Post on 29-Jul-2021
NCUA IT Exam Focus
By Tom Schauer, Principal
CliftonLarsonAllen
My Background and Experience
• Computer Science Degree - Puget Sound
• Information Security Professional for 30 years
• Consultant: Ernst & Young, Deloitte, Guardent (Verisign)
• Started TrustCC in 2000 - IT Security and Compliance
• Grew to about 20 people
• Technically superior, devoted, trusted!
• Joined CliftonLarsonAllen in September of 2015
My personal security philosophy…
• “When you and a friend are being chased
by a bear, it is not necessary to outrun the
bear, it is only necessary to outrun your
friend.”
• Effective security may be nothing more
than being more secure than the target
down the road.
• Absolute security is unattainable.
In the world of networked
computers every sociopath is
your neighbor.
Opportunistic
vs
Targeted
Example: Attack Sophistication
[Diagram: timeline of an ACH origination file attack]
4PM: CORE Banking System writes the ACH file to a Windows File Share
• Notates Total Debits • Notates Total Credits • Notates Total # Batches
4:01PM: HACKER reaches the ACH file on the Windows File Share
4:05 to 5:00PM: FedLine ACH, Upload File to The FED
• The FED Confirms Total Debits • Confirms Total Credits • Confirms Total # Batches
In-house ACH Originations are most susceptible
to this attack vector. Outsourced ACH could
also be susceptible.
Why is ACH Susceptible?
• ACH File Format created in 1970s and
does not include ANY modern security
mechanisms.
• Typical ACH process utilizes Windows File
Share as temporary file location.
• With Windows having 92% of the market
share, hackers are most proficient at hacking
Windows… 65% to 100% success.
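The diagram above shows why confirming the totals at The FED is not enough: a file that is altered on the Windows File Share between 4PM and 4:05PM can still carry the same Total Debits, Total Credits and Total # Batches. The following added example (not from the presentation or from CliftonLarsonAllen) shows the two checks an in-house origination process can run on the FedLine workstation before upload: recomputing the control totals the core notated, and verifying an HMAC-SHA256 seal the core computed when it wrote the file. The records are a simplified, constructed NACHA-style layout, the key name and seal storage are assumptions, and all amounts, routing and account numbers are made up.

```python
import hashlib
import hmac

# Constructed, simplified NACHA-style 94-character records (not a real file).
# Field positions follow the published entry-detail layout closely enough to
# recompute control totals; company, header and trace values are made up.
CREDIT_CODES = {"22", "32"}   # checking / savings credit
DEBIT_CODES = {"27", "37"}    # checking / savings debit


def entry_record(tx_code, rdfi, account, amount_cents, name, trace):
    """Build one type-6 entry detail record (rdfi = 8-digit routing + check digit)."""
    return ("6" + tx_code + rdfi.zfill(9) + account.ljust(17)
            + f"{amount_cents:010d}" + "ID".ljust(15) + name.ljust(22)
            + "  " + "0" + trace.zfill(15))


def control_totals(lines):
    """Recompute what the batch (8) and file (9) control records are meant to carry:
    batch count, entry count, entry hash (sum of routing numbers) and debit/credit totals."""
    t = {"batches": 0, "entries": 0, "entry_hash": 0, "debits": 0, "credits": 0}
    for line in lines:
        if line.startswith("5"):
            t["batches"] += 1
        elif line.startswith("6"):
            t["entries"] += 1
            t["entry_hash"] = (t["entry_hash"] + int(line[3:11])) % 10**10
            amount, code = int(line[29:39]), line[1:3]
            if code in CREDIT_CODES:
                t["credits"] += amount
            elif code in DEBIT_CODES:
                t["debits"] += amount
    return t


def build_file(entries):
    """Wrap entries in header, batch and file control records whose totals match,
    the way the core system writes the file at 4PM."""
    lines = ["101 CONSTRUCTED FILE HEADER".ljust(94),
             "5200CONSTRUCTED BATCH HEADER".ljust(94), *entries]
    t = control_totals(lines)
    lines.append(("8200" + f"{t['entries']:06d}" + f"{t['entry_hash']:010d}"
                  + f"{t['debits']:012d}" + f"{t['credits']:012d}").ljust(94))
    lines.append(("9" + f"{t['batches']:06d}" + "000001" + f"{t['entries']:08d}"
                  + f"{t['entry_hash']:010d}" + f"{t['debits']:012d}"
                  + f"{t['credits']:012d}").ljust(94))
    return "\n".join(lines) + "\n"


def seal_file(ach_text, key):
    """HMAC-SHA256 over the whole file, computed by the core at generation time.
    Assumption: the key and the seal are kept off the file share, on the core
    and the FedLine upload workstation only."""
    return hmac.new(key, ach_text.encode("ascii"), hashlib.sha256).hexdigest()


def verify_before_upload(ach_text, key, notated_totals, seal):
    """Two checks at 4:05PM, before the FedLine upload.
    totals_ok mirrors what The FED confirms (debits, credits, batch count).
    integrity_ok covers every byte, so it also catches an edit that leaves
    the totals untouched, such as a changed receiving account number."""
    totals_ok = control_totals(ach_text.splitlines()) == notated_totals
    integrity_ok = hmac.compare_digest(seal_file(ach_text, key), seal)
    return totals_ok, integrity_ok


def demo():
    """Return the verification results for the untouched file and an altered copy."""
    key = b"constructed-demo-key-not-for-production"
    entries = [
        entry_record("22", "012345678", "1234567890123", 150000, "PAYROLL A SMITH", "1"),
        entry_record("22", "087654321", "5550001234567", 275025, "PAYROLL B JONES", "2"),
        entry_record("27", "012345678", "9990001112223", 425025, "FUNDING ACCOUNT", "3"),
    ]
    original = build_file(entries)
    notated = control_totals(original.splitlines())  # what the core notates at 4PM
    seal = seal_file(original, key)
    # Copy altered on the file share: one payee account differs, every total is unchanged.
    tampered = original.replace("5550001234567", "9999999999999")
    return (verify_before_upload(original, key, notated, seal),
            verify_before_upload(tampered, key, notated, seal))


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The totals check passes for both copies, which is exactly the gap the diagram illustrates; only the seal check fails for the altered copy. The seal is only useful if the key and the stored seal are not reachable from the same file share the attacker reaches, which is why the example assumes they live on the core and the upload workstation.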
Secure Computer?
• “The only secure computer is one
surrounded by concrete and in the bottom
of the ocean. We are not seeking absolute
security, we are seeking enough
security… and ‘enough’ is a moving
target!”
• Password length was 4, then 8, now 14+
• Passwords were reused, now unique per use
In Response…
• NCUA has declared Cybersecurity as the
number one priority for 2015 and 2016
• FFIEC issues Cybersecurity Assessment
Tool in 2015
• Starting June 2016, Exams will have new
Cybersecurity procedures
Historical Guidance
• 2001 GLBA inspired 12CFR Part 748
• 2005 12CFR Part 748 Appendix B
• 2006 FFIEC Information Security Guide
• Miscellaneous Letters to Credit Unions
• 2015 FFIEC Cybersecurity (CAT)
FFIEC CAT Tool
• 2015 Guidance, originally notated as
voluntary. “Voluntary” removed Aug 2015
• Starting June 2016, examiners expect some
form of cybersecurity risk assessment that
is similarly capable as the FFIEC Tool
• Inherent Risk Component
• Controls Maturity Component
FFIEC CAT Tool
• Inherent risk model must scale to financial
institutions of all sizes
FFIEC CAT Tool
Maturity model is based upon self reporting and
does not have a validation component. Just a
risk assessment.
FFIEC CAT Tool
FSISAC CAT Tool
Polling Question
How many have completed the FFIEC CAT
using some form of the guidance?
a) Completed
b) Not Completed
A Risk Assessment a Day
Keeps the Examiner at Bay
Risk Assessments
• Convenient method of documenting regular risk
management analysis and decisions.
• Differentiate between required and risk
assessment as a management tool.
• Have a simple form…
– Topic
– Characterization of Inherent Risk
– Risk Mitigation and Controls
– Characterization of Residual Risks
– Conclusion and Plans for Action
Polling Question
How many use a risk assessment
form/process of some kind to regularly
document risk management analysis and
decisions?
a) Use Documented Form/Process
b) Do Not Use a Documented Form/Process
Risk Assess: Attack Targets
• NCUA Aires File
• Other Core extracts
• Marketing extracts
• Wire Transfers
• ACH Originations
Risk Assess: Ransomware
• Ransomware and other common attack
vectors delivered through social
engineering.
Breach Detection
• Indicators of Compromise
– The creation or modification of an administrator account
– Any activity which seems to disable antivirus, logging or firewall controls
– Outbound data transfers
– Unknown Hosts attached to the network
– Unauthorized or Unknown Software installed on a known host
– Consecutive invalid password attempts on multiple user IDs from the same IP
– Consecutive access denied events on a single account on multiple hosts from the same IP
– Attempts to access disabled accounts
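Four of the indicators listed above (admin account changes, invalid passwords across many user IDs from one IP, one account denied on many hosts from one IP, and use of disabled accounts) can be checked with simple grouping logic over authentication logs. The following added example (not part of the presentation) does that over a constructed sample log; the line format, event names and thresholds are assumptions, and the "consecutive" wording is simplified to "within the same log extract" rather than a sliding time window.

```python
from collections import defaultdict

# Constructed sample log (not from any real system). Assumed line format:
# "<timestamp> <source_ip> <user> <host> <event>"
SAMPLE_LOG = """\
2021-07-29T04:01:02 10.0.0.55 alice CORE01 LOGON_FAILED
2021-07-29T04:01:03 10.0.0.55 bob CORE01 LOGON_FAILED
2021-07-29T04:01:04 10.0.0.55 carol CORE01 LOGON_FAILED
2021-07-29T04:01:05 10.0.0.55 dave CORE01 LOGON_FAILED
2021-07-29T04:02:00 10.0.0.77 svc_backup FS01 ACCESS_DENIED
2021-07-29T04:02:01 10.0.0.77 svc_backup FS02 ACCESS_DENIED
2021-07-29T04:02:02 10.0.0.77 svc_backup ACH01 ACCESS_DENIED
2021-07-29T04:03:00 10.0.0.90 former_emp VPN01 LOGON_DISABLED_ACCOUNT
2021-07-29T04:04:00 10.0.0.55 alice DC01 ADMIN_GROUP_MEMBER_ADDED
2021-07-29T04:05:00 10.0.0.12 erin WS12 LOGON_FAILED
2021-07-29T04:05:30 10.0.0.12 erin WS12 LOGON_SUCCESS
"""


def parse_log(text):
    """Split each line into a dict; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            events.append(dict(zip(("ts", "ip", "user", "host", "event"), parts)))
    return events


def password_spray(events, min_users=3):
    """Invalid password attempts against multiple user IDs from one source IP."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["event"] == "LOGON_FAILED":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def account_across_hosts(events, min_hosts=3):
    """Access denied for a single account on multiple hosts from the same IP."""
    hosts = defaultdict(set)
    for e in events:
        if e["event"] == "ACCESS_DENIED":
            hosts[(e["ip"], e["user"])].add(e["host"])
    return {k: sorted(h) for k, h in hosts.items() if len(h) >= min_hosts}


def disabled_account_attempts(events):
    """Any attempt to use a disabled account is worth an alert on its own."""
    return [(e["ip"], e["user"]) for e in events
            if e["event"] == "LOGON_DISABLED_ACCOUNT"]


def admin_account_changes(events):
    """Creation or modification of an administrator account or group membership."""
    return [(e["ip"], e["user"], e["host"]) for e in events
            if e["event"].startswith("ADMIN_")]


def find_indicators(text):
    """Run every detector over the log and return what should be alerted on."""
    events = parse_log(text)
    return {
        "password_spray": password_spray(events),
        "account_across_hosts": account_across_hosts(events),
        "disabled_account_attempts": disabled_account_attempts(events),
        "admin_account_changes": admin_account_changes(events),
    }


if __name__ == "__main__":
    for name, hits in find_indicators(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The single failed logon from 10.0.0.12 followed by a success is the ordinary typo case and is not reported, which is the point of thresholds: the polling question that follows asks whether your process detects these indicators, and a detector that fires on every failed logon is one nobody reads. Running this kind of check against your own log extract is a cheap first test of the alerting claim.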
Polling Question
How many believe their process will detect
and alert to these indicators of compromise?
a) All, and our testing proves it!
b) All, but we’ve not validated/tested.
c) Some, testing shows gaps.
d) Some, but testing needed.
e) Oh boy, we are in trouble.
Breach Preparedness and Testing
• Cybersecurity Insurance
– Who is covered, when are they covered,
how?
• Incident Response Plan
• Notice Obligations (12CFR Part 748 Appendix B)
• Plan Testing
– Covert Pen Testing (True Breach Simulation)
– Table Top Scenario Testing
Using Standards…
“Engage a large, nationwide IT auditing
firm—with extensive experience performing
IT governance audits for a range of
industries—to perform an ‘ISO Based
Information Security Assessment’
leveraging a methodology rooted in industry
standards and best practices (ISO 27002,
27015).”
Examiner Skills
• RISOs – generally very well qualified, full time
• SMEs – less experienced, part time
• Skilled – Understand role, operationally savvy
• Over Achiever – Expectations beyond authority
• Under Achiever – Checklist reviews
Polling Question
What was the skill of your most recent IT
examiner?
a) Skilled
b) Over Achiever
c) Under Achiever
Standards to consider…
• Great tools for measuring progress
towards goal
• In addition to the FFIEC CAT
– SANS / CIS Twenty Critical Security Controls
– ISO 27001/27001
– NIST 800-53A and others
– COBIT
Polling Question
Are you measuring your security program
against a specific standard?
a) No
b) Yes, SANS/CIS Twenty Critical
c) Yes, NIST
d) Yes, ISO
e) Yes, Other or Several of the Above
Covert Breach Testing
Security assessments performed with the IT
staff's knowledge and collaboration can be the
most thorough and effective tests, but they
fail to evaluate breach detection and
response capabilities.
Vulnerability Management
• Supplement / Support Patch Management
• Credentialed Vulnerability Scans
• Remediation and Reconciliation
• Reporting
Frequency of Testing
• Risk Assessment
• Penetration Testing
• Vulnerability Assessment
• General Controls Review
• Social Engineering
• True Breach Simulation
Password Management
• Passwords are clearly the weakest link in
the security chain.
• Equip users to select strong passwords.
– Length increasing… 14
– Stronger requirements for Admins
– Distinct Admin/User accounts with unique passwords
– Password Wallets?
Board Reporting
• Regular – consider monthly, quarterly
• All elements:
– Information Security Program and status
– IT and InfoSec Policies
– Security Breaches or attempted breaches
– IT Strategic Plan
– Information Security Risk Assessment
– Business Continuity Plan and Testing Results
– Incident Response Plan
– Results from Vendor Management Reviews
– Insurance coverage for IT risks
• “The threat has reached the point that,
given enough time, motivation, and
funding, a determined adversary will likely
be able to penetrate any system
accessible from the Internet.”
• Joseph M Demarest, Assistant Director, Cyber Division FBI, before the Senate
Judiciary Committee, May 8, 2013
[Diagram: the adversary's Time, Motivation and Funding weighed against Profit]
This is your security program!
And…
• Business Continuity Planning
• Vendor Management
• Information Security Policies
Any Questions?
tom.schauer@claconnect.com
253-468-9750
CliftonLarsonAllen