• No results found

Ed McMurray, CISA, CISSP, CTGA CoNetrix

N/A
N/A
Protected

Academic year: 2021

Share "Ed McMurray, CISA, CISSP, CTGA CoNetrix"

Copied!
71
0
0

Loading.... (view fulltext now)

Full text

(1)

Ed McMurray, CISA, CISSP, CTGA

(2)

AGENDA

• Introduction • Cybersecurity

– Recent News

– Regulatory Statements

– NIST Cybersecurity Framework – FFIEC Cybersecurity Assessment

• Questions

(3)

DISCLAIMER

• The information contained in this session may contain privileged and confidential information.

• This presentation is for information purposes only. Before acting on any ideas presented in this session; security, legal, technical, and

reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution.

• No computer system can provide absolute security under all conditions. • Any views or opinions presented do not necessarily state or reflect those

of CoNetrix or ICBA NM.

• The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited.

(4)
(5)
(6)

CYBERSECURITY RECENT

HISTORY

Feb. 2013 – Presidential Executive Order 13636

• June 2013 – FFIEC forms

Cybersecurity and Critical Infrastructure Working Group

• Aug. 2013 – Council on Cybersecurity launched

Feb. 2014 – NIST Released Cybersecurity Framework

• May 2014 – NY Report on

Cybersecurity in the Banking Sector • May 2014 – FFIEC Cybersecurity

webinar

• June 2014 – FFIEC Launches Cybersecurity Web Page

• June – July 2014 – FFIEC Commences Cybersecurity Assessments

• Nov. 2014 – FFIEC Released Observation from Cybersecurity Assessment

• Feb. 2015 – FFIEC Revised BCP IT Exam Booklet

• Mar. 2015 – FFIEC Provides Overview of Cybersecurity Priorities

• Mar. 2015 – Office of Inspector General releases report on FDIC’s Supervisory Approach to Cyberattack Risks

• Mar. 2015 – FFIEC Releases 2 Statements on Compromised

Credentials and Destructive Malware

June 2015 – FFIEC Releases Cybersecurity Assessment Tool

(7)
(8)
(9)

FEDERAL RESERVE SR 15-9

“In particular, the Federal Reserve will work to tailor  expectations to minimize burden for financial institutions  with low cybersecurity risk profiles and, potentially,  supplement expectations for financial institutions with  significant cybersecurity risk profiles. Beginning in late  2015 or early 2016, the Federal Reserve plans to utilize the  assessment tool as part of our examination process when  evaluating financial institutions’ cybersecurity  preparedness in information technology and safety and  soundness examinations and inspections.”

(10)

OCC BULLETIN 2015-31

“The OCC will implement the Assessment as part of the  bank examination process over time to benchmark and  assess bank cybersecurity efforts.”

“While use of the Assessment is optional for financial  institutions, OCC  examiners will use the Assessment to  supplement exam work to gain a more complete  understanding of an institution’s inherent risk, risk  management practices, and controls related to  cybersecurity. OCC examiners will begin incorporating the Assessment  into examinations in late 2015.”

(11)

FDIC FIL-28-2015

Use of the Cybersecurity Assessment Tool is voluntary.” “FDIC examiners will discuss the Cybersecurity Assessment  Tool with institution management during examinations to  ensure awareness and assist with answers to any  questions.”

(12)

CONFERENCE OF STATE BANK

SUPERVISORS (CSBS)

“The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely

considered an IT problem, the rise in frequency and sophistication of cyber-attacks now

requires a shift in thinking on the part of bank CEOs that management of a bank’s

cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue.”

(13)

NY STATE – REPORT ON CYBER

SECURITY

(14)

CHALLENGE

We are now have multiple information security  frameworks. How do they fit together? IT/GLBA Information  Security Program NIST Cybersecurity  Framework FFIEC  Cybersecurity  Assessment  Tool PCI DSS NACHA  Security HIPAA

(15)

HOPEFULLY . . .

