Ed McMurray, CISA, CISSP, CTGA
AGENDA
• Introduction • Cybersecurity
– Recent News
– Regulatory Statements
– NIST Cybersecurity Framework – FFIEC Cybersecurity Assessment
• Questions
DISCLAIMER
• The information contained in this session may contain privileged and confidential information.
• This presentation is for information purposes only. Before acting on any ideas presented in this session; security, legal, technical, and
reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution.
• No computer system can provide absolute security under all conditions. • Any views or opinions presented do not necessarily state or reflect those
of CoNetrix or ICBA NM.
• The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited.
CYBERSECURITY RECENT
HISTORY
• Feb. 2013 – Presidential Executive Order 13636
• June 2013 – FFIEC forms
Cybersecurity and Critical Infrastructure Working Group
• Aug. 2013 – Council on Cybersecurity launched
• Feb. 2014 – NIST Released Cybersecurity Framework
• May 2014 – NY Report on
Cybersecurity in the Banking Sector • May 2014 – FFIEC Cybersecurity
webinar
• June 2014 – FFIEC Launches Cybersecurity Web Page
• June – July 2014 – FFIEC Commences Cybersecurity Assessments
• Nov. 2014 – FFIEC Released Observation from Cybersecurity Assessment
• Feb. 2015 – FFIEC Revised BCP IT Exam Booklet
• Mar. 2015 – FFIEC Provides Overview of Cybersecurity Priorities
• Mar. 2015 – Office of Inspector General releases report on FDIC’s Supervisory Approach to Cyberattack Risks
• Mar. 2015 – FFIEC Releases 2 Statements on Compromised
Credentials and Destructive Malware
• June 2015 – FFIEC Releases Cybersecurity Assessment Tool
FEDERAL RESERVE SR 15-9
“In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”OCC BULLETIN 2015-31
“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”
“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”
FDIC FIL-28-2015
Use of the Cybersecurity Assessment Tool is voluntary.” “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”CONFERENCE OF STATE BANK
SUPERVISORS (CSBS)
“The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely
considered an IT problem, the rise in frequency and sophistication of cyber-attacks now
requires a shift in thinking on the part of bank CEOs that management of a bank’s
cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue.”
NY STATE – REPORT ON CYBER
SECURITY
CHALLENGE
We are now have multiple information security frameworks. How do they fit together? IT/GLBA Information Security Program NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Tool PCI DSS NACHA Security HIPAAHOPEFULLY . . .
We would like to see integration. One information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc. NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Tool PCI DSS NACHA Security HIPAA IT/GLBA Information Security Program More alignmentREQUEST FOR ALIGNMENT OF FFIEC &
NIST CYBERSECURITY DOCUMENTS
CALL FOR CYBERSECURITY
FRAMEWORK
Voluntary risk-based set of
industry standards & best
practices
Methodology to protect individual
privacy & civil liberties through cybersecurity activities Framework for Improving Critical Infrastructure Cybersecurity v1.0 (NIST)
NIST CYBERSECURITY
FRAMEWORK CORE
NIST CYBERSECURITY
FRAMEWORK
FRAMEWORK CORE
Identify
Protect
Detect
Respond
Recover
IMPLEMENTATION TIERS
Partial Risk Informed Repeatable AdaptiveFFIEC CYBERSECURITY
ASSESSMENT TOOL
• Part One: Inherent Risk Profile • Part Two: Cybersecurity Maturity • Interpreting & Analysis
PART ONE: INHERENT RISK PROFILE
Consists of 78 questions across 5 categories: • Technology and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services • Organizational Characteristics
PART TWO: CYBERSECURITY MATURITY
• Cyber Risk Management and Oversight • Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
Services
CYBERSECURITY MATURITY LEVELS
MATURITY MODEL
SETTING MATURITY LEVELS
• All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. • While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.BENEFITS
• Identifying factors contributing to and determining the institution’s overall cyber risk. • Assessing the institution’s cybersecurity preparedness. • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks. • Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness. • Informing risk management strategies.FFIEC PRIORITIES
• Cybersecurity Self-Assessment Tool • Incident Analysis
• Crisis Management • Training
• Policy Development
• Technology Service Provider Strategy
• Collaboration with Law Enforcement and Intelligence Agencies
RESOURCES
• FFIEC Cybersecurity Awareness Web Page:
www.ffiec.gov/cybersecurity.htm
• NCUA Cyber Security Resources:
www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
• NIST Cybersecurity Framework: www.nist.gov/cyberframework
• Financial Services Information Sharing and Analysis Center (FS-ISAC):
www.fsisac.com
• InfraGard: www.infragard.org
• US Computer Emergency Readiness Team: www.us-cert.gov
• US Secret Service Electronic Crimes Task Force:
www.secretservice.gov/ectf.shtml
• ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx
• Council on CyberSecurity: www.counciloncybersecurity.org
• CSBS Conference of State Bank Supervisors
FDIC – CYBER CHALLENGE VIDEOS
CASE STUDY
A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.
