Transcription
Ed McMurray, CISA, CISSP, CTGA, CoNetrix

AGENDA
- Introduction
- Cybersecurity
  - Recent News
  - Regulatory Statements
  - NIST Cybersecurity Framework
  - FFIEC Cybersecurity Assessment
- Questions
- Information Security Stats (if we have time)

DISCLAIMER
The information contained in this session may contain privileged and confidential information.
This presentation is for information purposes only. Before acting on any ideas presented in this session, security, legal, technical, and reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution.
No computer system can provide absolute security under all conditions.
Any views or opinions presented do not necessarily state or reflect those of CoNetrix or ICBA NM.
The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited.
All original CoNetrix material is Copyright 2015 CoNetrix.
CYBERSECURITY RECENT HISTORY
- Feb. 2013 – Presidential Executive Order 13636
- June 2013 – FFIEC forms Cybersecurity and Critical Infrastructure Working Group
- Aug. 2013 – Council on Cybersecurity launched
- Feb. 2014 – NIST released Cybersecurity Framework
- May 2014 – NY report on Cybersecurity in the Banking Sector
- May 2014 – FFIEC Cybersecurity webinar
- June 2014 – FFIEC launches Cybersecurity web page
- June–July 2014 – FFIEC commences cybersecurity assessments
- Nov. 2014 – FFIEC released Observations from Cybersecurity Assessment
- Feb. 2015 – FFIEC revised BCP IT Exam Booklet
- Mar. 2015 – FFIEC provides overview of cybersecurity priorities
- Mar. 2015 – Office of Inspector General releases report on FDIC's Supervisory Approach to Cyberattack Risks
- Mar. 2015 – FFIEC releases two statements, on Compromised Credentials and Destructive Malware
- June 2015 – FFIEC releases Cybersecurity Assessment Tool
FEDERAL RESERVE SR 15-9
"In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions' cybersecurity preparedness in information technology and safety and soundness examinations and inspections."

OCC BULLETIN 2015-31
"The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts."
"While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution's inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015."

FDIC FIL-28-2015
"Use of the Cybersecurity Assessment Tool is voluntary."
"FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions."

CONFERENCE OF STATE BANK SUPERVISORS (CSBS)
"The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank's cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue."
- CSBS Cybersecurity 101
NY STATE – REPORT ON CYBERSECURITY
CHALLENGE
We now have multiple information security frameworks. How do they fit together?
- PCI DSS
- NACHA Security
- HIPAA
- IT/GLBA Information Security Program
- FFIEC Cybersecurity Assessment Tool
- NIST Cybersecurity Framework

HOPEFULLY . . .
We would like to see integration: one information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc.
[Diagram: the IT/GLBA Information Security Program as the umbrella, with the FFIEC Cybersecurity Assessment Tool, PCI DSS, and more as components within it.]
REQUEST FOR ALIGNMENT OF FFIEC &NIST CYBERSECURITY DOCUMENTS
CALL FOR CYBERSECURITY FRAMEWORK
- Voluntary risk-based set of industry standards & best practices
- Methodology to protect individual privacy & civil liberties through cybersecurity activities
Framework 1.0 (NIST)
NIST CYBERSECURITYFRAMEWORK CORE
NIST CYBERSECURITYFRAMEWORK
FRAMEWORK CORE
Five functions: Identify, Protect, Detect, Respond, Recover

IMPLEMENTATION TIERS
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
PROCESS FLOW
FFIEC CYBERSECURITY ASSESSMENT TOOL
- Part One: Inherent Risk Profile
- Part Two: Cybersecurity Maturity
- Interpreting & Analysis: senior management and Board reporting

PART ONE: INHERENT RISK PROFILE
Consists of 78 questions across 5 categories:
- Technology and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
INHERENT RISK PROFILE LAYOUT
DETERMINE INHERENT RISK PROFILE
PART TWO: CYBERSECURITY MATURITY
Five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

CYBERSECURITY MATURITY LEVELS
CYBERSECURITY MATURITY
MATURITY MODEL
Hierarchy: Domain > Assessment Factor > Contributing Components > Declarative Statements
CYBERSECURITY MATURITY EXCERPT
MATURITY
CYBERSECURITY MATURITY LEVELS
SETTING MATURITY LEVELS
- All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain's maturity level.
- While management can determine the institution's maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
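The cumulative rule above is easy to misread when filling in the workbook, so here is an added worked example (not code from the presentation or from the FFIEC tool itself) that applies it per domain. The five level names are the FFIEC CAT's maturity levels; the domain names, statement counts and answers are constructed sample data, and the ATTAINED set (treating "Yes with compensating controls" as attained) is an assumption you can tighten to {"Yes"} for a stricter reading.

```python
"""Per-domain maturity scoring under the FFIEC CAT cumulative rule.

Added example, not code from the presentation or the FFIEC tool.
Level names are the five FFIEC CAT maturity levels; the sample answers
below are constructed, not an institution's real assessment.
"""
from typing import Dict, List, Optional, Tuple

# Maturity levels in ascending order (FFIEC CAT).
LEVELS: List[str] = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Assumption: which answers count as attaining a declarative statement.
# Use {"Yes"} if compensating controls should not count.
ATTAINED = {"Yes", "Yes with compensating controls"}

# One domain's answers: level -> one answer per declarative statement.
Answers = Dict[str, List[str]]


def domain_maturity(answers: Answers) -> Optional[str]:
    """Highest level L such that every statement at L and at every lower
    level is attained. Returns None when even Baseline is not fully met."""
    achieved: Optional[str] = None
    for level in LEVELS:
        statements = answers.get(level, [])
        # Any unattained (or missing) statement stops the climb here;
        # nothing above it can count, however well it is answered.
        if not statements or any(a not in ATTAINED for a in statements):
            break
        achieved = level
    return achieved


def gaps_to_reach(answers: Answers, target: str) -> List[Tuple[str, int]]:
    """(level, statement index) of every unattained statement at or below
    `target`: the full remediation list for claiming that level."""
    needed = LEVELS[: LEVELS.index(target) + 1]
    return [
        (level, i)
        for level in needed
        for i, a in enumerate(answers.get(level, []))
        if a not in ATTAINED
    ]


def assess(domains: Dict[str, Answers]) -> Dict[str, Optional[str]]:
    """One maturity level per domain. Deliberately no overall roll-up: the
    Assessment does not define an institution-wide maturity level."""
    return {name: domain_maturity(ans) for name, ans in domains.items()}


# Constructed sample data: two of the five domains, a few statements each
# (real domains carry far more statements per level).
SAMPLE: Dict[str, Answers] = {
    "Cyber Risk Management and Oversight": {
        "Baseline": ["Yes", "Yes", "Yes with compensating controls"],
        "Evolving": ["Yes", "Yes"],
        "Intermediate": ["Yes", "No"],
        "Advanced": ["No"],
        "Innovative": ["No"],
    },
    "Cybersecurity Controls": {
        "Baseline": ["Yes", "No", "Yes"],   # a single Baseline gap ...
        "Evolving": ["Yes", "Yes"],
        "Intermediate": ["Yes", "Yes"],
        "Advanced": ["Yes"],                # ... even though Advanced is fully met
        "Innovative": ["No"],
    },
}

if __name__ == "__main__":
    for domain, level in assess(SAMPLE).items():
        print(f"{domain}: {level or 'below Baseline'}")
        print("  gaps to reach Advanced:", gaps_to_reach(SAMPLE[domain], "Advanced"))
```

The second sample domain is the case worth internalising: every Evolving, Intermediate and Advanced statement is met, yet one "No" at Baseline leaves the domain below Baseline, and the remediation list for Advanced is that single Baseline statement. The scorer returns a dict keyed by domain and nothing else, mirroring the tool's refusal to produce an overall level.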
INTERPRETING & ANALYZING RESULTS
BENEFITS
- Identifying factors contributing to and determining the institution's overall cyber risk.
- Assessing the institution's cybersecurity preparedness.
- Evaluating whether the institution's cybersecurity preparedness is aligned with its risks.
- Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution's desired state of cyber preparedness.
- Informing risk management strategies.

FFIEC PRIORITIES
- Cybersecurity Self-Assessment Tool
- Incident Analysis
- Crisis Management
- Training
- Policy Development
- Technology Service Provider Strategy
- Collaboration with Law Enforcement and Intelligence Agencies

RESOURCES
- FFIEC Cybersecurity Awareness Web Page: www.ffiec.gov/cybersecurity.htm
- NCUA Cyber Security: ity-resources.aspx
- NIST Cybersecurity Framework: www.nist.gov/cyberframework
- Financial Services Information Sharing and Analysis Center (FS-ISAC): www.fsisac.com
- InfraGard: www.infragard.org
- US Computer Emergency Readiness Team: www.us-cert.gov
- US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
- ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx
- Council on CyberSecurity: www.counciloncybersecurity.org
- CSBS (Conference of State Bank Supervisors): /default.aspx
FDIC – CYBER CHALLENGE irector/technical/cyber/cyber.html
QUESTIONS
Ed McMurray
www.conetrix.com

CASE STUDY
A review of high-risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.

SOCIAL ENGINEERING TESTS – 99 TESTS
[Chart: 99 Social Engineering Tests in 2014. Legend: Passed, Failed. Values as extracted, in legend order: 13%, 87%.]

SOCIAL ENGINEERING TESTS
[Chart: Social Engineering Tests conducted in 2014; bar chart of Failed vs. Passed counts for Phishing Email and Social Engineering Call, vertical axis 0 to 90.]

SOCIAL ENGINEERING TESTS DETAILS
Type of Test               Total Tests   Total Responses   % Failure
Phishing Email             5,935         1,180             19.9%
Social Engineering Call    313           92                29.4%
(% Failure = Total Responses / Total Tests.)

MODEMS DISCOVERED
[Chart: Modems Discovered from 91 tests in 2014. Legend: Yes, No. Values as extracted, in legend order: 49%, 51%.]
REVIEW OF IT AUDIT OBSERVATIONS
50 IT audits and assessments conducted between 8/2014 and 2/2015:
- 45 IT/GLBA Audits & Assessments
- 4 IT Security Reviews
- 1 Network Assessment

REVIEW OF IT AUDIT OBSERVATIONS – DEMOGRAPHICS
Customers by regulating body:
- 53% FDIC
- 31% OCC
- 16% Other
Customers by asset size:
- 10% under 100M
- 42% 100M–300M
- 23% 300M–500M
- 11% 500M–1B
- 6% over 1B
- 8% N/A

IT AUDIT OVERALL STATUS
[Chart: Overall Security and Compliance Rating. Legend: Strong, Satisfactory, Needs Improvement, Weak. Values as extracted, in legend order: 2%, 11%, 53%, 34%.]

% OF FINDINGS REPEAT
[Chart: Repeat findings. Legend: Yes, No. Values as extracted, in legend order: 18%, 82%.]

RISK LEVELS DEFINED
In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:
- The likelihood a deficiency is exploited
- The impact on the bank or its customers
- Any existing controls used to mitigate associated risk levels
Risk levels are defined as follows:
- High: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information due to little or no mitigating controls
- Medium: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level
- Low: A deficiency posing a possible threat to the availability, integrity, and/or confidentiality of customer or bank information
FIREWALL OBSERVATIONS
[Chart: Router/Firewall Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 2%, 14%, 16%, 68%.]

PATCH MANAGEMENT OBSERVATIONS
[Chart: Patch Management Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 4%, 22%, 44%, 30%.]

LOCAL ADMINISTRATOR OBSERVATIONS
[Chart: Users Running as Local Administrator. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 2%, 32%, 38%, 28%.]

ANTIVIRUS OBSERVATIONS
[Chart: Antivirus Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 2%, 26%, 54%, 18%.]

MOBILE DEVICE OBSERVATIONS
[Chart: Mobile Device Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 8%, 10%, 14%, 68%.]

LAPTOP ENCRYPTION OBSERVATIONS
[Chart: Laptops Not Encrypted Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 4%, 8%, 10%, 78%.]

REMOVABLE MEDIA OBSERVATIONS
[Chart: Removable Media Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 2%, 20%, 14%, 64%.]
PASSWORD OBSERVATIONS
[Chart: Password Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 6%, 32%, 26%, 36%.]

AUTHENTICATION OBSERVATIONS
[Chart: Multi-factor Authentication Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Only three values survive in the extraction: 4%, 10%, 86%.]

THIRD PARTY OVERSIGHT OBSERVATIONS
[Chart: Vendor Management Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 6%, 30%, 38%, 26%.]
BUSINESS CONTINUITY OBSERVATIONS
[Chart: BCP/DR Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 10%, 18%, 42%, 30%.]

INCIDENT RESPONSE OBSERVATIONS
[Chart: Incident Response Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Only three values survive in the extraction: 22%, 14%, 64%.]

RISK MANAGEMENT OBSERVATIONS
[Chart: Risk Assessment Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted, in legend order: 4%, 28%, 40%, 28%.]