We would like to see integration. One information security program  with components addressing malicious attacks, credit/debit threats,  ACH threats, medical info threats, etc. NIST  Cybersecurity  Framework FFIEC  Cybersecurity  Assessment  Tool PCI DSS NACHA  Security HIPAA IT/GLBA Information Security Program More alignment

(16)

REQUEST FOR ALIGNMENT OF FFIEC &

NIST CYBERSECURITY DOCUMENTS

(17)
(18)

CALL FOR CYBERSECURITY

FRAMEWORK

Voluntary risk-based set of

industry standards & best

practices

Methodology to protect individual

privacy & civil liberties through cybersecurity activities Framework for Improving Critical Infrastructure Cybersecurity v1.0 (NIST)

(19)

NIST CYBERSECURITY

FRAMEWORK CORE

(20)

NIST CYBERSECURITY

FRAMEWORK

(21)

FRAMEWORK CORE

Identify

Protect

Detect

Respond

Recover

(22)

IMPLEMENTATION TIERS

Partial Risk Informed Repeatable Adaptive

(23)
(24)
(25)

FFIEC CYBERSECURITY

ASSESSMENT TOOL

• Part One: Inherent Risk Profile • Part Two: Cybersecurity Maturity • Interpreting & Analysis

(26)

PART ONE: INHERENT RISK PROFILE

Consists of 78 questions across 5 categories: • Technology and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services • Organizational Characteristics

(27)
(28)
(29)

PART TWO: CYBERSECURITY MATURITY

• Cyber Risk Management and Oversight • Threat Intelligence and Collaboration

• Cybersecurity Controls

• External Dependency Management

(30)

Services

CYBERSECURITY MATURITY LEVELS

(31)
(32)

MATURITY MODEL

(33)
(34)
(35)
(36)

SETTING MATURITY LEVELS

• All declarative statements in each maturity level,  and previous levels, must be attained and  sustained to achieve that domain’s maturity level. • While management can determine the institution’s  maturity level in each domain, the Assessment is  not designed to identify an overall cybersecurity  maturity level.

(37)
(38)
(39)
(40)

BENEFITS

• Identifying factors contributing to and determining the  institution’s overall cyber risk. • Assessing the institution’s cybersecurity preparedness. • Evaluating whether the institution’s cybersecurity  preparedness is aligned with its risks. • Determining risk management practices and controls that  could be enhanced and actions that could be taken to  achieve the institution’s desired state of cyber  preparedness. • Informing risk management strategies.

(41)

FFIEC PRIORITIES

• Cybersecurity Self-Assessment Tool • Incident Analysis

• Crisis Management • Training

• Policy Development

• Technology Service Provider Strategy

• Collaboration with Law Enforcement and Intelligence Agencies

(42)

RESOURCES

• FFIEC Cybersecurity Awareness Web Page:

www.ffiec.gov/cybersecurity.htm

• NCUA Cyber Security Resources:

www.ncua.gov/Resources/Pages/cyber-security-resources.aspx

• NIST Cybersecurity Framework: www.nist.gov/cyberframework

• Financial Services Information Sharing and Analysis Center (FS-ISAC):

www.fsisac.com

• InfraGard: www.infragard.org

• US Computer Emergency Readiness Team: www.us-cert.gov

• US Secret Service Electronic Crimes Task Force:

www.secretservice.gov/ectf.shtml

• ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx

• Council on CyberSecurity: www.counciloncybersecurity.org

• CSBS Conference of State Bank Supervisors

(43)

FDIC – CYBER CHALLENGE VIDEOS

(44)

QUESTIONS

Ed McMurray

CoNetrix

800.356.6568

[email protected]

www.conetrix.com

(45)

CASE STUDY

A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.

