A Road Forward: Cybersecurity Trends and Challenges for Credit Unions Post-Pandemic


Page 1: A Road Forward · Information provided in this presentation, including all materials, should not be construed as legal services, legal advice, or in any way establishing an attorney-client

A Road Forward: Cybersecurity Trends and Challenges for Credit Unions Post-Pandemic

Page 2

SILVERSKY PROPRIETARY AND CONFIDENTIAL

HOUSEKEEPING

This session is being recorded.

The recording and slides will be emailed to all registrants.

Please submit your questions into the Q&A box.

Page 3

MEET YOUR SPEAKERS

JOHN DEVENYNS

Senior Sales Engineer

ANUSHA PARISUTHAM

Head of Product, Email Security and Cloud Email

GERRIT BOELE

Senior Sales Engineer

VALERIE MOSS

Senior Director of Compliance Analysis

Page 4

POLL TIME

Page 5

Road Forward: The increasing sophistication of cyber criminals

Page 6

Cybercrime’s Industrial Revolution

• In recent years, cybercrime has undergone a profound process of modernization and innovation

• The cybercrime industry has its own service economy, complete with solution providers, tools for hire and end users

• Criminals are committed to adjusting their business practices to scale their operations and meet customer needs

• Everyone from novices to veteran cybercrime gangs can buy the tools and expertise to launch malicious campaigns against targets with ease

Page 7

Increased Frequency of Attacks

We typically see a lull in the number of attacks at the beginning of the year.

• 2020 didn't see this lull in activity; in fact, activity increased

• Attacks focused on hot topics such as the pandemic and stimulus checks (over 1.2 million COVID/Corona-related domains registered)

• Attackers exploit topical social issues

• Future attacks will do the same

Page 8

Marketplace for Threats

350,000 new malware instances created daily¹

• Easy access to threats on the dark web

• 25 different shadow trading platforms

• 10,000 ads for malware, stolen data and hacking services

• Nation-state TTPs are filtering down through sophisticated hackers to the masses

¹ Source: AV-TEST

Page 9

Increasing Sophistication

Attacks once considered advanced are now commonplace:

• Polymorphic malware

• Supply chain attacks

• Code compression packers

• File-less malware

Victims are highly targeted:

• Job roles that perform specific functions

• Extensive research and reconnaissance

• Multi-phased attacks

Page 10

Targeted Vulnerabilities – Disrupted Workforce

• Disruption from the pandemic has many people working from home.

• They are no longer protected in the corporate bunker, sitting behind a carefully managed firewall and other network protections.

• Users working on their own networks leave companies exposed.

• Lack of control over users' home security and connected devices.

• Lack of collaboration with other team members on cyber threats.

Page 11

Preparing to Expect the Unexpected

Page 12

Preparing to Expect the Unexpected

The pandemic has fundamentally changed our lives. Some industries have been irreversibly altered!

• Enable Resilience

  • Business Processes

  • People

    • Employee Behaviors

    • Customer Behaviors

  • Infrastructure

Page 13

Building Resilience - Business Processes

• What did history teach us?

  • Prior to the Sept 11 attacks

  • Post Sept 11 attacks

  • Pandemic: The Great Lockdown

• Revisit your new business processes

• Update your Business Continuity Plans (BCP) based on the new way of doing business

• BCP should continuously improve and evolve

• Look through the cybersecurity and compliance lens

  • Regulations and frameworks will evolve

  • Work with security and compliance partners

Page 14

Building Resilience – People and Infrastructure

People

• Continuously engage your employees

• Best practices training

• Establish a forum for feedback

• Security and Compliance training

• Engage your customers

Infrastructure

• Are new infrastructure/applications secure?

• Is your communication/network traffic secure?

• Innovate based on evolved customer behaviors; build security into innovation

Page 15

Prevention VS. Detection

Page 16

“Adopting detection techniques rather than focusing solely on prevention”

- Gerrit Boele

Page 17

Common Strategies for Prevention & Detection

[Diagram: a Prevent/Detect balance, with the factors that pull an organization toward one side or the other: Budget, Maturity, Exposure, Pain, Business Inertia, and Compliance and Regulation]

Page 18

Detection Grows with Maturity

• Detection is the ears of the IT estate

• Layering detection technologies allows security professionals to assign criticality to incidents

• IT estates are no longer a perimeter discussion

• Compliance and regulation are increasing the need to understand your IT estate

Page 19

Detection in a Scenario

• A user clicks a bad link. IDPS would alert.

• The link installs an executable script. EDR would identify it.

• The script creates a user admin account. EDR would identify it.

• The account is used to escalate privileges to domain level.

• The criminal crawls the estate and sends data out. SIEM threat correlation identifies the outbound IPs.

Objective complete: the threat is stopped, or it is logged and techniques are adjusted for better threat coverage.
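The scenario above only becomes one incident when the IDPS, EDR and SIEM alerts are read together per host. The following is an added example of that correlation step, written for this page and not taken from the SilverSky or CUNA material. It runs over constructed log lines in a made-up format; the event kinds, hostnames, user names, IP addresses and the INTERNAL_NETS list are all assumptions. It maps each layer's event to a kill-chain stage, counts an outbound transfer as exfiltration only when the destination really is outside the organisation's address space, and assigns a criticality from how far along the chain the host has been observed.

```python
"""Layered detection correlation over constructed log events (added example).

Walks the slide's scenario: bad link (IDPS) -> script dropped and admin
account created (EDR) -> domain-level escalation -> data to an outbound IP
(SIEM), then assigns one criticality per host from the stages seen together.
All event kinds, hosts, users and addresses below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Internal address space (constructed; in practice, taken from the asset inventory).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Which kill-chain stage each detection layer's event kind represents (assumed names).
STAGE_OF = {
    "idps.malicious_url":      "initial_access",
    "edr.script_dropped":      "execution",
    "edr.admin_user_created":  "persistence",
    "siem.domain_admin_added": "privilege_escalation",
    "siem.outbound_transfer":  "exfiltration",
}
STAGE_ORDER = ["initial_access", "execution", "persistence",
               "privilege_escalation", "exfiltration"]


@dataclass
class Event:
    ts: datetime
    host: str
    source: str   # detection layer that raised it: idps, edr or siem
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed line format: ISO-timestamp|host|source|kind|free-text detail."""
    ts, host, source, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, source, kind, detail)


def is_external(ip: str) -> bool:
    """True when the destination lies outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def criticality(stages) -> str:
    """Later kill-chain stages, and more of them, raise the severity."""
    if "exfiltration" in stages:
        return "critical"
    if "privilege_escalation" in stages:
        return "high"
    if len(stages) >= 2:
        return "medium"
    return "low"


def correlate(lines, window=timedelta(hours=2)) -> dict:
    """Group mapped events per host within `window` of that host's first event.

    Unknown event kinds are ignored, and an outbound transfer only counts as
    exfiltration when its destination is actually external to INTERNAL_NETS.
    """
    per_host = {}
    for ev in map(parse_line, lines):
        stage = STAGE_OF.get(ev.kind)
        if stage is None:
            continue
        if stage == "exfiltration":
            parts = ev.detail.split("dst=", 1)
            if len(parts) < 2 or not is_external(parts[1].split()[0]):
                continue
        per_host.setdefault(ev.host, []).append((ev, stage))

    report = {}
    for host, pairs in per_host.items():
        pairs.sort(key=lambda p: p[0].ts)
        start = pairs[0][0].ts
        in_window = [(ev, st) for ev, st in pairs if ev.ts - start <= window]
        stages = {st for _, st in in_window}
        report[host] = {
            "stages": [s for s in STAGE_ORDER if s in stages],
            "layers": sorted({ev.source for ev, _ in in_window}),
            "criticality": criticality(stages),
        }
    return report


# Constructed sample events: WS-014 walks the full chain, WS-022 only clicked,
# SRV-03's large transfer stays inside the internal ranges and is not exfiltration.
SAMPLE_LINES = [
    "2020-06-02T09:14:02|WS-014|idps|idps.malicious_url|user=jdoe url=covid19-stimulus-claims.example/verify",
    "2020-06-02T09:14:40|WS-014|edr|edr.script_dropped|path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.vbs",
    "2020-06-02T09:15:05|WS-014|edr|edr.admin_user_created|user=svc_backup group=Administrators",
    "2020-06-02T09:41:17|WS-014|siem|siem.domain_admin_added|user=svc_backup group=Domain Admins",
    "2020-06-02T10:22:48|WS-014|siem|siem.outbound_transfer|dst=198.51.100.23 bytes=612000000",
    "2020-06-02T09:20:11|WS-022|idps|idps.malicious_url|user=asmith url=covid19-stimulus-claims.example/verify",
    "2020-06-02T11:02:30|SRV-03|siem|siem.outbound_transfer|dst=10.20.4.9 bytes=900000000",
    "2020-06-02T11:05:00|SRV-03|siem|siem.heartbeat|status=ok",
]

if __name__ == "__main__":
    for host, r in correlate(SAMPLE_LINES).items():
        print(host, r["criticality"], "->", ", ".join(r["stages"]), "via", r["layers"])
```

The point of the window and the per-host grouping is the slide's own: a single IDPS alert on WS-022 stays low, while the same click on WS-014 followed by EDR and SIEM events within two hours is escalated to critical, and the internal transfer on SRV-03 never counts as exfiltration because the destination is not an outbound IP. In a real SIEM the stage mapping and the internal ranges would come from the inventory and the detection content, not from constants in a script.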

Page 20

Aligning the Stars

• Evaluate the controls of prevention and detection

  • Do they overlap? UTM serves a purpose

  • Is the cost worth the risk?

  • What is it preventing or detecting?

• Communicating the challenges

  • Make technical less technical when talking to leadership

  • Enable relationships across the business

  • Inventory and diagrams help highlight the needs

Page 21

3rd Party Due Diligence & Compliance

Page 22

Third Parties are a Constant in Business

"Utilizing the skills of qualified third parties is an important avenue for some credit unions in expanding service offerings, increasing efficiencies and economies of scale, while managing processes and programs." -- NCUA

PROS

• Time-saving processes

• Vendors are specialists

• Accountable party

• Instant maturity

• Removes FTEs

CONS

• Increased IT risk

• Lack of control

• Less visibility

• Internal skillsets

• Requires FTEs

Page 23

Basic Due Diligence Questions

• Define the corporate structure and ownership

• Evaluate the financial history and current condition

• Understand the vendor's business model

• Gather service scope:

  • Security and data handling practices

  • Business continuity planning

  • Operations controls

  • Hiring/screening

• Evaluate reputation and relevant experience

Page 24

Vendor Life Cycles

• Build a life cycle strategy

• Gather detailed due diligence records

• Contracting language is important

• Vendor documentation

• Vendor risk assessment

• Good communication

• Vendor termination (insurance)

Vendor Life Cycle: Procurement → Risk and Due Diligence → Contracting → Onboarding → Contract & Risk Management → Terminating

Page 25

Red Flags

• Amazing sales pitch/ no substance

• Bleeding edge technology

• Doing business with relatives or friends

• Unanswered RFI/RFP questions

• One sided agreements

• BETA products

• Too good to be true

• Inconsistent support

Communication is key when selecting a vendor, but beware of these issues when selecting one for your organization.

Page 26

Compliance Considerations

• NCUA expectations

• On-going threat environment

• Managing remote workers

• Virtual examinations

Page 27

CUNA Disclaimer

Information provided in this presentation, including all materials, should not be construed as legal services, legal advice, or in any way establishing an attorney-client relationship.

Credit unions should contact their own legal counsel for advice. Information may have changed since this presentation was prepared. This information is intended to only be a summary and is not all inclusive.

Page 28

NCUA Expectations

• NCUA expects credit unions to have the appropriate policies and procedures in place to anticipate, identify, and mitigate cybersecurity risks.

• Agency expectations can be found in Part 748 of the NCUA regulations and the FFIEC IT Examination Handbooks.

• FFIEC's Cybersecurity Assessment Tool (CAT) can be used to help assess a CU's level of preparedness.

• NCUA's Automated Cybersecurity Examination Tool (ACET) has been in use since 2018.

• NCUA is following an asset size-based exam schedule (from largest to smallest institutions), refreshing the cycle every 4 years.

Page 29

COVID-19 Threat Environment

• Threats observed by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) include:

  • Phishing, using the subject "coronavirus" or "COVID-19" as a lure;

  • Malware distribution, using coronavirus- or COVID-19-themed lures;

  • Registration of new domain names containing coronavirus or COVID-19-related wording; and

  • Attacks against newly, and often rapidly, deployed remote access and teleworking infrastructure.

• CISA Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Actors (April 8, 2020)

Page 30

Managing Remote Workers

• NCUA Risk Alert 20-RISK-01: Cybersecurity Considerations for Remote Work (April 2020)

• Remote employees should adhere to the CU’s information security- and privacy-related policies and procedures.

• Policies and procedures should prepare employees to:

  • Prevent cyber incidents (e.g., keep devices secure, update software regularly, implement session timeouts and encryption of sensitive information, leverage firewall capabilities, increase wireless security as needed, etc.); and

  • Respond to any incidents that do occur (e.g., disconnecting the device(s) from Internet connectivity, preserving forensic evidence, reporting the incident to IT, etc.)

Page 31

Virtual Examinations

• NCUA Request for Information: "Strategies for Future Examination and Supervision Utilizing Digital Technology" (announced at the agency's June Board meeting; comments due on or before August 31, 2020).

• Request for stakeholder input to improve the offsite examination process.

• The RFI poses 36 questions for credit unions to provide feedback on.

• NCUA will use submitted stakeholder responses to:

  • Refine a strategy for leveraging technology in the future examination and supervision process;

  • Determine how much onsite examination activity would still be required with an exam primarily conducted offsite; and

  • Develop an implementation strategy that reduces burden while maintaining the agency's ability to determine whether federally insured credit unions are operating safely and soundly and in compliance with applicable laws and regulations.

Page 32

cuna.org/compliance

Compliance Confidence

• CUNA Compliance Community

• Webinars & eSchools

• CompBlog

• CUNA eGuide to Federal Laws & Regulations

• CUNA RegTraC

• CUNA vendor management compliance resources

• Schools & conferences

• CUNA Strategic Services

• Designations

• Enterprise risk management

Page 33

THANK YOU

[email protected]

1-800-356-9655

Page 34

QUESTIONS?