
Page 1: CYBERSECURITY - njbankers.com...– Financial Risk Management – Technology Risk Management – Operations and Process Improvement – IT Compliance (Risk Director) and Cybersecurity

CYBERSECURITY: HOW TO PREVENT, DETECT AND RESPOND TO THE INCREASING THREAT

May 12, 2016

New Jersey Banker’s Association Annual Conference - Scottsdale, Arizona

Presented to:

Page 2: Michael Barrack, Managing Director

• Provides IT compliance and cybersecurity services for community Financial Institutions (FIs) nationwide
• Understands how FIs use IT and what the regulators expect
• Has been the accountable executive in IT examinations as both a banker and service provider
• More than 30 years of serving financial services/FinTech industries
• Served as CIO for several Southern California-based Banks
• Led Bill Payment company through a period of explosive growth
• A Native New Yorker, I live in Las Vegas (and don’t gamble)

© 2016 Accume Partners

Page 3: Agenda

• Introduction and Background
• What’s behind increased Regulator focus
• Real-world security incidents – first responder view
• What you should be doing. Now.
• Ways Accume is helping
• Q & A

Page 4: A Changing Accume Partners

Page 5: Accume Partners Overview

• Headquartered in New York City with a concentrated East Coast footprint and a national capability
• Accume’s business serves financial institutions with assets of $50 million to greater than $20 billion
• Firm is organized by its deep knowledge, expertise and approaches in the following areas:
  – Internal Audit
  – Regulatory Compliance
  – Financial Risk Management
  – Technology Risk Management
  – Operations and Process Improvement
  – IT Compliance (Risk Director) and Cybersecurity Services
• Accume Partners has a long history of providing internal audit, IT audit, regulatory compliance and risk management advisory services to over 600 clients since 1994

Page 6: Growing Specialty Risk Focus

• Banking Internal Audit - Extensive experience with internal/IT audit processes and long-term relationships with regulators provide a differentiator for Accume
• Banking Specialty Risk - Launched in 2012; extensive experience with regulatory and technology risk needs and processes and long-term relationships with regulators provide a differentiator for Accume
• Commercial / Insurance / Other - Key relationships across Commercial and Insurance clients allow for diversification from the banking sector
  – Principal services are internal auditing and Sarbanes-Oxley compliance.

[Pie chart of practice mix: Banking Internal Audit, Banking Specialty Risk, Commercial / Insurance / Other; the three shares shown are 58%, 20% and 22%]

Page 7: Cybersecurity: What’s Behind the Regulatory Focus?

Page 8: In March this Year…

FDIC Chairman Martin Gruenberg cites 3 risks at the Institute of International Bankers Annual Conference:
• Interest Rate Risk
• Credit Risk
• Cybersecurity Risk

Page 9: In the Last 2 Years

• FFIEC – CEO Webinar (5/14)
• Pilot program assessing Cyber Risk (Summer ’14)
• Technically specific FILs on zero-day threats: DDoS, Heartbleed, Shellshock, POODLE, CryptoLocker, FREAK
• Cybersecurity Assessment Tool issued (6/15)
• Updated IT Management Handbook (11/15)

Page 10: The first “wake-up” call

Page 11: Target by the Numbers

• 400 Million – The number of credit and debit cards stolen between Nov. 27 and Dec. 15, 2013
• 200 Million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards
• 53.7 Million – Estimated income generated by hackers
• 46% – Drop in profits in Q4, 2013 compared with 2012

* Source – Krebs on Security, Brian Krebs

Page 12: Small to mid-sized FIs are a target

Page 13: Unlimited Operations FIL 10-2014

Page 14: 2015 – The Year of the Hack

• Sony
• Health Care Breaches
  – Premera Blue Cross – up to 11 Million affected
  – Anthem (February) – Nearly 80 Million
• Office of Personnel Management
  – Government hacked by what is believed to be the Chinese government
  – 22 million employees & counting

Page 15: The Good News - Awareness is High

Top Threats by Region: Median % “Very Concerned About …”

Threat                                                   Global   US   Europe   Middle East   Asia Pacific   Latin America   Africa
Global Climate Change                                      46     42     42         35             41              61           59
Global Economic Instability                                42     51     40         33             35              54           50
The Islamic Militant Group in Iraq and Syria (ISIS)        41     68     70         54             45              33           38
Iran’s Nuclear Program                                     31     62     42         29             29              33           29
Cyberattacks on Govts., banks or corporations              30     59     35         22             35              33           30
Tensions between Russia and its neighbors *                24     43     41         18             22              22           20
Territorial disputes between China and its neighbors **    18     30     17         14             31              21           22

* Not asked in Russia
** Not asked in China
Source: Pew Research Center, Spring 2015 Global Attitudes Survey

Page 16: The Bad News: It Could Never Happen to Us

Page 17: Real World Incident – Midwest Bank

• Wire Fraud and account modification
• Initial attack vector: spear phishing
  – Adobe exploit
• Lateral movement to infect 5 machines
  – Used printer password to gain local admin access
• Informed actors who knew how to use banking software
• Clean up: incident response, forensics, monitoring
• Loss of $11,000 on fraudulent wire, in addition to the cost of forensics and reputation hit

Page 18: Real World Incident – Pacific Northwest Bank

• Wire fraud on business banking client PC
• Business sued bank looking to recover funds
• Forensics performed to determine if sufficient controls were present
• Workstations examined had old anti-virus applications that were never updated.
  – Several banking Trojans were discovered
• Actual loss $220,000

Page 19: Real World Incident – New York Non-Profit

• FBI contacted organization about detected malicious traffic
• Institution had just updated their server and anti-virus software.
  – AV scans revealed no malicious software
  – Forensics revealed infections on all systems dating back over 6 months, with the initial infection over 16 months
• Clean up: reformat all machines, restore data from backup, new firewall and Intrusion Detection System
• Actual loss: large reputational loss, and large recovery costs.

Page 20: First Responder’s “top ten”

1. Keep yourself and your employees continuously educated and informed about information security
2. Defense in depth should have a balance of prevention, detection and response solutions
3. Rotate passwords regularly (and audit)
4. Keep operating systems and applications current and plan for the full systems lifecycle
5. Be aggressive with patch management, nothing to exceed 90 days, ever.

Page 21: First Responder’s “top ten” (continued)

6. Know what applications are on your network
7. Lock down operating systems and network as much as possible
8. Use multi-factor authentication for high-risk solutions
9. Implement solutions to monitor traffic that leaves the network
10. Be sure critical logs are preserved and contain the right type of data
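Items 4 through 6 of the “top ten” (keep systems current, never let patching exceed 90 days, know what applications are on the network) and the Pacific Northwest incident above (workstations with anti-virus that was never updated) all come down to checks that can be run against an asset inventory. The following is an added example, not code from the presentation or from Accume Partners: it audits a constructed inventory against the slide’s 90-day patch limit, an assumed 7-day ceiling on anti-virus signature age, and an assumed approved-application list. The host names, dates and application names are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Threshold taken from the slide: patching is never to exceed 90 days.
MAX_PATCH_AGE_DAYS = 90
# Assumption (not from the slide): anti-virus signatures older than a week are stale.
MAX_AV_SIGNATURE_AGE_DAYS = 7

# Assumption: the institution maintains an approved-application list; this one is constructed.
APPROVED_APPS = {"core-banking-client", "office-suite", "pdf-reader", "browser", "endpoint-av"}


@dataclass(frozen=True)
class Host:
    """One workstation or server as recorded in the asset inventory."""
    name: str
    last_patched: date             # date the last OS/application patch cycle completed
    av_signatures_updated: date    # date the anti-virus definitions were last refreshed
    installed_apps: tuple          # application names reported by the endpoint agent


# Constructed sample inventory; none of these hosts come from the presentation.
INVENTORY = [
    Host("teller-01", date(2016, 4, 20), date(2016, 5, 10),
         ("core-banking-client", "browser", "endpoint-av")),
    Host("wire-desk-02", date(2016, 1, 15), date(2015, 11, 2),
         ("core-banking-client", "browser", "endpoint-av", "remote-desktop-tool")),
    Host("print-server", date(2015, 9, 1), date(2016, 5, 9),
         ("endpoint-av",)),
]


def audit_host(host, as_of, max_patch_age=MAX_PATCH_AGE_DAYS,
               max_av_age=MAX_AV_SIGNATURE_AGE_DAYS, approved=APPROVED_APPS):
    """Return a list of findings for one host; an empty list means the host passes."""
    findings = []
    patch_age = (as_of - host.last_patched).days
    if patch_age > max_patch_age:
        findings.append(f"patch age {patch_age} days exceeds {max_patch_age}-day limit")
    av_age = (as_of - host.av_signatures_updated).days
    if av_age > max_av_age:
        findings.append(f"anti-virus signatures {av_age} days old")
    # Anything the endpoint reports that is not on the approved list is a finding:
    # this is how "know what applications are on your network" becomes a test.
    unapproved = sorted(set(host.installed_apps) - set(approved))
    if unapproved:
        findings.append("unapproved applications: " + ", ".join(unapproved))
    return findings


def audit_inventory(hosts=INVENTORY, as_of=date(2016, 5, 12)):
    """Map host name -> findings for every host that fails at least one check."""
    report = {}
    for host in hosts:
        findings = audit_host(host, as_of)
        if findings:
            report[host.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is it reports `wire-desk-02` (patching 118 days old, signatures 192 days old, one unapproved application) and `print-server` (patching 254 days old), and nothing for `teller-01`. The date defaults to the conference date so the arithmetic is reproducible; in practice `as_of` is today and the inventory comes from the endpoint or patch-management console rather than a literal in the script.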

Page 22: How Else Should Banks Respond?

• Build the required solutions?
• Wait ’til the Examiners “make us take action?”

Page 23: Will yesterday’s security solutions… protect you from today’s and tomorrow’s cybersecurity threats?

Page 24: Evaluate Emerging Controls

• Multifactor authentication
• Data encryption at rest
• Security Event Management
• Biometrics
• Mobile Device Management

Page 25: Educate Board, Managers and Staff

• Information Security Training
• Website surfing
• Email protocol
• Laptop/PDA handling
• The power of policy

Page 26: Prepare to Respond

• Engage an incident response partner
• Assess Need for Cyber Insurance
• Build detailed procedures
• Test the Incident Response Plan
• Manage Contracts closely

Page 27: Leverage FFIEC Resources

Page 28: Leverage FFIEC Resources

Page 29: 5 Domains in Cybersecurity

• Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

Page 30: Ways Accume is Helping

Accume Partners solutions:
– Cybersecurity Assessment Service
– Enhanced Testing
– Incident Response Assurance

Page 31: Automation and Expertise

Page 32: Cybersecurity Assessment Service

• Provide a context and education for the Board of Directors
• We help you analyze the data
• We provide you with insight from other Banks like you
• Identify misalignment at the macro/micro level
• Define:
  – Required actions
  – Desired actions
  – Significant risks
• Provide a Board of Directors-ready report for management to present

Page 33: Cybersecurity Assessment Service

Page 34: Cybersecurity Assessment Service

• New FFIEC IT Handbook - Management
• Introduces IT Risk Management as a major focus
• Refers to credible “challenge” on the part of the Board
• Signals a change in the exam program
• While the CAT is optional, the FDIC has indicated they will look at it; what the other agencies will do is an open question
• Since it is discretionary, if you do it, do it candidly

Page 35: Cybersecurity Enhanced Testing

• Baseline statements are the minimal level of maturity allowed
• These will be an area of focus in future examinations
• Of 123 statements, 18 represent areas that:
  – Banks traditionally have not fully or effectively implemented
  – Previously have not been a dedicated exam focus
  – Are not traditionally included in IT general controls or security assessments

Page 36: Cybersecurity Enhanced Testing

• Cyber Training Enhancement of Employees
• Situational Notifications to Staff
• Threat Information Monitoring and Usage
• Forensic Log Retention
• Baseline System Configuration Auditing
• Attack detection and discovery capabilities
• Elevated Privilege Monitoring
• End-Point Removable Device Management
• Detection of Unauthorized Applications
• Anomalous Activity Detection capabilities
• Email Protection Services
• Unauthorized Device/User/Connection Detection
• Network Activity Baseline
• Physical Device Monitoring and Detection
• Data Flow Identification
• Incident Response Containment and Control
• Incident Response Testing Scenarios
• Incident Response Board Reporting Requirements
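Three of the eighteen statements above (Network Activity Baseline, Anomalous Activity Detection capabilities, Forensic Log Retention) together with item 9 of the “top ten” (monitor traffic that leaves the network) describe one detection loop: keep egress logs, learn what normal outbound traffic looks like per host, and alert on departures from it. The following is an added example, not code from the presentation or from Accume Partners. It parses constructed firewall log lines in an assumed `key=value` format, builds a per-host baseline of outbound volume and destinations from earlier days, and flags a host whose outbound volume on the day under review exceeds five times its baseline median or that reaches an external destination never seen before. The internal address range (10.0.0.0/8), the log format, the hosts and the addresses are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Assumption: the institution's internal address space.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed log lines in an assumed key=value format; not from the presentation.
# Two baseline days (05-02, 05-03) followed by the day under review (05-04).
LOG_LINES = [
    "2016-05-02T09:00:01 src=10.1.1.20 dst=203.0.113.10 dport=443 bytes_out=50000",
    "2016-05-02T09:05:00 src=10.1.1.30 dst=203.0.113.10 dport=443 bytes_out=20000",
    "2016-05-03T10:00:00 src=10.1.1.20 dst=203.0.113.10 dport=443 bytes_out=60000",
    "2016-05-03T10:05:00 src=10.1.1.30 dst=203.0.113.10 dport=443 bytes_out=20000",
    "2016-05-04T02:13:00 src=10.1.1.20 dst=203.0.113.10 dport=443 bytes_out=55000",
    "2016-05-04T02:14:00 src=10.1.1.30 dst=10.1.1.5 dport=445 bytes_out=900000",
    "2016-05-04T02:15:00 src=10.1.1.30 dst=198.51.100.7 dport=8443 bytes_out=500000",
]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_egress(lines):
    """Keep only connections that leave the internal network; internal-to-internal is ignored."""
    records = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: a real deployment would count these, since gaps matter
        src = ipaddress.ip_address(match["src"])
        dst = ipaddress.ip_address(match["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            records.append({"day": match["day"], "src": str(src), "dst": str(dst),
                            "dport": int(match["dport"]), "bytes": int(match["bytes"])})
    return records


def build_baseline(records, before_day):
    """Per source host: median daily egress bytes and the destinations seen before `before_day`."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for r in records:
        if r["day"] < before_day:
            daily[r["src"]][r["day"]] += r["bytes"]
            dests[r["src"]].add(r["dst"])
    return {src: {"median_bytes": median(days.values()), "dests": dests[src]}
            for src, days in daily.items()}


def detect_anomalies(records, day, baseline, ratio=5.0):
    """Return (host, reason) findings for the given day against the baseline."""
    findings = []
    todays = defaultdict(int)
    new_dests = defaultdict(set)
    for r in records:
        if r["day"] != day:
            continue
        todays[r["src"]] += r["bytes"]
        known = baseline.get(r["src"], {}).get("dests", set())
        if r["dst"] not in known:
            new_dests[r["src"]].add((r["dst"], r["dport"]))
    for src, total in todays.items():
        base = baseline.get(src)
        if base is None:
            findings.append((src, "no baseline: host never seen sending outbound traffic before"))
            continue
        if total > ratio * base["median_bytes"]:
            findings.append((src, f"outbound volume {total} bytes exceeds {ratio}x "
                                  f"baseline median {base['median_bytes']:.0f}"))
        for dst, dport in sorted(new_dests[src]):
            findings.append((src, f"new external destination {dst}:{dport}"))
    return findings


def run_detection(lines=LOG_LINES, day="2016-05-04"):
    records = parse_egress(lines)
    return detect_anomalies(records, day, build_baseline(records, day))


if __name__ == "__main__":
    for host, reason in run_detection():
        print(f"{host}: {reason}")
```

On the constructed data the teller-type host `10.1.1.20` stays quiet (its volume and destination match its baseline) while `10.1.1.30` is reported twice: its outbound volume is 25 times its baseline median, and it reached an external address it had never contacted. The internal transfer to `10.1.1.5` is deliberately excluded, which is the point of item 9 on the slide: the control is about traffic that leaves the network. The baseline here is two days and a fixed ratio; a production version would use a longer window and tune the ratio per host class, but the log fields it depends on (timestamp, source, destination, port, bytes out) are exactly the “right type of data” item 10 asks you to preserve.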

Page 37: Incident Response Solutions

Comprehensive Incident Response Assurance Program
• Proactive Components
• Continuous Learning and Improvement Program
• SWAT Team and Forensics

Page 38: Incident Response Solutions

Comprehensive Incident Response Assurance Program
• Proactive Components
  – Incident Readiness Assessment and Gap Analysis
  – Detailed Incident Response Playbook
  – Tabletop exercise with all Bank key stakeholders

Page 39: Incident Response Solutions

Comprehensive Incident Response Assurance Program
• Continuous Learning and Improvement Program
  – Threat Intelligence Briefings
  – Aggregated from sources like FS-ISAC, InfraGard, and other like feeds
  – Identifies what is relevant and translates it into action

Page 40: Incident Response Solutions

Comprehensive Incident Response Assurance Program
• SWAT Team
  – SLA response
  – Incident Containment
  – Determination of Root Cause
  – Communications Plan

Page 41: Incident Response Assurance

Page 42: Incident Response at Most Banks

Weak, incomplete or missing:
• Often organizations rely on their BC Plan for major incidents
• DR/BC plans often don’t account for cyber events
• DR/BC plans don’t deal with the necessity for investigations and reporting
  – Most organizations don’t know what information to retain in the event of an incident
  – Few Community Banks know how to preserve chain of custody
• An ineffective program will fail you when you need it the most
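The two sub-points above (not knowing what to retain, not knowing how to preserve chain of custody) have a concrete minimum: hash every artifact at the moment it is collected, record who collected it and every hand-off, and re-hash before anyone relies on it. The following is an added example, not code from the presentation or from Accume Partners, and it is not a substitute for a forensics vendor’s tooling; it shows the mechanism in the smallest form that still proves something. The `demo()` function builds a constructed evidence directory, collects a manifest, records a transfer, and then alters one file to show that verification catches the change. The case identifier is a labelled placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def collect_evidence(paths, collector, case_id):
    """Hash each artifact at collection time and open the custody log with the collector's name."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in paths]
    return {
        "case_id": case_id,
        "items": items,
        "custody_log": [{"action": "collected", "by": collector, "at": _now()}],
    }


def record_transfer(manifest, from_person, to_person):
    """Append a hand-off to the custody log; the log is append-only by convention."""
    manifest["custody_log"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": _now()})
    return manifest


def verify_manifest(manifest):
    """Re-hash every artifact; return (path, problem) pairs for anything missing or altered."""
    problems = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append((item["path"], "missing"))
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def save_manifest(manifest, path):
    """Write the manifest as JSON and return its own SHA-256, to be recorded out of band."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_file(path)


def demo():
    """Constructed scenario: collect two artifacts, verify, alter one, verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    log_path = os.path.join(workdir, "firewall.log")
    hosts_path = os.path.join(workdir, "workstation-hosts.txt")
    with open(log_path, "w") as fh:  # constructed content, not a real log
        fh.write("2016-05-04T02:15:00 src=10.1.1.30 dst=198.51.100.7 dport=8443 bytes_out=500000\n")
    with open(hosts_path, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    manifest = collect_evidence([log_path, hosts_path], "analyst-a", "CASE-PLACEHOLDER-0001")
    record_transfer(manifest, "analyst-a", "forensics-vendor")
    seal = save_manifest(manifest, os.path.join(workdir, "manifest.json"))
    before = verify_manifest(manifest)
    with open(log_path, "a") as fh:  # simulate a modification after collection
        fh.write("line written after collection\n")
    after = verify_manifest(manifest)
    return before, after, len(manifest["custody_log"]), seal


if __name__ == "__main__":
    before, after, entries, seal = demo()
    print("problems before change:", before)
    print("problems after change:", after)
    print("custody log entries:", entries, "manifest seal:", seal)
```

The hash returned by `save_manifest` is the piece most often forgotten: writing it somewhere the collecting system cannot alter (a ticket, a printed form, a second party’s records) is what lets the manifest itself be trusted later. The evidence files in the demo are plain text so the example runs anywhere, but the same code hashes a memory capture or disk image unchanged.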

Page 43: What have our Clients Learned?

[2×2 quadrant diagram]
• What We Know We Know
• What We Know We Don’t Know
• What We Don’t Know We Know
• What We Don’t Know We Don’t Know

Page 44: What have our Clients Learned?

Clients were unaware:
• their contracts with key 3rd party providers are silent on roles and responsibilities in the event of a breach
• how much event history is maintained by either their internal IT department or 3rd party provider
• whether the Bank’s firewall and Website Content Filter was being updated to account for identified bad actors (i.e., IPs and URLs)
• how poorly their employees would fare in social engineering testing
• their detective control reports were not being reviewed or had significant blind spots

Page 45: What am I pretending not to know?

Page 46: Take Action!

Page 47: Engage Your Partners

Page 48: How To Contact …

Michael Barrack, Managing Director
Risk Director and [email protected]
(702) 461-8682

Page 49: Questions?
