk Management and Oversight

• Threat Intelligence and Collaboration

• Cybersecurity Controls

• External Dependency Management

• Cyber Incident Management and Resilience

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 11

FFIEC Cybersecurity Assessment Tool – Part One: Inherent Risk Profile

Part one of the Assessment identifies the institution’s inherent risk:

• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.

• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.

• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.

• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.

• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 12

FFIEC Cybersecurity Assessment Tool – Risk Levels

The following includes definitions of risk levels:

• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.

• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.

• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.

• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.

• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 13

FFIEC Cybersecurity Assessment Tool – Part Two: Cybersecurity Maturity

Maturity level within each of the following five domains:

• Domain 1: Cyber Risk Management and Oversight

• Domain 2: Threat Intelligence and Collaboration

• Domain 3: Cybersecurity Controls

• Domain 4: External Dependency Management

• Domain 5: Cyber Incident Management and Resilience

Domains, Assessment Factors, Components, and Declarative Statements

Within each domain are assessment factors and contributing components.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 14

FFIEC Cybersecurity Assessment Tool – Maturity Levels

Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.

Definitions for each of the maturity levels

The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 15

FFIEC Cybersecurity Assessment Tool – 5 Domains:

1. Domain 1: Cyber Risk Management and Oversight

2. Domain 2: Threat Intelligence and Collaboration

3. Domain 3: Cybersecurity Controls

4. Domain 4: External Dependency Management

5. Domain 5: Cyber Incident Management and Resilience

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 16

FFIEC & NIST

Page 17

Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 18

FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 19

FFIEC Cybersecurity Assessment Tools - Excel Templates

Page 20

FFIEC Cybersecurity Assessment Tool - Excel Template

The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.

The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets, based on the completed assessment worksheets.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

Page 21

FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity

Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

Page 22

FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity

The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

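The calculation the Excel template performs is described on the preceding slides only in outline. The following is an added worked example, written for this page and not the FFIEC template's or the deck author's code, that models the two-part assessment in Python: five inherent-risk categories rated per activity, five maturity domains attested statement by statement, and a dashboard-style summary of achieved maturity against a chosen target. The risk and maturity level names are the CAT's (the deck itself names only Baseline and Innovative); the scoring rules are simplifying assumptions: the overall profile is the most frequently chosen risk level, a maturity level counts as achieved only when every declarative statement at that level and at all lower levels is met, and progress is the share of statements met from Baseline up to the target level. All ratings, attestations and targets are constructed sample data.

```python
from collections import Counter

# Level names follow the FFIEC CAT; the scoring rules below are assumptions
# made for this example, not the template's actual formulas.
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]


def inherent_risk_profile(ratings):
    """ratings: {category: [risk level chosen for each activity in that category]}.
    Assumed rule: the overall profile is the level chosen most often across all
    categories; a tie resolves to the higher (more conservative) level."""
    counts = Counter(level for levels in ratings.values() for level in levels)
    unknown = set(counts) - set(RISK_LEVELS)
    if unknown:
        raise ValueError("unknown risk level(s): %s" % sorted(unknown))
    return max(RISK_LEVELS, key=lambda lvl: (counts[lvl], RISK_LEVELS.index(lvl)))


def domain_maturity(attestations):
    """attestations: {maturity level: [True/False per declarative statement]}.
    Assumed cumulative rule: a level is achieved only if every statement at that
    level and at all lower levels is attested. None means Baseline is not met."""
    achieved = None
    for level in MATURITY_LEVELS:
        statements = attestations.get(level, [])
        if not statements or not all(statements):
            break
        achieved = level
    return achieved


def maturity_progress(attestations, target):
    """Percentage of declarative statements met from Baseline up to the target
    level (assumed reading of 'maturity achieved against defined targets')."""
    levels = MATURITY_LEVELS[: MATURITY_LEVELS.index(target) + 1]
    met = sum(sum(1 for ok in attestations.get(lvl, []) if ok) for lvl in levels)
    total = sum(len(attestations.get(lvl, [])) for lvl in levels)
    return round(100.0 * met / total, 1) if total else 0.0


def assessment_summary(ratings, domain_attestations, targets):
    """Dashboard-style summary: inherent risk profile plus, per domain, achieved
    maturity, progress toward the chosen target and the gap in whole levels."""
    rows = []
    for domain in DOMAINS:
        att, target = domain_attestations[domain], targets[domain]
        achieved = domain_maturity(att)
        achieved_idx = MATURITY_LEVELS.index(achieved) if achieved else -1
        rows.append({
            "domain": domain,
            "achieved": achieved,
            "target": target,
            "progress_pct": maturity_progress(att, target),
            "gap_levels": max(MATURITY_LEVELS.index(target) - achieved_idx, 0),
        })
    return {"inherent_risk_profile": inherent_risk_profile(ratings), "domains": rows}


def _att(*per_level):
    """Build an attestation dict from one list of booleans per maturity level."""
    return dict(zip(MATURITY_LEVELS, per_level))


# Constructed sample input: one rating per activity in each risk category.
SAMPLE_RATINGS = {
    "Technologies and Connection Types": ["Moderate", "Significant", "Moderate"],
    "Delivery Channels": ["Significant", "Significant"],
    "Online/Mobile Products and Technology Services": ["Moderate", "Significant"],
    "Organizational Characteristics": ["Minimal", "Moderate"],
    "External Threats": ["Significant"],
}
T, F = True, False
SAMPLE_ATTESTATIONS = {
    DOMAINS[0]: _att([T, T, T, T], [T, T, F], [T, F], [F], [F]),
    DOMAINS[1]: _att([T, T], [T, T], [F, F], [F], [F]),
    DOMAINS[2]: _att([T, T, T], [T, T, T], [T, T], [T, F], [F]),
    DOMAINS[3]: _att([T, F, T], [F, F], [F], [F], [F]),
    DOMAINS[4]: _att([T, T, T], [T, T], [T, T], [T], [F]),
}
SAMPLE_TARGETS = dict(zip(DOMAINS, ["Intermediate", "Evolving", "Advanced",
                                    "Intermediate", "Advanced"]))

if __name__ == "__main__":
    summary = assessment_summary(SAMPLE_RATINGS, SAMPLE_ATTESTATIONS, SAMPLE_TARGETS)
    print("Inherent risk profile:", summary["inherent_risk_profile"])
    for row in summary["domains"]:
        print("%-42s achieved=%-12s target=%-12s progress=%5.1f%% gap=%d" % (
            row["domain"], row["achieved"], row["target"],
            row["progress_pct"], row["gap_levels"]))
```

The dashboard the deck describes plots achieved maturity against inherent risk; the gap column is the numeric form of that comparison. A domain with a non-zero gap is one where management's own target is not yet met, and the External Dependency Management row shows the case the cumulative rule is meant to surface: partial credit on Baseline statements yields a progress percentage but no achieved level at all.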

Page 23

FFIEC Cybersecurity Assessment Tool

FFIEC released this as a free spreadsheet “tool”:

• Spreadsheets are notoriously hard to maintain control of, and the information contained within this tool is clearly sensitive in nature.

Like many other checklist assessment frameworks, the FFIEC CAT is relatively binary in how it forces the user to characterize the condition of the elements it evaluates.

• In some tools, users rate each element of the framework as “Weak”, “Partial”, or “Strong”, enabling them to identify elements that have room for improvement and providing actionable insight.

Making a meaningful comparison between “inherent risk” and control conditions is tricky though, and the FFIEC CAT describes a rudimentary matrix-like approach for doing so.

• Some tools combine these measurements graphically, which makes the comparison easier to digest.

Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool

Page 24

FFIEC Cybersecurity Assessment Tool – FAIR International Standard

Factor Analysis of Information Risk (FAIR)

Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool

Page 25

FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC

FSSCC Automated Cybersecurity Assessment Tool

FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an ”automated” tool:

• No attempts were made to interpret or change any of the FFIEC’s stated expectations; and

• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process

Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool

Page 26

Board Involvement

Page 27

The Board’s Perception of Cybersecurity Risks

• How would you characterize the board’s perception of cybersecurity risks over the last one to two years?

[Chart: survey responses, labelled Increased significantly, Increased, High, No change]

Source: PWC – The Global State of Information Security Survey 2016

Page 28

Cybersecurity is now a Persistent Business Risk

• The cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent

• The cybersecurity services market is expanding in the wake of increased incidents and heightened regulations; corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies

Source: PWC – The Global State of Information Security Survey 2016

Page 29

Trends in Board Involvement in Cyber Security

Source: PWC – The Global State of Information Security Survey 2016

Page 30

Questions the Board Will Ask

Source: PWC – The Global State of Information Security Survey 2016

Page 31

Questions from CEOs, CFOs, Business Risk Owners & CISOs

1. "How much cyber risk do we have in dollars and cents?"

2. "How much cyber insurance do we need?"

3. "Why am I investing in this cyber security tool?"

4. "How well are our crown jewel assets protected?"

5. "How do I know that we’ve actually lowered our risk exposure?"

6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"

Page 32

Security & Business Skills

• The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills

• Need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line

• But it's very hard to find information security professionals who have that mindset

Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690

Page 33

Metrics

Page 34

Trends in Board Involvement in Cyber Security

Source: PWC – The Global State of Information Security Survey 2016

Page 35

Risk Management

Are your security controls covering all sensitive data?

Are your deployed security controls failing?

Are you prioritizing business asset risk?

Source: storm.innosec.com

Page 36

Cyber Budgeting

Source: storm.innosec.com

Asset      Regulatory Risk   Residual Risk   FTE Cost     Tool Cost   Total Cost
CRM        High              Medium          $ 20,000     $ 0         $ 20,000
HR         High              Medium          $ 100,000    $ 20,000    $ 120,000
Feed       High              Low             $ 1,000      $ 0         $ 1,000
Crossbow   Medium            Medium          $ 5,000      $ 5,000     $ 10,000
eTrader    Low               Low             $ 1,000      $ 0         $ 1,000
IT Alert   Low               Low             $ 1,000      $ 0         $ 1,000
SAP        Low               Low             $ 1,000      $ 0         $ 1,000
Total                                        $ 129,000    $ 25,000    $ 154,000

Page 37

Asset Sensitivity, Risk and Quarterly Findings

Source: innosec.com

Page 38

Data Breaches

Page 39

Law Enforcement will Discover Your Breach – Not You

[Chart: breach discovery methods, labelled Internal Detection, Law Enforcement, Fraud Detection]

Source: Verizon 2016 Data Breach Investigations Report

Page 40

Data Security Blind Spots

Page 41

Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 42

How can I Find My Blind Spots?

[Chart: existing PII data over time, split into unprotected PII data and protected PII data, with the data found in audit marked at each audit point]

Page 43

Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 44

Visibility Into Third Party Risk

Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.

[Chart: number of vulnerabilities over time]

Source: SecurityScoreCard

Page 45

Focus on Applications and Data

Page 46

Incident Classification Patterns Across Confirmed Data Breaches

[Chart: incident classification patterns, with Web Application Attacks highlighted]

Source: Verizon 2016 Data Breach Investigations Report

Page 47

Worry Only About the Major Breach Patterns

[Chart: major breach patterns, with Application Attacks highlighted]

Source: Verizon 2016 Data Breach Investigations Report

Page 48

FFIEC: Applications and Data

Page 49

FFIEC Cybersecurity Assessment

[Diagram with labels: Risk, Resources, Controls]

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 50

FFIEC Cybersecurity Assessment

[Diagram with label: Resources]

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 51

Security Skills Shortage

Page 52

Cybercrime Trends and Targets

Cybercriminal Sweet Spot

Source: calnet

Page 53

Problematic and Increasing Shortage of Cybersecurity Skills

• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016

• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015

• 18 percent year-over-year increase

Page 54

Examples of Services That Can Fill The Gap

Application Services

• Application Hosting & Cloud Migration

• IT Consulting & Information Architecture

• Software Development & User Experience Design

Security Services

• Audit & Assessment Services

• Application Security Consulting

• Managed Vulnerability Scanning

• Security Tools Implementation

• Virtual CISO

SecDevOps

Page 55

FFIEC Cybersecurity Assessment Tool – 5 Domains:

1. Domain 1: Cyber Risk Management and Oversight

2. Domain 2: Threat Intelligence and Collaboration

3. Domain 3: Cybersecurity Controls

4. Domain 4: External Dependency Management

5. Domain 5: Cyber Incident Management and Resilience

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf


Page 56

FFIEC Cybersecurity Assessment

[Diagram with label: Controls]

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 57

Automation and Security Metrics

Page 58

Security Tools for DevOps

Static Application Security Testing (SAST)

Dynamic Application Security Testing (DAST)

Fuzz testing is essentially throwing lots of random garbage

Vulnerability Analysis

Runtime Application Self Protection (RASP)

Interactive Application Self-Testing (IAST)
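The list above names the DevOps security tool categories without showing what any of them does in practice. As an added illustration of the fuzz-testing item, and not code from the deck or its author, here is a minimal mutation-based fuzz harness in Python run against a constructed toy parser for a payment-transfer record. The parser, the seed record, the currency list and the mutation alphabet are all made up for this example. The harness treats ValueError as the parser's intended rejection of bad input and records every other exception type as a finding, which is the signal a CI job would turn into the "number of vulnerabilities over time" metric shown on the following slides; the hardened variant of the parser shows the input validation that makes the findings disappear.

```python
import random

# Constructed seed record and mutation alphabet (made up for this example).
SEED_RECORD = "amount=100;parts=4;currency=USD"
ALPHABET = "0123456789;=abcUSD-"
CURRENCIES = {"USD", "EUR", "GBP"}


def parse_transfer(record):
    """Toy parser with latent defects: it assumes every field carries an '=',
    that every expected key is present, and that parts is never zero."""
    fields = {}
    for kv in record.split(";"):
        pieces = kv.split("=")
        fields[pieces[0]] = pieces[1]            # IndexError when '=' is missing
    amount = int(fields["amount"])               # KeyError when a key is mangled
    parts = int(fields["parts"])
    return {"currency": fields["currency"], "per_part": amount // parts}  # ZeroDivisionError


def parse_transfer_hardened(record):
    """Same record format, but every malformed input is rejected with ValueError."""
    fields = {}
    for kv in record.split(";"):
        key, sep, value = kv.partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed field: %r" % kv)
        fields[key] = value
    if set(fields) != {"amount", "parts", "currency"}:
        raise ValueError("unexpected field set: %s" % sorted(fields))
    if not (fields["amount"].isdigit() and fields["parts"].isdigit()):
        raise ValueError("amount and parts must be unsigned integers")
    amount, parts = int(fields["amount"]), int(fields["parts"])
    if parts == 0:
        raise ValueError("parts must be at least 1")
    if fields["currency"] not in CURRENCIES:
        raise ValueError("unknown currency")
    return {"currency": fields["currency"], "per_part": amount // parts}


def mutate(rng, data):
    """Apply one random edit: insert, delete, replace a character, or duplicate a slice."""
    if not data:
        return rng.choice(ALPHABET)
    i = rng.randrange(len(data))
    op = rng.choice(("insert", "delete", "replace", "duplicate"))
    if op == "insert":
        return data[:i] + rng.choice(ALPHABET) + data[i:]
    if op == "delete":
        return data[:i] + data[i + 1:]
    if op == "replace":
        return data[:i] + rng.choice(ALPHABET) + data[i + 1:]
    j = rng.randrange(i, len(data) + 1)
    return data[:j] + data[i:j] + data[j:]


def fuzz_parser(parser, seed_input, iterations=3000, seed=1, max_mutations=3):
    """Feed mutated inputs to parser. ValueError is the expected rejection; any
    other exception is a finding, keyed by type and kept with the first input
    that triggered it. A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        data = seed_input
        for _ in range(rng.randint(1, max_mutations)):
            data = mutate(rng, data)
        try:
            parser(data)
        except ValueError:
            continue                              # graceful rejection: not a bug
        except Exception as exc:                  # a fuzzer wants every other crash
            findings.setdefault(type(exc).__name__, data)
    return findings


if __name__ == "__main__":
    for name, fn in (("buggy", parse_transfer), ("hardened", parse_transfer_hardened)):
        found = fuzz_parser(fn, SEED_RECORD)
        print("%s parser: %d crash type(s)" % (name, len(found)))
        for exc_type, sample in found.items():
            print("  %-18s triggered by %r" % (exc_type, sample))
```

Keeping the first triggering input per exception type is what makes the output actionable: each entry is a reproducer a developer can paste into a unit test, and the count of entries per build is the metric that should trend toward zero.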

Page 59

Security Metrics from DevOps

[Chart: number of vulnerabilities over time]

Page 60

Generating Key Security Metrics

[Chart: number of vulnerabilities over time]

Page 61

Data Centric Security Lifecycle & PCI DSS

[Timeline diagram; year axis: 2004, 2014, 2015, 2016. Labelled items:]

• PCI DSS: Protect stored cardholder data

• DCAP: Data Centric Audit and Protection, centrally managed security

• UEBA: User behavior analytics helps businesses detect targeted attacks

• PCI DSS 3.2

• PCI DSS: Security in the development process

Page 62

Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond

Ulf Mattsson, CTO Security Solutions, Atlantic Business Technologies