Post on 27-Jun-2020
CYBERSECURITY: HOW TO PREVENT, DETECT AND RESPOND TO THE INCREASING THREAT
May 12, 2016
New Jersey Bankers Association Annual Conference - Scottsdale, Arizona
Presented to:
Michael Barrack, Managing Director
• Provides IT compliance and cybersecurity services for community Financial Institutions (FIs) nationwide
• Understands how FIs use IT and what the regulators expect
• Has been the accountable executive in IT examinations as both a banker and service provider
• More than 30 years of serving financial services/FinTech industries
• Served as CIO for several Southern California-based banks
• Led a bill payment company through a period of explosive growth
• A native New Yorker, I live in Las Vegas (and don’t gamble)
© 2016 Accume Partners
Agenda
• Introduction and Background
• What’s behind increased regulator focus
• Real-world security incidents – first responder view
• What you should be doing. Now.
• Ways Accume is helping
• Q & A
A Changing Accume Partners
Accume Partners Overview
• Headquartered in New York City with a concentrated East Coast footprint and a national capability
• Accume’s business serves financial institutions with assets of $50 million to greater than $20 billion
• Firm is organized by its deep knowledge, expertise and approaches in the following areas:
  – Internal Audit
  – Regulatory Compliance
  – Financial Risk Management
  – Technology Risk Management
  – Operations and Process Improvement
  – IT Compliance (Risk Director) and Cybersecurity Services
• Accume Partners has a long history of providing internal audit, IT audit, regulatory compliance and risk management advisory services to over 600 clients since 1994
Growing Specialty Risk Focus
• Banking Internal Audit - Extensive experience with internal/IT audit processes and long-term relationships with regulators provides a differentiator for Accume
• Banking Specialty Risk - Launched in 2012; extensive experience with regulatory and technology risk needs and processes and long-term relationships with regulators provides a differentiator for Accume
• Commercial / Insurance / Other - Key relationships across Commercial and Insurance clients allow for diversification from the banking sector
  – Principal services are internal auditing and Sarbanes-Oxley compliance.
[Pie chart: 58% / 20% / 22%; legend: Banking Internal Audit, Banking Specialty Risk, Commercial / Insurance / Other]
Cybersecurity: What’s Behind the Regulatory Focus?
In March this Year…
FDIC Chairman Martin Gruenberg cites 3 risks at the Institute of International Bankers Annual Conference:
• Interest Rate Risk
• Credit Risk
• Cybersecurity Risk
In the Last 2 Years
• FFIEC – CEO Webinar (5/14)
• Pilot program assessing Cyber Risk (Summer ‘14)
• Technically specific FILs on Zero Day Threats: DDoS, Heartbleed, Shellshock, Poodle, Cryptolocker, Freak
• Cybersecurity Assessment Tool Issued (6/15)
• Updated IT Management Handbook (11/15)
The first “wake-up” call
Target by the Numbers
• 400 Million: the number of credit and debit cards stolen between Nov. 27 and Dec. 15, 2013
• 200 Million: estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards
• 53.7 Million: estimated income generated by hackers
• 46%: drop in profits in Q4 2013 compared with 2012
* Source – Krebs on Security, Brian Krebs
Small to mid-sized FIs a target
Unlimited Operations FIL 10-2014
2015 – The Year of the Hack
• Sony
• Health Care Breaches
  – Premera Blue Cross – up to 11 Million affected
  – Anthem (February) – Nearly 80 Million
• Office of Personnel Management
  – Government hacked by what is believed to be the Chinese government
  – 22 million employees & counting
The Good News: Awareness is High

Top Threats by Region: Median % Very Concerned About …

Threat                                                   Global   US   Europe   Middle East   Asia Pacific   Latin America   Africa
Global Climate Change                                      46     42     42         35            41              61            59
Global Economic Instability                                42     51     40         33            35              54            50
The Islamic Militant Group in Iraq and Syria (ISIS)        41     68     70         54            45              33            38
Iran’s Nuclear Program                                     31     62     42         29            29              33            29
Cyberattacks on Govts., banks or corporations              30     59     35         22            35              33            30
Tensions between Russia and its neighbors *                24     43     41         18            22              22            20
Territorial disputes between China and its neighbors **    18     30     17         14            31              21            22

