TESTING YOUR CYBER SECURITY INCIDENT RESPONSE PLAN

Thomas E. Williams
Gladiator Business Continuity Strategy Manager
Jack Henry & Associates
Centurion Disaster Recovery Services
Northville, MI
[email protected]
800-299-4411
August 9 & 10, 2018

© 2017 Jack Henry & Associates, Inc.®

Tom Williams - Gladiator Business Continuity Strategy Manager

Testing Your Cyber Security Incident Response Plan
Presented by

Gladiator - A Division of Jack Henry & Associates And The Graduate School of Banking

August 8-9, 2018

© 2018 Jack Henry & Associates, Inc.®

Agenda

• The FFIEC Guidelines on Cyber-Security
• Risk factors facing financial institutions
• Incident Response Plan components
• Incident Response Plan testing techniques
• Centurion Cyber Drill

Takeaways Throughout the Day

• Nuggets of Wisdom
• Write them down, memorize them, take pictures of them, etc.
• Be prepared to answer: “What nuggets of wisdom have you learned?”


Three Successful Brands

• Community and Multi-Billion Dollar Banks

• Core Processing Systems

• Integrated Complementary Products

• In-House or Outsourced Services

• Credit Unions of All Sizes

• Core Processing Systems

• Integrated Complementary Products

• In-House or Outsourced Services

• Financial Institutions of All Sizes

• Corporate Entities and Strategic Partnerships

• Core Processor Agnostic

• Best-of-Breed Niche Solutions

Brief Introduction to Gladiator Services

Gladiator® CoreDEFENSE Managed Security Services™

Gladiator® IT Regulatory Compliance/Policy Products™

Centurion Business Continuity Planning™ / Centurion Disaster Recovery®

Gladiator® Hosted Network Solutions™

Gladiator® Managed IT Services™

Business Continuity / Incident Response Plan Components

The FFIEC – Federal Financial Institutions Examination Council Guidelines on BCP/IRP

FFIEC BCP Guidelines

Business Impact Analysis (BIA)
Risk Assessment
Risk Management
Risk Monitoring

• Critical Business Functions
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resources
• Threats
  – Natural
  – Human
  – Technical
  – Cyber Attacks
• Enterprise-wide BCP
• Emergency Plans
• Crisis Management Plans
• IT & Business Unit Plans
• Family Disaster Plan
• Plan Maintenance
• Plan Testing

• Business Units

• Systems / Apps

IRP Basic Requirements

FFIEC’s IRP Minimum Components:
• Assess the nature and scope to identify systems and types of information that have been accessed and/or misused
• Notification of primary regulator
• Completing a SAR and notification of law enforcement
• Take steps to contain the incident to prevent further unauthorized access

IRP Basic Requirements

• Criteria that must be met before compromised systems are returned
• Notification of employees when warranted
• Notification of customers when warranted
• Intrusion response team in place
• Important pieces, but do not provide details to respond in the most effective manner.

Key Best Practices to Supplement Requirements

Consider the following:
– What happened and when?
– Performance?
– Was the Recovery process inhibited?
– What could be done differently?
– Corrective steps for similar future incidents?
– Other tools or resources?
– Use this as an opportunity to improve upon what you already have in place.


Risk Factors Facing Financial Institutions


Cybersecurity Challenges

• Cybercrime cost in the trillions

• Segregation of InfoSec oversight from IT

• Cyber incident management and resiliency

• Qualified InfoSec personnel

• Ever changing Risk Landscape

* salary.com

Regulators Making Cybersecurity a Priority

The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016

FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017

FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015

Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015

FFIEC Issues Statement on Safeguarding the Cybersecurity of Interfinancialinstitution Messaging and Payment Networks - FFIEC, June 7, 2016

The FFIEC published frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016

New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016

The FDIC launches the Information Technology Risk Examination (InTREx) Program - FFIEC, June 30, 2016

Source: Deloitte. Beneath the surface of a cyberattack, 2016

Technical Investigation

Customer breach notification

Post-breach customer protection

Regulatory compliance

Public relations

Attorney fees and litigation

Cybersecurity improvements

Insurance premium increases

Increased cost to raise debt

Impact of operation disruption

Lost value of customer relationships

Value of lost contract revenue

Devaluation of trade name

Loss of intellectual property

Today’s Top 6 Cyber Threats Facing Financial Institutions

1. Encrypted Traffic
2. Malicious Code Variants
3. Supply Chain Infections
4. Patches/Vulnerabilities
5. Ransomware
6. Social Engineering

1 - Encrypted Messages - Counter Measures

1. Decrypt Traffic for Inspection
2. Behavioral Analytics


AV Is Failing, and IPS Is Not Far Behind

Signature based “safety net”

APTs & zero-day attacks

2 - Malicious Code Variants - Counter Measures

1. DNS Protection
2. Deep Content Inspection / Sand Box

DNS Protection: Phishing

1. Threat sends malware to user

2. User clicks to view MalwareDL.com

3. Gladiator® analyzes threat; rejects

4. Gladiator® redirects unsafe request to safe landing page


DNS Protection: Drive-by Download

1. User types in website

2. Website has been hacked and redirects to malicious site

3. Gladiator® detects malicious site

4. Gladiator® Redirects

3 - Supply Chain

Supply chain diagram: Logistics, Consumer, Supplier, Distributor, Manufacturer, Retailer

3 - Supply Chain - Counter Measures

1. Vendor Due Diligence
2. Vendor Management

4 - Patching - Counter Measures

1. Weekly Patching or as Needed
2. Weekly Vulnerability Scanning
3. Data Access Governance
4. Managed IT Services

CNN Headline, March 23rd

The FBI is investigating a ransomware attack on the city of Atlanta

NBC affiliate WXIA reported that the city received a ransom demand in bitcoin for $6,800 per unit or $51,000 to unlock the entire system.

5 – Ransomware Counter Measures

1. Data Access Governance
2. Actively Managed Endpoint Security
3. Modern Era Backup Strategy
4. Sandbox Technology


Top Threats (June – December 2017)

Top threats detected by Microsoft Office 365 ATP

6 – Social Engineering Counter Measures

1. Security Awareness Training
2. Principle of Least Privilege
3. Application Whitelisting


Incident Response Plan Components

Incident Response Plan – Purpose

• This document establishes the plan, procedures, forms and other steps Cashmere Valley Bank will use when responding to a computer security related incident.
• A computer security incident is an information related event where there appears to be:
  – The misuse or unauthorized use of information or computing resources;
  – An impact or potential impact to the confidentiality, integrity or availability of information.
• The incident may be due to an external intruder or may be caused by a disgruntled employee.

Incident Response Plan – Purpose

• Indications or symptoms of a computer security infraction, event or incident that deserves special attention could be the following:
  – System crashes;
  – New user accounts or high activity on a previously low usage account;
  – New files (usually with novel or strange file names);
  – Data modification or deletion (files start to disappear);
  – Denial of service (users become locked out of a system);
  – Unexplained or poor system performance;
  – Suspicious probes (there are numerous unsuccessful login attempts);
  – Suspicious access (someone accesses files on many user accounts).
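
Several of the symptoms listed on this slide can be checked mechanically in logs. The following is an added example, not part of the original presentation: a Python sketch that scans constructed event records for three of the listed indicators (numerous unsuccessful login attempts, new user accounts, and one actor accessing files on many user accounts). The log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real system).
# Assumed format: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2018-08-09T01:00:00 login_failed user=teller1 src=10.0.7.9
2018-08-09T01:30:00 login_failed user=teller1 src=10.0.7.9
2018-08-09T02:00:00 login_failed user=teller1 src=10.0.7.9
2018-08-09T02:14:01 login_failed user=jsmith src=10.0.5.23
2018-08-09T02:14:05 login_failed user=jsmith src=10.0.5.23
2018-08-09T02:14:09 login_failed user=admin src=10.0.5.23
2018-08-09T02:14:13 login_failed user=admin src=10.0.5.23
2018-08-09T02:14:17 login_failed user=root src=10.0.5.23
2018-08-09T02:30:00 login_failed user=teller1 src=10.0.7.9
2018-08-09T02:41:00 account_created user=svc_tmp by=admin
2018-08-09T02:45:10 file_read actor=svc_tmp owner=alice path=/home/alice/q2.xlsx
2018-08-09T02:45:12 file_read actor=svc_tmp owner=bob path=/home/bob/wires.csv
2018-08-09T02:45:15 file_read actor=svc_tmp owner=carol path=/home/carol/notes.txt
2018-08-09T02:50:00 file_read actor=alice owner=alice path=/home/alice/q2.xlsx
2018-08-09T03:00:00 login_failed user=teller1 src=10.0.7.9
"""

# Assumed thresholds; tune them to the institution's own baseline.
FAILED_LOGIN_THRESHOLD = 5                  # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10) # ... inside this sliding window
CROSS_ACCOUNT_THRESHOLD = 3                 # distinct other users' files read


def parse_line(line):
    """Split one record into (timestamp, event name, dict of fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields


def detect(log_text):
    """Return (indicator, subject) findings in the order they trigger."""
    findings = []
    failures = defaultdict(list)       # source -> recent failure timestamps
    owners_touched = defaultdict(set)  # actor -> other users whose files were read
    flagged = set()                    # avoid reporting the same subject twice

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)

        if event == "login_failed":
            src = f["src"]
            # Keep only failures still inside the sliding window, so a slow
            # trickle of mistyped passwords does not raise an alert.
            recent = [t for t in failures[src] if ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(ts)
            failures[src] = recent
            key = ("suspicious_probe", src)
            if len(recent) >= FAILED_LOGIN_THRESHOLD and key not in flagged:
                flagged.add(key)
                findings.append(key)

        elif event == "account_created":
            # Every new account is surfaced for review against change records.
            findings.append(("new_user_account", f["user"]))

        elif event == "file_read" and f["actor"] != f["owner"]:
            actor = f["actor"]
            owners_touched[actor].add(f["owner"])
            key = ("suspicious_access", actor)
            if len(owners_touched[actor]) >= CROSS_ACCOUNT_THRESHOLD and key not in flagged:
                flagged.add(key)
                findings.append(key)

    return findings


if __name__ == "__main__":
    for indicator, subject in detect(SAMPLE_LOG):
        print(f"{indicator}: {subject}")
```

In the constructed sample, the source that fails five times within seconds is reported, while the source with five failures spread over two hours is not.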


Cyber Risk Appetite

• Management position on cyber risk

• Cyber risk appetite is not static

• Not a one-size-fits-all

• Based on business strategy

• Actionable and specific

What is the Bank’s Cyber-Security Risk Mitigation Profile?

Risk scale graphic: LOW RISK, MODERATE RISK, HIGH RISK; labels: BSA/AML, No Incident Response Plan, Internal Fraud, Incident Response Plan

Each organization should continually strive to move toward the Low Risk area

Cyber Incident Response Plan Components

Monitoring Identification / Detection

Investigation / Decision Making

Evidence Collection / Forensic Analysis

Communications – Employees - Members Media – Legal – Insurance

Management

Vendor / Resource Management

Business Resumption

Incident Response Process

Cyber Incident

1. Report Incident
• Technical Support / Help Desk

2. Incident Classification
• Validation and Severity of Incident

3. Notification/Escalation
• Who to contact, internal-external

4. Assessment
• Entry point of virus
• Systems affected
• Time to close incident
• Regulatory - Law agencies

5. Documentation
• Phone conversations
• System logs
• Meeting minutes
• Screen shots

6. Containment
• Shut down system
• Disconnect from network
• Monitor system/network
• Set traps
• Disable functions, etc.

Incident Response Process

7. Protecting Evidence
• Preserving hard drives
• Documenting incidents

8. Eradication & Recovery
• Anti-virus software
• System rebuilds

9. Follow-up Analysis
• System monitoring
• Sequence of events
• Method of discovery
• Lessons learned

10. Incident Prevention
• Technology
• Policies, procedures
• Training on security awareness
• Technical configurations
• Access permissions, logs, etc.

11. Vendor Management
• Tier 1 vendors must report all Incidents to CVB
• T1 vendors must have Incident Response Plans
• T1 Vendors must have Business Continuity Plans

Incident Response Severity Levels

Level 1
• Not a computer security condition – Low Impact
• The incident may be another type of issue
• The CIO may redirect the issue back to the Help Desk

Level 2
• Security Infraction or Event – Moderate Impact
• A security infraction is non-compliance with security policy or standard
• In many cases does not require formal investigation or tracking
• Infractions are addressed according to policy and enforcement

Level 3
• Information Security Incident – High Impact
• An information security incident appears significant upon initial reporting and additional investigation is deemed appropriate.


Incident Response Testing

• Annual requirement

• Validates that the IRP will work

• Appropriate response

• Incident reporting requirements

• Severity ranked scenarios

Incident Response Plan Testing Considerations

• Testing is a necessity and should be completed annually.
• Size and complexity matter in testing.
• Assemble your team.
  – Validate response capabilities.
  – Consider a vendor representative.
  – Vendors assist with testing efforts - Centurion.
• Determine your testing scenario.
  – Variety of severity levels with technical and non-technical incidents.

The Impact of Cybersecurity and Technology Service Providers

• Technology Service Providers (TSPs)
  – Cyber resilience becomes a factor
  – TSPs are now a part of your Incident Response Team
  – Vendor Management

• Relationship between vendor management and incident response

• Information Sharing

FFIEC-Information Security Officer Responsibilities

• Incident Response Management & Training
• Information Security Strategy & Policies
• Information Systems Risk Assessment
• IT Audits & Interaction with Examiners
• Business Continuity / Disaster Recovery
• Vendor Management
• Vulnerability Assessments

vISO (Virtual Information Security Officer) Service Elements

• Annual Recurring InfoSec Risk Assessment
  – Asset Based, Control Validation
• Written Information Security Program
  – Policies, Procedures, Forms
• Ongoing Compliance Management
  – Audit Support, Monthly Meetings
• Reporting
  – Information Security Program Status


Centurion Cyber Drill

Cyber Incident Response Drill Objectives

• Better understand your financial institution’s vulnerability toward cyber incidents.
• Assess your financial institution’s Incident Response Plan (IRP).
• Identify the major milestones associated with a cyber incident.
• Collaborate with your peers to share approaches to dealing with cyber incidents.

Avoid becoming a victim like the following companies:

Cyber Attack Drill Information

• This is a test exercise, based on the probability of a real-world scenario.
• Treat scenario details as fact.
• Think about how your bank’s cyber program would measure up to a similar, but real incident.
• Consider what improvements may be required to your IRP resulting from the drill.

• Provide an interactive experience based on decisions associated with a cyber incident.
• You are assigned to the Incident Response Team (IRT) of The Financial Institution of Madison.
• Your team will be given a scenario resulting in a cyber incident to The Financial Institution of Madison.
• Please assume the role that you are assigned to as an Incident Response Team Member.

Incident Response Team Introduction

FRONT OF ROOM

Chief Operations Manager / Compliance Manager

Chief Information Security Officer

Chief Executive Officer

Marketing / HR Manager


Incident Response Drill Challenges

Situational events that your IRT has to make decisions on

Share ideas and learn from your peers

Challenges are derived from real-world situations

Poll Everywhere will display team challenge results

Creates group discussion and collaboration

Financial Institution of Madison Bank Profile

• $757 million in assets
• Main office is located in downtown Madison, WI
• 9 additional branch office locations throughout Madison
• 211 employees and 511,000 customers

Financial Institution of Madison Technology Profile

• Core processing – Outsourced
• Windows® infrastructure runs at main office
• VMware Snapshots taken once per day and replicated off-site at another branch twenty-five miles away
• Uses an MPLS common network between branches
• Thirty days of historical backups


Let’s Get Started!


Cyber-Exercise Slides

• To maintain the integrity of the cyber-exercise, we elected not to include the actual slides of the drill until after the drill is completed in class.

• For those who elect to attend the class, the slides for the cyber-exercise will be made available immediately after attending the class.