©2013 CliftonLarsonAllen LLP
cliftonlarsonallen.com
Cybersecurity Governance Update: New FFIEC Requirements
Our perspective… CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, an industry-specialized CPA and advisory firm ranked in the top 10 in the US
– Information Security offered as a specialized service offering for over 15 years
– Largest credit union service practice

Callahan and Associates, 2014 Guide to Credit Union CPA Auditors: "CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals, including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country." www.larsonallen.com – news release
Overview
• Up-to-date cybersecurity and fraud risks
  – Current threat environment
  – Industry examples and case studies
• FFIEC Cybersecurity Assessments and governance requirements
• Strategies to mitigate and manage risks
Cyber Fraud Risk Themes
• Hackers have "monetized" their activity
  – More hacking
  – More sophistication
  – More "hands-on" effort
  – Smaller organizations targeted
• Social engineering on the rise
• Hackers targeting members and member businesses
Three Largest Cyber Fraud Trends
• Organized Crime – Theft of Information
  – Wholesale theft of personal financial information
• CATO – Corporate Account Takeover
  – Use of online credentials for ACH, CC and wire fraud
• Ransomware
  – Your data held for ransom
In the News - Theft of PFI and PII
• Target
• Goodwill
• Hannaford Brothers
• University of Maryland
• University of Indiana
• Olmsted Medical Center
• Community Health Systems
• Anthem
• Blue Cross Premera
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities
Stolen Card Data
• Carder or Carding websites
• Dumps vs. CVVs
• A peek inside a carding operation
  http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Credit Card Data For Sale
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
CATO Lawsuits - UCC
a payment order received by the [bank] is "effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer"
CATO Lawsuits - UCC
• Electrical Contractor vs. Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DOS
• Contractor asserting Bank processed bogus ACH file without any call-back
CATO Lawsuits - UCC
• Escrow company vs. Bank
• > $400,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company's attorneys failed to demonstrate bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out-of-band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. automated controls
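The layers above only protect an outbound order when they are evaluated together, and the lawsuit slides show what happens when a layer is declined or skipped. The following is an added example, not code from the deck or from CliftonLarsonAllen: the customer profile, both orders, the 3x-baseline activity rule and the call-back threshold are constructed assumptions. The "takeover" order mirrors the contractor case (large ACH batch, unknown origin, no call-back, no second approver).

```python
"""Layered CATO controls evaluated against an outbound payment order.
Added example; the customer profile, orders and thresholds are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class CustomerProfile:
    """Controls a business customer is enrolled in (constructed sample)."""
    name: str
    allowed_networks: list       # IP address filtering: enrolled CIDR blocks
    ach_allowed_receivers: set   # ACH filter: approved receiving accounts
    ach_debit_block: bool        # ACH block: customer originates no ACH at all
    dual_control: bool           # second, distinct approver required
    oob_threshold: float         # out-of-band call-back at or above this amount
    avg_daily_total: float       # baseline for activity monitoring


@dataclass
class PaymentOrder:
    kind: str                    # "ACH" or "WIRE"
    amount: float
    receiver: str
    source_ip: str               # address of the online banking session
    initiated_by: str
    approved_by: list = field(default_factory=list)
    oob_confirmed: bool = False  # call-back completed by bank staff


def evaluate_order(order, profile):
    """Return ("release" | "hold", reasons). Every failed layer adds a reason;
    any reason holds the order for manual review (manual vs. automated controls)."""
    reasons = []
    # 1. IP address filtering: the session must come from an enrolled network
    src = ip_address(order.source_ip)
    if not any(src in ip_network(net) for net in profile.allowed_networks):
        reasons.append("source IP %s not in enrolled networks" % order.source_ip)
    # 2. ACH block and filter
    if order.kind == "ACH":
        if profile.ach_debit_block:
            reasons.append("ACH block: customer does not originate ACH")
        elif order.receiver not in profile.ach_allowed_receivers:
            reasons.append("ACH filter: receiver %s not approved" % order.receiver)
    # 3. Dual control: an approver who is not the initiator
    if profile.dual_control:
        if not [a for a in order.approved_by if a != order.initiated_by]:
            reasons.append("dual control: no second approver distinct from initiator")
    # 4. Activity monitoring: constructed rule, flag anything over 3x the daily baseline
    if order.amount > 3 * profile.avg_daily_total:
        reasons.append("activity: %.2f exceeds 3x daily baseline %.2f"
                       % (order.amount, profile.avg_daily_total))
    # 5. Out-of-band authentication: call-back before releasing large items
    if order.amount >= profile.oob_threshold and not order.oob_confirmed:
        reasons.append("out-of-band confirmation required at or above %.2f"
                       % profile.oob_threshold)
    return ("hold" if reasons else "release"), reasons


# Constructed customer: an electrical contractor enrolled in every layer
CONTRACTOR = CustomerProfile(
    name="Contractor (constructed)",
    allowed_networks=["203.0.113.0/24"],
    ach_allowed_receivers={"payroll-0001", "supplier-0042"},
    ach_debit_block=False,
    dual_control=True,
    oob_threshold=50_000.0,
    avg_daily_total=20_000.0,
)

# Routine payroll: enrolled IP, approved receiver, two distinct people
PAYROLL = PaymentOrder(kind="ACH", amount=18_500.0, receiver="payroll-0001",
                       source_ip="203.0.113.27", initiated_by="alice",
                       approved_by=["bob"])

# Takeover pattern from the lawsuit slides: unknown IP, unknown receiver,
# initiator "approving" their own batch, large amount, no call-back
TAKEOVER = PaymentOrder(kind="ACH", amount=312_000.0, receiver="mule-9917",
                        source_ip="198.51.100.8", initiated_by="alice",
                        approved_by=["alice"])

if __name__ == "__main__":
    for label, order in (("payroll", PAYROLL), ("takeover", TAKEOVER)):
        decision, why = evaluate_order(order, CONTRACTOR)
        print(label, decision, *why, sep="\n  ")
```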
Ransomware
• Malware encrypts everything it can interact with
  – i.e., anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
Keys to Successful Breaches 2013, 2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – "Targeted Attack"
Physical (Facility) Security: Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
– Sumitomo Bank (2005) – over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
– Barclays Bank (December 2013) – $1.3M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – layers "behind the people"
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights: no browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity / Disaster Recovery / Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review / IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity / Disaster Recovery / Incident Response
• Business Continuity / Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… Monitoring, Incident Response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success, and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
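Archiving is not reviewing: the Verizon finding above is that the evidence of attempt, success and removal of data was already sitting in the log files. The following is an added example, not code from the deck or from CliftonLarsonAllen, showing the correlation a SIEM rule would do across server authentication and firewall sources; the key=value log format, the sample lines, the hosts and addresses, and the thresholds (5 failures in 10 minutes, 100 MiB outbound) are all constructed assumptions.

```python
"""Correlating archived auth and firewall logs into a single alert.
Added example; the log lines, their key=value format and the thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run on fs01 that succeeds and is
# followed by a large outbound transfer to the same address, plus benign noise.
SAMPLE_LOGS = """\
2014-10-02T02:11:05 src=auth host=fs01 event=login_failed user=admin ip=198.51.100.23
2014-10-02T02:11:09 src=auth host=fs01 event=login_failed user=admin ip=198.51.100.23
2014-10-02T02:11:14 src=auth host=fs01 event=login_failed user=admin ip=198.51.100.23
2014-10-02T02:11:19 src=auth host=fs01 event=login_failed user=admin ip=198.51.100.23
2014-10-02T02:11:25 src=auth host=fs01 event=login_failed user=admin ip=198.51.100.23
2014-10-02T02:11:40 src=auth host=fs01 event=login_ok user=admin ip=198.51.100.23
2014-10-02T02:30:12 src=fw event=outbound from=fs01 to=198.51.100.23 bytes=734003200
2014-10-02T08:59:50 src=auth host=ws22 event=login_failed user=jsmith ip=10.0.7.3
2014-10-02T09:00:01 src=auth host=ws22 event=login_ok user=jsmith ip=10.0.7.3
2014-10-02T09:05:44 src=fw event=outbound from=ws22 to=203.0.113.80 bytes=48211
"""

FAIL_THRESHOLD = 5                   # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # failures must fall within this window
EXFIL_BYTES = 100 * 1024 * 1024      # outbound volume treated as data removal


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    stamp, rest = line.split(" ", 1)
    record = dict(item.split("=", 1) for item in rest.split())
    record["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return record


def correlate(log_text):
    """Return alerts for brute-force logins that succeeded, escalated to
    'data_removal' when a large outbound transfer from that host follows."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)     # (host, user, ip) -> failure timestamps
    alerts = []
    # Stage 1 (Recognize): N failures then a success for the same host/user/ip
    for ev in events:
        key = (ev.get("host"), ev.get("user"), ev.get("ip"))
        if ev.get("event") == "login_failed":
            failures[key].append(ev["ts"])
        elif ev.get("event") == "login_ok":
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"stage": "intrusion_success", "host": key[0],
                               "user": key[1], "ip": key[2],
                               "first_seen": recent[0], "login_at": ev["ts"]})
    # Stage 2 (React): large outbound traffic from a host flagged in stage 1
    for alert in alerts:
        for ev in events:
            if (ev.get("event") == "outbound" and ev["from"] == alert["host"]
                    and ev["ts"] > alert["login_at"]
                    and int(ev["bytes"]) >= EXFIL_BYTES):
                alert["stage"] = "data_removal"
                alert["to"] = ev["to"]
                alert["bytes_out"] = int(ev["bytes"])
                # dwell: first failed attempt to the transfer, in seconds
                alert["dwell_seconds"] = int(
                    (ev["ts"] - alert["first_seen"]).total_seconds())
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The single failed login on ws22 and its small transfer produce no alert; only the fs01 chain is raised, with the dwell time the deck's Verizon slide talks about measured directly from the archived lines.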
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
(Diagram labels: People, Rules, Tools)
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA, Principal, Information Security Services, Randy.Romes@cliftonlarsonallen.com, 888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: Trustwave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Our perspectivehellip CliftonLarsonAllen ndash Started in 1953 with a goal of total
client service
ndash Today industry specialized CPA and Advisory firm ranked in the top 10 in the US
ndash Information Security offered as specialized service offering for over 15 years
ndash Largest Credit Union Service Practice
Callahan and Associates 2014 Guide to Credit Union CPA Auditors CliftonLarsonAllenrsquos credit union practice has recently grown to over 100 professionals including more than 20 principals The group focuses on audit assurance consulting and advisory information technology and human resource management for credit unions across the country wwwlarsonallencom ndash news release
2
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Overview
bull Up To Date Cybersecurity and Fraud Risks
ndash Current threat environment
ndash Industry examples and case studies
bull FFIEC Cybersecurity Assessments and Governance Requirements
bull Strategies to mitigate and manage risks
3
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cyber Fraud Risk Themes
bull Hackers have ldquomonetizedrdquo their activity
ndash More hacking
ndash More sophistication
ndash More ldquohands-onrdquo effort
ndash Smaller organizations targeted
bull Social engineering on the rise
bull Hackers targeting members and member businesses
4
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Three Largest Cyber Fraud Trends
bull Organized Crime ndash Theft of Information
ndash Wholesale theft of personal financial information
bull CATOndash Corporate Account Takeover
ndash Use of online credentials for ACH CC and wire fraud
bull Ransomware
ndash Your data held for ransom
5
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Target
bull Goodwill
bull Haniford Brothers
bull University of Maryland
bull University of Indiana
bull Olmsted Medical Center
bull Community Health Systems
In the News - Theft of PFI and PII
6
bull Anthem
bull Blue Cross Primera
Active campaigns involving targeted phishing and hacking focused on commonknown vulnerabilities
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Stolen Card Data
bull Carder or Carding websites
bull Dumps vs CVVrsquos
bull A peek inside a carding operation
httpkrebsonsecuritycom201406peek-inside-a-professional-carding-shop
7
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Credit Card Data For Sale
8
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Catholic church parish
bull Hospice
bull Finance company
bull Main Street newspaper stand
bull Electrical contractor
bull Utility company
bull Industry trade association
bull Rural hospital
bull Mining company
bull On and on and on and onhelliphelliphelliphelliphellip
(Corporate) Account Takeover
9
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
a payment order received by the [bank] is ldquoeffective as the order of the customer whether or not authorized if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customerrdquo
10
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
11
bull Electrical Contractor vs Bank
bull gt $300000 stolen via ACH through CATO
bull Internet banking site was ldquodownrdquo ndash DOS
bull Contractor asserting Bank processed bogus ACH file without any call back
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
12
bull Escrow company vs Bank
bull gt $400000 stolen via single wire through CATO
ndash CE passed on dual control offered by the bank
bull Court ruled in favor of bank
bull Companies attorneys failed to demonstrate bankrsquos procedures were not commercially reasonable
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Defensive Measures
bull Multi-layer authentication
bull Multi-factor authentication
bull Out of band authentication
bull Positive pay
bull ACH block and filter
bull IP address filtering
bull Dual control
bull Activity monitoring
bull Manual vs Automated controls
13
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Malware encrypts everything it can interact with
ndash ie anything the infected user has access to
bull CryptoLocker
bull Kovter
ndash Also displays and adds child pornography images
May 20 2014 ndash Ransomware attacks doubled in last month (7000 to 15000)
httpinsurancenewsnetcomoarticle20140520cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966html
14
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) provides for the safeguarding of customer information
  – The Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ The Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (e.g., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related audits/reviews
  – ISP Review / IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual testing of critical systems
  – Annual employee tabletop/scenario testing
  – Board reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual testing
  – FS-ISAC
  – Cybersecurity examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to customer information
  – Criticality to bank operations
  – Ease of replacement
• New vendor due diligence and annual reviews
• Continuous monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process; assessment areas:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybersecurity web page: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC):
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and the necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and wire transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber incident management and resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: minimum access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, test, test – independent validation that it works…
Verizon (Data Breach Investigations Report)
• The report is an analysis of intrusions investigated by Verizon and the US Secret Service
• Key points:
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, its success and the removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. reviewing
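The list above says which sources to centralize; the last item is the real point. Archiving logs is not the same as reviewing them, and the Verizon findings earlier on this page show why: the evidence of the intrusion and of the data removal was already sitting in the log files. The following Python script is an added example, not code from the CliftonLarsonAllen deck or from any SIEM product. It runs two simple correlation rules over constructed SSH authentication and firewall log lines: a login that succeeds after a burst of failures from the same source, and a single outbound flow from the internal range that is far larger than normal. The log formats, host names, addresses and thresholds are assumptions chosen for the demonstration.

```python
"""Added example: review constructed auth and firewall logs and raise alerts.

Not code from the deck or from any SIEM product. Log formats, host names,
addresses and thresholds are assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: SSH authentication events from a file server.
AUTH_LOG = """\
2014-10-01T02:10:01 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:03 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:05 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:07 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:09 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:11 fileserver sshd: Failed password for admin from 203.0.113.7
2014-10-01T02:10:14 fileserver sshd: Accepted password for admin from 203.0.113.7
2014-10-01T09:00:00 fileserver sshd: Accepted password for jsmith from 10.1.1.25
"""

# Constructed sample input: per-connection records from the perimeter firewall.
FW_LOG = """\
2014-10-01T02:15:00 fw01 conn src=10.1.1.40 dst=203.0.113.7 proto=tcp dport=443 bytes_out=524288000
2014-10-01T09:05:00 fw01 conn src=10.1.1.25 dst=198.51.100.9 proto=tcp dport=443 bytes_out=40960
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) conn src=(\S+) dst=(\S+) proto=\S+ dport=\d+ bytes_out=(\d+)$")

FAILURE_THRESHOLD = 5             # failures in WINDOW before a success is suspicious
WINDOW = timedelta(minutes=5)
EXFIL_BYTES = 100 * 1024 * 1024   # one outbound flow above this is worth a look


def detect_brute_force_success(auth_log):
    """Alert when a login succeeds after FAILURE_THRESHOLD or more failures
    for the same user from the same source within WINDOW."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; a real pipeline counts them
        ts, host, outcome, user, src = m.groups()
        when = datetime.fromisoformat(ts)
        key = (user, src)
        failures[key] = [t for t in failures[key] if when - t <= WINDOW]
        if outcome == "Failed":
            failures[key].append(when)
        elif len(failures[key]) >= FAILURE_THRESHOLD:
            alerts.append({"type": "brute_force_success", "host": host, "user": user,
                           "src": src, "failures": len(failures[key]), "at": ts})
            failures[key].clear()
    return alerts


def detect_large_outbound(fw_log, internal_prefix="10."):
    """Alert on any single outbound flow from the internal range above EXFIL_BYTES."""
    alerts = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, host, src, dst, nbytes = m.groups()
        if src.startswith(internal_prefix) and int(nbytes) > EXFIL_BYTES:
            alerts.append({"type": "large_outbound", "host": host, "src": src,
                           "dst": dst, "bytes": int(nbytes), "at": ts})
    return alerts


def review(auth_log, fw_log):
    """The 'reviewing' half of archiving vs. reviewing: run every rule, return alerts."""
    return detect_brute_force_success(auth_log) + detect_large_outbound(fw_log)


if __name__ == "__main__":
    for alert in review(AUTH_LOG, FW_LOG):
        print(alert)
```

In a real deployment the same two rules would be written in the SIEM's correlation language and fed by the firewalls, authentication servers and hosts on the list above. What matters is that something evaluates the rules as events arrive and routes the alert to a person, rather than the logs only being retained for a forensic review after the money is gone.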
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People / Rules / Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randyromes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks
• Intrusion analysis: Trustwave (annual) – https://www.trustwave.com/whitePapers.php
• Intrusion analysis: Verizon Business Services (annual) – http://www.verizonenterprise.com/DBIR
In the News - Theft of PFI and PII
• Anthem
• Premera Blue Cross
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities
Stolen Card Data
• Carder or carding websites
• Dumps (magnetic-stripe track data for cloning physical cards) vs. CVVs (card number, expiry and security code for card-not-present fraud)
• A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop
Credit Card Data For Sale
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
CATO Lawsuits - UCC
Under UCC Article 4A (§4A-202(b)), a payment order received by the [bank] is "effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer"
CATO Lawsuits - UCC
• Electrical contractor vs. bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DoS
• Contractor asserting the bank processed a bogus ACH file without any call back
CATO Lawsuits - UCC
• Escrow company vs. bank
• > $400,000 stolen via a single wire through CATO
  – The escrow company had passed on the dual control offered by the bank
• Court ruled in favor of the bank
• The company's attorneys failed to demonstrate that the bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out-of-band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. automated controls
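These measures work as layers: any one of them can be bypassed, but a fraudster holding only a stolen password has to defeat all of them at once, and the escrow case above was lost by the customer in part because it had declined one of the layers. The following Python code is an added example, not from the deck and not any online-banking vendor's code. It combines IP address filtering, dual control, out-of-band confirmation and activity (velocity) monitoring into one release decision for a payment order, and evaluates both a fraudulent single large wire of the kind described above and the same wire sent the way the procedure expects. The customer profile, thresholds and field names are assumptions.

```python
"""Added example: layered release decision for an ACH/wire origination request.

Not code from the deck and not any online-banking vendor's code. The
customer profile, thresholds and field names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class CustomerProfile:
    customer_id: str
    allowed_networks: List[str]   # IP address filtering: CIDRs the customer registered
    dual_control_over: int        # amount above which a second user must approve
    oob_confirm_over: int         # amount above which out-of-band confirmation is required
    daily_limit: int              # activity monitoring: total originated per day
    originated_today: int = 0


@dataclass
class PaymentOrder:
    amount: int                   # whole dollars for the demo
    source_ip: str
    initiated_by: str
    approved_by: Optional[str] = None   # second user under dual control
    oob_confirmed: bool = False         # callback / token push acknowledged
    new_payee: bool = False


def evaluate(order: PaymentOrder, profile: CustomerProfile) -> List[str]:
    """Return the reasons to hold the order; an empty list means release it."""
    holds = []
    src = ip_address(order.source_ip)
    if not any(src in ip_network(cidr) for cidr in profile.allowed_networks):
        holds.append("source_ip_not_registered")
    if order.amount > profile.dual_control_over and (
            not order.approved_by or order.approved_by == order.initiated_by):
        holds.append("dual_control_required")
    # a new payee always needs out-of-band confirmation; large amounts do too
    if (order.new_payee or order.amount > profile.oob_confirm_over) and not order.oob_confirmed:
        holds.append("out_of_band_confirmation_required")
    if profile.originated_today + order.amount > profile.daily_limit:
        holds.append("daily_limit_exceeded")
    return holds


# Constructed profile: a small escrow company originating from one office range.
ESCROW_CO = CustomerProfile(
    customer_id="escrow-001",
    allowed_networks=["198.51.100.0/24"],
    dual_control_over=10_000,
    oob_confirm_over=50_000,
    daily_limit=500_000,
    originated_today=50_000,
)


def demo():
    # Stolen credentials used from an unregistered address: one large wire to a
    # new payee, no second approver, no callback answered.
    fraudulent = PaymentOrder(amount=460_000, source_ip="203.0.113.7",
                              initiated_by="controller", new_payee=True)
    # A wire of the same order of size sent the way the procedure expects.
    legitimate = PaymentOrder(amount=400_000, source_ip="198.51.100.20",
                              initiated_by="controller", approved_by="owner",
                              oob_confirmed=True, new_payee=True)
    return evaluate(fraudulent, ESCROW_CO), evaluate(legitimate, ESCROW_CO)


if __name__ == "__main__":
    bad, good = demo()
    print("fraudulent order holds:", bad)
    print("legitimate order holds:", good)
```

The decision deliberately reports every failed layer rather than stopping at the first, so that the fraud team and the customer can see which controls were missing; a customer who has declined dual control would see that reason on every large order, which is the conversation the escrow company in the case above never had before the loss.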
Ransomware
• Malware encrypts everything it can interact with
  – i.e., anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
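Because the malware encrypts whatever the infected account can write to, a backup only helps if it was stored where that account could not reach it and if it actually restores. The following Python script is an added example, not from the deck. It records a SHA-256 manifest when the backup is taken, verifies a test restore against that manifest, and then shows what the same verification reports for the live share after a simulated infection. The directory layout, the file contents and the stand-in for the encryption routine are constructed for the demonstration.

```python
"""Added example: backup manifest plus restore verification.

Not code from the deck. The directory layout, file contents and the
stand-in for the encryption routine are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def take_backup(source, dest):
    """Copy source to dest and write the manifest beside the copy."""
    shutil.copytree(source, dest)
    manifest = build_manifest(dest)
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest: missing, modified and unexpected files."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def simulate_ransomware(root):
    """Stand-in for crypto-ransomware (constructed, not real malware): overwrite
    every file the 'infected user' can write and give it a new extension."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as f:
                f.write(os.urandom(64))
            os.rename(full, full + ".encrypted")


def demo():
    """Take a backup, test-restore it, then check the infected share against it."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "share")
        os.makedirs(os.path.join(live, "loans"))
        with open(os.path.join(live, "loans", "q3.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(live, "policy.txt"), "w") as f:
            f.write("information security program\n")

        backup = os.path.join(work, "backup")
        manifest = take_backup(live, backup)

        # Test 1: restore the backup into a fresh directory and verify it.
        restore = os.path.join(work, "restore")
        shutil.copytree(backup, restore)
        clean = verify_restore(restore, manifest)

        # Test 2: the live share after infection. The backup copy lived where the
        # infected account could not write, so the manifest still describes it.
        simulate_ransomware(live)
        infected = verify_restore(live, manifest)
        return clean, infected
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, infected = demo()
    print("clean restore:", clean)
    print("infected share vs. manifest:", infected)
```

The manifest file must be kept with the backup on media the production accounts cannot write to; a manifest that the malware can also overwrite proves nothing. The "tested" part is the restore into a fresh directory and the comparison, run on a schedule, not the existence of the backup job.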
Keys to Successful Breaches 2013/2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
  – Ask them to visit a web site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint: http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch download
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site:
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
- Sumitomo Bank (2005) – over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December 2013) – £1.3M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – layers "behind the people":
  1. Secure/standard configurations (hardening)
  2. Critical patches – operating systems
  3. Critical patches – applications
  4. Application white listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, monitoring and alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institution
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS Top 20 Controls
SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
SANS Top 20 Controls
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR/
In the News - Theft of PFI and PII
• Target
• Goodwill
• Hannaford Brothers
• University of Maryland
• University of Indiana
• Olmsted Medical Center
• Community Health Systems
• Anthem
• Blue Cross Premera
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities
Stolen Card Data
• Carder or Carding websites
• Dumps vs. CVV's
• A peek inside a carding operation
  http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Credit Card Data For Sale
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
CATO Lawsuits - UCC
A payment order received by the [bank] is "effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."
CATO Lawsuits - UCC
• Electrical Contractor vs. Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DoS
• Contractor asserting Bank processed bogus ACH file without any call back
CATO Lawsuits - UCC
• Escrow company vs. Bank
• > $400,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company's attorneys failed to demonstrate bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. Automated controls
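Several of the measures above are rules a bank's online origination platform can evaluate before releasing a payment order. The following is an added example, not code from the deck or from any banking product: it layers IP address filtering, out-of-band confirmation, dual control above a threshold, the ACH block/filter, and an activity-monitoring daily limit into a single decision. The customer profile, the threshold values and the two sample orders (one resembling the escrow-company wire from the lawsuit slide, one routine payroll file) are all constructed for the example.

```python
"""Added example: a layered CATO authorization gate for an online ACH/wire request.
Profile values, thresholds and orders are constructed; nothing here is a real
institution's configuration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CustomerProfile:
    allowed_networks: list              # IP address filtering (CIDR strings)
    dual_control_threshold: int         # cents; orders at/above need a second approver
    ach_debit_blocked: bool             # ACH block: no outbound ACH debits at all
    ach_filter_allowed_receivers: set = field(default_factory=set)  # ACH filter
    daily_limit: int = 0                # cents; activity-monitoring velocity limit


@dataclass
class PaymentOrder:
    kind: str                   # "ach" or "wire"
    amount: int                 # cents
    receiver_id: str
    source_ip: str
    initiator: str
    approver: Optional[str]     # second user for dual control, if any
    oob_confirmed: bool         # one-time code confirmed over a separate channel
    already_sent_today: int     # cents originated today before this order


def evaluate_order(p: CustomerProfile, o: PaymentOrder) -> list:
    """Return the list of control failures; an empty list means the order may be released.
    Every layer is evaluated so the log shows all failures, not only the first."""
    failures = []
    src = ip_address(o.source_ip)
    if not any(src in ip_network(n) for n in p.allowed_networks):
        failures.append("source IP not on customer allow-list")
    if not o.oob_confirmed:
        failures.append("out-of-band confirmation missing")
    if o.amount >= p.dual_control_threshold:
        if o.approver is None:
            failures.append("dual control required: no second approver")
        elif o.approver == o.initiator:
            failures.append("dual control violated: initiator approved own order")
    if o.kind == "ach":
        if p.ach_debit_blocked:
            failures.append("ACH debit block in force")
        elif p.ach_filter_allowed_receivers and o.receiver_id not in p.ach_filter_allowed_receivers:
            failures.append("receiver not on ACH filter list")
    if p.daily_limit and o.already_sent_today + o.amount > p.daily_limit:
        failures.append("daily origination limit exceeded")
    return failures


# Constructed profile: a small escrow company that accepted dual control above $10,000
ESCROW_CO = CustomerProfile(
    allowed_networks=["203.0.113.0/24"],
    dual_control_threshold=10_000_00,
    ach_debit_blocked=False,
    ach_filter_allowed_receivers={"PAYROLL-VENDOR"},
    daily_limit=50_000_00,
)


def demo_takeover_attempt() -> list:
    """Constructed: a $400,000 wire from an unfamiliar network, no second approver, no OOB code."""
    order = PaymentOrder("wire", 400_000_00, "UNKNOWN-BENEFICIARY", "198.51.100.7",
                         "bookkeeper", None, False, 0)
    return evaluate_order(ESCROW_CO, order)


def demo_legitimate_payroll() -> list:
    """Constructed: a routine $8,000 payroll ACH file from the office network."""
    order = PaymentOrder("ach", 8_000_00, "PAYROLL-VENDOR", "203.0.113.10",
                         "bookkeeper", None, True, 1_000_00)
    return evaluate_order(ESCROW_CO, order)


if __name__ == "__main__":
    print("takeover attempt:", demo_takeover_attempt())
    print("legitimate payroll:", demo_legitimate_payroll())
```

The point of returning every failed layer rather than stopping at the first is that the activity-monitoring record then shows which controls the attempt tripped, which is exactly the evidence the UCC "commercially reasonable" standard on the lawsuit slides turns on.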
Ransomware
• Malware encrypts everything it can interact with
  – i.e., anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
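"Tested" is the operative word: a backup is only known to work once a restore has been run and checked against what was backed up. The following is an added example, not code from the deck or from any backup product, of the minimum such a test needs: the backup writes a manifest of SHA-256 digests, and the restore test copies the data out and compares every file against that manifest. The scenario function then shows why the previous slide's point matters: if the infected user can write to the backup location, the backup gets encrypted too, and only a verified restore reveals it. File names and contents are constructed in a temporary directory.

```python
"""Added example: backup with a digest manifest, plus a restore test that proves the
backup is intact. Paths and file contents are constructed for the example."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large ledgers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest/data and write dest/manifest.json (relative path -> sha256)."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = _digest(p)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(dest: Path, scratch: Path) -> tuple:
    """Restore dest into scratch and check every restored file against the manifest.
    Returns (ok, problems); problems lists files missing from or altered in the backup."""
    manifest = json.loads((dest / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        src = dest / "data" / rel
        out = scratch / rel
        if not src.exists():
            problems.append(f"missing in backup: {rel}")
            continue
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)
        if _digest(out) != expected:
            problems.append(f"altered: {rel}")
    return (not problems, problems)


def demo() -> dict:
    """Constructed scenario: back up two files, verify, then overwrite one backup file with
    random bytes (what ransomware does to a writable backup share) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, bak = root / "live", root / "backup"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "q1.csv").write_text("acct,amount\n1001,250.00\n")
        (live / "policy.txt").write_text("dual control required above $10,000\n")
        backup(live, bak)
        ok_before, _ = verify_restore(bak, root / "restore1")
        (bak / "data" / "ledger" / "q1.csv").write_bytes(os.urandom(64))
        ok_after, problems = verify_restore(bak, root / "restore2")
        return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the test meaningful: a restore that merely completes proves nothing about content. In practice the manifest and at least one backup copy belong somewhere the infected user's credentials cannot write (offline media, or storage with a separate account and retention lock), because the malware encrypts "anything the infected user has access to".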
Keys to Successful Breaches, 2013/2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people." – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web-site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch Download
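The three ingredients of the spoofing pattern above (a borrowed authority, a link or attachment to act on, and pressure to act now) each leave marks in the message itself that a mail gateway or an analyst can check. The following is an added example, not code from the deck or from any mail product, of such a check run over a constructed message shaped like the "Better Business Bureau complaint" lure: it flags an executive's display name on an external domain, a Return-Path that does not match the From domain, a failed SPF result as recorded by the gateway, executable attachment types, link text whose host differs from the real link target, and urgency wording. The domain names, staff names and the `Authentication-Results` header are all constructed for the example.

```python
"""Added example: phishing/spoofing indicators extracted from a raw message.
Domains, names and sample messages are constructed; nothing here is a real sender."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed, hypothetical institution data
INTERNAL_DOMAIN = "example-cu.test"
EXECUTIVE_NAMES = {"dave miller", "randy romes"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".zip")
URGENCY = re.compile(r"\b(immediately|urgent|suspend(?:ed)?|complaint|within 24 hours)\b", re.I)


def _name_and_domain(header_value) -> tuple:
    """'"Dave Miller" <dave.miller@host>' -> ('dave miller', 'host')."""
    name, spec = parseaddr(str(header_value))
    domain = spec.rsplit("@", 1)[-1].lower() if "@" in spec else ""
    return name.strip().lower(), domain


def analyze_message(raw: str) -> dict:
    """Return the indicators found and a score (their count); higher is more suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, from_dom = _name_and_domain(msg.get("From", ""))

    # 1. Authority impersonation: an internal executive's name on an external domain
    if name in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("display-name impersonation of internal staff")
    # 2. Replies or bounces routed to a domain other than the visible sender
    for h in ("Reply-To", "Return-Path"):
        _, d = _name_and_domain(msg.get(h, ""))
        if d and d != from_dom:
            findings.append(f"{h} domain ({d}) differs from From domain ({from_dom})")
    # 3. Sender authentication result written by our own gateway (constructed header)
    auth = str(msg.get("Authentication-Results", ""))
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("sender authentication failed at gateway")
    # 4. "Open this attachment / run this update" with an executable file type
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {fn}")
    # 5. "Visit this web-site": anchor text names one host, href points at another
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', text, re.I):
        shown = shown.strip()
        shown_host = urlparse(shown if shown.startswith("http") else "http://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host and shown_host.lower() != real_host.lower():
            findings.append(f"link text says {shown_host} but points to {real_host}")
    # 6. Pressure to act now (the "avoid inconvenience" lever)
    if URGENCY.search(text) or URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency / inconvenience-avoidance language")
    return {"findings": findings, "score": len(findings)}


# Constructed sample: a BBB-complaint style lure impersonating an internal manager
SAMPLE_PHISH = """From: "Dave Miller" <dave.miller@mail-updates.test>
Reply-To: helpdesk@mail-updates.test
Return-Path: <bounce@bulk-sender.test>
To: teller@example-cu.test
Subject: Better Business Bureau complaint - respond immediately
Authentication-Results: gw.example-cu.test; spf=fail smtp.mailfrom=bulk-sender.test; dkim=none
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>A complaint was filed against your branch. Review it at
<a href="http://bbb-complaints.lure-host.test/case">www.bbb.org</a>
within 24 hours or your account will be suspended.</p>
"""

# Constructed sample: an ordinary internal message from the same manager
SAMPLE_LEGIT = """From: "Dave Miller" <dave.miller@example-cu.test>
To: teller@example-cu.test
Subject: Branch meeting notes
Authentication-Results: gw.example-cu.test; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting are on the intranet.
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE_PHISH))
    print(analyze_message(SAMPLE_LEGIT))
```

Each indicator alone is weak (an executive can legitimately write from a personal address; a vendor can legitimately set a different Reply-To), which is why the result is a score of independent findings rather than a single verdict; the gateway thresholds and the awareness-training message ("check where the link really goes") cover the same ground from two sides.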
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
- Sumitomo Bank (2005) – over $500M
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December 2013) - $130M lost
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – Layers "behind the people"
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: Preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles / Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
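The Verizon key point two slides up ("log files contained evidence of the intrusion attempt, success and removal of data") and the "Archiving vs. Reviewing" bullet here make the same argument: the evidence is already in the logs, and the difference is whether anything correlates the sources. The following is an added example, not code from the deck or from any SIEM product, of what that correlation looks like when the sources listed above are pulled into one place. Constructed lines from a network-authentication log, an online-banking application log and a firewall egress log are normalized to one event shape, and three rules run over them: repeated failed logins followed by a success from the same source (attempt, then success), a large outbound transfer from a host shortly after a login (removal of data), and, from the CATO "activity monitoring" measure, a payment created from an address the customer has never logged in from before. The log formats, hosts, thresholds and the ten-minute window are all constructed for the example, and the number of lines the parser could not read is reported so a coverage gap is not silent.

```python
"""Added example: a small SIEM-style correlation pass over constructed log lines.
Formats, hosts and thresholds are invented for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Three constructed log formats (network authentication, banking application, firewall)
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")
APP_RE = re.compile(r"^(?P<ts>\S+) banking user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)(?: amount=(?P<amount>\d+))?$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse(line: str):
    """Normalize one line to a dict with a 'kind' and a datetime 'ts', or None if unrecognized."""
    for kind, rx in (("auth", AUTH_RE), ("app", APP_RE), ("fw", FW_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None


def analyze(lines, fail_threshold=5, window=timedelta(minutes=10), egress_bytes=50_000_000) -> dict:
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev is None:
            unparsed += 1           # unreadable lines are a coverage gap, report them
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # Rule 1: >= fail_threshold failures then a success, same source and host, inside the window
    fails = defaultdict(list)
    for e in (x for x in events if x["kind"] == "auth"):
        key = (e["src"], e["host"])
        if e["result"] == "fail":
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(f"brute-force then success: {e['user']} on {e['host']} from {e['src']} after {len(recent)} failures")
        fails[key].clear()

    # Rule 2: successful login on a host, then a large outbound transfer from that host within the window
    last_ok = {}
    for e in events:
        if e["kind"] == "auth" and e["result"] == "ok":
            last_ok[e["host"]] = (e["ts"], e["user"])
        elif e["kind"] == "fw" and int(e["bytes"]) >= egress_bytes and e["src"] in last_ok:
            t0, user = last_ok[e["src"]]
            if e["ts"] - t0 <= window:
                alerts.append(f"large egress: {e['bytes']} bytes from {e['src']} to {e['dst']} soon after login by {user}")

    # Rule 3: banking payment created in a session from an address the user has never logged in from before
    known, new_src = defaultdict(set), {}
    for e in (x for x in events if x["kind"] == "app"):
        if e["action"] == "login":
            if known[e["user"]] and e["src"] not in known[e["user"]]:
                new_src[(e["user"], e["src"])] = e["ts"]
            known[e["user"]].add(e["src"])
        elif e["action"] == "create_payment":
            t0 = new_src.get((e["user"], e["src"]))
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append(f"payment of {e['amount']} by {e['user']} from first-seen address {e['src']}")
    return {"alerts": alerts, "unparsed": unparsed}


# Constructed log batch: one intrusion against a server, one routine typo, one account takeover
LOG = """2014-05-20T08:00:00 banking user=acme_books src=192.0.2.10 action=login
2014-05-20T08:02:00 banking user=acme_books src=192.0.2.10 action=view_balance
2014-05-20T09:00:01 auth host=10.0.0.5 user=admin src=198.51.100.9 result=fail
2014-05-20T09:00:03 auth host=10.0.0.5 user=admin src=198.51.100.9 result=fail
2014-05-20T09:00:05 auth host=10.0.0.5 user=admin src=198.51.100.9 result=fail
2014-05-20T09:00:07 auth host=10.0.0.5 user=admin src=198.51.100.9 result=fail
2014-05-20T09:00:09 auth host=10.0.0.5 user=admin src=198.51.100.9 result=fail
2014-05-20T09:00:12 auth host=10.0.0.5 user=admin src=198.51.100.9 result=ok
2014-05-20T09:04:40 fw src=10.0.0.5 dst=203.0.113.77 bytes_out=734003200
2014-05-20T09:30:00 auth host=10.0.0.6 user=jsmith src=10.0.1.20 result=fail
2014-05-20T09:30:05 auth host=10.0.0.6 user=jsmith src=10.0.1.20 result=ok
2014-05-20T10:00:00 banking user=acme_books src=203.0.113.44 action=login
2014-05-20T10:01:30 banking user=acme_books src=203.0.113.44 action=create_payment amount=38500000
this line is in a format the collector has no parser for
"""


def run_demo() -> dict:
    return analyze(LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo()["alerts"]:
        print(a)
```

None of the three rules is possible from a single source: rule 2 joins network authentication to firewall records, and rule 3 needs the application's own login history. That is the practical meaning of "centralized" on this slide, and of reviewing rather than merely archiving.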
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Three Largest Cyber Fraud Trends
bull Organized Crime ndash Theft of Information
ndash Wholesale theft of personal financial information
bull CATOndash Corporate Account Takeover
ndash Use of online credentials for ACH CC and wire fraud
bull Ransomware
ndash Your data held for ransom
5
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Target
bull Goodwill
bull Haniford Brothers
bull University of Maryland
bull University of Indiana
bull Olmsted Medical Center
bull Community Health Systems
In the News - Theft of PFI and PII
6
bull Anthem
bull Blue Cross Primera
Active campaigns involving targeted phishing and hacking focused on commonknown vulnerabilities
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Stolen Card Data
bull Carder or Carding websites
bull Dumps vs CVVrsquos
bull A peek inside a carding operation
httpkrebsonsecuritycom201406peek-inside-a-professional-carding-shop
7
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Credit Card Data For Sale
8
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Catholic church parish
bull Hospice
bull Finance company
bull Main Street newspaper stand
bull Electrical contractor
bull Utility company
bull Industry trade association
bull Rural hospital
bull Mining company
bull On and on and on and onhelliphelliphelliphelliphellip
(Corporate) Account Takeover
9
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
a payment order received by the [bank] is ldquoeffective as the order of the customer whether or not authorized if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customerrdquo
10
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
11
bull Electrical Contractor vs Bank
bull gt $300000 stolen via ACH through CATO
bull Internet banking site was ldquodownrdquo ndash DOS
bull Contractor asserting Bank processed bogus ACH file without any call back
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
12
bull Escrow company vs Bank
bull gt $400000 stolen via single wire through CATO
ndash CE passed on dual control offered by the bank
bull Court ruled in favor of bank
bull Companies attorneys failed to demonstrate bankrsquos procedures were not commercially reasonable
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Defensive Measures
bull Multi-layer authentication
bull Multi-factor authentication
bull Out of band authentication
bull Positive pay
bull ACH block and filter
bull IP address filtering
bull Dual control
bull Activity monitoring
bull Manual vs Automated controls
13
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Malware encrypts everything it can interact with
ndash ie anything the infected user has access to
bull CryptoLocker
bull Kovter
ndash Also displays and adds child pornography images
May 20 2014 ndash Ransomware attacks doubled in last month (7000 to 15000)
httpinsurancenewsnetcomoarticle20140520cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966html
14
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon DBIR
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs Reviewing
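The Verizon key points above (the evidence was in the logs; nobody reviewed it) and this SIEM list come together in the following added example, which is not from the deck: a small correlation routine replays constructed records from a VPN authenticator, a file server and a firewall and raises alerts instead of merely archiving the lines. The record layout, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the deck) in an assumed
# "timestamp source event key=value ..." layout, as a SIEM might receive
# them from network authentication, a server and a firewall.
SAMPLE_LOGS = """\
2014-07-14T02:11:05 vpn auth result=FAIL user=jsmith src=203.0.113.7
2014-07-14T02:11:09 vpn auth result=FAIL user=jsmith src=203.0.113.7
2014-07-14T02:11:14 vpn auth result=FAIL user=jsmith src=203.0.113.7
2014-07-14T02:11:20 vpn auth result=FAIL user=jsmith src=203.0.113.7
2014-07-14T02:11:27 vpn auth result=FAIL user=jsmith src=203.0.113.7
2014-07-14T02:11:33 vpn auth result=OK user=jsmith src=203.0.113.7
2014-07-14T02:40:02 fileserver share_access user=jsmith path=/loans files=1842
2014-07-14T03:05:41 firewall conn dir=OUT src=10.1.4.22 dst=198.51.100.9 bytes=734003200
2014-07-14T09:15:00 vpn auth result=OK user=mlee src=192.0.2.44
2014-07-14T09:20:13 firewall conn dir=OUT src=10.1.4.30 dst=198.51.100.200 bytes=40960
"""

# Assumed thresholds; an institution tunes these to its own baseline.
FAIL_THRESHOLD = 5                    # failures per (user, source) inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
EXFIL_WINDOW = timedelta(hours=2)     # how long after a suspicious login bulk egress is correlated
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Split one record into a dict: ts, source, event plus the key=value fields."""
    ts, source, event, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def analyze(log_text):
    """Replay records in time order and return the alerts a reviewer should see."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed logins
    suspicious_until = None        # end of the correlation window opened by a suspicious login

    for e in events:
        if e["source"] == "vpn" and e["event"] == "auth":
            key = (e["user"], e["src"])
            # keep only the failures still inside the sliding window
            failures[key] = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            if e["result"] == "FAIL":
                failures[key].append(e["ts"])
                if len(failures[key]) >= FAIL_THRESHOLD:
                    alerts.append({"kind": "password_guessing", "when": e["ts"], "detail": key})
            elif e["result"] == "OK":
                if failures[key]:
                    # a success right after a burst of failures is the "intrusion success" record
                    alerts.append({"kind": "login_after_failures", "when": e["ts"], "detail": key})
                    suspicious_until = e["ts"] + EXFIL_WINDOW
                failures[key].clear()
        elif e["source"] == "firewall" and e["event"] == "conn" and e["dir"] == "OUT":
            if int(e["bytes"]) >= LARGE_TRANSFER_BYTES:
                kind = "large_outbound_transfer"
                if suspicious_until is not None and e["ts"] <= suspicious_until:
                    kind = "possible_data_removal"   # bulk egress inside the correlation window
                alerts.append({"kind": kind, "when": e["ts"], "detail": (e["src"], e["dst"])})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a["when"].isoformat(), a["kind"], a["detail"])
```

The three alerts it raises on the sample are exactly the three records the Verizon finding says sit unread in archived logs: the attempt, the success and the removal of data.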
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
Figure: People – Rules – Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists:
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: Trustwave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
In the News - Theft of PFI and PII
• Target
• Goodwill
• Hannaford Brothers
• University of Maryland
• University of Indiana
• Olmsted Medical Center
• Community Health Systems
• Anthem
• Blue Cross Premera
Active campaigns involving targeted phishing and hacking focused on common/known vulnerabilities
Stolen Card Data
• Carder or Carding websites
• Dumps vs CVVs
• A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Credit Card Data For Sale
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
CATO Lawsuits - UCC
A payment order received by the [bank] is "effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."
CATO Lawsuits - UCC
• Electrical Contractor vs Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DOS
• Contractor asserting the Bank processed a bogus ACH file without any call back
CATO Lawsuits - UCC
• Escrow company vs Bank
• > $400,000 stolen via a single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of the bank
• Company's attorneys failed to demonstrate the bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs Automated controls
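As an added example that is not from the deck or from any bank's system, the layered measures above can be expressed as one release check every payment order must pass: the automated layers either release the order or hold it for the manual call-back the electrical-contractor case complains was skipped. The profile fields, thresholds and orders are assumptions; the large wire is constructed to resemble the escrow-company case study.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class CustomerProfile:
    """The security procedure the customer agreed to with the bank (assumed fields)."""
    allowed_ips: Set[str]            # IP address filtering
    dual_control_over: float         # second, distinct approver required above this amount
    oob_required_over: float         # out-of-band confirmation required above this amount
    daily_limit: float               # activity monitoring: 24-hour outgoing ceiling
    ach_debit_block: bool            # ACH block: outbound ACH debit batches are refused
    ach_allowed_companies: Set[str]  # ACH filter: originator company IDs allowed to send


@dataclass
class PaymentOrder:
    kind: str                        # "wire", "ach_credit" or "ach_debit"
    amount: float
    initiator: str
    approver: Optional[str]
    src_ip: str
    oob_confirmed: bool
    submitted: datetime
    company_id: Optional[str] = None


def evaluate(order: PaymentOrder, profile: CustomerProfile,
             recent: List[PaymentOrder]) -> dict:
    """Run every layer; any failure holds the order for a manual call-back instead of releasing it."""
    failed = []
    if order.src_ip not in profile.allowed_ips:
        failed.append("ip_filter")
    if order.amount > profile.dual_control_over and (
            order.approver is None or order.approver == order.initiator):
        failed.append("dual_control")
    if order.amount > profile.oob_required_over and not order.oob_confirmed:
        failed.append("out_of_band")
    if order.kind == "ach_debit" and profile.ach_debit_block:
        failed.append("ach_block")
    if order.kind.startswith("ach") and order.company_id not in profile.ach_allowed_companies:
        failed.append("ach_filter")
    # activity monitoring: this order plus everything sent in the trailing 24 hours
    since = order.submitted - timedelta(hours=24)
    outgoing = order.amount + sum(o.amount for o in recent if o.submitted >= since)
    if outgoing > profile.daily_limit:
        failed.append("activity_monitoring")
    return {"decision": "HOLD" if failed else "RELEASE", "failed_controls": failed}


# Constructed profile (assumed values, not from any real institution).
PROFILE = CustomerProfile(
    allowed_ips={"192.0.2.10", "192.0.2.11"},
    dual_control_over=10_000.0,
    oob_required_over=50_000.0,
    daily_limit=150_000.0,
    ach_debit_block=True,
    ach_allowed_companies={"1234567890"},
)


def sample_orders():
    t0 = datetime(2014, 5, 20, 7, 45)
    # routine payroll batch: approved by a second person, sent from the office address
    payroll = PaymentOrder("ach_credit", 18_000.0, "controller", "cfo",
                           "192.0.2.10", False, t0, "1234567890")
    # built to resemble the escrow-company case: one large wire, no second approver,
    # unfamiliar source address, no call-back confirmation
    takeover = PaymentOrder("wire", 400_000.0, "controller", None,
                            "203.0.113.45", False, t0 + timedelta(hours=3))
    return payroll, takeover


if __name__ == "__main__":
    payroll, takeover = sample_orders()
    print(evaluate(payroll, PROFILE, []))
    print(evaluate(takeover, PROFILE, [payroll]))
```

With every layer switched on, the constructed takeover order trips four independent controls; a customer who declined dual control, as in the case study, would have removed one of them but still be caught by the others.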
Ransomware
• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
Keys to Successful Breaches 2013 / 2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web-site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
– Sumitomo Bank (2005) – over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
– Barclays Bank (December 2013) – $130M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – layers "behind the people"
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights: no browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Stolen Card Data
bull Carder or Carding websites
bull Dumps vs CVVrsquos
bull A peek inside a carding operation
httpkrebsonsecuritycom201406peek-inside-a-professional-carding-shop
7
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Credit Card Data For Sale
8
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
9
CATO Lawsuits - UCC
A payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
10
CATO Lawsuits - UCC
• Electrical Contractor vs. Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was “down” – DOS
• Contractor asserting Bank processed bogus ACH file without any call back
11
CATO Lawsuits - UCC
• Escrow company vs. Bank
• > $400,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company’s attorneys failed to demonstrate bank’s procedures were not commercially reasonable
12
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. Automated controls
13
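The measures above work as layers on a single payment order. The following added example (not from the presentation) shows them as independent checks in Python; the customer profile, amounts, addresses and users are constructed, and the second order mirrors the dual-control gap in the escrow case above.

```python
"""Layered controls for a corporate account takeover (CATO) scenario.

Added example, not from the presentation. It models the slide's defensive
measures (multi-factor and out-of-band authentication, ACH block/filter,
IP address filtering, dual control, activity monitoring) as independent
checks on one payment order. All names, amounts, networks and history are
constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import List, Optional


@dataclass
class PaymentOrder:
    originator: str            # user who entered the order
    approver: Optional[str]    # second user who released it, if any
    kind: str                  # "ACH" or "WIRE"
    amount: float
    source_ip: str
    mfa_verified: bool         # multi-factor authentication completed at login
    oob_confirmed: bool        # out-of-band confirmation (e.g. call back) done


@dataclass
class CustomerProfile:
    allowed_networks: List[str]              # IP address filtering
    ach_block: bool = False                  # ACH block: customer originates no ACH
    ach_filter_limit: float = 0.0            # ACH filter: max per-item amount (0 = none)
    dual_control_threshold: float = 0.0      # second approver required above this
    recent_amounts: List[float] = field(default_factory=list)  # activity baseline


def evaluate_order(order: PaymentOrder, profile: CustomerProfile) -> List[str]:
    """Run every layer and return the findings; an empty list means release."""
    findings = []

    # Layer 1: multi-factor authentication at login
    if not order.mfa_verified:
        findings.append("multi-factor authentication not completed")

    # Layer 2: IP address filtering against the customer's registered networks
    src = ip_address(order.source_ip)
    if not any(src in ip_network(net) for net in profile.allowed_networks):
        findings.append(f"source IP {order.source_ip} outside registered networks")

    # Layer 3: ACH block and filter
    if order.kind == "ACH":
        if profile.ach_block:
            findings.append("ACH origination is blocked for this customer")
        elif profile.ach_filter_limit and order.amount > profile.ach_filter_limit:
            findings.append(f"ACH amount {order.amount:,.2f} exceeds filter limit")

    # Layer 4: dual control above the threshold (the escrow case on the slide
    # turned on a customer that had declined exactly this control)
    if order.amount > profile.dual_control_threshold:
        if order.approver is None:
            findings.append("dual control required: no second approver")
        elif order.approver == order.originator:
            findings.append("dual control violated: approver is the originator")

    # Layer 5: out-of-band confirmation for wires
    if order.kind == "WIRE" and not order.oob_confirmed:
        findings.append("wire not confirmed out of band")

    # Layer 6: activity monitoring against the customer's recent history
    if profile.recent_amounts:
        baseline = mean(profile.recent_amounts)
        if order.amount > 3 * baseline:
            findings.append(f"amount is {order.amount / baseline:.1f}x recent average")

    return findings


# Constructed profile: a small business that usually moves about $12k per item.
ESCROW_CO = CustomerProfile(
    allowed_networks=["203.0.113.0/24"],
    ach_filter_limit=25_000,
    dual_control_threshold=10_000,
    recent_amounts=[12_000, 8_000, 15_000],
)

# Constructed orders: a routine ACH released by a second user, and a single
# large wire from an unregistered address with one user and no call back.
ROUTINE_ACH = PaymentOrder("alice", "bob", "ACH", 5_000, "203.0.113.20", True, False)
TAKEOVER_WIRE = PaymentOrder("alice", None, "WIRE", 400_000, "198.51.100.7", True, False)

if __name__ == "__main__":
    for label, order in (("routine ACH", ROUTINE_ACH), ("takeover wire", TAKEOVER_WIRE)):
        result = evaluate_order(order, ESCROW_CO)
        print(f"{label}: {'release' if not result else 'hold'}")
        for finding in result:
            print("  -", finding)
```

Each layer is independent, so a customer that declines one (as in the escrow case) still gets the others; the wire above is held by four of them.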
Ransomware
• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
14
Ransomware
• Working (tested) backups are key
15
Keys to Successful Breaches (2013, 2014)
https://www2.trustwave.com/GSR2014
16
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
17
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of “authority”
• People want to avoid inconvenience
• Timing, timing, timing…
“Amateurs hack systems, professionals hack people” – Bruce Schneier
18
Pre-text Phone Calls
• “Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…”
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer’s script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
19
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
  – Ask them to visit a web-site
  – Ask them to open an attachment or run update
• Examples
  – Better Business Bureau complaint
    httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
  – Microsoft Security Patch Download
20
Email Phishing – “Targeted Attack”
21
Physical (Facility) Security
Compromise the site
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Examples…
- Sumitomo Bank (2005) – over $500M
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December 2013) - $130M lost
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
22
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS “First Five” – Layers “behind the people”
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – “The 3 R’s”: Recognize, React, Respond
  – More on this at the end…
23
cliftonlarsonallen.com
FFIEC – Executive Leadership of Cybersecurity
24
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
25
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
26
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institution
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks
27
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
28
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
29
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
30
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
31
Cybersecurity Assessments
July – August 2014
32
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution’s Information Security Program
33
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines Establishing Information Security Standards” (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
34
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
35
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
36
Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
37
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
38
FFIEC Cybersecurity Assessments
• In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
39
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
40
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
41
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
42
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
43
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
44
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: Preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset’s inherent risk; prompt and documented remediation of findings; regular activity report reviews
45
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
46
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
Recent Examiner Supplemental Cyber Security “Request List”
48
Recent Examiner Supplemental Cyber Security “Request List”
49
Recent Examiner Supplemental Cyber Security “Request List”
50
cliftonlarsonallen.com
Key Defensive Strategies
51
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
52
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Test, Test, Test – Independent validation that it works…
53
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
54
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
55
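The Verizon finding above is that the logs already held the attempt, the success and the data leaving; reviewing them centrally is what turns archive into alert. As an added example (not part of the presentation), this Python script correlates constructed firewall, network-authentication and server lines from one collector feed to surface that three-stage sequence per external address; the line format and the field names (src, dst, bytes) are assumptions for the example.

```python
"""Correlating centrally collected logs to find the three-stage pattern the
Verizon analysis describes: intrusion attempts, a success, then data leaving.

Added example, not from the presentation. The log lines are constructed and
use a simplified "source|timestamp|message" shape that a collector would
normalise firewall, network-authentication and server logs into. Field names
(src, dst, bytes) are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict

# Constructed sample feed. It is deliberately not in time order: sources reach
# the collector at different times, which is one reason review must be central.
# The "server" line is the file read an analyst would check; it is not scored.
SAMPLE_LOGS = """\
auth|2014-05-12T02:10:01|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:03|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:05|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:07|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:09|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:11|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:13|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:15|FAILED login user=jsmith src=198.51.100.7
auth|2014-05-12T02:10:20|SUCCESS login user=jsmith src=198.51.100.7
server|2014-05-13T23:40:00|read share=Loans user=jsmith bytes=734003200
firewall|2014-05-13T23:41:10|ALLOW out src=10.0.0.25 dst=198.51.100.7 port=443 bytes=731000000
auth|2014-05-12T09:00:00|SUCCESS login user=mlee src=10.0.0.40
firewall|2014-05-12T09:05:00|ALLOW out src=10.0.0.40 dst=93.184.216.34 port=443 bytes=20480
"""

LINE_RE = re.compile(r"^(?P<source>\w+)\|(?P<ts>[^|]+)\|(?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Split one normalised line into source, timestamp, message and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(KV_RE.findall(m.group("msg")))
    event.update(source=m.group("source"),
                 ts=datetime.fromisoformat(m.group("ts")),
                 msg=m.group("msg"))
    return event


def correlate(log_text: str, fail_threshold: int = 5,
              exfil_bytes: int = 100_000_000) -> Dict[str, dict]:
    """Return, per external address, the intrusion stages visible in the logs.

    An address is reported only if a login succeeded after at least
    `fail_threshold` failures from it; outbound traffic back to that address
    totalling at least `exfil_bytes` is then treated as data removal.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])   # restore the real sequence of events

    state = defaultdict(lambda: {"failed": 0, "first_seen": None,
                                 "success_at": None, "exfil_bytes": 0, "exfil_at": None})
    for e in events:
        if e["source"] == "auth":
            rec = state[e["src"]]
            rec["first_seen"] = rec["first_seen"] or e["ts"]
            if e["msg"].startswith("FAILED"):
                rec["failed"] += 1
            elif (e["msg"].startswith("SUCCESS") and rec["success_at"] is None
                  and rec["failed"] >= fail_threshold):
                rec["success_at"] = e["ts"]
        elif e["source"] == "firewall" and e["msg"].startswith("ALLOW out"):
            dst = e.get("dst")
            if dst in state and state[dst]["success_at"] is not None:
                rec = state[dst]
                rec["exfil_bytes"] += int(e.get("bytes", 0))
                rec["exfil_at"] = e["ts"]

    report = {}
    for ip, rec in state.items():
        if rec["success_at"] is None:
            continue  # failures alone are noise; the pivot is a success after them
        stages = ["attempt", "success"]
        if rec["exfil_bytes"] >= exfil_bytes:
            stages.append("data-out")
        end = rec["exfil_at"] or rec["success_at"]
        report[ip] = {"stages": stages, "failed_logins": rec["failed"],
                      "exfil_bytes": rec["exfil_bytes"],
                      "dwell": end - rec["first_seen"]}   # first attempt to data out
    return report


if __name__ == "__main__":
    for ip, r in correlate(SAMPLE_LOGS).items():
        print(f"{ip}: {' -> '.join(r['stages'])}, {r['failed_logins']} failed logins, "
              f"{r['exfil_bytes']:,} bytes out, dwell {r['dwell']}")
```

The sample shows the dwell the slide talks about: the first failed login and the outbound transfer are almost two days apart, which is the review window a nightly log check would have had.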
Call To Action
Policies to set foundation
Train your users
Thoroughly assess your risks
Three R’s: Recognize, React, Respond
Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People – Rules – Tools
56
Questions
57
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randyromes@cliftonlarsonallen.com
888-529-2648
58
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – “Digital Dozen”
• PCI-DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
61
SANS Critical Security Controls - Version 5
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
SANS “First Five”
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
63
SANS Top 20 Controls
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
65
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks/
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR/
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Credit Card Data For Sale
8
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Catholic church parish
bull Hospice
bull Finance company
bull Main Street newspaper stand
bull Electrical contractor
bull Utility company
bull Industry trade association
bull Rural hospital
bull Mining company
bull On and on and on and onhelliphelliphelliphelliphellip
(Corporate) Account Takeover
9
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
a payment order received by the [bank] is ldquoeffective as the order of the customer whether or not authorized if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customerrdquo
10
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
11
bull Electrical Contractor vs Bank
bull gt $300000 stolen via ACH through CATO
bull Internet banking site was ldquodownrdquo ndash DOS
bull Contractor asserting Bank processed bogus ACH file without any call back
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
12
bull Escrow company vs Bank
bull gt $400000 stolen via single wire through CATO
ndash CE passed on dual control offered by the bank
bull Court ruled in favor of bank
bull Companies attorneys failed to demonstrate bankrsquos procedures were not commercially reasonable
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Defensive Measures
bull Multi-layer authentication
bull Multi-factor authentication
bull Out of band authentication
bull Positive pay
bull ACH block and filter
bull IP address filtering
bull Dual control
bull Activity monitoring
bull Manual vs Automated controls
13
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Malware encrypts everything it can interact with
ndash ie anything the infected user has access to
bull CryptoLocker
bull Kovter
ndash Also displays and adds child pornography images
May 20 2014 ndash Ransomware attacks doubled in last month (7000 to 15000)
httpinsurancenewsnetcomoarticle20140520cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966html
14
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
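The two slides above make one point between them: the evidence of a break-in usually sits in logs that were archived but never reviewed. The following is an added example, not part of the CLA deck, of the "reviewing" half: a small SIEM-style correlation that reads lines from two of the listed sources (network authentication and firewall) into one timeline and raises an alert when a burst of failed VPN logins is followed by a success, and again when a large outbound transfer follows such a login. Every log line, host name, address and threshold is constructed for illustration and is not from the page.

```python
"""Added example (not from the CLA deck): correlate centralized auth and
firewall logs instead of only archiving them. All sample data, host names,
addresses and thresholds are assumptions constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simple "timestamp host kind key=value ..." shape.
SAMPLE_LOGS = """\
2014-09-10T02:10:01 vpn1 auth user=jsmith src=203.0.113.45 result=FAIL
2014-09-10T02:10:07 vpn1 auth user=jsmith src=203.0.113.45 result=FAIL
2014-09-10T02:10:12 vpn1 auth user=jsmith src=203.0.113.45 result=FAIL
2014-09-10T02:10:20 vpn1 auth user=jsmith src=203.0.113.45 result=FAIL
2014-09-10T02:10:31 vpn1 auth user=jsmith src=203.0.113.45 result=FAIL
2014-09-10T02:10:44 vpn1 auth user=jsmith src=203.0.113.45 result=OK
2014-09-10T02:25:03 fw1 conn src=10.1.5.20 dst=198.51.100.9 dport=443 bytes_out=734003200
2014-09-10T08:03:11 vpn1 auth user=akim src=198.51.100.77 result=FAIL
2014-09-10T08:04:02 vpn1 auth user=akim src=198.51.100.77 result=OK
2014-09-10T08:30:00 fw1 conn src=10.1.5.21 dst=192.0.2.10 dport=443 bytes_out=48213
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<kv>.*)$")

FAIL_THRESHOLD = 5                      # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 100 * 1024 * 1024         # outbound volume worth a second look
FOLLOWUP = timedelta(hours=1)           # how long after a suspicious login we link transfers


def parse(text):
    """Turn the raw lines into dicts with a real timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": m["kind"]}
        ev.update(pair.split("=", 1) for pair in m["kv"].split())
        events.append(ev)
    return events


def correlate(events):
    """Walk the merged timeline once and emit alerts; returns a list of dicts."""
    alerts = []
    fails = defaultdict(list)           # (user, src) -> timestamps of recent failures
    suspicious_logins = []              # times at which a burst ended in success
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            recent = [t for t in fails[key] if ev["ts"] - t <= WINDOW]
            if ev["result"] == "FAIL":
                recent.append(ev["ts"])
            elif len(recent) >= FAIL_THRESHOLD:
                # A success right after a burst of failures from the same source:
                # password guessing that worked, or a stolen credential being tried.
                alerts.append({"rule": "burst-of-failures-then-success",
                               "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
                suspicious_logins.append(ev["ts"])
                recent = []
            fails[key] = recent
        elif ev["kind"] == "conn" and int(ev["bytes_out"]) >= EXFIL_BYTES:
            linked = any(timedelta(0) <= ev["ts"] - t <= FOLLOWUP for t in suspicious_logins)
            alerts.append({"rule": "large-outbound-transfer", "src": ev["src"],
                           "dst": ev["dst"], "bytes_out": int(ev["bytes_out"]),
                           "after_suspicious_login": linked, "ts": ev["ts"]})
    return alerts


def run(text=SAMPLE_LOGS):
    return correlate(parse(text))


if __name__ == "__main__":
    for a in run():
        print(a)
```

Both rules fire on the constructed data for jsmith's session and the transfer that follows it; akim's single failed attempt and the small second transfer produce nothing, which is the point of correlating across sources rather than alerting on any one event in isolation.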
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
[Diagram: People, Rules, Tools]
Questions?
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI-DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (from the SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
(Corporate) Account Takeover
• Catholic church parish
• Hospice
• Finance company
• Main Street newspaper stand
• Electrical contractor
• Utility company
• Industry trade association
• Rural hospital
• Mining company
• On and on and on and on…
CATO Lawsuits - UCC
a payment order received by the [bank] is "effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."
CATO Lawsuits - UCC
• Electrical Contractor vs. Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DOS
• Contractor asserting Bank processed bogus ACH file without any call back
CATO Lawsuits - UCC
• Escrow company vs. Bank
• > $400,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company's attorneys failed to demonstrate bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out-of-band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. Automated controls
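The escrow-company lawsuit above turned on a customer declining the dual control the bank offered, and the list of defensive measures names the other layers a bank can put in front of an online ACH or wire origination. As an added example that is not part of the CLA deck, the following Python model shows how several of those layers (IP address filtering, positive pay / ACH filter, dual control, out-of-band confirmation, activity monitoring) combine into a single release decision, with anything that fails a layer routed to manual review rather than released automatically. The customer, thresholds, addresses and orders are constructed for illustration; none of them come from the page.

```python
"""Added example (not from the CLA deck): layered CATO controls applied to an
online payment-order workflow. Customer data, thresholds and orders are
assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Customer:
    name: str
    allowed_networks: List[str]      # IP address filtering: where this customer may originate from
    approved_payees: Set[str]        # positive pay / ACH filter: pre-approved counterparties
    oob_threshold: int = 10_000      # out-of-band confirmation required above this amount
    daily_limit: int = 100_000       # activity monitoring: rolling 24h velocity cap


@dataclass
class PaymentOrder:
    customer: Customer
    amount: int
    payee: str
    initiated_by: str
    source_ip: str
    submitted_at: datetime
    oob_confirmed: bool = False      # phone/SMS call-back completed by the customer
    approved_by: Optional[str] = None  # dual control: a second authorized user


def evaluate(order: PaymentOrder, history: List[PaymentOrder]) -> List[str]:
    """Apply each control and return the list of failures.

    An empty list means the order may be released automatically; anything
    else goes to manual review (the "manual vs. automated controls" point).
    """
    c = order.customer
    findings = []

    # IP address filtering
    if not any(ip_address(order.source_ip) in ip_network(n) for n in c.allowed_networks):
        findings.append("IP filtering: source address not in customer allow-list")

    # Positive pay / ACH filter
    if order.payee not in c.approved_payees:
        findings.append("positive pay / ACH filter: payee not pre-approved")

    # Dual control: a different person must approve than the one who initiated
    if order.approved_by is None:
        findings.append("dual control: second approver missing")
    elif order.approved_by == order.initiated_by:
        findings.append("dual control: initiator cannot approve own order")

    # Out-of-band authentication for larger amounts
    if order.amount > c.oob_threshold and not order.oob_confirmed:
        findings.append("out-of-band: confirmation required above threshold")

    # Activity monitoring: amount released in the trailing 24 hours plus this order
    released_today = sum(
        o.amount for o in history
        if o.customer is c and timedelta(0) <= order.submitted_at - o.submitted_at < timedelta(days=1)
    )
    if released_today + order.amount > c.daily_limit:
        findings.append("activity monitoring: daily limit exceeded")

    return findings


def demo():
    """Constructed scenario: one clean order and one that trips every layer."""
    acme = Customer("Acme Escrow", ["192.0.2.0/24"], {"Title Co LLC", "County Recorder"})
    t0 = datetime(2014, 6, 2, 9, 0)
    history = [PaymentOrder(acme, 60_000, "Title Co LLC", "alice", "192.0.2.10", t0, True, "bob")]
    good = PaymentOrder(acme, 25_000, "County Recorder", "alice", "192.0.2.11",
                        t0 + timedelta(hours=1), oob_confirmed=True, approved_by="bob")
    bad = PaymentOrder(acme, 400_000, "Overseas Holdings", "alice", "203.0.113.7",
                       t0 + timedelta(hours=2), approved_by="alice")
    return evaluate(good, history), evaluate(bad, history)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, "->", result or "release")
```

Each control is independent, so removing one (as the escrow customer did with dual control) leaves the others in place but also removes the only check that would have caught a self-approved order from a legitimate session.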
Ransomware
• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
Keys to Successful Breaches 2013/2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at root of most breaches
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web-site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
  – httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
- Sumitomo Bank (2005) – over $500M
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
- Barclays Bank (December 2013) - $130M lost
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – Layers "behind the people"
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institution
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
a payment order received by the [bank] is ldquoeffective as the order of the customer whether or not authorized if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customerrdquo
10
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
11
bull Electrical Contractor vs Bank
bull gt $300000 stolen via ACH through CATO
bull Internet banking site was ldquodownrdquo ndash DOS
bull Contractor asserting Bank processed bogus ACH file without any call back
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Lawsuits - UCC
12
bull Escrow company vs Bank
bull gt $400000 stolen via single wire through CATO
ndash CE passed on dual control offered by the bank
bull Court ruled in favor of bank
bull Companies attorneys failed to demonstrate bankrsquos procedures were not commercially reasonable
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
CATO Defensive Measures
bull Multi-layer authentication
bull Multi-factor authentication
bull Out of band authentication
bull Positive pay
bull ACH block and filter
bull IP address filtering
bull Dual control
bull Activity monitoring
bull Manual vs Automated controls
13
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Malware encrypts everything it can interact with
ndash ie anything the infected user has access to
bull CryptoLocker
bull Kovter
ndash Also displays and adds child pornography images
May 20 2014 ndash Ransomware attacks doubled in last month (7000 to 15000)
httpinsurancenewsnetcomoarticle20140520cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966html
14
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
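The likelihood-and-impact reasoning on this slide, carried through on a small risk register, as an added example that is not part of the presentation. Risk is scored here as likelihood times impact on 1-to-5 scales (a common convention, not one the slide prescribes), the controls selected for each risk reduce the residual score, and anything still above a stated tolerance is what goes to management. Every asset, threat, score, control and effectiveness value is a constructed assumption.

```python
"""Added example (not from the presentation): a likelihood x impact risk
register of the kind the slide describes, with residual risk after controls.
Every asset, threat, score and control effectiveness below is a constructed
assumption for the demo."""
from dataclasses import dataclass, field

# Ordinal scales commonly used in FI risk assessments (constructed; 1 = low, 5 = high)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str          # data or IT asset whose confidentiality/integrity/availability is at stake
    threat: str         # threat-source and the vulnerability it could exercise
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT
    # Each control is (name, kind, effectiveness 0..1). Preventive controls
    # reduce likelihood, corrective controls reduce impact. Values are assumed.
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk after the listed controls; neither factor drops below 1."""
        like = float(LIKELIHOOD[self.likelihood])
        imp = float(IMPACT[self.impact])
        for _name, kind, effectiveness in self.controls:
            if kind == "preventive":
                like *= 1.0 - effectiveness
            elif kind == "corrective":
                imp *= 1.0 - effectiveness
        return round(max(like, 1.0) * max(imp, 1.0), 2)


def prioritise(register, tolerance):
    """Rank risks by residual score (highest first) and list those above tolerance."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    over = [r for r in ranked if r.residual() > tolerance]
    return ranked, over


# Constructed register for a small institution
REGISTER = [
    Risk("online banking platform", "CATO: stolen credentials used for fraudulent ACH",
         "likely", "severe",
         [("multi-factor authentication", "preventive", 0.6),
          ("dual control on ACH origination", "preventive", 0.5)]),
    Risk("file servers", "ransomware delivered by phishing attachment",
         "likely", "major",
         [("application whitelisting", "preventive", 0.5),
          ("tested offline backups", "corrective", 0.7)]),
    Risk("core banking system", "vendor remote-access path abused",
         "possible", "severe",
         [("vendor access logged and time-limited", "preventive", 0.4)]),
    Risk("branch workstations", "unpatched operating system exploited",
         "possible", "moderate",
         [("critical patches within 30 days", "preventive", 0.7)]),
]

if __name__ == "__main__":
    ranked, over = prioritise(REGISTER, tolerance=6.0)
    for r in ranked:
        print(f"residual {r.residual():5.2f}  inherent {r.inherent():2d}  {r.asset}: {r.threat}")
    print("above tolerance, report to the board:", [r.asset for r in over])
```

With these constructed values the vendor remote-access risk ends up highest after controls even though it is not the highest inherent risk, which is the kind of result the ranking exists to surface: the item with the thinnest control layer, not the scariest headline, is what the board report should lead with.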
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"

Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
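The "archiving vs. reviewing" point above, and the Verizon finding that the log files already held the evidence, is the reason a SIEM runs correlation rules rather than just storing lines. The following is an added example, not part of the presentation or any product: two simple rules run over constructed syslog-style lines from a firewall and a VPN authentication source. The host names, addresses, user names and thresholds are all assumptions made for the demo.

```python
"""Added example (not from the presentation): two correlation rules of the
kind a SIEM runs over centralised logs. The syslog-style lines, hosts and
thresholds are constructed for the demo; 203.0.113.0/24 and 198.51.100.0/24
are RFC 5737 documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)")
FW_RE = re.compile(r"DENY (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)")

# Constructed sample: a port sweep from one address, then password guessing
# against 'jsmith' that eventually succeeds, then one ordinary typo by 'mjones'.
SAMPLE_LOGS = """\
2014-11-03T08:00:01 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:22
2014-11-03T08:00:02 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:23
2014-11-03T08:00:02 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:445
2014-11-03T08:00:03 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:3389
2014-11-03T08:00:03 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:8080
2014-11-03T08:00:04 fw01 firewall: DENY 203.0.113.9 -> 10.0.0.5:1433
2014-11-03T08:01:10 vpn01 auth: FAILED login user=jsmith src=203.0.113.9
2014-11-03T08:01:15 vpn01 auth: FAILED login user=jsmith src=203.0.113.9
2014-11-03T08:01:20 vpn01 auth: FAILED login user=jsmith src=203.0.113.9
2014-11-03T08:01:25 vpn01 auth: FAILED login user=jsmith src=203.0.113.9
2014-11-03T08:01:31 vpn01 auth: SUCCESS login user=jsmith src=203.0.113.9
2014-11-03T08:05:00 vpn01 auth: FAILED login user=mjones src=198.51.100.4
2014-11-03T08:05:30 vpn01 auth: SUCCESS login user=mjones src=198.51.100.4
"""


def parse(text):
    """Normalise raw lines into dicts; unparseable lines are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def correlate(events, fail_threshold=3, fail_window_s=120, scan_ports=5, scan_window_s=10):
    """Rule 1: N failed logins followed by a success for the same user and source.
    Rule 2: one source denied on N distinct ports within a short window."""
    alerts = []
    failures = defaultdict(list)            # (user, src) -> timestamps of failures
    for ev in events:
        if ev["source"] != "auth":
            continue
        m = AUTH_RE.search(ev["msg"])
        if not m:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "FAILED":
            failures[key].append(ev["ts"])
        else:
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= fail_window_s]
            if len(recent) >= fail_threshold:
                alerts.append(("BRUTE_FORCE_THEN_SUCCESS", m["user"], m["src"], ev["ts"]))
    denies = defaultdict(list)              # src -> [(ts, port)]
    for ev in events:
        if ev["source"] != "firewall":
            continue
        m = FW_RE.search(ev["msg"])
        if m:
            denies[m["src"]].append((ev["ts"], m["port"]))
    for src, hits in denies.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= scan_window_s}
            if len(ports) >= scan_ports:
                alerts.append(("PORT_SCAN", None, src, t0))
                break                        # one alert per source, not one per packet
    return alerts


def review(text):
    """Return (events seen, unparsed lines, alerts) for a batch of log text."""
    events, unparsed = parse(text)
    return len(events), unparsed, correlate(events)


if __name__ == "__main__":
    seen, unparsed, alerts = review(SAMPLE_LOGS)
    print(f"{seen} events archived, {unparsed} unparsed, {len(alerts)} need a human")
    for kind, user, src, when in alerts:
        print(f"  {when:%H:%M:%S} {kind} user={user} src={src}")
```

Thirteen archived events become two alerts, and the single failed login by the second user produces none. That reduction is the "Recognize" step of the three R's; the thresholds are where an institution tunes its own tolerance for noise against the cost of a missed takeover.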
Call To Action
Policies to set foundation
Train your users
Thoroughly assess your risks
Three R's: Recognize, React, Respond
Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
[Diagram: People, Rules, Tools]
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating systems patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual) – http://www.verizonenterprise.com/DBIR
CATO Lawsuits - UCC
• Electrical Contractor vs Bank
• > $300,000 stolen via ACH through CATO
• Internet banking site was "down" – DOS
• Contractor asserting Bank processed bogus ACH file without any call back
CATO Lawsuits - UCC
• Escrow company vs Bank
• > $400,000 stolen via single wire through CATO
  – CE passed on dual control offered by the bank
• Court ruled in favor of bank
• Company's attorneys failed to demonstrate bank's procedures were not commercially reasonable
CATO Defensive Measures
• Multi-layer authentication
• Multi-factor authentication
• Out of band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. Automated controls
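How several of the measures above combine at the moment a payment is released, as an added example that is not from the presentation or any banking product: each control is evaluated independently, so a takeover that defeats one layer (for instance the login) still trips the others, and any failed layer holds the item for a person rather than auto-releasing it. The customer profile, registered IP range, user names, payees, amounts and thresholds are constructed assumptions.

```python
"""Added example (not from the presentation): layered release checks for an
online ACH/wire origination, built from the defensive measures on this slide.
Customer profiles, IP ranges, user names and thresholds are constructed
assumptions; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CustomerProfile:
    name: str
    allowed_networks: list               # IP address filtering: customer-registered ranges
    dual_control: bool                   # a second, different user must approve
    oob_threshold: float                 # out-of-band confirmation required above this amount
    typical_max: float                   # activity monitoring baseline (historical maximum)
    known_payees: set = field(default_factory=set)


@dataclass
class Transfer:
    customer: str
    amount: float
    payee: str
    src_ip: str
    initiated_by: str
    approved_by: Optional[str] = None    # dual-control approver, if any
    oob_confirmed: bool = False          # confirmed by call-back or hardware token
    mfa_passed: bool = True              # multi-factor authentication at login


def evaluate(t: Transfer, profile: CustomerProfile):
    """Return ('release' | 'hold', reasons). Any failed layer holds the item for
    manual review; the layers are independent, so one bypassed control is not enough."""
    reasons = []
    if not t.mfa_passed:
        reasons.append("multi-factor authentication not completed")
    if not any(ip_address(t.src_ip) in ip_network(n) for n in profile.allowed_networks):
        reasons.append(f"source IP {t.src_ip} outside the customer's registered ranges")
    if profile.dual_control and (t.approved_by is None or t.approved_by == t.initiated_by):
        reasons.append("dual control not satisfied (no independent approver)")
    if t.amount > profile.oob_threshold and not t.oob_confirmed:
        reasons.append(f"amount {t.amount:,.2f} above out-of-band threshold and not confirmed")
    if t.amount > profile.typical_max:
        reasons.append("amount exceeds the customer's historical maximum")
    if t.payee not in profile.known_payees:
        reasons.append(f"first payment to new payee '{t.payee}'")
    return ("hold" if reasons else "release"), reasons


# Constructed profile for a commercial customer
ACME = CustomerProfile(
    name="Acme Electrical (constructed)",
    allowed_networks=["198.51.100.0/24"],
    dual_control=True,
    oob_threshold=25_000.0,
    typical_max=40_000.0,
    known_payees={"Payroll Provider LLC", "Supply Co"},
)

# A routine payment and one with the profile of an account takeover
ROUTINE = Transfer("Acme Electrical", 18_000.0, "Supply Co", "198.51.100.12",
                   initiated_by="alice", approved_by="bob")
SUSPECT = Transfer("Acme Electrical", 300_000.0, "Overseas Holdings Ltd", "203.0.113.9",
                   initiated_by="alice", approved_by="alice")

if __name__ == "__main__":
    for label, t in (("routine", ROUTINE), ("suspect", SUSPECT)):
        decision, why = evaluate(t, ACME)
        print(f"{label}: {decision}")
        for r in why:
            print("   -", r)
```

The second lawsuit slide is the design lesson here: the customer who declines dual control removes one of these layers, so the profile records that choice and the remaining checks still run. Whether a held item is then cleared by a call-back is the "manual vs. automated" decision on the slide, and the reasons list is what the reviewer needs to make it.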
Ransomware
• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – Ransomware attacks doubled in last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
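What "tested" means in practice, as an added example that is not from the presentation: a manifest of SHA-256 digests is recorded when the backup is taken, and a trial restore is verified against it, so a file that was encrypted in place before the backup ran, or that never came back from the restore, is reported rather than discovered during an incident. The files, directory names and contents are constructed inside a temporary directory.

```python
"""Added example (not from the presentation): a restore test of the kind the
slide's 'working (tested) backups' implies. A manifest of SHA-256 digests is
written when the backup is taken; a restore is then verified against it, so
a file that was encrypted in place or never restored is caught. All files
and paths are constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, dest: Path) -> Path:
    """Copy the tree and record its manifest beside the copy."""
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(dest / "data"), indent=1))
    return dest


def verify_restore(restored: Path, manifest_path: Path) -> dict:
    """Compare a restored tree with the manifest; empty lists mean the restore is good."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def restore_test_demo():
    """Back up, restore and verify; then damage the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        live = tmp / "live"
        (live / "loans").mkdir(parents=True)
        (live / "loans" / "q3.csv").write_text("acct,balance\n1001,2500.00\n")   # constructed data
        (live / "policy.txt").write_text("Information Security Program v3\n")
        backup = take_backup(live, tmp / "backup")
        restored = tmp / "restored"
        shutil.copytree(backup / "data", restored)
        clean = verify_restore(restored, backup / "manifest.json")
        # What an untested backup hides: one file overwritten with ciphertext-like
        # bytes (as ransomware does) and one that never made it back.
        (restored / "loans" / "q3.csv").write_bytes(os.urandom(64))
        (restored / "policy.txt").unlink()
        damaged = verify_restore(restored, backup / "manifest.json")
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_test_demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest has to live somewhere the infected user cannot write, for the same reason the slide gives for the backups themselves: the malware encrypts whatever that user can reach, and a manifest stored with the live data would simply be encrypted along with it.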
Keys to Successful Breaches 2013, 2014
https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…
Reliance/dependence on 3rd party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support, I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
CATO Lawsuits – UCC

• Escrow company vs. bank
• > $400,000 stolen via a single wire through CATO
  – CE passed on the dual control offered by the bank
• Court ruled in favor of the bank
• The company's attorneys failed to demonstrate that the bank's procedures were not commercially reasonable
CATO Defensive Measures

• Multi-layer authentication
• Multi-factor authentication
• Out-of-band authentication
• Positive pay
• ACH block and filter
• IP address filtering
• Dual control
• Activity monitoring
• Manual vs. automated controls
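As an added example (not code from the CliftonLarsonAllen deck or from any online-banking product), the following Python combines several of the measures above into one release decision for a corporate ACH or wire request: IP address filtering, ACH block and filter, out-of-band confirmation for a never-paid beneficiary, dual control above a threshold, and activity monitoring, with automated holds kept separate from items routed for manual review. The profile fields, thresholds, IP ranges, user names and beneficiaries are constructed assumptions.

```python
"""Release checks for online ACH/wire origination (added example).

Each check corresponds to one of the CATO defensive measures on the slide.
Field names, thresholds and the sample customer profile are constructed
assumptions, not a real online-banking product's API.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class CustomerProfile:
    allowed_networks: list       # IP address filtering: registered source ranges
    known_beneficiaries: set     # ACH block/filter and new-payee detection
    daily_limit: float           # activity monitoring: hard per-day ceiling
    typical_max: float           # activity monitoring: largest historical item
    dual_control_over: float     # dual control required above this amount
    oob_required: bool = True    # out-of-band confirmation for new wire payees


@dataclass
class TransferRequest:
    kind: str                    # "wire" or "ach"
    amount: float
    beneficiary: str
    originator: str              # user who entered the transfer
    source_ip: str
    approvers: list = field(default_factory=list)
    oob_confirmed: bool = False  # confirmed over a separate channel (phone/token)
    sent_today: float = 0.0      # amount already released for this customer today


def ip_allowed(source_ip: str, networks) -> bool:
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in networks)


def evaluate_transfer(req: TransferRequest, profile: CustomerProfile):
    """Return (decision, reasons).

    'hold'    - an automated blocking control failed
    'review'  - only activity monitoring fired; a person decides (manual control)
    'release' - every check passed
    """
    holds, flags = [], []

    # IP address filtering: the session must originate from a registered range.
    if not ip_allowed(req.source_ip, profile.allowed_networks):
        holds.append("source IP outside customer allow-list")

    # ACH block and filter: only pre-approved counterparties.
    if req.kind == "ach" and req.beneficiary not in profile.known_beneficiaries:
        holds.append("ACH to counterparty not on the filter list")

    # Out-of-band authentication for a wire to a never-before-paid beneficiary.
    new_payee = req.beneficiary not in profile.known_beneficiaries
    if req.kind == "wire" and new_payee and profile.oob_required and not req.oob_confirmed:
        holds.append("new wire beneficiary without out-of-band confirmation")

    # Dual control: a second, different user must approve above the threshold.
    if req.amount > profile.dual_control_over:
        second_person = {a for a in req.approvers if a != req.originator}
        if not second_person:
            holds.append("dual control required, no second approver")

    # Activity monitoring: the daily ceiling is a hard stop; unusual size is a flag.
    if req.sent_today + req.amount > profile.daily_limit:
        holds.append("daily limit exceeded")
    elif req.amount > 2 * profile.typical_max:
        flags.append("amount far above customer's historical maximum")

    if holds:
        return "hold", holds + flags
    if flags:
        return "review", flags
    return "release", []


# Constructed sample profile for a commercial customer.
SAMPLE_PROFILE = CustomerProfile(
    allowed_networks=["203.0.113.0/24"],
    known_beneficiaries={"ACME Supply", "Regional Payroll Inc"},
    daily_limit=250_000.0,
    typical_max=40_000.0,
    dual_control_over=10_000.0,
)


def demo():
    """Run a few constructed requests through the checks."""
    cases = {
        # One large wire to a new payee from an unregistered address with no second
        # approver: the single-wire pattern described on the CATO lawsuit slide.
        "takeover_wire": TransferRequest("wire", 440_000.0, "Overseas Ltd", "alice", "198.51.100.7"),
        "routine_wire": TransferRequest("wire", 25_000.0, "ACME Supply", "alice", "203.0.113.40",
                                        approvers=["bob"], oob_confirmed=True),
        "ach_unknown_payee": TransferRequest("ach", 5_000.0, "Unknown LLC", "alice", "203.0.113.40"),
        "oversized_wire": TransferRequest("wire", 90_000.0, "ACME Supply", "alice", "203.0.113.40",
                                          approvers=["bob"]),
    }
    return {name: evaluate_transfer(req, SAMPLE_PROFILE) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:18} -> {decision:7} {reasons}")
```

The split between holds and flags is the slide's "manual vs. automated controls" point: filters, dual control and limits can block on their own, while an unusual amount is a judgement call that should reach a person rather than silently release.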
Ransomware

• Malware encrypts everything it can interact with
  – i.e. anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images

May 20, 2014 – Ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware

• Working (tested) backups are key
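To make "working (tested) backups" concrete, the following added Python example (not material from the deck) records a SHA-256 manifest of a backup set, restores it into scratch space and verifies the restored files against the manifest, then shows the same check failing after one backup file is overwritten in place, which stands in for ransomware reaching a backup share the infected account could write to. The directory layout, file contents and the overwrite are constructed for the demonstration.

```python
"""Backup integrity check with a hash manifest and a restore test (added example).

The slide's point is that ransomware encrypts whatever the infected account can
reach, so only a restore that verifies proves the backup is usable. The layout,
file contents and the in-place overwrite standing in for encryption are
constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose content changed."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"changed: {rel}")
    return problems


def restore_test(backup: Path, manifest: dict) -> bool:
    """Restore into a scratch directory and verify the result, not the backup in place."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        shutil.copytree(backup, target)
        return verify(target, manifest) == []


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "fileserver"
        (live / "loans").mkdir(parents=True)
        (live / "loans" / "q2.csv").write_text("loan_id,balance\n1001,250000\n")
        (live / "policies.txt").write_text("Information Security Program v3\n")

        # Take the backup and keep the manifest where the infected user cannot write.
        backup = work / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        clean_ok = restore_test(backup, manifest)

        # Constructed stand-in for ransomware reaching a writable backup share:
        # one file is overwritten in place with unreadable bytes.
        (backup / "loans" / "q2.csv").write_bytes(os.urandom(64))
        tampered = verify(backup, manifest)
        tampered_ok = restore_test(backup, manifest)

    return {"clean_ok": clean_ok, "tampered": tampered, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

The manifest has to live somewhere the compromised account cannot reach (offline media or a write-once store); a manifest sitting on the same share is encrypted along with the data and the check proves nothing.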
Keys to Successful Breaches 2013 / 2014

https://www2.trustwave.com/GSR2014
Keys to Successful Breaches…

Reliance/dependence on third-party service providers is at the root of most breaches
How do hackers and fraudsters break in?

Social engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…

"Amateurs hack systems, professionals hack people." – Bruce Schneier
Pre-text Phone Calls

• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks – Spoofing and Phishing

• Impersonate someone in authority and
  – Ask them to visit a web site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – "Targeted Attack"
Physical (Facility) Security

Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"

Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")

Examples…
– Sumitomo Bank (2005) – over $500M
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
– Barclays Bank (December 2013) – $130M lost
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering

• (Ongoing) user awareness training
• SANS "First Five" – layers "behind the people"
  1. Secure/standard configurations (hardening)
  2. Critical patches – operating systems
  3. Critical patches – applications
  4. Application white listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, monitoring and alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership – FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html
May 7, 2014 FFIEC Executive Leadership Cybersecurity Webinar

• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institution
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process

• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT examinations review the financial institution's Information Security Program
Information Security Program

• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) provides for the safeguarding of customer information
  – The Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ The Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program – Risk Assessment and Risk Management

• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact the confidentiality and integrity of data and/or the availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as the basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
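The second bullet states the scoring method; the following added Python example (not FFIEC or CliftonLarsonAllen material) applies it to a small constructed risk register: inherent risk is likelihood times impact, each administrative, technical or physical control removes an assumed fraction of likelihood (preventive) or impact (corrective), and the residual score is ranked against a tolerance to decide what still needs treatment. The scales, assets, threats and control effectiveness fractions are assumptions made for the demonstration.

```python
"""Likelihood x impact risk scoring with inherent and residual risk (added example).

Implements the slide's statement of how risk is determined: the likelihood that
a threat source can exercise a vulnerability, times the impact of the resulting
event. Scales, assets and control effectiveness numbers are constructed
assumptions for the demonstration, not FFIEC figures.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    kind: str        # administrative, technical or physical (the slide's three classes)
    reduces: str     # "likelihood" (preventive) or "impact" (corrective)
    effect: float    # fraction removed, 0.0 - 1.0; an assumption per control


@dataclass
class Risk:
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Score after each control removes its assumed fraction."""
        like = float(LIKELIHOOD[self.likelihood])
        imp = float(IMPACT[self.impact])
        for c in self.controls:
            if c.reduces == "likelihood":
                like *= 1.0 - c.effect
            else:
                imp *= 1.0 - c.effect
        return round(like * imp, 1)


def treatment_plan(register, tolerance: float):
    """Rank risks by residual score and mark those still above tolerance."""
    rows = []
    for r in sorted(register, key=lambda r: r.residual(), reverse=True):
        status = "treat" if r.residual() > tolerance else "accept"
        rows.append((r.asset, r.inherent(), r.residual(), status))
    return rows


# Constructed register: three entries drawn from the threats discussed in the deck.
SAMPLE_REGISTER = [
    Risk("online ACH origination", "external criminal (CATO)", "single-factor credentials",
         "likely", "severe",
         [Control("multi-factor authentication", "technical", "likelihood", 0.6),
          Control("dual control on releases", "administrative", "likelihood", 0.5)]),
    Risk("file server", "ransomware via phishing", "users hold write access to shares",
         "almost certain", "major",
         [Control("application white listing", "technical", "likelihood", 0.5),
          Control("tested offline backups", "technical", "impact", 0.5)]),
    Risk("core vendor connection", "third-party compromise", "unmonitored vendor LAN/WAN link",
         "possible", "severe"),
]

if __name__ == "__main__":
    for asset, inherent, residual, status in treatment_plan(SAMPLE_REGISTER, tolerance=6):
        print(f"{asset:24} inherent={inherent:2} residual={residual:5} {status}")
```

Two entries start with the same inherent score of 20 but end far apart once controls are credited, while the uncontrolled vendor link, which started lower, is the one left above tolerance; that is the distinction between inherent and residual risk that the later FFIEC assessment slides rely on.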
Information Security Program – Audit

• ISP-related Audits/Reviews
  – ISP Review / IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program – Business Continuity/Disaster Recovery/Incident Response

• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program – Vendor Management

• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments

• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)

• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)

• FI management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Inherent Risk (cont)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations

• Cybersecurity Preparedness (cont)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications

• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies

Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk

1. Strong policies
2. Defined user access roles – minimum access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – independent validation that it works…
Verizon

• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, its success and the removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting

Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. reviewing
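The Verizon slide above says the evidence was already in the logs; this added Python example (not material from the deck) shows what reviewing rather than archiving looks like once three of the listed sources are centralized: VPN authentication, file server access and firewall connection records. It raises an alert when many failed logins precede a success, then watches the same account for bulk file reads and the firewall for a large outbound flow back to the address that logged in. The log format and every line of SAMPLE_LOG are constructed, and the thresholds are assumptions.

```python
"""Correlating centralized logs into alerts (added example).

Joins three log sources (VPN authentication, file server access, firewall
connections) and raises alerts instead of archiving the lines. The format and
every line in SAMPLE_LOG are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-06-02T02:10:51 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:11:04 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:11:19 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:11:33 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:11:48 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:12:02 vpn auth user=jdoe src=198.51.100.23 result=FAIL
2014-06-02T02:13:40 vpn auth user=jdoe src=198.51.100.23 result=OK
2014-06-02T02:20:12 fileserver access user=jdoe host=FS01 action=read path=/loans/export.zip bytes=734003200
2014-06-02T02:21:30 firewall conn src=10.0.5.12 dst=198.51.100.23 dport=443 bytes_out=734003200
2014-06-02T08:02:17 vpn auth user=msmith src=203.0.113.9 result=FAIL
2014-06-02T08:02:40 vpn auth user=msmith src=203.0.113.9 result=OK
2014-06-02T08:15:03 firewall conn src=10.0.5.40 dst=203.0.113.9 dport=443 bytes_out=51200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(line: str):
    """Turn one 'timestamp source event k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "event": m["event"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def correlate(lines, fail_threshold=5, fail_window=timedelta(minutes=15),
              follow_window=timedelta(hours=2), bulk_bytes=100 * 1024 * 1024):
    """Return alerts for (1) many failures then a success, (2) bulk reads by that
    account, (3) a large outbound flow back to the address that logged in."""
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    alerts, failures, suspicious = [], defaultdict(list), []

    for r in records:
        if r["source"] == "vpn" and r["event"] == "auth":
            if r["result"] != "OK":
                failures[r["user"]].append(r["ts"])
                continue
            # A success resets the counter; alert if enough failures preceded it.
            recent = [t for t in failures.pop(r["user"], []) if r["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append({"type": "failures_then_success", "user": r["user"],
                               "src": r["src"], "failures": len(recent), "ts": r["ts"]})
                suspicious.append(r)

        elif r["source"] == "fileserver" and r["event"] == "access":
            for s in suspicious:
                if r["user"] == s["user"] and r["ts"] - s["ts"] <= follow_window \
                        and int(r["bytes"]) >= bulk_bytes:
                    alerts.append({"type": "bulk_read_after_suspicious_login", "user": r["user"],
                                   "path": r["path"], "bytes": int(r["bytes"]), "ts": r["ts"]})

        elif r["source"] == "firewall" and r["event"] == "conn":
            for s in suspicious:
                if r["dst"] == s["src"] and r["ts"] - s["ts"] <= follow_window \
                        and int(r["bytes_out"]) >= bulk_bytes:
                    alerts.append({"type": "large_outbound_to_login_source", "user": s["user"],
                                   "internal_host": r["src"], "dst": r["dst"],
                                   "bytes_out": int(r["bytes_out"]), "ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["type"],
              {k: v for k, v in a.items() if k not in ("ts", "type")})
```

None of the three rules fires on a single source by itself: the login succeeded, the file read was by an authorized account and the firewall allowed the connection. Only because the records sit in one place with a common timestamp does the sequence (attempt, success, removal of data) become visible, which is the case the SIEM slide's "archiving vs. reviewing" line is making.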
Call To Action

Policies to set the foundation
Train your users
Thoroughly assess your risks
Three R's: Recognize, React, Respond
Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing

(Diagram: People – Rules – Tools)
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks

• Common Frameworks – Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"

• PCI DSS version 3.0
SANS Critical Security Controls – Version 5

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (SANS Top 20 Controls)

11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (SANS Top 20 Controls)

1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists

Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports

• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (annual)
  – http://www.verizonenterprise.com/DBIR
CATO Defensive Measures
bull Multi-layer authentication
bull Multi-factor authentication
bull Out of band authentication
bull Positive pay
bull ACH block and filter
bull IP address filtering
bull Dual control
bull Activity monitoring
bull Manual vs Automated controls
13
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Malware encrypts everything it can interact with
ndash ie anything the infected user has access to
bull CryptoLocker
bull Kovter
ndash Also displays and adds child pornography images
May 20 2014 ndash Ransomware attacks doubled in last month (7000 to 15000)
httpinsurancenewsnetcomoarticle20140520cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966html
14
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal incident response programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List" (three slides of examiner request-list screenshots; the list text was not captured)
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know and use online banking tools
10. Test, Test, Test – independent validation that it works…
Verizon Data Breach Investigations Report
• The report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, its success, and the removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM) covering:
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. reviewing: a log that is only archived is evidence after the fact; a log that is reviewed and alerted on is a control
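The two preceding slides make one point: the evidence of the break-in, of its success and of the data leaving was already in the logs, but only archived. As an added example (not part of the original deck, and not any product's rule set), here is a small Python correlation that does the "reviewing" half. It parses constructed VPN authentication and firewall lines in a hypothetical key=value layout and raises an alert for a burst of failed logins followed by a success from the same source, and for a large upload to a non-internal address. The log lines, host names, addresses and thresholds are all assumptions for illustration.

```python
"""
SIEM-style review of centralized logs: parse events from several sources
and correlate them into alerts that are returned (not just printed).
All log lines below are constructed for this example; the key=value layout
is a hypothetical normalization, not any vendor's format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failed VPN logins then a success from the same
# source, followed by a large outbound transfer from an internal host.
SAMPLE_LOGS = """\
2014-11-03T02:01:10 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2014-11-03T02:01:14 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2014-11-03T02:01:19 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2014-11-03T02:01:23 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2014-11-03T02:01:27 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL
2014-11-03T02:01:40 vpn01 auth: user=jdoe src=203.0.113.7 result=SUCCESS
2014-11-03T02:15:02 fw01 conn: src=10.10.5.22 dst=198.51.100.9 dport=443 bytes_out=734003200
2014-11-03T09:00:01 vpn01 auth: user=asmith src=192.0.2.44 result=SUCCESS
2014-11-03T09:05:30 fw01 conn: src=10.10.5.22 dst=10.10.8.4 dport=445 bytes_out=900000000
2014-11-03T09:06:11 fw01 conn: src=10.10.5.22 dst=198.51.100.9 dport=443 bytes_out=120000
"""

# Explicit internal ranges (assumed); ipaddress.is_private is not used because
# it also treats documentation ranges such as 198.51.100.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

AUTH_RE = re.compile(r"^(\S+) (\S+) auth: user=(\S+) src=(\S+) result=(\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) conn: src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text: str) -> list:
    """Turn raw lines into typed events, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "auth", "host": host,
                           "user": user, "src": src, "result": result})
            continue
        m = CONN_RE.match(line)
        if m:
            ts, host, src, dst, dport, nbytes = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "conn", "host": host,
                           "src": src, "dst": dst, "dport": int(dport), "bytes_out": int(nbytes)})
        # Unparsed lines are dropped here; a production pipeline should count them.
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)) -> list:
    """N failed logins for one user/source followed by a success inside the window."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["type"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent), "ts": e["ts"]})
        failures[key].clear()
    return alerts


def detect_large_external_upload(events, limit_bytes=500 * 1024 * 1024) -> list:
    """Outbound volume to a non-internal destination above the limit: possible data removal."""
    return [{"rule": "large_external_upload", "src": e["src"], "dst": e["dst"],
             "bytes_out": e["bytes_out"], "ts": e["ts"]}
            for e in events
            if e["type"] == "conn" and not is_internal(e["dst"]) and e["bytes_out"] >= limit_bytes]


def run_detections(log_text: str) -> list:
    events = parse(log_text)
    return detect_bruteforce_then_success(events) + detect_large_external_upload(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

Run against the sample it produces two alerts: the credential-guessing success for jdoe and the 700 MB upload to 198.51.100.9; the 900 MB transfer to 10.10.8.4 is suppressed by the internal-range check. Both rules need only the fields the deck lists (network authentication and firewall logs), and the point of returning structured alerts is that they can be routed to a person, which is the difference between archiving and reviewing.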
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People – Rules – Tools
Questions

Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Governance Frameworks
• Common Frameworks – Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (from the SANS Top 20 Controls)
1. Secure configurations…
2. Application whitelisting
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers.
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Risks
  – http://www.sans.org/top-cyber-security-risks
• Intrusion analysis: Trustwave Global Security Report (annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion analysis: Verizon Data Breach Investigations Report (annual)
  – http://www.verizonenterprise.com/DBIR
Ransomware
• Malware encrypts everything it can interact with
  – i.e., anything the infected user has access to
• CryptoLocker
• Kovter
  – Also displays and adds child pornography images
May 20, 2014 – ransomware attacks doubled in the last month (7,000 to 15,000)
http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html
Ransomware
• Working (tested) backups are key
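Two points from the ransomware slides lend themselves to a small simulation: the malware reaches exactly what the infected user's token can write, and a backup is only a control if a restore has actually been tested. The Python below is an added example, not code from the deck. It builds a constructed share layout in a temporary directory, stands in for "encryption" by overwriting files with random bytes (no real malware), and uses a SHA-256 manifest to detect the damage and verify the restore from an offline copy. The user names, share names and write ACLs are hypothetical.

```python
"""
Ransomware blast radius under least privilege, plus backup verification.
Self-contained simulation in a temporary directory with constructed data;
the "encryption" step only overwrites file contents with random bytes.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed file layout: share name -> files (hypothetical).
LAYOUT = {
    "finance": ["budget.xlsx", "ach_batch.csv", "wires.txt"],
    "hr": ["payroll.xlsx", "reviews.docx", "benefits.pdf"],
    "it": ["core_config.ini", "ad_backup.bak", "runbook.md"],
}
# Hypothetical write ACLs: what malware running as each user can reach.
WRITE_ACCESS = {
    "jdoe": {"finance"},                      # least-privilege user
    "jdoe-admin": {"finance", "hr", "it"},    # browsing e-mail with admin rights
}


def seed(root: Path) -> None:
    """Create the sample files with known contents."""
    for share, names in LAYOUT.items():
        for name in names:
            p = root / share / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(f"original contents of {share}/{name}\n".encode())


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def simulate_ransomware(root: Path, user: str) -> int:
    """Overwrite every file the user's ACLs allow; returns the number hit."""
    hit = 0
    for share in WRITE_ACCESS[user]:
        for p in (root / share).iterdir():
            if p.is_file():
                p.write_bytes(os.urandom(64))   # stands in for encryption
                hit += 1
    return hit


def verify(root: Path, expected: dict) -> list:
    """Paths whose current hash no longer matches the manifest."""
    current = manifest(root)
    return sorted(k for k in expected if current.get(k) != expected[k])


def restore(backup: Path, root: Path, paths) -> None:
    for rel in paths:
        shutil.copy2(backup / rel, root / rel)


def run_scenario(user: str) -> dict:
    """Seed, back up, infect as `user`, detect via manifest, restore, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live, bak = Path(tmp) / "live", Path(tmp) / "backup"
        seed(live)
        shutil.copytree(live, bak)      # offline copy the infected user cannot write
        before = manifest(live)         # taken before infection, kept with the backup
        hit = simulate_ransomware(live, user)
        damaged = verify(live, before)  # detection: which files changed
        restore(bak, live, damaged)     # the restore test the deck asks for
        return {"total": len(before), "hit": hit, "detected": len(damaged),
                "after_restore": len(verify(live, before))}


if __name__ == "__main__":
    for who in WRITE_ACCESS:
        print(who, run_scenario(who))
```

The two runs give the blast radius side by side: as jdoe the malware reaches 3 of 9 files, as jdoe-admin all 9. In both cases the manifest identifies exactly the damaged files and the restore brings the mismatch count to zero, which is the check that "tested backups" means in practice: not that a backup job ran, but that a restore was performed and verified against known-good hashes kept out of the malware's reach.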
Keys to Successful Breaches, 2013–2014 (chart from the Trustwave 2014 Global Security Report, https://www2.trustwave.com/GSR2014)
Keys to Successful Breaches…
Reliance/dependence on 3rd-party service providers is at the root of most breaches
How do hackers and fraudsters break in?
Social engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems, professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks – Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch download
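As an added example (not from the original deck), here is the kind of check a mail gateway rule or an analyst script would run on a suspected spoof such as the Better Business Bureau lure above. The message is constructed for this example with .example domains and a documentation-range IP address; the rules are generic and tied to no product: a Reply-To or Return-Path domain that differs from the visible From domain, link text that shows one host while the href points at another, a link to a bare IP address, and an attachment with an executable (here double) extension.

```python
"""
Header, link and attachment checks for a suspected spoofing/phishing e-mail.
The message below is constructed for this example (no real sender, domains
or case numbers); the checks are generic heuristics, not a product's rules.
"""
import email
import email.policy
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example>
From: "Better Business Bureau" <complaints@bbb-notice-center.example>
Reply-To: disputes@mail-relay.example
To: controller@examplebank.example
Subject: Complaint received against your business
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>A complaint has been filed against your business.
Review it at <a href="http://203.0.113.45/bbb/login">https://www.bbb.org/complaint</a>
within 48 hours or the case will be escalated.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Complaint_Details.pdf.exe"
Content-Disposition: attachment; filename="Complaint_Details.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".vbs", ".hta", ".ps1", ".jar"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    """Domain part of an RFC 5322 address, display name ignored."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_message(raw: str) -> list:
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    from_domain = domain_of(str(msg["From"]))
    # 1. Reply/bounce addresses that do not match the visible sender domain
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain_of(str(msg[hdr])) != from_domain:
            findings.append({"rule": "reply_path_mismatch", "header": hdr,
                             "domain": domain_of(str(msg[hdr]))})
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                target = host_of(href)
                # 2. Visible text that looks like a URL but points somewhere else
                if "." in text and " " not in text and host_of(text) != target:
                    findings.append({"rule": "link_text_mismatch", "text": text, "href": href})
                # 3. Link to a bare IP address instead of a host name
                if is_ip_literal(target):
                    findings.append({"rule": "ip_literal_link", "href": href})
        filename = part.get_filename()
        if filename:
            suffixes = [s.lower() for s in Path(filename).suffixes]
            # 4. Executable attachment, flagging the "document.pdf.exe" trick
            if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
                findings.append({"rule": "executable_attachment", "filename": filename,
                                 "double_extension": len(suffixes) > 1})
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_PHISH):
        print(finding)
```

On the sample every rule fires: both the Reply-To and Return-Path domains differ from the From domain, the link shows a bbb.org address but resolves to an IP literal, and the "PDF" is a .exe. None of these checks needs the sender's infrastructure to be known in advance, which is why they catch the authority-plus-urgency pattern the slide describes even when the lure text changes.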
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switchblade")
Examples…
– Sumitomo Mitsui Bank, London (2005): keyloggers planted on site; an attempted theft of £220M was foiled
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
– Barclays Bank (2013): £1.3M stolen via a KVM device planted on a branch PC
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – layers "behind the people"
  1. Secure/standard configurations (hardening)
  2. Critical patches – operating systems
  3. Critical patches – applications
  4. Application whitelisting
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, monitoring and alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
Cybersecurity Leadership – FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
(Slides 25–26 and 28–31 are screenshots of this FDIC Financial Institution Letter; the text was not captured)
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institution
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review / IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of Customer Information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT examination process:
  – Cyber Risk Management and Oversight
  – Cybersecurity Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybersecurity awareness web page: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Ransomware
bull Working (tested) backups are key 15
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breaches 2013 2014
16
httpswww2trustwavecomGSR2014
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
– Improved identification and mitigation of attacks
– Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
– Sharing information to help other FIs

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
– Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
– Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
◊ FS-ISAC: www.fsisac.com
◊ FBI InfraGard: www.infragard.org
◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – General Observations
• Cybersecurity Inherent Risk
– Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness
◊ Connection Types: identify and assess the threats to all access points to the internal network
• VPN
• Wireless
• Telnet / FTP
• Vendor LAN / WAN access
• BYOD

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – General Observations
• Cybersecurity Inherent Risk (cont.)
◊ Products and Services: identify and assess threats to all products and services currently offered and planned
• Online ACH and Wire Transfer origination
• External funds transfers (A2A, P2P, bill pay)

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – General Observations
• Cybersecurity Inherent Risk (cont.)
◊ Technologies Used: identify and assess threats to all technologies currently used and planned
• Core systems
• ATMs
• Internet and mobile applications
• Cloud computing

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – General Observations
• Cybersecurity Preparedness
– Current cybersecurity practices and overall preparedness should include:
◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
• Patching, encryption, limited user access
• Intrusion detection / prevention systems, firewall alerts
• Formal audit program with scope and schedule based on an asset’s inherent risk; prompt and documented remediation of findings; regular activity report reviews

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – General Observations
• Cybersecurity Preparedness (cont.)
◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
• Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
• Senior management and board incident reporting

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment – Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings

Recent Examiner Supplemental Cyber Security “Request List”

Key Defensive Strategies

Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities

Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles – Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know / use online banking tools
10. Test, Test, Test – Independent validation that it works…

Verizon
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
– Time from successful intrusion to compromise of data was days to weeks
– Log files contained evidence of the intrusion attempt, its success and the removal of data
– Most successful intrusions were not considered highly difficult

Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing

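The Verizon key points above (evidence of the attempt, its success and the removal of data was already in the logs) and this slide's point about archiving versus reviewing, as an added example that is not part of the original deck: a single review pass over a consolidated feed from three of the listed sources (firewall, network authentication, server) that correlates the three stages per internal host and raises an alert only when all three are present. The line formats, the 10.0.0.0/8 internal range, the three-port and 100 MB thresholds and every sample line are constructed assumptions.

```python
"""Review pass over a centralized log feed (added example, not the deck's code).

Correlates, per internal host, the three kinds of evidence the Verizon report
found unread in log files: intrusion attempt, successful intrusion, removal of
data. Log formats, the internal address range and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in three assumed formats: firewall, auth, server.
SAMPLE_LOGS = [
    "firewall 2014-05-01T02:10:05 DENY tcp 203.0.113.7 -> 10.0.0.5:22",
    "firewall 2014-05-01T02:10:06 DENY tcp 203.0.113.7 -> 10.0.0.5:23",
    "firewall 2014-05-01T02:10:07 DENY tcp 203.0.113.7 -> 10.0.0.5:3389",
    "auth 2014-05-01T02:11:40 FAIL user=teller1 src=203.0.113.7 host=10.0.0.5",
    "auth 2014-05-01T02:11:42 FAIL user=teller1 src=203.0.113.7 host=10.0.0.5",
    "auth 2014-05-01T02:11:50 OK user=teller1 src=203.0.113.7 host=10.0.0.5",
    "server 2014-05-01T02:30:12 host=10.0.0.5 outbound dst=198.51.100.9 bytes=734003200",
    # Normal business-hours activity that must not trip the review.
    "auth 2014-05-01T08:00:01 OK user=teller1 src=10.0.0.22 host=10.0.0.5",
    "server 2014-05-01T08:05:00 host=10.0.0.5 outbound dst=10.0.0.40 bytes=2048",
]

FW_RE = re.compile(r"^firewall (\S+) (DENY|ALLOW) \w+ (\S+) -> (\S+):(\d+)$")
AUTH_RE = re.compile(r"^auth (\S+) (OK|FAIL) user=(\S+) src=(\S+) host=(\S+)$")
SRV_RE = re.compile(r"^server (\S+) host=(\S+) outbound dst=(\S+) bytes=(\d+)$")


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def new_finding():
    return {"attempt": set(), "success": set(), "removal_bytes": 0, "alert": False}


def review(lines, min_ports=3, exfil_bytes=100_000_000):
    """Walk the consolidated feed once and collect per-host evidence.

    attempt:  an external source probed >= min_ports denied ports on the host
    success:  that source (or one with earlier failures) then authenticated OK
    removal:  the host pushed >= exfil_bytes to an external destination
    alert:    all three stages were seen for the same host
    """
    denied_ports = defaultdict(set)   # (host, src) -> ports the firewall denied
    failed_logins = defaultdict(int)  # (host, src) -> failed login attempts
    findings = defaultdict(new_finding)

    for line in lines:
        m = FW_RE.match(line)
        if m:
            _ts, action, src, host, port = m.groups()
            if action == "DENY" and is_external(src):
                denied_ports[(host, src)].add(port)
                if len(denied_ports[(host, src)]) >= min_ports:
                    findings[host]["attempt"].add(src)
            continue

        m = AUTH_RE.match(line)
        if m:
            _ts, result, _user, src, host = m.groups()
            if not is_external(src):
                continue  # internal logins are reviewed elsewhere
            if result == "FAIL":
                failed_logins[(host, src)] += 1
            elif failed_logins[(host, src)] or src in findings[host]["attempt"]:
                findings[host]["success"].add(src)
            continue

        m = SRV_RE.match(line)
        if m:
            _ts, host, dst, nbytes = m.groups()
            if is_external(dst) and int(nbytes) >= exfil_bytes:
                findings[host]["removal_bytes"] += int(nbytes)

    for f in findings.values():
        f["alert"] = bool(f["attempt"] and f["success"] and f["removal_bytes"])
    return dict(findings)


if __name__ == "__main__":
    for host, f in review(SAMPLE_LOGS).items():
        status = "ALERT" if f["alert"] else "watch"
        print(f"{status} {host}: attempt={sorted(f['attempt'])} "
              f"success={sorted(f['success'])} removed={f['removal_bytes']} bytes")
```

Each stage on its own is ordinary noise in an archived log; only the review that joins them across sources turns the archive into an alert.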
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R’s: Recognize, React, Respond
• Thoroughly validate your controls
– High expectations of your vendors
– Penetration testing
– Application testing
– Vulnerability scanning
– Social engineering testing
People, Rules, Tools

Questions

cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA; Principal, Information Security Services; Randy.romes@cliftonlarsonallen.com; 888-529-2648

Governance Frameworks
• Common Frameworks – Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf

PCI DSS – “Digital Dozen”
• PCI DSS version 3.0

SANS Critical Security Controls – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches

SANS Critical Security Controls – Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

SANS “First Five” (SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches

FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx

Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers.

“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
– http://www.verizonenterprise.com/DBIR

Keys to Successful Breaches 2013 / 2014
https://www2.trustwave.com/GSR2014

Keys to Successful Breaches…
Reliance / dependence on 3rd party service providers is at the root of most breaches

How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of “authority”
• People want to avoid inconvenience
• Timing, timing, timing…
“Amateurs hack systems, professionals hack people.” (Bruce Schneier)

Pre-text Phone Calls
• “Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…”
– Name dropping
– Establish a rapport
– Ask for help
– Inject some techno-babble
– Think telemarketer’s script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds

Email Attacks – Spoofing and Phishing
• Impersonate someone in authority and:
– Ask them to visit a web site
– Ask them to open an attachment or run an update
• Examples:
– Better Business Bureau complaint
– httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
– Microsoft Security Patch Download

Email Phishing – “Targeted Attack”

Physical (Facility) Security
Compromise the site:
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Examples…
• Sumitomo Bank (2005) – over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
• Barclays Bank (December 2013) – $130M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html

Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS “First Five” – Layers “behind the people”
1. Secure / Standard Configurations (hardening)
2. Critical Patches – Operating Systems
3. Critical Patches – Applications
4. Application White Listing
5. Minimized user access rights: no browsing / email with admin rights
• Logging, Monitoring and Alerting capabilities
– “The 3 R’s”: Recognize, React, Respond
– More on this at the end…

FFIEC – Executive Leadership of Cybersecurity

Cybersecurity Leadership – FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html

May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board / C-suite involvement, including:
– Setting the tone at the top and building a security culture
– Identifying, measuring, mitigating and monitoring risks
– Developing risk management processes commensurate with the risks and complexity of the institutions
– Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
– Creating a governance process to ensure ongoing awareness and accountability
– Ensuring timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks

Cybersecurity Assessments
July – August 2014

Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution’s Information Security Program

Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
– Board of Directors will develop an Information Security Program that addresses the requirements of:
◊ Section 501(b) of the GLBA
◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines Establishing Information Security Standards” (501[b] Guidelines), and
◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
– Risk Assessment
– Risk Management
– Audit
– Business Continuity / Disaster Recovery / Incident Response
– Vendor Management
– Board and Committee Oversight

Information Security Program – Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat

copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Keys to Successful Breacheshellip
17
Reliancedependence on 3rd party service providers is at root of most breaches
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
How do hackers and fraudsters break in
Social Engineering relies on the following
bull The appearance of ldquoauthorityrdquo
bull People want to avoid inconvenience
bull Timing timing timinghellip
ldquoAmateurs hack systems professionals hack peoplerdquo Bruce Schneier
18
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
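As an added example that is not part of the deck, the Python below turns the previous two slides into runnable detection logic: it reviews (rather than merely archives) constructed VPN, server and firewall log lines, and chains a VPN fail-then-success to a later off-hours bulk transfer from the host that user logged on from. All hostnames, user names, IP addresses, log formats and thresholds are assumptions.

```python
"""Added example (not from the CLA deck or its author): a minimal cross-source
log correlator illustrating the difference between archiving logs and reviewing
them. Hostnames, users, IP addresses and log lines are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three of the sources listed on the slide:
# network authentication (VPN gateway), a server, and the perimeter firewall.
SAMPLE_LOGS = """\
2014-07-14T02:01:10 vpn-gw auth FAIL user=jdoe src=203.0.113.9
2014-07-14T02:01:25 vpn-gw auth FAIL user=jdoe src=203.0.113.9
2014-07-14T02:01:41 vpn-gw auth FAIL user=jdoe src=203.0.113.9
2014-07-14T02:02:03 vpn-gw auth OK user=jdoe src=203.0.113.9
2014-07-14T02:09:30 fileserver01 logon OK user=jdoe src=10.1.20.7
2014-07-14T02:31:05 fw-edge conn OUT src=10.1.20.7 dst=198.51.100.20 bytes=734003200
2014-07-14T09:15:00 vpn-gw auth OK user=asmith src=198.51.100.77
2014-07-14T09:20:12 fw-edge conn OUT src=10.1.20.9 dst=192.0.2.44 bytes=51200
"""

FAIL_THRESHOLD = 3                     # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)    # ...counted within this sliding window
EGRESS_BYTES = 100 * 1024 * 1024       # one outbound connection >= 100 MiB
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59; anything else is off-hours
LOGON_TO_EGRESS = timedelta(hours=1)   # logon-to-transfer window for correlation

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<result>\S+)(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'ts host event result k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
           "event": m["event"], "result": m["result"]}
    rec.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return rec


def load(text):
    """Parse all lines and order them by timestamp, as a SIEM does on ingest."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return sorted(records, key=lambda r: r["ts"])


def detect_auth_abuse(records):
    """Rule 1: >= FAIL_THRESHOLD VPN failures for one user/source, then a success."""
    alerts, fails = [], defaultdict(list)
    for r in records:
        if r["host"] != "vpn-gw" or r["event"] != "auth":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "FAIL":
            # keep only the failures still inside the sliding window
            fails[key] = [t for t in fails[key] if r["ts"] - t <= FAIL_WINDOW]
            fails[key].append(r["ts"])
        elif r["result"] == "OK" and len(fails[key]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "auth-fail-then-success", "severity": "medium",
                           "user": r["user"], "src": r["src"], "ts": r["ts"]})
            fails[key].clear()
    return alerts


def detect_offhours_egress(records):
    """Rule 2: a single large outbound connection outside business hours."""
    alerts = []
    for r in records:
        if r["event"] != "conn" or r["result"] != "OUT":
            continue
        nbytes = int(r["bytes"])
        if nbytes >= EGRESS_BYTES and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "offhours-large-egress", "severity": "medium",
                           "src": r["src"], "dst": r["dst"], "bytes": nbytes,
                           "ts": r["ts"]})
    return alerts


def correlate(records):
    """Run both rules, then escalate an egress alert when the sending host was
    logged on within LOGON_TO_EGRESS by a user whose VPN session tripped rule 1.
    This is the intrusion -> access -> data removal chain that the Verizon slide
    says sits unread in log files."""
    auth_alerts = detect_auth_abuse(records)
    egress_alerts = detect_offhours_egress(records)
    flagged = {a["user"] for a in auth_alerts}
    logons = [r for r in records if r["event"] == "logon" and r["result"] == "OK"]
    for e in egress_alerts:
        for lg in logons:
            if (lg.get("user") in flagged and lg.get("src") == e["src"]
                    and timedelta(0) <= e["ts"] - lg["ts"] <= LOGON_TO_EGRESS):
                e["severity"] = "high"
                e["user"] = lg["user"]
                e["linked_rule"] = "auth-fail-then-success"
    return auth_alerts + egress_alerts


if __name__ == "__main__":
    for alert in correlate(load(SAMPLE_LOGS)):
        print(alert)
```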
Call To Action
Policies to set foundation
Train your users
Thoroughly assess your risks
Three R's: Recognize, React, Respond
Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People, Rules, Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA, Principal, Information Security Services, Randy.romes@cliftonlarsonallen.com, 888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating systems patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
How do hackers and fraudsters break in?
Social Engineering relies on the following:
• The appearance of "authority"
• People want to avoid inconvenience
• Timing, timing, timing…
"Amateurs hack systems; professionals hack people" – Bruce Schneier
Pre-text Phone Calls
• "Hi, this is Randy from Fiserv user support. I am working with Dave and I need your help…"
  – Name dropping
  – Establish a rapport
  – Ask for help
  – Inject some techno-babble
  – Think telemarketer's script
• Home Equity Line of Credit (HELOC) fraud calls
• Ongoing high-profile ACH frauds
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web-site
  – Ask them to open an attachment or run an update
• Examples
  – Better Business Bureau complaint
    – http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – "Targeted Attack"
Physical (Facility) Security
Compromise the site
• "Hi, Joe said he would let you know I was coming to fix the printers…"
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives ("Switch Blade")
Examples…
  – Sumitomo Bank (2005) – over $500M: http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
  – Barclays Bank (December 2013) - $130M lost: http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering
• (Ongoing) user awareness training
• SANS "First Five" – Layers "behind the people"
  1. Secure/Standard Configurations (hardening)
  2. Critical Patches – Operating Systems
  3. Critical Patches – Applications
  4. Application White Listing
  5. Minimized user access rights
     No browsing/email with admin rights
• Logging, Monitoring and Alerting capabilities
  – "The 3 R's": Recognize, React, Respond
  – More on this at the end…
FFIEC – Executive Leadership of Cybersecurity
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Pre-text Phone Calls bull ldquoHi this is Randy from Fiserv users support I am
working with Dave and I need your helphelliprdquo
ndash Name dropping
ndash Establish a rapport
ndash Ask for help
ndash Inject some techno-babble
ndash Think telemarketers script
bull Home Equity Line of Credit (HELOC) fraud calls
bull Ongoing high-profile ACH frauds
19
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Attacks - Spoofing and Phishing
bull Impersonate someone in authority and
ndash Ask them to visit a web-site
ndash Ask them to open an attachment or run update
bull Examples
ndash Better Business Bureau complaint
ndash httpwwwmillersmilescoukemailvisa-usabetter-business-bureaucall-for-action-visa
ndash Microsoft Security Patch Download
20
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution’s Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) provides for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council’s (FFIEC) “Interagency Guidelines Establishing Information Security Standards” (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC’s Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source’s ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset’s inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security “Request List”
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs Reviewing
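The Verizon finding above (the evidence was already in the logs) and the “Archiving vs Reviewing” point are the reason for this added example, which is not from the slides or from CliftonLarsonAllen: a small Python log review that normalizes constructed VPN, server and firewall records into one timeline and runs three correlation rules over it. The source names, field names, thresholds and every sample line are assumptions made up for the example.

```python
"""Centralized log review versus archiving: events from several sources (VPN
authentication, a server, a firewall) are normalized into one timeline and a few
correlation rules run over it, so evidence that would otherwise sit unread in an
archive raises an alert. All lines, fields and thresholds here are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample feed in a "timestamp source key=value ..." layout, the kind
# of normalized record a SIEM produces after parsing vendor syslog.
SAMPLE_LOG = """\
2014-09-12T02:14:05 vpn event=auth_fail user=jsmith src=203.0.113.7
2014-09-12T02:14:09 vpn event=auth_fail user=jsmith src=203.0.113.7
2014-09-12T02:14:13 vpn event=auth_fail user=jsmith src=203.0.113.7
2014-09-12T02:14:17 vpn event=auth_fail user=jsmith src=203.0.113.7
2014-09-12T02:14:21 vpn event=auth_fail user=jsmith src=203.0.113.7
2014-09-12T02:14:30 vpn event=auth_ok user=jsmith src=203.0.113.7
2014-09-12T02:20:41 srv event=group_add user=jsmith group=Administrators host=fileserver01
2014-09-12T02:45:02 fw event=conn_out src=10.1.5.22 dst=198.51.100.9 dport=443 bytes=734003200
2014-09-12T09:05:10 vpn event=auth_fail user=mjones src=192.0.2.44
2014-09-12T09:05:40 vpn event=auth_ok user=mjones src=192.0.2.44
"""

# Thresholds an institution would tune to its own baseline; these are arbitrary.
FAIL_THRESHOLD = 5                    # failed logons before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # ...counted within this window
OFF_HOURS = (20, 6)                   # 20:00 to 06:00 local time
EXFIL_BYTES = 500 * 1024 * 1024       # one outbound connection over 500 MiB


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse(text: str) -> list:
    """Archive step: turn raw lines into a time-ordered list of Events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # a real pipeline counts unparsed lines
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts), source, fields))
    return sorted(events, key=lambda e: e.ts)


def rule_guessing_then_success(events: list) -> list:
    """Recognize: a run of failed logons for one user/source, then a success."""
    alerts, recent = [], defaultdict(deque)   # (user, src) -> failure timestamps
    for e in events:
        kind = e.fields.get("event")
        if kind not in ("auth_fail", "auth_ok"):
            continue
        key = (e.fields.get("user"), e.fields.get("src"))
        q = recent[key]
        while q and e.ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if kind == "auth_fail":
            q.append(e.ts)
        elif len(q) >= FAIL_THRESHOLD:
            alerts.append(f"R1 password guessing succeeded: user={key[0]} src={key[1]} "
                          f"after {len(q)} failures, success at {e.ts.isoformat()}")
            q.clear()
    return alerts


def rule_offhours_admin_change(events: list) -> list:
    """Recognize: membership added to an administrators group outside business hours."""
    return [f"R2 off-hours admin group change: user={e.fields.get('user')} "
            f"host={e.fields.get('host')} at {e.ts.isoformat()}"
            for e in events
            if e.fields.get("event") == "group_add"
            and e.fields.get("group") == "Administrators"
            and (e.ts.hour >= OFF_HOURS[0] or e.ts.hour < OFF_HOURS[1])]


def rule_large_outbound(events: list) -> list:
    """Recognize: a single outbound connection moving an unusually large volume."""
    return [f"R3 large outbound transfer: src={e.fields.get('src')} "
            f"dst={e.fields.get('dst')} bytes={e.fields.get('bytes')}"
            for e in events
            if e.fields.get("event") == "conn_out"
            and int(e.fields.get("bytes", 0)) >= EXFIL_BYTES]


def review(text: str) -> list:
    """Review step: run every rule over the combined timeline and return alerts."""
    alerts, events = [], parse(text)
    for rule in (rule_guessing_then_success, rule_offhours_admin_change, rule_large_outbound):
        alerts.extend(rule(events))
    return alerts
```

Running review(SAMPLE_LOG) yields three alerts (the guessed-then-successful VPN logon, the off-hours Administrators change on the same account, and the large outbound transfer); the same lines left only in an archive yield nothing to React or Respond to.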
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R’s: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People, Rules, Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – “Digital Dozen”
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS “First Five”
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating systems patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
Email Attacks - Spoofing and Phishing
• Impersonate someone in authority and
  – Ask them to visit a web-site
  – Ask them to open an attachment or run update
• Examples
  – Better Business Bureau complaint
    http://www.millersmiles.co.uk/email/visa-usa/better-business-bureau/call-for-action-visa
  – Microsoft Security Patch Download
Email Phishing – “Targeted Attack”
Physical (Facility) Security
Compromise the site
• “Hi, Joe said he would let you know I was coming to fix the printers…”
Plant devices
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Examples…
– Sumitomo Bank (2005) – over $500M
  http://www.networkworld.com/news/2009/012209-clerical-error-foiled-sumitomo-bank.html
– Barclays Bank (December 2013) - $1.3M lost
  http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-13-million-police-say.html
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Email Phishing ndash ldquoTargeted Attackrdquo
21
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
27
Cybersecurity Assessments
July – August 2014
32
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
33
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
34
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
35
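The likelihood-times-impact scoring the slide describes, carried through as a small risk register: this is an added example written for this page, not CLA's or the FFIEC's own tool. The five-point scales, the three sample threat/vulnerability pairs, the controls and their effectiveness fractions, and the High/Medium/Low thresholds are all constructed assumptions, not regulatory figures.

```python
"""Risk register worked example (added illustration; constructed sample data).

Scores each (threat source, vulnerability) pair as likelihood x impact, applies
the administrative, technical and physical controls chosen for it, and ranks the
pairs by the residual score that remains, which is where further controls go.
"""
from dataclasses import dataclass, field
from typing import List

# Five-point ordinal scales, a common FI convention (assumption, not an FFIEC mandate).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    kind: str             # "administrative", "technical" or "physical"
    reduces: str          # which factor it acts on: "likelihood" or "impact"
    effectiveness: float  # fraction of that factor removed, 0.0-1.0 (constructed estimate)


@dataclass
class Risk:
    threat_source: str
    vulnerability: str
    asset: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Score after controls. Each control scales the factor it addresses;
        neither factor drops below 1, because no control makes a threat impossible."""
        lik = float(LIKELIHOOD[self.likelihood])
        imp = float(IMPACT[self.impact])
        for c in self.controls:
            if c.reduces == "likelihood":
                lik *= 1.0 - c.effectiveness
            else:
                imp *= 1.0 - c.effectiveness
        return round(max(lik, 1.0) * max(imp, 1.0), 2)


def rating(score: float) -> str:
    """Map a score on the 1-25 grid to a rating (thresholds are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_register(risks: List[Risk]) -> List[dict]:
    """Rank by residual risk, highest first: the top rows are where the
    assessment says control investment is still needed."""
    rows = [{
        "threat": f"{r.threat_source} -> {r.vulnerability} ({r.asset})",
        "inherent": r.inherent(),
        "inherent_rating": rating(r.inherent()),
        "residual": r.residual(),
        "residual_rating": rating(r.residual()),
        "control_kinds": sorted({c.kind for c in r.controls}),
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def build_sample_register() -> List[Risk]:
    """Constructed sample register drawn from the themes in this deck
    (social engineering, ransomware, planted devices)."""
    return [
        Risk("phishing e-mail", "user clicks and enters credentials", "workstations / online banking",
             "likely", "major", [
                 Control("user awareness training", "administrative", "likelihood", 0.3),
                 Control("no browsing/email with admin rights", "technical", "impact", 0.5),
                 Control("central logging and alerting", "technical", "impact", 0.3),
             ]),
        Risk("ransomware", "unpatched file server", "file server",
             "possible", "severe", [
                 Control("critical OS/application patching", "technical", "likelihood", 0.6),
                 Control("tested offline backups", "technical", "impact", 0.6),
             ]),
        Risk("tailgating visitor", "plants keystroke logger", "teller workstation",
             "unlikely", "major", [
                 Control("badge-controlled entry and escort policy", "physical", "likelihood", 0.5),
             ]),
    ]


if __name__ == "__main__":
    for row in rank_register(build_sample_register()):
        print(f"{row['residual']:>5} {row['residual_rating']:<6} (inherent {row['inherent']:>2} "
              f"{row['inherent_rating']:<6}) {row['threat']}  controls: {', '.join(row['control_kinds'])}")
```

Note the ordering the sample produces: the planted-keylogger pair has the lowest inherent score but ends up with the highest residual score because only one control addresses it, which is exactly the signal the third bullet on the slide asks the assessment to produce.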
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
36
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
37
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
38
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
39
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
40
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
41
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
42
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
43
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
44
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
45
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
46
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
47
Recent Examiner Supplemental Cyber Security "Request List"
48
Key Defensive Strategies
51
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared... Monitoring, Incident Response and forensic capabilities
52
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works...
53
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
54
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
55
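The "Reviewing, not just Archiving" point on the slide, and the Verizon finding that the log files already held evidence of the intrusion, the success and the removal of data, come down to correlating events from more than one source. The block below is an added example written for this page, not CLA's code or any SIEM product's rules: it pulls constructed syslog-style events from three of the sources listed (network authentication via VPN, a server, the perimeter firewall) into one time-ordered stream and applies two alert rules, a run of authentication failures followed by a success from the same source, and a large outbound transfer from the internal address that login was given. The source names (`vpn`, `fileserver`, `firewall`), the line format, every address, user name and threshold are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Central log correlation worked example (added illustration; constructed data).

Normalises events from several log sources into one timeline and applies two
detection rules, so the output is an alert list a reviewer can act on
(Recognize) rather than an archive nobody reads.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events: "<ISO timestamp> <source> <event> key=value ...".
SAMPLE_LOG = """\
2014-08-12T02:10:01 vpn auth_fail user=jdoe src=203.0.113.7
2014-08-12T02:10:09 vpn auth_fail user=jdoe src=203.0.113.7
2014-08-12T02:10:15 vpn auth_fail user=jdoe src=203.0.113.7
2014-08-12T02:10:22 vpn auth_fail user=jdoe src=203.0.113.7
2014-08-12T02:10:30 vpn auth_fail user=jdoe src=203.0.113.7
2014-08-12T02:11:02 vpn auth_ok user=jdoe src=203.0.113.7 assigned=10.10.5.23
2014-08-12T02:12:40 fileserver login_ok user=jdoe src=10.10.5.23
2014-08-12T02:31:10 firewall allow src=10.10.5.23 dst=198.51.100.44 dport=443 bytes_out=734003200
2014-08-12T08:15:00 vpn auth_fail user=asmith src=192.0.2.18
2014-08-12T08:15:20 vpn auth_ok user=asmith src=192.0.2.18 assigned=10.10.5.41
2014-08-12T09:00:00 firewall allow src=10.10.5.41 dst=198.51.100.9 dport=443 bytes_out=120000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")

FAIL_THRESHOLD = 5                   # failures that make the next success suspicious (assumption)
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
EXFIL_BYTES = 100 * 1024 * 1024      # a single outbound flow of 100 MiB or more (assumption)
EXFIL_WINDOW = timedelta(hours=1)    # ...within an hour of the suspect login


def parse_line(line: str):
    """Normalise one line into a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "event": m["event"]}
    event.update(re.findall(r"(\w+)=(\S+)", m["rest"]))
    return event


def parse_log(text: str):
    """Parse and order by timestamp so events from different sources interleave
    correctly (the collector's job; clocks are assumed to be synchronised)."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run both rules over an ordered event stream and return the alerts raised."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent auth_fail events
    suspect_hosts = {}            # internal address -> time a suspect login received it
    for e in events:
        if e["source"] == "vpn" and e["event"] == "auth_fail":
            key = (e["user"], e["src"])
            failures[key] = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
        elif e["source"] == "vpn" and e["event"] == "auth_ok":
            key = (e["user"], e["src"])
            recent = [t for t in failures.pop(key, []) if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "auth_failures_then_success", "ts": e["ts"],
                               "user": e["user"], "src": e["src"], "failures": len(recent)})
                if "assigned" in e:
                    suspect_hosts[e["assigned"]] = e["ts"]
        elif e["source"] == "firewall" and e["event"] == "allow":
            since = suspect_hosts.get(e["src"])
            if (since is not None and e["ts"] - since <= EXFIL_WINDOW
                    and int(e.get("bytes_out", 0)) >= EXFIL_BYTES):
                alerts.append({"rule": "large_outbound_after_suspect_login", "ts": e["ts"],
                               "src": e["src"], "dst": e["dst"], "bytes_out": int(e["bytes_out"])})
    return alerts


def run_sample():
    """Alerts produced by the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"].isoformat(), a["rule"], {k: v for k, v in a.items() if k not in ("ts", "rule")})
```

Neither rule fires on the VPN log alone or on the firewall log alone: the second user's single failure never reaches the threshold, and the large transfer is only interesting because the address it came from was handed out by a login that had already been flagged. That is the case for collecting the sources centrally before reviewing them.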
Call To Action
Policies to set foundation
Train your users
Thoroughly assess your risks
Three R's: Recognize, React, Respond
Thoroughly validate your controls
– High expectations of your vendors
– Penetration testing
– Application testing
– Vulnerability scanning
– Social engineering testing
People, Rules, Tools
56
Questions
57
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
58
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI – DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
61
SANS Critical Security Controls - Version 5
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS Top 20 Controls
62
SANS "First Five"
1. Secure configurations...
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating systems patches
5. Application of critical application patches
SANS Top 20 Controls
63
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
65
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
66
Physical (Facility) Security Compromise the site
bull ldquoHi Joe said he would let you know I was coming to fix the printershelliprdquo
Plant devices
bull Keystroke loggers
bull Wireless access point
bull Thumb drives (ldquoSwitch Bladerdquo)
Exampleshellip -Sumitomo Bank (2005) ndash over $500M -httpwwwnetworkworldcomnews2009012209-clerical-error-foiled-sumitomo-bankhtml
-Barclays Bank (December 2013) - $130M lost -httpwwwtelegraphcouknewsuknewscrime10322536Barclays-hacking-attack-gang-stole-13-million-police-sayhtml
22
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies to Combat Social Engineering bull (Ongoing) user awareness training
bull SANS ldquoFirst Fiverdquo ndash Layers ldquobehind the peoplerdquo
1 SecureStandard Configurations (hardening)
2 Critical Patches ndash Operating Systems
3 Critical Patches ndash Applications
4 Application White Listing
5 Minimized user access rights
No browsingemail with admin rights
bull Logging Monitoring and Alerting capabilities
ndash ldquoThe 3 Rrsquosrdquo Recognize React Respond
ndash More on this at the endhellip
23
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP

Cybersecurity Assessments
July – August 2014

Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program

Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight

Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat

Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting

Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations

Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring

FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting

FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings

Recent Examiner Supplemental Cyber Security "Request List"

Key Defensive Strategies

Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and forensic Capabilities

Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles – Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…

Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult

Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
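The Verizon finding above (the evidence was already in the logs) and the SIEM source list are what this added example illustrates; it is not from the deck or from CliftonLarsonAllen. It merges a few constructed log lines from network authentication, a file server and a firewall into one stream and applies three review rules, so the distinction between archiving logs and reviewing them is concrete. The line format, field names, thresholds and sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Each line is a timestamp, the
# log source type, then key=value fields, as a log forwarder might normalise
# them before they reach the central store.
SAMPLE_LOGS = """\
2014-11-03T02:14:05 auth src=203.0.113.7 user=jdoe result=FAIL
2014-11-03T02:14:09 auth src=203.0.113.7 user=jdoe result=FAIL
2014-11-03T02:14:12 auth src=203.0.113.7 user=jdoe result=FAIL
2014-11-03T02:14:16 auth src=203.0.113.7 user=jdoe result=FAIL
2014-11-03T02:14:31 auth src=203.0.113.7 user=jdoe result=SUCCESS
2014-11-03T02:20:10 server host=fs01 user=jdoe action=read path=/share/loans/export.csv bytes=184000000
2014-11-03T02:21:02 fw src=10.0.5.12 dst=198.51.100.9 dport=443 bytes_out=182000000 action=ALLOW
2014-11-03T09:02:11 auth src=10.0.8.40 user=asmith result=SUCCESS
2014-11-03T09:05:40 fw src=10.0.8.40 dst=198.51.100.20 dport=443 bytes_out=240000 action=ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

# Review thresholds (assumed values; tune them to the institution's baseline).
FAIL_THRESHOLD = 3                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)    # how close together the failures must be
BIG_TRANSFER_BYTES = 100 * 1024 * 1024
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local time


def parse(text):
    """Normalise raw lines into dicts keyed by field name, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # skip blank or malformed lines
        ts, src_type, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "src_type": src_type}
        for kv in rest.split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    """Private ranges used by the constructed sample network (assumption)."""
    return ip.startswith(("10.", "192.168."))


def review(events):
    """Apply three correlation rules across all sources and return alerts.

    Each alert is a (rule_name, subject, detail) tuple; a SIEM would route
    these to an analyst instead of leaving them in the archive.
    """
    alerts = []
    recent_fails = defaultdict(list)  # (src, user) -> timestamps of failures
    for ev in events:
        if ev["src_type"] == "auth":
            key = (ev["src"], ev["user"])
            if ev["result"] == "FAIL":
                recent_fails[key].append(ev["ts"])
            elif ev["result"] == "SUCCESS":
                # Rule 1: a success preceded by a burst of failures from the
                # same source for the same account (credential guessing).
                in_window = [t for t in recent_fails[key]
                             if ev["ts"] - t <= FAIL_WINDOW]
                if len(in_window) >= FAIL_THRESHOLD:
                    alerts.append(("guessing_then_success", ev["user"], ev["src"]))
                recent_fails[key].clear()
        elif ev["src_type"] == "server":
            # Rule 2: bulk read of a share outside business hours.
            if (ev.get("action") == "read"
                    and ev["ts"].hour not in BUSINESS_HOURS
                    and int(ev.get("bytes", 0)) >= BIG_TRANSFER_BYTES):
                alerts.append(("off_hours_bulk_read", ev["user"], ev["path"]))
        elif ev["src_type"] == "fw":
            # Rule 3: large outbound transfer to a non-internal address.
            if (not is_internal(ev["dst"])
                    and int(ev.get("bytes_out", 0)) >= BIG_TRANSFER_BYTES):
                alerts.append(("large_outbound_transfer", ev["src"], ev["dst"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in review(parse(SAMPLE_LOGS)):
        print(f"ALERT {rule}: {subject} -> {detail}")
```

On the sample lines the three rules fire in sequence: guessed credentials, an off-hours bulk read of the share, then a large outbound transfer, which is the intrusion-success-removal chain the Verizon slide describes.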

Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People – Rules – Tools

Questions

cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648

Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf

PCI DSS – "Digital Dozen"
• PCI DSS version 3.0

SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches

SANS Critical Security Controls - Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches

FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx

Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists:
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers

"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual) – http://www.verizonenterprise.com/DBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
FFIEC ndash Executive Leadership of Cybresecurity
24
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
25
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
26
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program: Business Continuity / Disaster Recovery / Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
37
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
38
FFIEC Cybersecurity Assessments
• In the summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
39
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
40
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
41
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
42
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
43
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
44
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
45
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting, and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
46
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
47
Recent Examiner Supplemental Cyber Security "Request List"
48
Recent Examiner Supplemental Cyber Security "Request List" (cont.)
49
Recent Examiner Supplemental Cyber Security "Request List" (cont.)
50
Key Defensive Strategies
51
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response, and Forensic Capabilities
52
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (Minimum Access)
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis, and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – Independent validation that it works…
53
Verizon
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success, and removal of data
  – Most successful intrusions were not considered highly difficult
54
Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
55
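The Verizon slide's point is that the evidence was already in the log files, and this slide's "Archiving vs. Reviewing" is the difference between a SIEM that stores those lines and one that raises an alert on them. As an added example, not from the deck and not CliftonLarsonAllen's code, the Python below collects auth and firewall lines in one place and runs two review rules over them: a login success that follows a burst of failures for the same account and source, and a large allowed transfer to a host outside the institution's own address ranges. The sample log lines, the line format, the thresholds, and the RFC 1918 ranges used as "internal" are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, already forwarded to one collector (the
# "centralized" part). None of this is real traffic; users, hosts and
# addresses are made up. Format: "<ISO timestamp> <source> <message>".
SAMPLE_LOGS = """\
2014-10-02T01:12:03 auth FAILED LOGIN user=jsmith src=203.0.113.7
2014-10-02T01:12:09 auth FAILED LOGIN user=jsmith src=203.0.113.7
2014-10-02T01:12:14 auth FAILED LOGIN user=jsmith src=203.0.113.7
2014-10-02T01:12:21 auth FAILED LOGIN user=jsmith src=203.0.113.7
2014-10-02T01:12:30 auth FAILED LOGIN user=jsmith src=203.0.113.7
2014-10-02T01:13:40 auth LOGIN OK user=jsmith src=203.0.113.7
2014-10-02T01:20:15 firewall ALLOW tcp 10.0.5.21:51120 -> 198.51.100.9:443 bytes=734003200
2014-10-02T09:05:00 auth LOGIN OK user=mlee src=10.0.2.14
2014-10-02T09:06:10 firewall ALLOW tcp 10.0.2.14:50233 -> 10.0.9.3:445 bytes=912000000
"""

# Tunable thresholds (assumptions for the example, not FFIEC figures).
FAILURE_THRESHOLD = 5                      # failures that make a later success suspicious
FAILURE_WINDOW = timedelta(minutes=10)     # how long a failure counts as "recent"
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB to an outside host

# Ranges treated as the institution's own network (assumption: RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

AUTH_RE = re.compile(r"^(\S+) auth (FAILED LOGIN|LOGIN OK) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) firewall ALLOW \S+ (\S+):\d+ -> (\S+):\d+ bytes=(\d+)$")


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Normalise one log line into a dict; None for lines this example does not understand."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "kind": "auth",
                "ok": outcome == "LOGIN OK", "user": user, "src": src}
    m = FW_RE.match(line)
    if m:
        ts, src, dst, nbytes = m.groups()
        return {"ts": datetime.fromisoformat(ts), "kind": "firewall",
                "src": src, "dst": dst, "bytes": int(nbytes)}
    return None


def review_logs(text):
    """Run both alerting rules over the collected lines and return the alerts raised."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # sources arrive out of order in practice
    alerts = []
    recent_failures = defaultdict(list)          # (user, src) -> timestamps of recent failures

    for ev in events:
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            # Drop failures that have aged out of the sliding window.
            recent_failures[key] = [t for t in recent_failures[key]
                                    if ev["ts"] - t <= FAILURE_WINDOW]
            if not ev["ok"]:
                recent_failures[key].append(ev["ts"])
            elif len(recent_failures[key]) >= FAILURE_THRESHOLD:
                # Rule 1: success right after a burst of failures for the same
                # account and source deserves a human look, not just archiving.
                alerts.append({"rule": "success_after_repeated_failures", "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"],
                               "failures": len(recent_failures[key])})
                recent_failures[key] = []
        elif ev["kind"] == "firewall":
            # Rule 2: a large allowed transfer to a host outside the institution's
            # own ranges is the "removal of data" footprint the Verizon slide describes.
            if not is_internal(ev["dst"]) and ev["bytes"] >= LARGE_TRANSFER_BYTES:
                alerts.append({"rule": "large_outbound_transfer", "ts": ev["ts"],
                               "src": ev["src"], "dst": ev["dst"], "bytes": ev["bytes"]})
    return alerts


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed lines, the review raises two alerts: jsmith's login at 01:13:40 after five failures from 203.0.113.7, and the 734 MB transfer from 10.0.5.21 to the outside host 198.51.100.9. The internal 10.0.2.14 to 10.0.9.3 copy, although larger, stays below the alerting bar because it never leaves the institution's ranges, which is the kind of tuning decision a real SIEM deployment has to document.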
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
(Figure: People / Rules / Tools)
56
Questions
57
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
58
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
61
SANS Critical Security Controls - Version 5
SANS Top 20 Controls
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
62
SANS "First Five"
SANS Top 20 Controls
1. Secure configurations…
2. Application whitelisting
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
63
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
65
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
66
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
26
May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar
• Importance of identifying emerging cyber threats and the need for Board/C-suite involvement, including:
  – Setting the tone at the top and building a security culture
  – Identifying, measuring, mitigating, and monitoring risks
  – Developing risk management processes commensurate with the risks and complexity of the institutions
  – Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  – Creating a governance process to ensure ongoing awareness and accountability
  – Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks
27
Cybersecurity Assessments
July – August 2014
32
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
May 7 2014 FFIEC Executive Leadership Cybersecurity webinar bull Importance of identifying emerging cyber threats and the
need for BoardC-suite involvement including
ndash Setting the tone at the top and building a security culture
ndash Identifying measuring mitigating and monitoring risks
ndash Developing risk management processes commensurate with the risks and complexity of the institutions
ndash Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
ndash Creating a governance process to ensure ongoing awareness and accountability
ndash Ensuring timely reports to senior management that include meaningful information addressing the institutions vulnerability to cyber risks
27
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
28
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and Forensic Capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles – minimum access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know and use online banking tools
10. Test, Test, Test – independent validation that it works…
Verizon
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
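The last bullet is the one that decides whether the log sources above are worth anything: the Verizon slide says the evidence of the intrusion was in the log files, which only helps if someone or something is reading them. As an added example, not code from the deck or from CliftonLarsonAllen, here is a toy review pass in Python over constructed log lines from a firewall, a VPN concentrator and a server. The line format, host names, addresses, thresholds, internal address ranges and rule names are all assumptions; the sample lines are constructed so it runs offline.

```python
"""Archiving vs. reviewing centralized logs: a toy correlation pass.
Added example, not code from the CliftonLarsonAllen deck; format, hosts,
addresses, thresholds and rule names are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ts> <host> <kind> <result> k=v ..." shape,
# standing in for a syslog feed from the firewall, VPN concentrator and servers.
SAMPLE_LOGS = [
    "2014-11-03T02:14:05 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-11-03T02:14:21 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-11-03T02:14:40 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-11-03T02:15:02 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-11-03T02:15:30 vpn01 auth FAIL user=jsmith src=203.0.113.7",
    "2014-11-03T02:16:02 vpn01 auth OK user=jsmith src=203.0.113.7",
    "2014-11-03T02:20:11 srv-core01 auth OK user=jsmith src=10.0.9.14",
    "2014-11-03T02:31:45 fw01 conn ALLOW src=10.0.5.20 dst=198.51.100.9 dport=443 bytes=1200",
    "2014-11-03T02:33:10 fw01 conn ALLOW src=10.0.5.20 dst=198.51.100.9 dport=8443 bytes=734003200",
    "2014-11-03T08:02:13 vpn01 auth FAIL user=mjones src=198.51.100.44",
    "2014-11-03T08:02:40 vpn01 auth OK user=mjones src=198.51.100.44",
    "garbage line that a real feed will also contain",
]

FAIL_WINDOW = timedelta(minutes=10)          # assumed tuning values
FAIL_THRESHOLD = 5
OUTBOUND_BYTES_THRESHOLD = 100 * 1024 * 1024
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<result>\S+)(?P<rest>.*)$")


def parse_line(line):
    """One raw line -> event dict, or None when the line cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None  # malformed timestamp: skip it rather than abort the whole review
    ev = {"ts": ts, "host": m["host"], "kind": m["kind"], "result": m["result"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["rest"]))
    return ev


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def archive(lines, store):
    """Archiving only: every line is retained, none is evaluated."""
    store.extend(lines)
    return len(store)


def detect_guessing_then_success(events):
    """Successful login preceded by >= FAIL_THRESHOLD failures for the same
    account from the same source inside FAIL_WINDOW."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        if e["kind"] != "auth":
            continue
        key = (e.get("user"), e.get("src"))
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
        elif e["result"] == "OK":
            recent = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "credential_guessing_then_success", "ts": e["ts"].isoformat(),
                               "host": e["host"], "user": key[0], "src": key[1], "fail_count": len(recent)})
            fails[key].clear()  # a success resets the counter for that account/source pair
    return alerts


def detect_large_outbound(events):
    """Internal host pushing an unusually large volume to an external address."""
    alerts = []
    for e in events:
        if e["kind"] != "conn" or not all(k in e for k in ("src", "dst", "bytes")):
            continue
        if is_internal(e["src"]) and not is_internal(e["dst"]) and int(e["bytes"]) >= OUTBOUND_BYTES_THRESHOLD:
            alerts.append({"rule": "large_outbound_transfer", "ts": e["ts"].isoformat(), "host": e["host"],
                           "src": e["src"], "dst": e["dst"], "dport": e.get("dport"), "bytes": int(e["bytes"])})
    return alerts


def review(lines):
    """Reviewing: parse, order by time, run every rule and return the alerts."""
    events = sorted((ev for ev in map(parse_line, lines) if ev), key=lambda ev: ev["ts"])
    return detect_guessing_then_success(events) + detect_large_outbound(events)


if __name__ == "__main__":
    print("archived lines:", archive(SAMPLE_LOGS, []))
    for alert in review(SAMPLE_LOGS):
        print(alert)
```

Run as a script, `archive()` reports that all twelve lines were retained and says nothing else, while `review()` returns two alerts: a VPN login for jsmith that followed five failures from the same address inside ten minutes, and a roughly 700 MB outbound transfer from an internal server to an external address on a non-standard port. The malformed line is dropped by `parse_line()` instead of stopping the pass, which matters because a real feed always contains some. In production the same two rules would live in the SIEM's correlation engine; the point of the slide is that they have to exist and run on a schedule, because the evidence is in the archive either way.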
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People – Rules – Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks – Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI-DSS version 3.0
SANS Critical Security Controls – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual) – http://www.verizonenterprise.com/DBIR
Cybersecurity Leadership – FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of:
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e., Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of:
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery/Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
29
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
• Common Frameworks - Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – "Digital Dozen"
• PCI DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Top 20 Controls
SANS Critical Security Controls - Version 5 (continued)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS Top 20 Controls
SANS "First Five"
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
  – http://www.verizonenterprise.com/DBIR
Cybersecurity Leadership - FFIEC
• https://www.fdic.gov/news/news/financial/2014/fil14021.html
Cybersecurity Assessments
July – August 2014
Current FFIEC IT Examination Process
• Each FFIEC agency (FDIC, Federal Reserve, OCC, NCUA) will perform periodic information technology examinations at regulated financial institutions
• Examination procedures are based on the FFIEC IT Handbooks (http://ithandbook.ffiec.gov) and supplemented by periodic agency guidance
• IT Examinations review the financial institution's Information Security Program
Information Security Program
• Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) for the safeguarding of customer information
  – Board of Directors will develop an Information Security Program that addresses the requirements of
    ◊ Section 501(b) of the GLBA
    ◊ Federal Financial Institutions Examination Council's (FFIEC) "Interagency Guidelines Establishing Information Security Standards" (501[b] Guidelines), and
    ◊ Agency-specific guidelines (i.e. Appendix B to Part 364 of the FDIC's Rules and Regulations)
• The Information Security Program (ISP) is comprised of
  – Risk Assessment
  – Risk Management
  – Audit
  – Business Continuity/Disaster Recovery/Incident Response
  – Vendor Management
  – Board and Committee Oversight
Information Security Program: Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data and/or availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program: Audit
• ISP-related Audits/Reviews
  – ISP Review/IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program: Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual Testing of Critical Systems
  – Annual Employee Tabletop/Scenario Testing
  – Board Reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual Testing
  – FS-ISAC
  – Cybersecurity Examinations
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into regular IT Examination process
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite Involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and forensic Capabilities
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Leadership - FFIEC
bull httpswwwfdicgovnewsnewsfinancial2014fil14021html
31
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Cybersecurity Assessments
July ndash August 2014
32
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Current FFIEC IT Examination Process
bull Each FFIEC agency (FDIC Federal Reserve OCC NCUA) will perform periodic information technology examinations at regulated financial institutions
bull Examination procedures are based on the FFIEC IT Handbooks (httpithandbookffiecgov) and supplemented by periodic agency guidance
bull IT Examinations review the financial institutionrsquos Information Security Program
33
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program bull Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA)
for the safeguarding of customer information ndash Board of Directors will develop an Information Security Program that
addresses the requirements of loz Section 501(b) of the GLBA loz Federal Financial Institutions Examination Councilrsquos (FFIEC) ldquoInteragency Guidelines
Establishing Information Security Standardsrdquo (501[b] Guidelines) and loz Agency-specific guidelines (ie Appendix B to Part 364 of the FDICrsquos Rules and
Regulations)
bull The Information Security Program (ISP) is comprised of ndash Risk Assessment ndash Risk Management ndash Audit ndash Business ContinuityDisaster RecoveryIncident Response ndash Vendor Management ndash Board and Committee Oversight
34
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
bull Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact confidentiality and integrity of data andor availability of systems
bull Risk is determined based on the likelihood of a given threat-sourcersquos ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
bull The results of the risk assessment are used as a basis for establishing and implementing appropriate administrative technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program Risk Assessment and Risk Management
35
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to Customer Information
  – Criticality to Bank Operations
  – Ease of Replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks.
• Integrated into the regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures.
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC):
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and the necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and Wire Transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset’s inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation on how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security “Request List” (three slides; the list itself was an image and is not recoverable here)
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles: Minimum Access
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – independent validation that it works…
Verizon
• Report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM):
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
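The Verizon finding above (the evidence was already in the log files) and this slide’s closing point (archiving vs. reviewing) are the same lesson: logs that are collected but never correlated across sources detect nothing. The following is an added example, not code from the presenter or from any SIEM product: it runs two correlation rules over a handful of constructed syslog-style lines from three of the sources listed (network authentication, firewall, servers). A rule only fires when events from more than one source line up, which is what centralization buys. The line format, thresholds, addresses and the host inventory are all assumptions made for the example.

```python
"""Reviewing centralized logs instead of only archiving them.

Added example, not from the CliftonLarsonAllen deck: a small correlation pass
over constructed syslog-style lines from three of the sources the slide lists
(network authentication, firewall, servers). Formats, thresholds, addresses
and the host inventory are all assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data). Layout: "<iso-timestamp> <source> <action> key=value ...".
SAMPLE_LOGS = """\
2014-10-06T02:11:02 auth   fail user=jsmith src=203.0.113.45
2014-10-06T02:11:09 auth   fail user=jsmith src=203.0.113.45
2014-10-06T02:11:15 auth   fail user=jsmith src=203.0.113.45
2014-10-06T02:11:21 auth   fail user=jsmith src=203.0.113.45
2014-10-06T02:11:40 auth   success user=jsmith src=203.0.113.45 host=FS01
2014-10-06T02:15:03 fw     allow proto=tcp src=10.0.5.21 dst=198.51.100.7 dport=443 bytes=734003200
2014-10-06T02:15:10 server read host=FS01 share=loans user=jsmith
2014-10-06T08:30:00 auth   success user=mlee src=10.0.5.30 host=WS17
2014-10-06T08:31:12 fw     allow proto=tcp src=10.0.5.30 dst=198.51.100.9 dport=443 bytes=52000
"""

# Assumed asset inventory: internal address -> hostname (what SANS control 1 maintains).
HOSTS = {"10.0.5.21": "FS01", "10.0.5.30": "WS17"}

FAIL_THRESHOLD = 3                     # failed logins before a later success is suspicious
WINDOW = timedelta(minutes=10)         # how far back failures still count
BYTES_THRESHOLD = 100 * 1024 * 1024    # outbound volume worth a look (assumed)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+)\s+(?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text: str) -> list[dict]:
    """Turn raw lines into dicts holding ts, source, action and the key=value fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # in production an unparseable line is counted, never dropped silently
        ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
        ev["action"] = m["msg"].split()[0]
        ev.update(KV_RE.findall(m["msg"]))
        events.append(ev)
    return events


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def review(events: list[dict], hosts: dict[str, str]) -> list[tuple]:
    """Two correlation rules; each needs more than one log source to fire."""
    alerts = []
    failures = defaultdict(list)   # src address -> timestamps of failed logins
    last_login = {}                # hostname -> (ts, user, src) of the latest successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "auth" and ev["action"] == "fail":
            failures[ev["src"]].append(ev["ts"])
        elif ev["source"] == "auth" and ev["action"] == "success":
            # Rule 1: a success right after a burst of failures from the same address.
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_then_success", ev["user"], ev["src"]))
            last_login[ev.get("host")] = (ev["ts"], ev["user"], ev["src"])
        elif ev["source"] == "fw" and ev["action"] == "allow":
            # Rule 2: large outbound transfer from a host whose latest login came from outside.
            if int(ev["bytes"]) >= BYTES_THRESHOLD and is_internal(ev["src"]):
                host = hosts.get(ev["src"])
                login = last_login.get(host)
                if login and not is_internal(login[2]):
                    alerts.append(("large_outbound_after_external_login", host, login[1]))
    return alerts


if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOGS), HOSTS):
        print(*alert)
```

Neither rule is possible from a single box: the firewall does not know who is logged in to 10.0.5.21, and the authentication server does not see the 700 MB leaving. The second rule also depends on an accurate address-to-host inventory, which is why the inventory controls sit at the top of the SANS list later in this deck.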
Call To Action
Policies to set the foundation
Train your users
Thoroughly assess your risks
Three R’s: Recognize, React, Respond
Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People / Rules / Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA – Principal, Information Security Services – Randy.romes@cliftonlarsonallen.com – 888-529-2648
Governance Frameworks
• Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – “Digital Dozen”
• PCI-DSS version 3.0
SANS Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls - Version 5 (SANS Top 20 Controls)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS “First Five” (SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers.
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual) – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual) – http://www.verizonenterprise.com/DBIR
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program – Risk Assessment and Risk Management
• Assess risk periodically to identify reasonably foreseeable internal and external threats to data and information technology assets that could negatively impact the confidentiality and integrity of data and/or the availability of systems
• Risk is determined based on the likelihood of a given threat-source's ability to exercise a particular potential vulnerability and the resulting impact of that adverse event on the organization
• The results of the risk assessment are used as the basis for establishing and implementing appropriate administrative, technical and physical controls to reduce or eliminate the impact of the threat
Information Security Program – Audit
• ISP-related Audits/Reviews
  – ISP Review / IT General Controls Review
  – External/Internal Vulnerability and Penetration Assessments
  – Social Engineering Assessments
• E-Banking Reviews
  – ACH Audit
  – Wire Transfer Audit
  – Remote/Mobile Deposit Capture Audit
• Audit/Exam Recommendation Tracking and Reporting
Information Security Program – Business Continuity/Disaster Recovery, Incident Response
• Business Continuity/Disaster Recovery Plan
  – Annual testing of critical systems
  – Annual employee tabletop/scenario testing
  – Board reporting
• Incident Response Plan
  – Compromise of customer information
  – Annual testing
  – FS-ISAC
  – Cybersecurity examinations
Information Security Program – Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to customer information
  – Criticality to bank operations
  – Ease of replacement
• New vendor due diligence and annual reviews
• Continuous monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions, to raise awareness of cybersecurity risks and to evaluate the institutions' preparedness to mitigate them
• Integrated into the regular IT examination process, covering:
  – Cyber Risk Management and Oversight
  – Cybersecurity Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybersecurity web page: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and the necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14) (cont.)
• FI management should:
  – Monitor and maintain sufficient awareness of cybersecurity threat and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
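An added example (not part of the CLA deck or the FFIEC material) of one way to turn the connection-type inventory above into a repeatable check: it parses nmap grepable (-oG) output from a scan of the remote-access ranges (VPN concentrator, wireless controller, vendor WAN link), compares every open listener against an authorized-services inventory, and flags the cleartext protocols the slide names (Telnet/FTP) together with any host or listener the inventory does not know about. The addresses, the inventory and the scan output are constructed for the example; only the -oG line layout is nmap's own.

```python
"""Access-point review: nmap -oG output vs. an authorized-services inventory.

Example code written for this page; the addresses, inventory and scan
output below are constructed, not taken from any real institution.
"""

# Services that carry credentials or data in the clear and should not be
# reachable at any access point (the slide's Telnet/FTP plus close relatives).
CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "rlogin", "rsh"}

# Constructed authorized-services inventory: host -> set of (proto, port).
AUTHORIZED = {
    "10.10.1.5": {("tcp", 443), ("udp", 500), ("udp", 4500)},  # VPN concentrator
    "10.10.1.9": {("tcp", 22), ("tcp", 443)},                 # wireless controller
    "10.10.9.2": {("tcp", 22)},                               # vendor WAN router
}

# Constructed nmap -oG output.  Real -oG host lines are tab-separated and each
# port entry is port/state/proto/owner/service/rpcinfo/version/ .
SCAN_OUTPUT = (
    "# Nmap 6.47 scan initiated (constructed sample)\n"
    "Host: 10.10.1.5 (vpn.corp.test)\tPorts: 443/open/tcp//https///, "
    "500/open/udp//isakmp///, 4500/open/udp//nat-t-ike///\tIgnored State: closed (997)\n"
    "Host: 10.10.1.9 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.10.9.2 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: filtered (997)\n"
    "Host: 10.10.9.7 ()\tPorts: 23/open/tcp//telnet///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Yield (host, proto, port, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and "Status:" lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # host answered but nothing open was recorded
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            yield host, parts[2], int(parts[0]), parts[1], parts[4]


def review_access_points(scan_text, authorized):
    """Return one finding per (host, listener, issue) for management to assess."""
    findings = []
    for host, proto, port, state, service in parse_grepable(scan_text):
        # "open|filtered" (typical for UDP) is treated as open: unresolved is still exposure.
        if not state.startswith("open"):
            continue
        base = {"host": host, "proto": proto, "port": port, "service": service}
        if host not in authorized:
            findings.append({**base, "issue": "host_not_in_inventory"})
        elif (proto, port) not in authorized[host]:
            findings.append({**base, "issue": "unauthorized_listener"})
        if service in CLEARTEXT_SERVICES:
            findings.append({**base, "issue": "cleartext_protocol"})
    return findings


def summarize(findings):
    """Count findings by issue type, for the board-level summary."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_points(SCAN_OUTPUT, AUTHORIZED)
    for f in results:
        print(f"{f['issue']:<22} {f['host']}:{f['port']}/{f['proto']} ({f['service']})")
    print(summarize(results))
```

The inventory is the control that makes the check meaningful: a listener that is merely "open" is not a finding by itself, but a listener that nobody authorized, or a device the inventory has never heard of on the vendor range, is exactly the kind of access point the inherent-risk review is meant to surface.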
FFIEC Cybersecurity Assessment General Observations (cont.)
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and wire transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessment General Observations (cont.)
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies Used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessment General Observations (cont.)
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessment General Observations (cont.)
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting and resilience
      • Formal incident response programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessment Implications
• Increased Board and C-Suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation of how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security “Request List” (slides 48–50, reproduced as images)
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and endpoints
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know and use the online banking tools
10. Test, test, test – independent validation that it works…
Verizon (Data Breach Investigations Report)
• The report is an analysis of intrusions investigated by Verizon and the US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, its success and the removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM), fed by:
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
Archiving vs. reviewing: the Verizon findings above say the evidence was already in the logs; retaining them satisfies a checklist, but only routine review and automated alerting turn them into detection
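An added example (not from the CLA deck, and not any SIEM product's rule syntax) of the "reviewing, not just archiving" point, applied to the chain the Verizon slide describes: two log sources that have already been centralized (domain controller authentication events and firewall connection records) are normalized, then correlated into an alert when a burst of failed logons is followed by a success and the just-compromised host then pushes a large volume outbound. The log lines, host names, addresses, asset inventory and thresholds are all constructed for the example.

```python
"""Correlating firewall and authentication logs into alerts (SIEM-style).

Example code written for this page; the log lines, host names, addresses and
thresholds are constructed, not taken from any institution or product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: authentication events from a domain controller (dc01) and
# allowed connections from the perimeter firewall (fw01), already centralized.
SAMPLE_LOGS = """\
2014-11-03T02:14:01 dc01 auth: LOGON_FAILURE user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:14:03 dc01 auth: LOGON_FAILURE user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:14:05 dc01 auth: LOGON_FAILURE user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:14:06 dc01 auth: LOGON_FAILURE user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:14:08 dc01 auth: LOGON_FAILURE user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:14:10 dc01 auth: LOGON_SUCCESS user=jsmith src=203.0.113.45 dst=fs01
2014-11-03T02:31:44 fw01 conn: ALLOW proto=tcp src=10.10.5.20 dst=198.51.100.7 dport=443 bytes_out=734003200
2014-11-03T08:05:12 dc01 auth: LOGON_SUCCESS user=mlee src=10.10.2.31 dst=fs01
2014-11-03T08:06:00 fw01 conn: ALLOW proto=tcp src=10.10.2.31 dst=198.51.100.9 dport=443 bytes_out=51200
"""

# Constructed asset inventory: the correlation needs it to tie the host name in
# an authentication event to the address the firewall sees.
ASSET_INVENTORY = {"fs01": "10.10.5.20"}

FAIL_THRESHOLD = 5                  # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 100 * 1024 * 1024     # outbound volume worth an alert
EXFIL_WINDOW = timedelta(hours=24)  # how long after compromise to watch the host

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>LOGON_FAILURE|LOGON_SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn: ALLOW proto=\S+ src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=\d+ bytes_out=(?P<bytes>\d+)$")


def parse_events(text):
    """Normalize both log formats into dicts, oldest first; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = {"kind": "auth", **m.groupdict()}
        else:
            m = CONN_RE.match(line)
            if not m:
                continue
            ev = {"kind": "conn", **m.groupdict()}
            ev["bytes"] = int(ev["bytes"])
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(text):
    """Alert on the intrusion-then-exfiltration chain the Verizon report describes."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    compromised = {}              # host -> time of the suspicious successful logon
    for ev in parse_events(text):
        if ev["kind"] == "auth":
            key = (ev["src"], ev["user"])
            if ev["result"] == "LOGON_FAILURE":
                failures[key].append(ev["ts"])
                continue
            # A success wipes the failure history for that (src, user) either way.
            recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_success", "ts": ev["ts"], "host": ev["dst"],
                               "detail": f"{ev['user']} from {ev['src']} after {len(recent)} failures"})
                compromised[ev["dst"]] = ev["ts"]
        else:
            for host, since in compromised.items():
                if (ASSET_INVENTORY.get(host) == ev["src"]
                        and since <= ev["ts"] <= since + EXFIL_WINDOW
                        and ev["bytes"] >= EXFIL_BYTES):
                    alerts.append({"rule": "post_compromise_exfil", "ts": ev["ts"], "host": host,
                                   "detail": f"{ev['bytes']} bytes to {ev['dst']}"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a["ts"], a["rule"], a["host"], a["detail"])
```

Neither event is alarming alone: a few failed logons and a large HTTPS upload both happen every day. The alert comes from joining the two sources on the asset inventory and on time, which is work an archive never does and a reviewer rarely has time for by hand; the thresholds are the tuning knobs an institution sets from its own baseline.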
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People, Rules, Tools
Questions
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randyromes@cliftonlarsonallen.com
888-529-2648
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Governance Frameworks
• Common Frameworks – Matrix Resources: http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – “Digital Dozen”
• PCI DSS version 3.0
SANS Critical Security Controls – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS “First Five” (from the SANS Top 20 Controls)
1. Secure configurations…
2. Application whitelisting
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: Trustwave (annual) – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (annual) – http://www.verizonenterprise.com/DBIR
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Audit
bull ISP-related AuditsReviews
ndash ISP ReviewIT General Controls Review
ndash ExternalInternal Vulnerability and Penetration Assessments
ndash Social Engineering Assessments
bull E-Banking Reviews
ndash ACH Audit
ndash Wire Transfer Audit
ndash RemoteMobile Deposit Capture Audit
bull AuditExam Recommendation Tracking and Reporting
36
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Business ContinuityDisaster Recovery Incident Response
bull Business ContinuityDisaster Recovery Plan
ndash Annual Testing of Critical Systems
ndash Annual Employee TabletopScenario Testing
ndash Board Reporting
bull Incident Response Plan
ndash Compromise of customer information
ndash Annual Testing
ndash FS-ISAC
ndash Cybersecurity Examinations
37
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Information Security Program Vendor Management
bull Vendor Management Policy
bull Vendor Risk Assessment
ndash Access to Customer Information
ndash Criticality to Bank Operations
ndash Ease of Replacement
bull New Vendor Due Diligence and Annual Reviews
bull Continuous Monitoring
38
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be Prepared… Monitoring, Incident Response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know/use online banking tools
10. Test, Test, Test – independent validation that it works…
Verizon
• Report is analysis of intrusions investigated by Verizon and US Secret Service
• KEY POINTS
  – Time from successful intrusion to compromise of data was days to weeks
  – Log files contained evidence of the intrusion attempt, success and removal of data
  – Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM)
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. Reviewing
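The point of "Archiving vs. Reviewing", and of the Verizon finding that the logs already held evidence of the attempt, the success and the data leaving, is that centralized logs only help when something actually correlates them and raises an alert. The program below is an added example written for this page; it is not code from the presentation or from CliftonLarsonAllen. It normalizes constructed log lines from two of the sources listed above (network authentication and firewalls) into a common shape and applies two review rules: a run of failed logons followed by a success on the same account, and a large outbound transfer to an address outside the organization's networks. The log format, the thresholds and the internal address ranges are assumptions for the example.

```python
"""SIEM-style review of centralized logs (added example, not the page's own code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified key=value format. Assumption:
# a real deployment normalizes each vendor's format into something like this.
SAMPLE_LOGS = [
    "2014-11-03T22:01:10 vpn auth-fail user=jsmith src=203.0.113.7",
    "2014-11-03T22:01:14 vpn auth-fail user=jsmith src=203.0.113.7",
    "2014-11-03T22:01:19 vpn auth-fail user=jsmith src=203.0.113.7",
    "2014-11-03T22:01:25 vpn auth-fail user=jsmith src=203.0.113.7",
    "2014-11-03T22:01:31 vpn auth-fail user=jsmith src=203.0.113.7",
    "2014-11-03T22:01:40 vpn auth-ok user=jsmith src=203.0.113.7",
    "2014-11-03T22:05:02 server logon user=jsmith host=fileserver01",
    "2014-11-03T22:20:45 firewall allow src=10.0.0.25 dst=198.51.100.9 dport=443 bytes_out=734003200",
    "2014-11-04T08:15:00 vpn auth-ok user=asmith src=192.0.2.44",
    "2014-11-04T08:16:00 firewall allow src=10.0.0.31 dst=198.51.100.20 dport=443 bytes_out=20480",
    "this line is malformed and is skipped",
]

# Assumed tuning values; an institution would set these per asset risk.
FAIL_THRESHOLD = 5               # failed logons before a success is suspicious
FAIL_WINDOW_SECONDS = 300        # ...when they fall within this many seconds
EXFIL_BYTES = 100 * 1024 * 1024  # outbound volume that deserves a human look
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Normalize one raw line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return {"ts": ts, "source": m.group("source"), "event": m.group("event"),
            **dict(KV_RE.findall(m.group("rest")))}


def is_external(ip):
    """True when the address lies outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Apply two correlation rules across all sources; return alerts in time order."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logons

    for e in events:
        if e["source"] == "vpn" and e["event"] == "auth-fail":
            failures[e["user"]].append(e["ts"])
        elif e["source"] == "vpn" and e["event"] == "auth-ok":
            # Rule 1: a run of failures followed by a success on the same account.
            recent = [t for t in failures[e["user"]]
                      if (e["ts"] - t).total_seconds() <= FAIL_WINDOW_SECONDS]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute-force-then-success", "ts": e["ts"],
                               "user": e["user"], "src": e["src"], "failures": len(recent)})
            failures[e["user"]].clear()
        elif e["source"] == "firewall" and e["event"] == "allow":
            # Rule 2: a large outbound transfer to an address outside the network.
            sent = int(e.get("bytes_out", 0))
            if sent >= EXFIL_BYTES and is_external(e["dst"]):
                alerts.append({"rule": "large-outbound-transfer", "ts": e["ts"],
                               "src": e["src"], "dst": e["dst"], "bytes_out": sent})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        detail = {k: v for k, v in a.items() if k not in ("ts", "rule")}
        print(a["ts"].isoformat(), a["rule"], detail)
```

On the constructed input the review produces two alerts: the credential attack that succeeded against jsmith, and the 700 MB outbound transfer twenty minutes later. Both facts were in the archived logs; neither would have been seen without a rule that reads them. Rule 2 deliberately compares against the institution's own internal ranges rather than relying on a library's notion of "public" address, so it also works for reserved documentation addresses such as the ones used here.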
Call To Action
• Policies to set foundation
• Train your users
• Thoroughly assess your risks
• Three R’s: Recognize, React, Respond
• Thoroughly validate your controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
People – Rules – Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common Frameworks – Matrix Resources
  http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – “Digital Dozen”
• PCI DSS version 3.0
SANS Critical Security Controls – Version 5 (SANS Top 20 Controls)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (cont.)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS “First Five” (from the SANS Top 20 Controls)
1. Secure configurations…
2. Application white listing
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
  http://www.cisecurity.org
• Microsoft Security Checklists
  http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
  – http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (annual)
  – https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (annual)
  – http://www.verizonenterprise.com/DBIR
Information Security Program: Vendor Management
• Vendor Management Policy
• Vendor Risk Assessment
  – Access to customer information
  – Criticality to bank operations
  – Ease of replacement
• New Vendor Due Diligence and Annual Reviews
• Continuous Monitoring
FFIEC Cybersecurity Assessments
• In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of, and evaluate their preparedness to mitigate, cybersecurity risks
• Integrated into the regular IT Examination process:
  – Cyber Risk Management and Oversight
  – Cyber Security Controls
  – External Dependency Management
  – Threat Intelligence and Collaboration
  – Cyber Resilience
• Launched a cybercrime website: https://www.ffiec.gov/cybersecurity.htm
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• All FIs AND their critical technology service providers must have appropriate threat identification, information sharing and response procedures
• Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and the necessary mitigating controls for systems
  – Sharing information to help other FIs
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14)
• FI Management should:
  – Monitor and maintain sufficient awareness of cybersecurity threat and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI’s INHERENT RISK when assessing cybersecurity preparedness
    ◊ Connection Types: identify and assess the threats to all access points to the internal network
      • VPN
      • Wireless
      • Telnet/FTP
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and Services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and wire transfer origination
      • External funds transfers (A2A, P2P, bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
bull In the summer of 2014 the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cybersecurity Assessment procedures at over 500 community financial institutions to raise awareness of and evaluate their preparedness to mitigate cybersecurity risks
bull Integrated into regular IT Examination process
ndash Cyber Risk Management and Oversight
ndash Cyber Security Controls
ndash External Dependency Management
ndash Threat Intelligence and Collaboration
ndash Cyber Resilience
bull Launched a cybercrime website httpswwwffiecgovcybersecurityhtm
39
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull All FIs AND their critical technology service providers must have appropriate threat identification information sharing and response procedures
bull Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
ndash Improved identification and mitigation of attacks
ndash Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
ndash Sharing information to help other FIs
40
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11314)
bull FI Management should
ndash Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
ndash Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization loz FS-ISAC wwwfsisaccom
loz FBI Infragard wwwinfragardorg
loz US Computer Emergency Readiness Team at US-CERT wwwus-certgov
loz US Secret Service Electronic Crimes Task Force wwwsecretservicegovectfshtml
41
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (the "SANS Top 20 Controls"), continued
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS "First Five" (the quick wins drawn from the Top 20 Controls)
1. Secure configurations
2. Application whitelisting
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true and http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will come from the "big" software and hardware providers.
A checklist only becomes a control once the running configuration is verified against it, and verified again after every change; "we applied the checklist" is a claim to test, not a finding.
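Added example, not from the deck and not CIS's or Microsoft's material: a Python check that compares an OpenSSH server configuration against a small hardening baseline, the kind of verification "secure configurations" (SANS First Five, item 1) and the checklists above call for. The baseline dictionary is an assumption for this example (values of the sort a CIS-style benchmark asks for, not the benchmark text), and the sshd_config excerpt is constructed. The check also demonstrates the trap that makes a checklist look applied when it is not: sshd uses the first value it reads for a keyword, so a hardened line appended at the end of the file does not override an earlier one.

```python
"""Config-baseline check for sshd_config (added example).

Parsing rules mirrored from sshd_config(5): keywords are case-insensitive,
keyword and argument are separated by whitespace or '=', lines starting
with '#' are comments, the FIRST value obtained for a keyword wins, and
everything after a 'Match' line is conditional rather than global config.
"""
import re

# Hardening baseline: an assumption for this example, not CIS's text.
# A value is either the exact expected string or a predicate on the string.
# ("Protocol" matters for the OpenSSH releases of the deck's era; newer
# releases only speak protocol 2 and ignore the keyword.)
BASELINE = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
}

# Constructed sshd_config excerpt (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries=6
# Appended by the last hardening pass; ignored by sshd because an
# earlier PermitRootLogin line already set the value.
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

_SPLIT = re.compile(r"[\s=]+")


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section only."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":                 # rest of the file is conditional
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)   # first value wins, as in sshd
    return effective


def check_config(text, baseline=BASELINE):
    """Map each baseline keyword to (status, actual); status is PASS, FAIL or MISSING."""
    effective = parse_sshd_config(text)
    results = {}
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        if actual is None:
            # Not set: sshd applies its compiled-in default, which the reviewer
            # must look up for that version; never assume it matches the baseline.
            results[key] = ("MISSING", None)
        elif callable(expected):
            results[key] = ("PASS" if expected(actual) else "FAIL", actual)
        else:
            ok = actual.lower() == expected.lower()
            results[key] = ("PASS" if ok else "FAIL", actual)
    return results


def failing_keys(results):
    """Keywords that need remediation (FAIL or MISSING), in baseline order."""
    return [k for k, (status, _) in results.items() if status != "PASS"]


if __name__ == "__main__":
    for key, (status, actual) in check_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{status:7} {key} = {actual!r}")
```

On the sample file only Protocol passes: root login is still permitted despite the appended line, password authentication is commented out and so falls back to the daemon's default, and MaxAuthTries exceeds the baseline. Run against the live file on each host, and re-run after changes, this is the "verify" step that turns a checklist into a control.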
"Three" Security Reports
• Trends: SANS Top Cyber Security Risks (2009) – http://www.sans.org/top-cyber-security-risks
• Intrusion analysis: Trustwave (annual) – https://www.trustwave.com/whitePapers.php
• Intrusion analysis: Verizon Data Breach Investigations Report (annual) – http://www.verizonenterprise.com/DBIR
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (November 3, 2014)
• FI management should:
  – Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly
  – Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization
    ◊ FS-ISAC: www.fsisac.com
    ◊ FBI InfraGard: www.infragard.org
    ◊ US Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
    ◊ US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk
  – Management must understand the FI's inherent risk when assessing cybersecurity preparedness
    ◊ Connection types: identify and assess the threats to all access points into the internal network
      • VPN
      • Wireless
      • Telnet/FTP (cleartext protocols: credentials and data are readable by anyone on the network path, so each remaining instance needs a documented business reason and a migration plan to SSH/SFTP or another encrypted equivalent)
      • Vendor LAN/WAN access
      • BYOD
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Products and services: identify and assess threats to all products and services currently offered and planned
      • Online ACH and wire transfer origination
      • External funds transfers (A2A, P2P, bill pay)
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Inherent Risk (cont.)
    ◊ Technologies used: identify and assess threats to all technologies currently used and planned
      • Core systems
      • ATMs
      • Internet and mobile applications
      • Cloud computing
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness
  – Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity controls: preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: General Observations
• Cybersecurity Preparedness (cont.)
    ◊ Cyber incident management and resilience: incident detection, response, mitigation, escalation, reporting, and resilience
      • Formal incident response programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment: Implications
• Increased board and C-suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation of how the FI is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List" (three slides; the request list itself was presented as an image and is not reproduced in the text)
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared: monitoring, incident response, and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy, data-centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis, and alerting capabilities
8. Incident response capabilities
9. Know and use the fraud-control tools in your online banking platform
10. Test, test, test: independent validation that it works
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk
ndash Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness
loz Connection Types identify and assess the threats to all access points to the internal network
bull VPN
bull Wireless
bull TelnetFTP
bull Vendor LANWAN access
bull BYOD
42
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Products and Services identify and assess threats to all products and services currently offered and planned
bull Online ACH and Wire Transfer origination
bull External funds transfers (A2A P2P bill pay)
43
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Inherent Risk (cont)
loz Technologies Used identify and assess threats to all technologies currently used and planned
bull Core systems
bull ATMs
bull Internet and mobile applications
bull Cloud computing
44
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness
ndash Current cybersecurity practices and overall preparedness should include
loz Cybersecurity Controls Preventive detective or corrective procedures for mitigating identified cybersecurity threats
bull Patching encryption limited user access
bull Intrusion detectionprevention systems firewall alerts
bull Formal audit program with scope and schedule based on an assetrsquos inherent risk prompt and documented remediation of findings regular activity report reviews
45
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
bull Cybersecurity Preparedness (cont)
ndash
loz Cyber Incident Management and Resilience Incident detection response mitigation escalation reporting and resilience
bull Formal Incident Response Programs including regulatory and customer notification guidelines and procedures
bull Senior management and board incident reporting
46
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment Implications
bull Increased Board and C-Suite Involvement
bull Participation in information-sharing group(s)
bull Cybersecurity scenario testing with employees and management
bull Increased oversight of third-party service providers
bull Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings
47
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
48
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
49
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Recent Examiner Supplemental Cyber Security ldquoRequest Listrdquo
50
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
Key Defensive Strategies
51
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources: Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
  http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the "BIG" software and hardware providers.
"Three" Security Reports
• Trends: SANS 2009 Top Cyber Security Risks
  - http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: Trustwave (annual)
  - https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (annual)
  - http://www.verizonenterprise.com/DBIR
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessment General Observations
• Cybersecurity Preparedness
  - Current cybersecurity practices and overall preparedness should include:
    ◊ Cybersecurity Controls: preventive, detective, or corrective procedures for mitigating identified cybersecurity threats
      • Patching, encryption, limited user access
      • Intrusion detection/prevention systems, firewall alerts
      • Formal audit program with scope and schedule based on an asset's inherent risk; prompt and documented remediation of findings; regular activity report reviews
FFIEC Cybersecurity Assessment General Observations (continued)
• Cybersecurity Preparedness (cont.)
    ◊ Cyber Incident Management and Resilience: incident detection, response, mitigation, escalation, reporting, and resilience
      • Formal incident response programs, including regulatory and customer notification guidelines and procedures
      • Senior management and board incident reporting
FFIEC Cybersecurity Assessment Implications
• Increased board and C-suite involvement
• Participation in information-sharing group(s)
• Cybersecurity scenario testing with employees and management
• Increased oversight of third-party service providers
• Documentation of how the financial institution (FI) is addressing the FFIEC Cybersecurity Assessment findings
Recent Examiner Supplemental Cyber Security "Request List"
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared: monitoring, incident response, and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and end points
4. Encryption strategy, data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis, and alerting capabilities
8. Incident response capabilities
9. Know and use online banking tools
10. Test, test, test: independent validation that it works
Verizon (Data Breach Investigations Report)
• The report is an analysis of intrusions investigated by Verizon and the US Secret Service
• Key points:
  - Time from successful intrusion to compromise of data was days to weeks
  - Log files contained evidence of the intrusion attempt, its success, and the removal of data
  - Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis, and Alerting
Centralized audit logging, analysis, and automated alerting capabilities (SIEM), fed by:
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. reviewing: logs that are only stored are not a detective control; someone, or an automated rule, has to review them and act on what they show
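One way to act on the "archiving vs. reviewing" point, as an added example that is not from the CLA deck: a minimal correlation pass, in Python, over constructed log lines from three of the sources the slide lists (VPN/network authentication, a server's security log, and the firewall). The line layout, host names, addresses and thresholds are assumptions made for this example. It chains the three observations from the Verizon slide: credential guessing that eventually succeeds, the account then gaining administrative group membership, and a large outbound transfer from the session's internal address a day later, the kind of evidence that sat unread in the archived logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, assumed to be already shipped to one collector.
# The "<ISO timestamp> <source> <key=value ...>" layout, the host names and
# the addresses are assumptions made for this example, not a vendor format.
SAMPLE_LOGS = """\
2014-03-03T02:10:05 vpn      auth=failure user=jsmith src=203.0.113.7
2014-03-03T02:10:09 vpn      auth=failure user=jsmith src=203.0.113.7
2014-03-03T02:10:14 vpn      auth=failure user=jsmith src=203.0.113.7
2014-03-03T02:10:20 vpn      auth=failure user=jsmith src=203.0.113.7
2014-03-03T02:10:27 vpn      auth=failure user=jsmith src=203.0.113.7
2014-03-03T02:11:40 vpn      auth=success user=jsmith src=203.0.113.7 assigned=10.1.5.23
2014-03-03T02:15:02 server   event=group-add host=fs01 user=jsmith group=Administrators
2014-03-04T09:02:11 firewall action=allow src=10.1.5.23 dst=10.1.1.4 dport=445 bytes_out=12000
2014-03-04T23:40:11 firewall action=allow src=10.1.5.23 dst=198.51.100.9 dport=443 bytes_out=2147483648
2014-03-05T08:00:00 vpn      auth=success user=mlee src=192.0.2.44 assigned=10.1.5.30
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

FAIL_THRESHOLD = 5                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # how far back failures are counted
EXFIL_BYTES = 500 * 1024 * 1024       # one outbound flow this large is flagged (assumed)


def parse(log_text):
    """Normalize each line into a dict: timestamp, source tag, and the key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production pipeline would count and report these
        ts, source, fields = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(kv.split("=", 1) for kv in fields.split() if "=" in kv)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the internal range


def correlate(events):
    """Chain three observations across sources: guessed credentials that finally
    succeed, that account then gaining admin group membership on a server, and a
    large outbound flow from the same VPN session's internal address."""
    alerts = []
    failures = {}        # external source ip -> timestamps of recent auth failures
    suspect_users = set()
    suspect_hosts = {}   # internal address handed to a suspicious session -> user
    for ev in events:
        if ev["source"] == "vpn":
            src = ev["src"]
            recent = [t for t in failures.get(src, []) if ev["ts"] - t <= FAIL_WINDOW]
            if ev["auth"] == "failure":
                failures[src] = recent + [ev["ts"]]
            elif ev["auth"] == "success":
                if len(recent) >= FAIL_THRESHOLD:
                    suspect_users.add(ev["user"])
                    suspect_hosts[ev["assigned"]] = ev["user"]
                    alerts.append(("credential-guessing-success", ev["user"], src))
                failures.pop(src, None)
        elif ev["source"] == "server" and ev.get("event") == "group-add":
            if ev["user"] in suspect_users:
                alerts.append(("admin-group-add-by-suspect", ev["user"], ev["host"]))
        elif ev["source"] == "firewall" and ev.get("action") == "allow":
            if (ev["src"] in suspect_hosts and not is_internal(ev["dst"])
                    and int(ev["bytes_out"]) >= EXFIL_BYTES):
                alerts.append(("possible-exfiltration", suspect_hosts[ev["src"]], ev["dst"]))
    return alerts


def review(log_text):
    """Archiving keeps the lines; reviewing runs the rules over them and returns alerts."""
    return correlate(parse(log_text))


if __name__ == "__main__":
    for alert in review(SAMPLE_LOGS):
        print(alert)
```

Run stand-alone it prints three alerts for the jsmith chain and nothing for the ordinary mlee login. The rules are deliberately the three facts the Verizon slide reports, not a general ruleset: in a SIEM they would be correlation rules with tuned thresholds, and the value comes only when the alerts reach someone who responds, which is the difference between archiving and reviewing.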
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
  - High expectations of your vendors
  - Penetration testing
  - Application testing
  - Vulnerability scanning
  - Social engineering testing
People, Rules, Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
Randy.romes@cliftonlarsonallen.com
888-529-2648
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Key Defensive Strategies
Strategies
Our information security strategy should have the following objectives:
• Users who are more aware and savvy
• Networks that are resistant to malware
• Be prepared… monitoring, incident response and forensic capabilities
Ten Keys to Mitigate Risk
1. Strong policies
2. Defined user access roles (minimum access)
3. Hardened internal systems and endpoints
4. Encryption strategy – data centered
5. Vulnerability management process
6. Perimeter security layers
7. Centralized logging, analysis and alerting capabilities
8. Incident response capabilities
9. Know and use online banking tools
10. Test, test, test – independent validation that it works…
Verizon Data Breach Investigations Report (DBIR)
• The report is an analysis of intrusions investigated by Verizon and the US Secret Service
• Key points:
– Time from successful intrusion to compromise of data was days to weeks
– Log files contained evidence of the intrusion attempt, its success and the removal of data
– Most successful intrusions were not considered highly difficult
Centralized Logging, Analysis and Alerting
Centralized audit logging, analysis and automated alerting capabilities (SIEM) covering:
• Firewalls
• Security appliances
• Routing infrastructure
• Network authentication
• Servers
• Applications
• Archiving vs. reviewing (logs that are only stored and never analyzed detect nothing; the Verizon finding above is that the evidence was already in the logs)
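As an added example (not from the CliftonLarsonAllen slides), the script below shows what "reviewing" rather than "archiving" looks like when it is automated: a small correlation engine that reads lines from two of the sources listed above, network authentication (an sshd auth log) and the firewall, and raises an alert for the pattern the Verizon key points describe, a low-sophistication password guessing run that succeeds, followed by a large outbound transfer from the same host. The log formats, host names, IP addresses, asset map and thresholds are assumptions constructed for illustration, not real logs or any product's rule syntax.

```python
"""Toy SIEM correlation over constructed log lines (added example, not from the deck)."""
import re
from collections import deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # failed logins before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # failures must fall inside this window
EXFIL_WINDOW = timedelta(hours=2)     # large outbound flow this soon after a takeover
EXFIL_BYTES = 100 * 1024 * 1024       # 100 MiB out in a single flow record

# Assumed asset inventory: host name in the auth log -> internal address seen by the
# firewall. A real SIEM would pull this from the device inventory (CSC 1) or DHCP.
ASSETS = {"fileserver": "10.0.0.5"}

# Constructed sample lines; timestamps tell the story in order. Not real logs.
SAMPLE_LOGS = """\
2013-11-04T02:10:01 fileserver sshd[311]: Failed password for admin from 198.51.100.7 port 50120
2013-11-04T02:10:03 fileserver sshd[311]: Failed password for admin from 198.51.100.7 port 50121
2013-11-04T02:10:05 fileserver sshd[311]: Failed password for admin from 198.51.100.7 port 50122
2013-11-04T02:10:07 fileserver sshd[311]: Failed password for admin from 198.51.100.7 port 50123
2013-11-04T02:10:09 fileserver sshd[311]: Failed password for admin from 198.51.100.7 port 50124
2013-11-04T02:10:12 fileserver sshd[311]: Accepted password for admin from 198.51.100.7 port 50125
2013-11-04T02:11:00 fileserver sshd[340]: Accepted publickey for backup from 10.0.0.9 port 44010
2013-11-04T02:25:40 fw  SRC=10.0.0.5 DST=203.0.113.44 PROTO=TCP DPT=443 OUT_BYTES=734003200
2013-11-04T09:00:00 fw  SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443 OUT_BYTES=120000
2013-11-04T09:30:00 fw  SRC=10.0.0.5 DST=203.0.113.44 PROTO=TCP DPT=443 OUT_BYTES=734003200
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+)\s+SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*OUT_BYTES=(?P<nbytes>\d+)")


def parse_line(line):
    """Normalise one raw line from either source into an event dict, or None."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                "host": m["host"], "user": m["user"], "src": m["src"],
                "ok": m["result"] == "Accepted"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                "src": m["src"], "dst": m["dst"], "nbytes": int(m["nbytes"])}
    return None


def correlate(lines):
    """Run two rules over lines in time order and return the alerts raised."""
    alerts = []
    failures = {}      # (host, user, src) -> deque of failure timestamps in window
    compromised = {}   # internal IP -> time the takeover alert fired
    for ev in filter(None, map(parse_line, lines)):
        if ev["source"] == "auth":
            key = (ev["host"], ev["user"], ev["src"])
            q = failures.setdefault(key, deque())
            while q and ev["ts"] - q[0] > FAIL_WINDOW:   # expire old failures
                q.popleft()
            if not ev["ok"]:
                q.append(ev["ts"])
            elif len(q) >= FAIL_THRESHOLD:
                # Rule 1: a burst of failures followed by a success = guessed password
                alerts.append({"rule": "brute_force_success", "ts": ev["ts"],
                               "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "failures": len(q)})
                if ev["host"] in ASSETS:
                    compromised[ASSETS[ev["host"]]] = ev["ts"]
                q.clear()
        else:
            # Rule 2: large outbound flow from a just-compromised host = data removal
            t0 = compromised.get(ev["src"])
            if (t0 is not None and ev["nbytes"] >= EXFIL_BYTES
                    and timedelta(0) <= ev["ts"] - t0 <= EXFIL_WINDOW):
                alerts.append({"rule": "exfil_after_compromise", "ts": ev["ts"],
                               "src": ev["src"], "dst": ev["dst"],
                               "nbytes": ev["nbytes"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input the script raises exactly two alerts: the guessed admin password at 02:10:12 and the 700 MB outbound flow fifteen minutes later. The legitimate key-based login, the small flow and the equally large flow seven hours later (outside the two-hour window) are left alone, which is the point of correlating across sources and time rather than alerting on any single record.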
Call To Action
• Policies to set the foundation
• Train your users
• Thoroughly assess your risks
• Three R's: Recognize, React, Respond
• Thoroughly validate your controls
– High expectations of your vendors
– Penetration testing
– Application testing
– Vulnerability scanning
– Social engineering testing
People – Rules – Tools
Questions
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, Information Security Services
randy.romes@cliftonlarsonallen.com
888-529-2648
Governance Frameworks
• Common frameworks – matrix resources:
http://net.educause.edu/ir/library/pdf/CSD5876.pdf
PCI DSS – the “Digital Dozen” (twelve requirements)
• PCI DSS version 3.0
SANS Critical Security Controls (Top 20) – Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
SANS Critical Security Controls – Version 5 (continued)
11. Limitation and Control of Network Ports, Protocols and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS “First Five”
1. Secure configurations…
2. Application whitelisting
3. Controlled use of administrative privileges
4. Application of critical operating system patches
5. Application of critical application patches
FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/audit.aspx
Resources – Hardening Checklists
Hardening checklists from vendors:
• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org
• Microsoft Security Checklists:
http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers.
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Risks
– http://www.sans.org/top-cyber-security-risks
• Intrusion analysis: Trustwave (annual) – https://www.trustwave.com/whitePapers.php
• Intrusion analysis: Verizon Business Services (annual) – http://www.verizonenterprise.com/DBIR
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Strategies
Our information security strategy should have the following objectives
bull Users who are more aware and savvy
bull Networks that are resistant to malware
bull Be Preparedhellip Monitoring Incident Response and forensic Capabilities
52
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
1 Strong policies
2 Defined user access roles Minimum Access
3 Hardened internal systems and end points
4 Encryption strategy ndash data centered
5 Vulnerability management process
Ten Keys to Mitigate Risk
6 Perimeter security layers
7 Centralized logging analysis and alerting capabilities
8 Incident response capabilities
9 Know use online banking tools
10Test Test Test ndash Independent validation that it workshellip
53
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Verizon bull Report is analysis of intrusions
investigated by Verizon and US Secret Service
bull KEY POINTS ndash Time from successful intrusion to
compromise of data was days to weeks
ndash Log files contained evidence of the intrusion attempt success and removal of data
ndash Most successful intrusions were not considered highly difficult
54
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Centralized Logging Analysis and Alerting Centralized audit logging analysis and automated alerting capabilities (SIEM)
bullFirewalls
bullSecurity appliances
bullRouting infrastructure
bullNetwork authentication
bullServers
bullApplications
bullArchiving vs Reviewing
55
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Call To Action
56
Policies to set foundation
Train your users
Thoroughly assess your risks
Three Rrsquos Recognize React Respond
Thoroughly validate your controls
ndash High expectations of your vendors
ndash Penetration testing
ndash Application testing
ndash Vulnerability scanning
ndash Social engineering testing
People Rules
`
Tools
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Questions
57
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources ndash Hardening Checklists
Hardening checklists from vendors
bull CIS offers vendor-neutral hardening resources
httpwwwcisecurityorg
bull Microsoft Security Checklists httpwwwmicrosoftcomtechnetarchivesecuritychklistdefaultmspxmfr=true
httptechnetmicrosoftcomen-uslibrarydd366061aspx
Most of these will be from the ldquoBIGrdquo software and hardware providers
65
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
ldquoThreerdquo Security Reports bull Trends Sans 2009 Top Cyber Security Threats
ndash httpwwwsansorgtop-cyber-security-risks
bull Intrusion Analysis TrustWave (Annual) ndash httpswwwtrustwavecomwhitePapersphp
bull Intrusion Analysis Verizon Business Services (Annual) ndash httpwwwverizonenterprisecomDBIR
66
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
cliftonlarsonallencom
twittercom CLA_CPAs
facebookcom cliftonlarsonallen
linkedincomcompany cliftonlarsonallen
Randy Romes CISSP CRISC MCP PCI-QSA Principal Information Security Services Randyromescliftonlarsonallencom 8885292648
58
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Governance Frameworks
bull Common Frameworks - Matrix Resources
httpneteducauseeduirlibrarypdfCSD5876pdf
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
PCI DSS ndash ldquoDigital Dozenrdquo bull PCI ndash DSS version 30
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices Laptops Workstations and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls Routers and Switches
61
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS Critical Security Controls - Version 5 11 Limitation and Control of Network Ports Protocols and
Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance Monitoring and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
62
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
SANS ldquoFirst Fiverdquo 1 Secure configurationshellip
2 Application white listing
3 Controlled use of administrative privileges
4 Application of critical operating systems patches
5 Application of critical application patches
63
SANS Top 20 Controls
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
FFIEC IT Examination Handbook
httpithandbookffiecgovit-bookletsauditaspx
copy2
01
3 C
lifto
nLa
rso
nA
llen
LLP
Resources – Hardening Checklists
Hardening checklists from vendors
• CIS offers vendor-neutral hardening resources
http://www.cisecurity.org
• Microsoft Security Checklists
http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
http://technet.microsoft.com/en-us/library/dd366061.aspx
Most of these will be from the “BIG” software and hardware providers.
65
“Three” Security Reports
• Trends: SANS 2009 Top Cyber Security Threats
– http://www.sans.org/top-cyber-security-risks
• Intrusion Analysis: TrustWave (Annual)
– https://www.trustwave.com/whitePapers.php
• Intrusion Analysis: Verizon Business Services (Annual)
– http://www.verizonenterprise.com/DBIR
66