Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond
Ulf Mattsson, CTO Security Solutions, Atlantic Business, [email protected]
Ulf Mattsson
Inventor of more than 45 US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups - Security: ISACA & ISSA; Databases: IBM & Oracle
My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
Evolving IT Risk – My ISACA Articles
Data Security – My Recent ISACA Presentations
Agenda
1. FFIEC Cybersecurity Assessment Tool (CAT)
2. Current trends in Cyber attacks
3. Security Metrics
4. Oversight of third parties
5. How to measure cybersecurity preparedness
6. Automated approaches to integrate Security into DevOps
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a formal U.S. government interagency body. It includes five banking regulators:
1. Federal Reserve Board of Governors (FRB)
2. Federal Deposit Insurance Corporation (FDIC)
3. National Credit Union Administration (NCUA)
4. Office of the Comptroller of the Currency (OCC)
5. Consumer Financial Protection Bureau (CFPB)
It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
FFIEC Cybersecurity Assessment Tool The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
• Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
• Cyber Risk Management and Oversight • Threat Intelligence and Collaboration • Cybersecurity Controls • External Dependency Management • Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part One: Inherent Risk Profile
Part one of the Assessment identifies the institution's inherent risk:
• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.
• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.
• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Risk Levels
The following includes definitions of the inherent risk levels:
• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.
• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.
• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.
• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.
• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part Two: Cybersecurity Maturity
Part two measures the institution's maturity level within each of the following five domains:
• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience
Domains, Assessment Factors, Components, and Declarative Statements: within each domain are assessment factors and contributing components, and each component is evaluated through declarative statements.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Maturity Levels
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
Definitions for each of the maturity levels: the Assessment starts at the Baseline maturity level and progresses through Evolving, Intermediate and Advanced to the highest maturity, the Innovative level. A level is attained only when all declarative statements at that level and at every lower level are met.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – 5 Domains:
1. Domain 1: Cyber Risk Management and Oversight
2. Domain 2: Threat Intelligence and Collaboration
3. Domain 3: Cybersecurity Controls
4. Domain 4: External Dependency Management
5. Domain 5: Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC & NIST
Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool - Excel Templates
FFIEC Cybersecurity Assessment Tool - Excel Template
The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and the Cybersecurity Maturity Assessment.
The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets, based on the completed assessment worksheets.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
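The two-part scoring described above (inherent risk profile, then per-domain maturity) and the dashboard comparison of maturity against inherent risk, as an added worked example in Python. It is not code from the FFIEC or from the Excel template. The cumulative rule for attaining a maturity level follows the CAT: every declarative statement at that level and at each lower level must be met. The majority-of-activities rule for the overall inherent risk level, the sample ratings and answers, and the EXPECTED_MIN target table are assumptions for illustration; the CAT leaves the overall profile to management judgment and publishes its own expected-range chart.

```python
# Added example (not FFIEC or template code): scoring an FFIEC CAT assessment.
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Assumed target: the minimum maturity level expected at each inherent risk
# level. Illustrative only; the CAT publishes its own expected-range chart.
EXPECTED_MIN = {
    "Least": "Baseline", "Minimal": "Evolving", "Moderate": "Intermediate",
    "Significant": "Advanced", "Most": "Innovative",
}


def inherent_risk_profile(ratings):
    """Part one. ratings maps each assessed activity (across the five
    categories) to one of RISK_LEVELS. Returns (overall level, counts).
    The overall level here is the level with the most activities, ties
    broken toward the higher-risk level: an assumption, since the CAT
    leaves the overall call to management."""
    counts = {level: 0 for level in RISK_LEVELS}
    for activity, level in ratings.items():
        if level not in counts:
            raise ValueError(f"{activity}: unknown risk level {level!r}")
        counts[level] += 1
    overall = max(RISK_LEVELS, key=lambda lv: (counts[lv], RISK_LEVELS.index(lv)))
    return overall, counts


def domain_maturity(answers):
    """Part two, one domain. answers maps a maturity level to the list of
    its declarative statements, True where the statement is met ("Yes" or
    "Yes with compensating controls"). Cumulative CAT rule: a level is
    attained only when every statement at that level and at every lower
    level is met. Returns the highest attained level, or None if even
    Baseline is not met."""
    attained = None
    for level in MATURITY_LEVELS:
        statements = answers.get(level, [])
        if statements and all(statements):
            attained = level
        else:
            break
    return attained


def maturity_percent(answers, target):
    """Share (0-100) of declarative statements met from Baseline up to and
    including the target level: the 'percentage achieved against target'
    figure a dashboard would plot."""
    levels = MATURITY_LEVELS[: MATURITY_LEVELS.index(target) + 1]
    total = sum(len(answers.get(lv, [])) for lv in levels)
    met = sum(sum(1 for s in answers.get(lv, []) if s) for lv in levels)
    return round(100.0 * met / total, 1) if total else 0.0


def alignment_gaps(overall_risk, domain_levels):
    """Compare each domain's attained level with the target implied by the
    inherent risk level. Returns {domain: (attained, target)} for domains
    that fall short."""
    target = EXPECTED_MIN[overall_risk]
    need = MATURITY_LEVELS.index(target)
    gaps = {}
    for domain, level in domain_levels.items():
        have = -1 if level is None else MATURITY_LEVELS.index(level)
        if have < need:
            gaps[domain] = (level, target)
    return gaps


# Constructed sample input (not a real institution).
SAMPLE_RATINGS = {
    "ISP connections": "Moderate", "Cloud computing": "Significant",
    "Mobile apps": "Significant", "Wire transfers": "Moderate",
    "Third-party access": "Significant", "Direct employees": "Minimal",
    "Mergers and acquisitions": "Least", "Attempted attacks": "Moderate",
}
SAMPLE_ANSWERS = {
    "Domain 1": {"Baseline": [True, True], "Evolving": [True, True],
                 "Intermediate": [True, True], "Advanced": [True, True],
                 "Innovative": [False]},
    "Domain 3": {"Baseline": [True, True, True], "Evolving": [True, True],
                 "Intermediate": [True, False], "Advanced": [True]},
    "Domain 5": {"Baseline": [True, False]},
}


def assess(ratings=SAMPLE_RATINGS, answers=SAMPLE_ANSWERS):
    """Run both parts and return (overall risk, {domain: level}, gaps)."""
    overall, _ = inherent_risk_profile(ratings)
    levels = {d: domain_maturity(a) for d, a in answers.items()}
    return overall, levels, alignment_gaps(overall, levels)


if __name__ == "__main__":
    overall, levels, gaps = assess()
    print("Inherent risk:", overall)
    for domain, level in levels.items():
        pct = maturity_percent(SAMPLE_ANSWERS[domain], EXPECTED_MIN[overall])
        print(f"{domain}: {level} ({pct}% of statements met through {EXPECTED_MIN[overall]})")
    print("Gaps:", gaps)
```

Note the difference between the two numbers the dashboard shows: the percentage counts every statement met, while the attained level is cumulative, so a domain can score 87.5% of statements and still sit at Evolving because one Intermediate statement is unmet. The gap list is what a board should be asking about, since it compares maturity with the risk the institution actually carries rather than with an absolute scale.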
FFIEC Cybersecurity Assessment Tool
FFIEC released this as a free spreadsheet "tool":
• Spreadsheets are notoriously hard to maintain control of, and the information contained within this tool is clearly sensitive in nature.
Like many other checklist assessment frameworks, the FFIEC CAT is relatively binary in how it forces the user to characterize the condition of the elements it evaluates.
• In some tools, users rate each element of the framework as "Weak", "Partial", or "Strong", enabling them to identify elements that have room for improvement and providing actionable insight.
Making a meaningful comparison between "inherent risk" and control conditions is tricky, though, and the FFIEC CAT describes a rudimentary matrix-like approach for doing so.
• Some tools combine these measurements graphically, which makes the comparison easier to digest.
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment Tool – FAIR International Standard
Factor Analysis of Information Risk (FAIR)
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC
FSSCC Automated Cybersecurity Assessment Tool
FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an "automated" tool:
• No attempts were made to interpret or change any of the FFIEC's stated expectations; and
• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process.
Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool
Board Involvement
The Board's Perception of Cybersecurity Risks
• How would you characterize the board's perception of cybersecurity risks over the last one to two years?
[Chart of survey responses; categories: "Increased significantly", "Increased", "High", "No change"]
Source: PWC – The Global State of Information Security Survey 2016
Source: PWC – The Global State of Information Security Survey 2016
Cybersecurity is now a Persistent Business Risk
• The cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent
• The cybersecurity services market is expanding in the wake of increased incidents and heightened regulations: corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies
Trends in Board Involvement in Cyber Security
• Source: PWC – The Global State of Information Security Survey 2016
Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey 2016
Questions from CEOs, CFOs, Business Risk Owners & CISOs
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we've actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
Security & Business Skills
• The global shortage of technical skills in information security is by now well documented, but there is an equally concerning shortage of soft skills
• Need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line
• But it's very hard to find information security professionals who have that mindset
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
Metrics
Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
Risk Management
Are your security controls covering all sensitive data?
Are your deployed security controls failing?
Are you prioritizing business asset risk?
Source: storm.innosec.com
Cyber Budgeting
Asset      Regulatory Risk   Residual Risk   FTE Cost    Tool Cost   Total Cost
CRM        High              Medium          $  20,000   $       0   $  20,000
HR         High              Medium          $ 100,000   $  20,000   $ 120,000
Feed       High              Low             $   1,000   $       0   $   1,000
Crossbow   Medium            Medium          $   5,000   $   5,000   $  10,000
eTrader    Low               Low             $   1,000   $       0   $   1,000
IT Alert   Low               Low             $   1,000   $       0   $   1,000
SAP        Low               Low             $   1,000   $       0   $   1,000
Total                                        $ 129,000   $  25,000   $ 154,000
(Crossbow tool cost is $5,000: the row total of $10,000 and the column total of $25,000 only balance with that value.)
Source: storm.innosec.com
Asset Sensitivity, Risk and Quarterly Findings
Source: innosec.com
Data Breaches
Source: Verizon 2016 Data Breach Investigations Report
Law Enforcement will Discover Your Breach – Not You
[Chart: share of breaches discovered by internal detection, by law enforcement, and by fraud detection]
Data Security Blind Spots
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
How can I Find My Blind Spots?
[Chart over time: existing PII data, unprotected PII data, protected PII data, and the data found in each audit]
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
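A minimal version of the audit the blind-spot chart describes, scanning an export for unprotected cardholder data, as an added example in Python; it is not code from the presentation or from Ponemon. It looks for 13 to 19 digit runs, confirms a run is a real PAN with the Luhn check (a tokenized or random value usually fails it), and masks what it reports so that the audit report does not itself become a new copy of the PANs. The export lines are constructed; the card numbers are the commonly published Visa and Mastercard test numbers.

```python
# Added example (not from the presentation): find unprotected PANs in an export.
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of a
# longer digit run. This matches far more than real PANs; the Luhn check filters.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by card numbers. Random digit runs and most
    tokens fail it, so it separates real PANs from look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS permits at most the first six and last four digits in the
    clear; the audit report must not become another copy of the PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text):
    """Return one finding per candidate digit run in text.
    status 'pan' = Luhn-valid (unprotected cardholder data),
    'luhn_fail' = digit run that is not a valid PAN (token, ID, typo)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            status = "pan" if luhn_ok(digits) else "luhn_fail"
            findings.append({"line": line_no, "status": status,
                             "value": mask_pan(digits)})
    return findings


def summarize(findings):
    """Counts per status: the numbers that go on the blind-spot chart."""
    summary = {"pan": 0, "luhn_fail": 0}
    for f in findings:
        summary[f["status"]] += 1
    return summary


# Constructed sample export; the card numbers are public test numbers.
SAMPLE_EXPORT = """order_id,customer,card,note
1001,alice,4111111111111111,raw PAN left in export
1002,bob,tok_9f3a2c7e1b8d,tokenized by the vault
1003,carol,5500 0000 0000 0004,raw PAN with spaces
1004,dave,4111111111111112,fails Luhn: token or typo
1005,erin,1234567890123,13-digit run that fails Luhn
"""

if __name__ == "__main__":
    results = scan(SAMPLE_EXPORT)
    for f in results:
        print(f"line {f['line']}: {f['status']:9} {f['value']}")
    print(summarize(results))
```

Run it over each audit's exports and the 'pan' count over time is the unprotected-PII line of the chart. Two caveats a practitioner would add: Luhn-valid tokens exist (format-preserving tokenization can deliberately produce them), so an allow-list of the vault's token format belongs in a real scanner, and the scan must run where the data lives rather than by copying exports to an analyst's laptop.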
Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real time to better control the impact of breaches.
[Chart: number of vulnerabilities over time]
Source: SecurityScoreCard
Focus on Applications and Data
Incident Classification Patterns Across Confirmed Data Breaches
[Chart of incident patterns; highlighted pattern: Web Application Attacks]
Source: Verizon 2016 Data Breach Investigations Report
Worry Only About the Major Breach Patterns
[Chart of breach patterns; highlighted pattern: Application Attacks]
Source: Verizon 2016 Data Breach Investigations Report
FFIEC: Applications and Data
FFIEC Cybersecurity Assessment
[Slide: excerpt of the CAT to NIST CSF mapping; highlighted terms: Risk, Resources, Controls]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment
[Slide: excerpt of the CAT to NIST CSF mapping; highlighted term: Resources]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Security Skills Shortage
Cybercriminal Sweet Spot
Source: calnet
Cybercrime Trends and Targets
Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a "problematic shortage" of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a "problematic shortage" of cybersecurity skills in 2015
• An 18 percentage-point increase year over year
Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud Migration
• IT Consulting & Information Architecture
• Software Development & User Experience Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
SecDevOps
FFIEC Cybersecurity Assessment Tool – 5 Domains:
1. Domain 1: Cyber Risk Management and Oversight
2. Domain 2: Threat Intelligence and Collaboration
3. Domain 3: Cybersecurity Controls
4. Domain 4: External Dependency Management
5. Domain 5: Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment
[Slide: excerpt of the CAT to NIST CSF mapping; highlighted term: Controls]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Automation and Security Metrics
Security Tools for DevOps
• Static Application Security Testing (SAST): analyzes source code or binaries without running them
• Dynamic Application Security Testing (DAST): probes the running application from the outside
• Fuzz testing: feeds large volumes of random or malformed input to the application to surface crashes and unhandled errors
• Vulnerability Analysis
• Runtime Application Self-Protection (RASP): instruments the application to detect and block attacks at runtime
• Interactive Application Security Testing (IAST): instruments the application while tests run to observe vulnerabilities from the inside
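What fuzz testing actually does, as an added example in Python and not code from the presentation: a mutation fuzzer takes a valid seed record, flips bits, deletes and inserts bytes, and feeds the result to a parser. The naive parser is a constructed 'before' that lets Python's own exceptions escape on malformed input, which in a service becomes a crash or a 500; the hardened version validates with a strict pattern and raises only its declared ParseError, which the fuzzer treats as expected. The record format, both parsers and the seeds are assumptions.

```python
# Added example (not from the presentation): a minimal mutation fuzzer.
import random
import re


class ParseError(Exception):
    """The only exception a parser is allowed to raise on bad input."""


def parse_record_naive(data):
    """Constructed 'before' parser for 'name:amount:currency' records.
    Every failure below is an unhandled exception, i.e. a crash."""
    text = data.decode("ascii")                  # UnicodeDecodeError on bytes >= 0x80
    name, amount, currency = text.split(":")     # ValueError on wrong field count
    return name, int(amount), currency           # ValueError on a non-numeric amount


RECORD = re.compile(r"([A-Za-z0-9_]{1,32}):(0|[1-9][0-9]{0,11}):([A-Z]{3})")


def parse_record_hardened(data):
    """Same format, validated up front: length bound, ASCII only, strict
    grammar. Anything else is a ParseError, never a generic exception."""
    if len(data) > 64:
        raise ParseError("record too long")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ParseError("non-ASCII byte") from None
    match = RECORD.fullmatch(text)
    if match is None:
        raise ParseError("malformed record")
    return match.group(1), int(match.group(2)), match.group(3)


def mutate(rng, data):
    """One random mutation: bit flip, byte deletion, or byte insertion."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seeds, iterations=2000, rng_seed=1):
    """Feed mutated seeds to parser. Returns {exception type name: first
    input that triggered it} for every exception other than ParseError.
    A fixed rng_seed keeps the run reproducible in CI."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randrange(1, 4)):      # stack one to three mutations
            case = mutate(rng, case)
        try:
            parser(case)
        except ParseError:
            continue                              # rejected cleanly: expected
        except Exception as exc:                  # anything else is a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEEDS = [b"alice:100:USD", b"bob:0:EUR"]           # constructed valid records

if __name__ == "__main__":
    for name, parser in [("naive", parse_record_naive), ("hardened", parse_record_hardened)]:
        found = fuzz(parser, SEEDS)
        print(f"{name}: {len(found)} crash type(s)")
        for exc_name, sample in found.items():
            print(f"  {exc_name}: {sample!r}")
```

The point for a DevOps pipeline is the return value: a non-empty crash dictionary fails the build and the stored inputs become regression tests. Real fuzzers (AFL, libFuzzer) add coverage feedback so that mutations which reach new code are kept as new seeds, which is what lets them get past the first layer of validation; this example shows only the mutation and crash-triage loop.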
Security Metrics from DevOps
[Chart: number of vulnerabilities over time]
Generating Key Security Metrics
[Chart: number of vulnerabilities over time]
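The number-of-vulnerabilities-over-time chart computed from scanner output rather than drawn by hand, as an added Python example that is not from the presentation or from any vendor's tool. Given findings with an opened date, a closed date and a severity, it produces the open-count time series, mean time to remediate by severity, and the findings that breached a remediation SLA; the same computation serves the third-party vulnerability trend shown earlier. The findings, dates and SLA limits are constructed.

```python
# Added example (not from the presentation): key security metrics from findings.
from datetime import date, timedelta

# Constructed scanner findings: (id, severity, opened, closed or None if still open)
FINDINGS = [
    ("F1", "high",     date(2016, 1, 4),  date(2016, 1, 20)),
    ("F2", "critical", date(2016, 1, 11), date(2016, 1, 13)),
    ("F3", "medium",   date(2016, 1, 18), None),
    ("F4", "high",     date(2016, 2, 1),  date(2016, 3, 1)),
    ("F5", "low",      date(2016, 2, 8),  date(2016, 2, 10)),
    ("F6", "critical", date(2016, 2, 22), None),
]
START, END, AS_OF = date(2016, 1, 4), date(2016, 2, 29), date(2016, 3, 7)

# Assumed remediation SLA in days per severity (illustrative, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def open_count_series(findings, start, end, step_days=7):
    """Number of findings open on each sample date from start to end:
    the y-axis of a '# vulnerabilities over time' chart. A finding is
    open on a day if it was opened on or before that day and not yet
    closed by it."""
    series = []
    day = start
    while day <= end:
        n = sum(1 for _, _, opened, closed in findings
                if opened <= day and (closed is None or closed > day))
        series.append((day, n))
        day += timedelta(days=step_days)
    return series


def mean_time_to_remediate(findings, severity=None):
    """Average days from open to close over closed findings, optionally
    for one severity. None when nothing of that severity has been closed."""
    durations = [(closed - opened).days for _, sev, opened, closed in findings
                 if closed is not None and (severity is None or sev == severity)]
    return sum(durations) / len(durations) if durations else None


def sla_breaches(findings, as_of, sla_days=SLA_DAYS):
    """IDs of findings that exceeded their severity's SLA. Still-open
    findings are aged up to as_of, so an ignored critical shows up and
    not only one that was closed late."""
    breached = []
    for fid, sev, opened, closed in findings:
        limit = sla_days.get(sev)
        if limit is None:
            continue
        age = ((closed or as_of) - opened).days
        if age > limit:
            breached.append(fid)
    return breached


if __name__ == "__main__":
    for day, n in open_count_series(FINDINGS, START, END):
        print(day, "#" * n, n)
    for sev in ("critical", "high"):
        print(sev, "MTTR days:", mean_time_to_remediate(FINDINGS, sev))
    print("SLA breaches as of", AS_OF, ":", sla_breaches(FINDINGS, AS_OF))
```

A falling open count is only good news together with the other two numbers: a team can drive the count down by closing lows while a critical sits open past its SLA, which is exactly what the breach list surfaces.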
Data Centric Security Lifecycle & PCI DSS
[Timeline slide with the years 2004, 2014, 2015 and 2016 and these items: PCI DSS (protect stored cardholder data); DCAP, Data Centric Audit and Protection (centrally managed security); UEBA, user behavior analytics (helps businesses detect targeted attacks); PCI DSS 3.2 (security in the development process)]