SOCIAL ENGINEERING TESTS – 99
TESTS
13%
87%
99 Social Engineering Tests in 2014
SOCIAL ENGINEERING TESTS
0 10 20 30 40 50 60 70 80 90Phishing Email Social Engineering Call
Social Engineering Tests conducted in 2014
SOCIAL ENGINEERING TESTS
-DETAILS
Type of Test Total Tests Total
Responses % Failure Phishing Email 5,935 1,180 19.9% Social Engineering Call 313 92 29.4%
MODEMS DISCOVERED
51% 49%
Modems Discovered from 91 tests in 2014
REVIEW OF IT AUDIT
OBSERVATIONS
• 50 IT Audits and Assessments conducted in between 8/2014 - 2/2015
– 45 IT/GLBA Audit & Assessments – 4 IT Security Reviews
REVIEW OF IT AUDIT OBSERVATIONS
DEMOGRAPHICS
• Customers by Regulating Body:
– 53% FDIC – 31% OCC – 16% Other
• Customers by Asset Size:
– 10% <100M – 42% 100M-300M – 23% 300M-500M – 11% 500M-1B – 6% >1B – 8% N/A
IT AUDIT OVERALL STATUS
53% 34%
11%
2%
Overall Security and Compliance Rating
% OF FINDINGS REPEAT
18%
82%
Repeat
RISK LEVELS DEFINED
In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:
• The likelihood a deficiency is exploited • The impact on the bank or its customers
• Any existing controls used to mitigate associated risk levels Risk levels are defined as follows:
• High: A deficiency posing a direct threat to availability, integrity, and/or
confidentiality of customer or bank information due to little or no mitigating controls
• Medium: A deficiency posing a direct threat to availability, integrity,
and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level
• Low: A deficiency posing a possible threat to the availability, integrity,
FIREWALL OBSERVATIONS
2% 68% 16% 14% Router/Firewall FindingsPATCH MANAGEMENT
OBSERVATIONS
4% 44% 30% 22%Patch Management Findings
LOCAL ADMINISTRATOR
OBSERVATIONS
2% 32% 28% 38%Users Running as Local Administrator
ANTIVIRUS OBSERVATIONS
2% 26% 18% 54% Antivirus FindingsMOBILE DEVICE OBSERVATIONS
8%
10%
14%
68%
Mobile Device Findings
LAPTOP ENCRYPTION
OBSERVATIONS
4% 8% 10% 78%Laptops Not Encrypted Findings
REMOVABLE MEDIA
OBSERVATIONS
2% 20% 14% 64%Removable Media Findings
PASSWORD OBSERVATIONS
6% 26% 36% 32% Password FindingsAUTHENTICATION OBSERVATIONS
4%
10%
86%
Multi-factor Authentication Findings
THIRD PARTY OVERSIGHT
OBSERVATIONS
6% 38% 26% 30%Vendor Management Findings
BUSINESS CONTINUITY
OBSERVATIONS
BUSINESS CONTINUITY
OBSERVATIONS
10% 42% 30% 18% BCP/DR FindingsINCIDENT RESPONSE
OBSERVATIONS
INCIDENT RESPONSE
OBSERVATIONS
22%
14% 64%
Incident Response Findings
RISK MANAGEMENT
OBSERVATIONS
4% 28% 28% 40%Risk Assessment Findings