THE EVOLUTION OF
CYBERSECURITY
Identifying Best Practices
June 2, 2015
Cerone F. “Cy” Sturdivant Managing Consultant Nashville, TN
TO RECEIVE CPE CREDIT
• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group
  – Complete group attendance form with
    • Title & date of live webinar
    • Your company name
    • Your printed name, signature & email address
  – All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar
TODAY’S AGENDA
• Formally defining cybersecurity
• Assessing your cybersecurity preparedness
• Cybersecurity program development
• Regulatory expectations
DEFINING CYBERSECURITY
In recent security discussions, there are references to both “cybersecurity” & “information security.” The terms are often used interchangeably, but in reality, cybersecurity is a part of information security.
Note: The interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. Factors such as this have influenced the shift in emphasis from information security to cybersecurity.
• Information security deals with protecting information, regardless of its format: physical documents, digital, intellectual property in people’s minds & verbal or visual communications
• Cybersecurity is concerned with protecting digital assets—everything from networks to hardware & information processed, stored or transported by internetworked information systems
NIST has a very appropriate definition for financial institutions
– The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks
Taking that definition element by element:
• Identifying attacks: for financial institutions, employee training & customer awareness are key
• Defending against attacks lies in the design & operation of the network & application environment; most banks we work with do this well
• Responding to attacks refers to your institution’s incident response plans
• Recovering from attacks should be covered by your Disaster Recovery/Business Continuity Plan
CYBERSECURITY CONCEPTS
(Diagram: the CIA triad – Confidentiality, Integrity, Availability)
CONFIDENTIALITY, INTEGRITY & AVAILABILITY
Objective of cybersecurity is threefold, involving the critical components of confidentiality, integrity & availability
• Confidentiality is protection of information from unauthorized access or disclosure
• Integrity is protection of information from unauthorized modification
• Availability ensures timely & reliable access to & use of information & systems
CYBERSECURITY PREPAREDNESS
FFIEC Cyber Preparedness Assessment
• Pilot cybersecurity examination work program (Cybersecurity Assessment) conducted in June 2014 at over 500 community financial institutions with less than $1 billion in assets to evaluate their preparedness to mitigate cyber risks
• FFIEC regulators released initial results of their assessment in November 2014
In addition to cybersecurity inherent risk, the Cybersecurity Assessment reviewed financial institutions’ current practices & overall preparedness, focusing on the following
• Risk management & oversight
• Threat intelligence & collaboration
• Cybersecurity controls
• External dependency management
• Cyber incident management & resilience
BREAKING NEWS - Preliminary observations indicate most banks do not fully understand specific threats that face them
CYBERSECURITY PREPAREDNESS – UTILIZING NIST FRAMEWORK
NIST FRAMEWORK OVERVIEW
• Framework can be used to help identify & prioritize actions for reducing cybersecurity risk, & it is a tool for aligning policy, business & technological approaches to managing that risk
• Framework enables organizations—regardless of size, cyber risk or cybersecurity sophistication—to apply principles & best practices of risk management to
A cybersecurity program should integrate all aspects of bank’s existing programs
• GLBA Information Security Program
• Business Continuity & Disaster Recovery
• Incident Response & Crisis Management Plans
• Third-Party Risk Management
EXAMPLE OF A CYBER ATTACK – WIRE FRAUD
(Diagram: a manufacturer in Israel ships product to a re-seller in the United States; the re-seller’s payment flows from a United States bank to the manufacturer’s Israel bank.)
EXAMPLE OF WIRE FRAUD – PART TWO
(Diagram: the same transaction, but the money is redirected to a Kuala Lumpur bank instead of the manufacturer’s Israel bank. Speech bubbles: “Where is my money???”, “What did I do?????”, “What Money???”)
Technical People
CYBER ATTACK – WHAT COULD HAVE BEEN DONE?
• Content/spam filter to prevent phishing
• Awareness training
• Management review of change to wiring instructions
• Phone verification of change
Technical People
INCIDENT RESPONSE
• Design of network and infrastructure
  – Monitoring
  – IDS/IPS
  – Testing
• Training to recognize attack
  – Don’t get distracted
  – Recognize it for what it is
Management oversight
Technical People
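The two technical controls on the “what could have been done” list (a content filter that catches the phishing email, and phone verification plus management review of the change to wiring instructions) can be made concrete. The following is an added example written for this page, not the webinar’s or BKD’s code, and it is not tied to any real mail gateway. The vendor master data (domain and phone number on file), the sample messages and the names of the clerks and manager are all constructed; the fraud pattern it encodes is the one the slides describe: a look-alike sender asking for new wire instructions, and a change that is only approved after a call-back to the number already on file rather than the number supplied in the email.

```python
"""Added example (not from the webinar, not BKD's code): mail triage for the
wire-fraud email described on the slides, plus a gate for the beneficiary
change it asks for.  Vendor data, phone numbers, messages and user names
are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed accounts-payable master data: vendor domain -> phone on file.
VENDOR_PHONE_ON_FILE = {"example-manufacturer.co.il": "+972-3-555-0100"}

# Wording that usually accompanies a request to change wiring instructions.
WIRING_CHANGE_RE = re.compile(
    r"\b(?:new|updated|changed?) (?:bank|account|wire|wiring|beneficiary)\b"
    r"|\b(?:wire|wiring) instructions\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain that `domain` imitates, if any."""
    if domain in VENDOR_PHONE_ON_FILE:
        return None
    for known in VENDOR_PHONE_ON_FILE:
        # Same name under another TLD, or within two typos of the real name.
        if domain.split(".")[0] == known.split(".")[0] or edit_distance(domain, known) <= 2:
            return known
    return None


def triage(msg: dict) -> tuple[str, list[str]]:
    """Classify a parsed message as deliver / review / quarantine, with reasons."""
    findings = []
    from_dom = _domain(msg["from"])
    reply_dom = _domain(msg.get("reply-to") or msg["from"])
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} imitates vendor {imitated}")
    hits = [m.group(0) for m in WIRING_CHANGE_RE.finditer(msg["body"])]
    if hits:
        findings.append("asks to change wiring instructions: " + ", ".join(hits))
    # A wiring change from a suspicious sender is the fraud pattern itself;
    # either signal on its own only earns a second look.
    if hits and (imitated or reply_dom != from_dom):
        return "quarantine", findings
    return ("review" if findings else "deliver"), findings


@dataclass(frozen=True)
class ChangeRequest:
    vendor_domain: str
    requested_by: str      # AP clerk entering the change
    phone_in_request: str  # number the email asks us to call (untrusted)


@dataclass(frozen=True)
class Verification:
    number_called: str
    verified_by: str
    approved_by: str       # management sign-off


def change_allowed(req: ChangeRequest, ver: Optional[Verification]) -> tuple[bool, list[str]]:
    """Phone verification plus management review before the change takes effect."""
    reasons = []
    on_file = VENDOR_PHONE_ON_FILE.get(req.vendor_domain)
    if on_file is None:
        reasons.append("vendor not in master file")
    elif ver is None:
        reasons.append("no call-back recorded")
    else:
        if ver.number_called != on_file:
            reasons.append("call-back must go to the number on file, not the number in the request")
        if ver.verified_by == req.requested_by:
            reasons.append("verifier must not be the requester")
        if ver.approved_by in (req.requested_by, ver.verified_by):
            reasons.append("approval must come from a third person")
    return not reasons, reasons


# Constructed sample messages and change paperwork.
FRAUD_MAIL = {"from": "Billing <billing@example-manufacturrer.co.il>",
              "body": "Please note our new bank details; updated wire instructions attached."}
LEGIT_MAIL = {"from": "billing@example-manufacturer.co.il",
              "body": "Invoice 4471 attached, net 30 as agreed."}
REQUEST = ChangeRequest("example-manufacturer.co.il", "clerk.a", "+60-3-555-0199")
BAD_VERIFICATION = Verification("+60-3-555-0199", "clerk.a", "manager.c")
GOOD_VERIFICATION = Verification("+972-3-555-0100", "clerk.b", "manager.c")

if __name__ == "__main__":
    print(triage(FRAUD_MAIL), triage(LEGIT_MAIL))
    print(change_allowed(REQUEST, BAD_VERIFICATION), change_allowed(REQUEST, GOOD_VERIFICATION))
```

The look-alike check compares only against vendors the institution actually pays, so the two-typo threshold stays useful on long domain names; on very short domains it should be tightened. The gate deliberately refuses a call-back to the number printed in the request, because in the scenario on the slides that number belongs to the attacker.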
BUSINESS RESUMPTION
• Separate DR site
• Additional equipment
• Backup strategy
• Regular testing
• Vendor management
• Third-party resources, if needed, on call
• Training in resumption
Core & IT engineers
EXAMINER EXPECTATIONS
• Incorporate cybersecurity into all existing programs & policies
• Enhance IT-related risk assessments to identify & address cyber-specific threats
• Enhance training efforts—employees, board & customers
• Strengthen monitoring controls
CONCLUSION
• Financial institutions have to be careful they aren’t tempted to make their reviews for cyber-resilience a checkbox compliance exercise. Ensuring cyber-resilience of their internal networks & people, as well as networks of their third-party service providers & vendors, requires going beyond simply implementing recommendations in new guidelines
CYBERSECURITY RESOURCES
• FFIEC Cybersecurity Awareness - http://www.ffiec.gov/cybersecurity.htm
• Bank Info Security - http://www.bankinfosecurity.com/
• ABA Center for Payments and Cybersecurity - http://www.aba.com/Tools/Function/Pages/center-payments-cybersecurity.aspx
• NIST Framework - http://www.nist.gov/cyberframework/index.cfm
• FS-ISAC - http://www.fsisac.com/
QUESTIONS?
CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.
FOR MORE INFORMATION
THANK YOU!
Cerone F. “Cy” Sturdivant, CISA
Managing Consultant | BKD, LLP
One American Center
3100 West End Ave, Suite 850
Nashville, TN 37203-1320
615.988.3600, Ext 32614