* Not asked in Russia
** Not asked in China
Source: Pew Research Center, Spring 2015 Global Attitudes Survey
The Bad News: It Could Never Happen to Us
Real World Incident – Midwest Bank
• Wire fraud and account modification
• Initial attack vector: spear phishing
  – Adobe exploit
• Lateral movement to infect 5 machines
  – Used printer password to gain local admin access
• Informed actors who knew how to use banking software
• Clean up: incident response, forensics, monitoring
• Loss of $11,000 on fraudulent wire, in addition to the cost of forensics and reputation hit
Real World Incident – Pacific Northwest Bank
• Wire fraud on business banking client PC
• Business sued bank looking to recover funds
• Forensics performed to determine if sufficient controls were present
• Workstations examined had old anti-virus applications that were never updated
  – Several banking Trojans were discovered
• Actual loss $220,000
Real World Incident – New York Non-Profit
• FBI contacted organization about detected malicious traffic
• Institution had just updated their server and anti-virus software
  – AV scans revealed no malicious software
  – Forensics revealed infections on all systems dating back over 6 months, with the initial infection over 16 months old
• Clean up: reformat all machines, restore data from backup, new firewall and Intrusion Detection System
• Actual loss: large reputational loss and large recovery costs
First Responder’s “top ten”
1. Keep yourself and your employees continuously educated and informed about information security
2. Defense in depth should have a balance of prevention, detection and response solutions
3. Rotate passwords regularly (and audit)
4. Keep operating systems and applications current and plan for the full systems lifecycle
5. Be aggressive with patch management, nothing to exceed 90 days, ever.
6. Know what applications are on your network
7. Lock down operating systems and network as much as possible
8. Use multi-factor authentication for high-risk solutions
9. Implement solutions to monitor traffic that leaves the network
10. Be sure critical logs are preserved and contain the right type of data
How Else Should Banks Respond?
Build the required solutions?
Wait ‘til the Examiners “make us take action”?
Will yesterday’s security solutions… protect you from today’s and tomorrow’s cybersecurity threats?
Evaluate Emerging Controls
• Multifactor authentication
• Data encryption at rest
• Security Event Management
• Biometrics
• Mobile Device Management
Educate Board, Managers and Staff
• Information Security Training
• Website surfing
• Email protocol
• Laptop/PDA handling
• The power of policy
Prepare to Respond
• Engage an incident response partner
• Assess need for Cyber Insurance
• Build detailed procedures
• Test the Incident Response Plan
• Manage contracts closely
Leverage FFIEC Resources
5 Domains in Cybersecurity
• Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
Ways Accume is Helping
Accume Partners solutions:
– Cybersecurity Assessment Service
– Enhanced Testing
– Incident Response Assurance
Automation and Expertise
Cybersecurity Assessment Service
• Provide a context and education for the Board of Directors
• We help you analyze the data
• We provide you with insight from other banks like you
• Identify misalignment at the macro/micro level
• Define:
  – Required actions
  – Desired actions
  – Significant risks
• Provide a Board-of-Directors-ready report for management to present
Cybersecurity Assessment Service
Cybersecurity Assessment Service
• New FFIEC IT Handbook - Management
• Introduces IT Risk Management as a major focus
• Refers to credible “challenge” on the part of the Board
• Signals a change in the exam program
• While the CAT is optional, the FDIC has indicated they will look at it; what the other agencies will do is an open question
• Since it is discretionary, if you do it, do it candidly
Cybersecurity Enhanced Testing
• Baseline statements are the minimal level of maturity allowed
• These will be an area of focus in future examinations
• Of 123 statements, 18 represent areas that:
  – Banks traditionally have not fully or effectively implemented
  – Previously have not been a dedicated exam focus
  – Are not traditionally included in IT general controls or security assessments
Cybersecurity Enhanced Testing
• Cyber Training Enhancement of Employees
• Situational Notifications to Staff
• Threat Information Monitoring and Usage
• Forensic Log Retention
• Baseline System Configuration Auditing
• Attack detection and discovery capabilities
• Elevated Privilege Monitoring
• End-Point Removable Device Management
• Detection of Unauthorized Applications
• Anomalous Activity Detection capabilities
• Email Protection Services
• Unauthorized Device/User/Connection Detection
• Network Activity Baseline
• Physical Device Monitoring and Detection
• Data Flow Identification
• Incident Response Containment and Control
• Incident Response Testing Scenarios
• Incident Response Board Reporting Requirements
Incident Response Solutions
Comprehensive Incident Response Assurance Program
• Proactive Components
  – Incident Readiness Assessment and Gap Analysis
  – Detailed Incident Response Playbook
  – Tabletop exercise with all Bank key stakeholders
• Continuous Learning and Improvement Program
  – Threat Intelligence Briefings
  – Aggregated from sources like FS-ISAC, Infragard, and other like feeds
  – Identifies what is relevant and translates it into action
• SWAT Team and Forensics
  – SLA response
  – Incident Containment
  – Determination of Root Cause
  – Communications Plan
Incident Response Assurance
Incident Response at Most Banks
Weak, incomplete or missing:
• Often organizations rely on their BC Plan for major incidents
• DR/BC plans often don’t account for cyber events
• DR/BC plans don’t deal with the necessity for investigations and reporting
  – Most organizations don’t know what information to retain in the event of an incident
  – Few Community Banks know how to preserve chain of custody
• An ineffective program will fail you when you need it the most
What have our Clients Learned?
[Knowledge quadrants]
• What We Know We Know
• What We Know We Don’t Know
• What We Don’t Know We Know
• What We Don’t Know We Don’t Know
What have our Clients Learned?
Clients were unaware:
• their contracts with key 3rd party providers are silent on roles and responsibilities in the event of a breach
• how much event history is maintained by either their internal IT department or 3rd party provider
• whether the Bank’s firewall and Website Content Filter was being updated to account for identified bad actors (i.e., IPs and URLs)
• how poorly their employees would fare in social engineering testing
• their detective control reports were not being reviewed or had significant blind spots
What am I pretending not to know?
Take Action!
Engage Your Partners
How To Contact …
Michael Barrack, Managing Director
Risk Director and Cybersecurity
mbarrack@accumepartners.com
(702) 461-8682
Questions?