Ed McMurray, CISA, CISSP, CTGA - LBA

Transcription

Ed McMurray, CISA, CISSP, CTGA
CoNetrix

AGENDA
- Introduction
- Cybersecurity
  - Recent News
  - Regulatory Statements
  - NIST Cybersecurity Framework
  - FFIEC Cybersecurity Assessment
- Questions
- Information Security Stats (if we have time)

DISCLAIMER
The information contained in this session may contain privileged and confidential information. This presentation is for information purposes only. Before acting on any ideas presented in this session, security, legal, technical, and reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution. No computer system can provide absolute security under all conditions. Any views or opinions presented do not necessarily state or reflect those of CoNetrix or ICBA NM. The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited. All original CoNetrix material is Copyright 2015 CoNetrix.


CYBERSECURITY RECENT HISTORY
- Feb. 2013 – Presidential Executive Order 13636
- June 2013 – FFIEC forms Cybersecurity and Critical Infrastructure Working Group
- Aug. 2013 – Council on Cybersecurity launched
- Feb. 2014 – NIST Released Cybersecurity Framework
- May 2014 – NY Report on Cybersecurity in the Banking Sector
- May 2014 – FFIEC Cybersecurity webinar
- June 2014 – FFIEC Launches Cybersecurity Web Page
- June – July 2014 – FFIEC Commences Cybersecurity Assessments
- Nov. 2014 – FFIEC Released Observations from Cybersecurity Assessment
- Feb. 2015 – FFIEC Revised BCP IT Exam Booklet
- Mar. 2015 – FFIEC Provides Overview of Cybersecurity Priorities
- Mar. 2015 – Office of Inspector General releases report on FDIC’s Supervisory Approach to Cyberattack Risks
- Mar. 2015 – FFIEC Releases 2 Statements on Compromised Credentials and Destructive Malware
- June 2015 – FFIEC Releases Cybersecurity Assessment Tool

FEDERAL RESERVE SR 15-9
“In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”

OCC BULLETIN 2015-31
“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”
“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”

FDIC FIL-28-2015
“Use of the Cybersecurity Assessment Tool is voluntary.”
“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”

CONFERENCE OF STATE BANK SUPERVISORS (CSBS)
“The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank’s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue.”
- CSBS Cybersecurity 101

NY STATE – REPORT ON CYBERSECURITY

CHALLENGE
We now have multiple information security frameworks. How do they fit together?
- PCI DSS
- NACHA Security
- HIPAA
- IT/GLBA Information Security Program
- FFIEC Cybersecurity Assessment Tool
- NIST Cybersecurity Framework

HOPEFULLY . . .
We would like to see integration. One information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc.
[Diagram: IT/GLBA Information Security Program encompassing FFIEC Cybersecurity Assessment Tool, PCI DSS, More PAA]

REQUEST FOR ALIGNMENT OF FFIEC & NIST CYBERSECURITY DOCUMENTS

CALL FOR CYBERSECURITY FRAMEWORK
- Voluntary risk-based set of industry standards & best practices
- Methodology to protect individual privacy & civil liberties through cybersecurity activities
- Framework 0 (NIST)

NIST CYBERSECURITY FRAMEWORK CORE

NIST CYBERSECURITY FRAMEWORK

FRAMEWORK CORE
- Identify
- Protect
- Detect
- Respond
- Recover

IMPLEMENTATION TIERS
- Partial
- Risk Informed
- Repeatable
- Adaptive

PROCESS FLOW

FFIEC CYBERSECURITY ASSESSMENT TOOL
- Part One: Inherent Risk Profile
- Part Two: Cybersecurity Maturity
- Interpreting & Analysis
  - Senior management and Board reporting

PART ONE: INHERENT RISK PROFILE
Consists of 78 questions across 5 categories:
- Technology and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

INHERENT RISK PROFILE LAYOUT

DETERMINE INHERENT RISK PROFILE

PART TWO: CYBERSECURITY MATURITY
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

CYBERSECURITY MATURITY LEVELS

CYBERSECURITY MATURITY

MATURITY MODEL
- Domain
  - Assessment Factor
    - Contributing Components
      - Declarative Statements

CYBERSECURITY MATURITY EXCERPT

MATURITY

CYBERSECURITY MATURITY LEVELS

SETTING MATURITY LEVELS
- All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.
- While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
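As an added illustration of the rule on this slide (example code written for this transcription, not the presenter's or CoNetrix's, and not part of the FFIEC tool): the function walks the CAT's five maturity levels, whose names (Baseline through Innovative) are the tool's and are not printed on the slide, and credits a domain with the highest level at which every declarative statement in that level and in all lower levels is attained. It returns one level per domain and deliberately computes no overall level, matching the second bullet. The two domain names are from the slide; the statement ids and the attained/not-attained answers are constructed sample data.

```python
from collections import defaultdict

# The five FFIEC CAT maturity levels, lowest to highest. The slide names only
# the concept "maturity levels"; these level names are taken from the CAT itself.
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample assessment: (domain, maturity level, statement id, attained).
# The domain names are two of the five CAT domains listed on the slide; the
# statement ids and answers are made up for this example.
SAMPLE_STATEMENTS = [
    ("Cybersecurity Controls", "Baseline",     "CC-B-1", True),
    ("Cybersecurity Controls", "Baseline",     "CC-B-2", True),
    ("Cybersecurity Controls", "Evolving",     "CC-E-1", True),
    ("Cybersecurity Controls", "Evolving",     "CC-E-2", True),
    ("Cybersecurity Controls", "Intermediate", "CC-I-1", True),
    ("Cybersecurity Controls", "Intermediate", "CC-I-2", False),  # one gap at Intermediate
    ("Cybersecurity Controls", "Advanced",     "CC-A-1", True),   # met, but cannot count yet
    ("Cyber Incident Management and Resilience", "Baseline", "IR-B-1", False),  # gap at Baseline
    ("Cyber Incident Management and Resilience", "Evolving", "IR-E-1", True),
]


def _group(statements):
    """Index statements as {domain: {level: [(statement id, attained), ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for domain, level, statement_id, attained in statements:
        if level not in MATURITY_LEVELS:
            raise ValueError(f"unknown maturity level {level!r} for {statement_id}")
        grouped[domain][level].append((statement_id, attained))
    return grouped


def domain_maturity(statements):
    """Return {domain: achieved level or None}, one entry per domain.

    A level counts only if every declarative statement in it AND in every
    lower level is attained, so the walk stops at the first level with a gap.
    A level with no statements recorded for the domain is treated as a gap
    too: an unassessed level cannot be claimed. No overall level is computed,
    because the Assessment does not define one.
    """
    result = {}
    for domain, by_level in _group(statements).items():
        achieved = None
        for level in MATURITY_LEVELS:
            entries = by_level.get(level, [])
            if not entries or not all(attained for _, attained in entries):
                break
            achieved = level
        result[domain] = achieved
    return result


def gaps_to_next_level(statements, domain):
    """Statement ids still unmet in the lowest level the domain has not attained.

    These are the statements that actually block the next level; attained
    statements in higher levels do not help until this list is empty.
    """
    by_level = _group(statements).get(domain, {})
    for level in MATURITY_LEVELS:
        entries = by_level.get(level, [])
        unmet = [sid for sid, attained in entries if not attained]
        if not entries or unmet:
            return unmet
    return []


if __name__ == "__main__":
    for domain, level in domain_maturity(SAMPLE_STATEMENTS).items():
        print(f"{domain}: {level}; blocking statements: "
              f"{gaps_to_next_level(SAMPLE_STATEMENTS, domain)}")
```

With the sample data, Cybersecurity Controls lands at Evolving even though an Advanced statement is met, because one Intermediate statement is unmet; the incident management domain has no level at all until its Baseline gap is closed. The same shape works for the real tool once the statements are loaded from the institution's completed worksheet.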

MATURITY

INTERPRETING & ANALYZING RESULTS

INTERPRETING AND ANALYZING RESULTS

BENEFITS
- Identifying factors contributing to and determining the institution’s overall cyber risk.
- Assessing the institution’s cybersecurity preparedness.
- Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
- Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness.
- Informing risk management strategies.

FFIEC PRIORITIES
- Cybersecurity Self-Assessment Tool
- Incident Analysis
- Crisis Management
- Training
- Policy Development
- Technology Service Provider Strategy
- Collaboration with Law Enforcement and Intelligence Agencies

RESOURCES
- FFIEC Cybersecurity Awareness Web Page: www.ffiec.gov/cybersecurity.htm
- NCUA Cyber Security ity-resources.aspx
- NIST Cybersecurity Framework: www.nist.gov/cyberframework
- Financial Services Information Sharing and Analysis Center (FS-ISAC): www.fsisac.com
- InfraGard: www.infragard.org
- US Computer Emergency Readiness Team: www.us-cert.gov
- US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
- ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx
- Council on CyberSecurity: www.counciloncybersecurity.org
- CSBS Conference of State Bank /default.aspx

FDIC – CYBER CHALLENGE irector/technical/cyber/cyber.html

QUESTIONS
Ed www.conetrix.com

CASE STUDY
A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.

SOCIAL ENGINEERING TESTS – 99 TESTS
[Pie chart: 99 Social Engineering Tests in 2014; 13% / 87%; legend: Passed, Failed]

SOCIAL ENGINEERING TESTS
[Bar chart: Social Engineering Tests conducted in 2014, by type (Phishing Email, Social Engineering Call); legend: Failed, Passed]

SOCIAL ENGINEERING TESTS DETAILS
Type of Test            | Total Tests | Total Responses | % Failure
Phishing Email          | 5,935       | 1,180           | 19.9%
Social Engineering Call | 313         | 92              | 29.4%

MODEMS DISCOVERED
[Pie chart: Modems Discovered from 91 tests in 2014; 49% / 51%; legend: Yes, No]

REVIEW OF IT AUDIT OBSERVATIONS
50 IT Audits and Assessments conducted between 8/2014 and 2/2015:
- 45 IT/GLBA Audits & Assessments
- 4 IT Security Reviews
- 1 Network Assessment

REVIEW OF IT AUDIT OBSERVATIONS – DEMOGRAPHICS
Customers by Regulating Body:
- 53% FDIC
- 31% OCC
- 16% Other
Customers by Asset Size:
- 10% under 100M
- 42% 100M-300M
- 23% 300M-500M
- 11% 500M-1B
- 6% over 1B
- 8% N/A

IT AUDIT OVERALL STATUS
[Pie chart: Overall Security and Compliance Rating; 2% / 11% / 53% / 34%; legend: Strong, Satisfactory, Needs Improvement, Weak]

% OF FINDINGS REPEAT
[Pie chart: Repeat; 18% / 82%; legend: Yes, No]

RISK LEVELS DEFINED
In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:
- The likelihood a deficiency is exploited
- The impact on the bank or its customers
- Any existing controls used to mitigate associated risk levels
Risk levels are defined as follows:
- High: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information due to little or no mitigating controls
- Medium: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level
- Low: A deficiency posing a possible threat to the availability, integrity, and/or confidentiality of customer or bank information

FIREWALL OBSERVATIONS
[Pie chart: Router/Firewall Findings; 2% / 14% / 16% / 68%; legend: High Risk, Medium Risk, Low Risk, No Finding]

PATCH MANAGEMENT OBSERVATIONS
[Pie chart: Patch Management Findings; 4% / 22% / 44% / 30%; legend: High Risk, Medium Risk, Low Risk, No Finding]

LOCAL ADMINISTRATOR OBSERVATIONS
[Pie chart: Users Running as Local Administrator; 2% / 32% / 38% / 28%; legend: High Risk, Medium Risk, Low Risk, No Finding]

ANTIVIRUS OBSERVATIONS
[Pie chart: Antivirus Findings; 2% / 26% / 54% / 18%; legend: High Risk, Medium Risk, Low Risk, No Finding]

MOBILE DEVICE OBSERVATIONS
[Pie chart: Mobile Device Findings; 8% / 10% / 14% / 68%; legend: High Risk, Medium Risk, Low Risk, No Finding]

LAPTOP ENCRYPTION OBSERVATIONS
[Pie chart: Laptops Not Encrypted Findings; 4% / 8% / 10% / 78%; legend: High Risk, Medium Risk, Low Risk, No Finding]

REMOVABLE MEDIA OBSERVATIONS
[Pie chart: Removable Media Findings; 2% / 20% / 14% / 64%; legend: High Risk, Medium Risk, Low Risk, No Finding]

PASSWORD OBSERVATIONS

PASSWORD OBSERVATIONS
[Pie chart: Password Findings; 6% / 32% / 26% / 36%; legend: High Risk, Medium Risk, Low Risk, No Finding]

AUTHENTICATION OBSERVATIONS
[Pie chart: Multi-factor Authentication Findings; 4% / 10% / 86% (three segments shown); legend: High Risk, Medium Risk, Low Risk, No Finding]

THIRD PARTY OVERSIGHT OBSERVATIONS
[Pie chart: Vendor Management Findings; 6% / 30% / 38% / 26%; legend: High Risk, Medium Risk, Low Risk, No Finding]

BUSINESS CONTINUITY OBSERVATIONS

BUSINESS CONTINUITY OBSERVATIONS
[Pie chart: BCP/DR Findings; 10% / 18% / 42% / 30%; legend: High Risk, Medium Risk, Low Risk, No Finding]

INCIDENT RESPONSE OBSERVATIONS

INCIDENT RESPONSE OBSERVATIONS
[Pie chart: Incident Response Findings; 22% / 14% / 64% (three segments shown); legend: High Risk, Medium Risk, Low Risk, No Finding]

RISK MANAGEMENT OBSERVATIONS
[Pie chart: Risk Assessment Findings; 4% / 28% / 40% / 28%; legend: High Risk, Medium Risk, Low Risk, No Finding]