(46)

SOCIAL ENGINEERING TESTS – 99

TESTS

13%

87%

99 Social Engineering Tests in 2014

(47)

SOCIAL ENGINEERING TESTS

0 10 20 30 40 50 60 70 80 90

Phishing Email Social Engineering Call

Social Engineering Tests conducted in 2014

(48)

SOCIAL ENGINEERING TESTS

-DETAILS

Type of Test Total Tests Total

Responses % Failure Phishing Email 5,935 1,180 19.9% Social Engineering Call 313 92 29.4%

(49)

MODEMS DISCOVERED

51% 49%

Modems Discovered from 91 tests in 2014

(50)

REVIEW OF IT AUDIT

OBSERVATIONS

• 50 IT Audits and Assessments conducted in between 8/2014 - 2/2015

– 45 IT/GLBA Audit & Assessments – 4 IT Security Reviews

(51)

REVIEW OF IT AUDIT OBSERVATIONS

DEMOGRAPHICS

• Customers by Regulating Body:

– 53% FDIC – 31% OCC – 16% Other

• Customers by Asset Size:

– 10% <100M – 42% 100M-300M – 23% 300M-500M – 11% 500M-1B – 6% >1B – 8% N/A

(52)

IT AUDIT OVERALL STATUS

53% 34%

11%

2%

Overall Security and Compliance Rating

(53)

% OF FINDINGS REPEAT

18%

82%

Repeat

(54)

RISK LEVELS DEFINED

In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:

• The likelihood a deficiency is exploited • The impact on the bank or its customers

• Any existing controls used to mitigate associated risk levels Risk levels are defined as follows:

High: A deficiency posing a direct threat to availability, integrity, and/or

confidentiality of customer or bank information due to little or no mitigating controls

Medium: A deficiency posing a direct threat to availability, integrity,

and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level

Low: A deficiency posing a possible threat to the availability, integrity,

(55)

FIREWALL OBSERVATIONS

2% 68% 16% 14% Router/Firewall Findings

(56)

PATCH MANAGEMENT

OBSERVATIONS

4% 44% 30% 22%

Patch Management Findings

(57)

LOCAL ADMINISTRATOR

OBSERVATIONS

2% 32% 28% 38%

Users Running as Local Administrator

(58)

ANTIVIRUS OBSERVATIONS

2% 26% 18% 54% Antivirus Findings

(59)
(60)

MOBILE DEVICE OBSERVATIONS

8%

10%

14%

68%

Mobile Device Findings

(61)

LAPTOP ENCRYPTION

OBSERVATIONS

4% 8% 10% 78%

Laptops Not Encrypted Findings

(62)

REMOVABLE MEDIA

OBSERVATIONS

2% 20% 14% 64%

Removable Media Findings

(63)
(64)

PASSWORD OBSERVATIONS

6% 26% 36% 32% Password Findings

(65)

AUTHENTICATION OBSERVATIONS

4%

10%

86%

Multi-factor Authentication Findings

(66)

THIRD PARTY OVERSIGHT

OBSERVATIONS

6% 38% 26% 30%

Vendor Management Findings

(67)

BUSINESS CONTINUITY

OBSERVATIONS

(68)

BUSINESS CONTINUITY

OBSERVATIONS

10% 42% 30% 18% BCP/DR Findings

(69)

INCIDENT RESPONSE

OBSERVATIONS

(70)

INCIDENT RESPONSE

OBSERVATIONS

22%

14% 64%

Incident Response Findings

(71)

RISK MANAGEMENT

OBSERVATIONS

4% 28% 28% 40%

Risk Assessment Findings

References

Related documents

NIST has explained that the Framework “complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program.” 29

Nearly 50% of respondents weren’t sure if the NIST Cybersecurity Framework has been helpful to their company in managing cybersecurity risk.. This may indicate that it is premature

• Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements

cybersecurity activities. Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and

Framework profile – Describes outcomes based on the business need and risk assessment that the organization has selected from the Core.. This information enables you to

Figure 5.15: Using Figure 5.14 as a knowledge base, this shows the confidence we have in a new transformation containing two tables with a column and a row each; however these

A baseline of network operations and expected data flows for users and systems is established by ObserveIT monitoring user activities in business applications and IT

Budući da kapitalni radovi obično uključuju tvrđe materijale (kamenje) ili transport velikog kapaciteta iskopanog materijala, rad se vrši pomoću usisnih jaružala s rezačem