2/9/2015
10 Cybersecurity Questions for Bank CEOs and the Board of Directors
Dr. Kevin Streff
Founder, Secure Banking Solutions
4th Annual UBA Bank Executive Winter Conference, February 2015
Board of Directors and Management Team Are Responsible for Security
On a scale of 1 to 10, grade your board’s ability to:
• Understand cyber risks
• Give attention and resources to cyber risks
Top Security Threats
1. Hacking
2. Data Leakage
3. Social Engineering
4. Corporate Account Takeover
5. ATM Fraud
“Small and medium sized banks are in the cross-hairs of the cyber criminal”
Howard Schmidt, former White House Cybersecurity Coordinator
Most threats involve installing malware.
Threat #1: Hacking
Hacker Tools Examples
• Tools to hack your bank are freely downloadable: http://sectools.org/
• Default passwords for network equipment are publicly listed: http://www.phenoelit.org/dpl/dpl.html
• An economy exists to sell stolen data (“underground markets”): http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Threat #2: Data Leakage
Data Leakage
• Data leakage is about insiders leaking customer information out of your bank
• Most attention is paid to outsiders breaking into your network (aka hackers), but insiders leak data in two ways:
– Malicious behavior
– Accidental disclosure
Misuse of Bank Computers
Threat #3: Social Engineering
Social Engineering
• What is social engineering?
– Exploitation of human nature to gather sensitive information.
– A tool attackers use to gain knowledge about employees, networks, vendors or other business associates.
Sample Social Engineering Methods
• Phishing/Pharming
• Telephone (Remote Impersonation)
• Dumpster Diving
• Impersonation
• E-mail Scams
• USB Sticks
Threat #4: Corporate Account Takeover
Small Business Security
• 70% lack basic security controls
• Conduct a risk assessment looking for these basic security controls:
– Firewall
– Strong passwords
– Malware protection
– Etc.
Finger Pointing?
Threat #5: ATM Fraud
Skimmer Camera
Question
• How long does it take to install a skimmer?
• http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/
Question for Boards & Mgmt Team
What is your bank doing to mitigate the risks of:
– Hacking
– Data Leakage
– Social Engineering
– Corporate Account Takeover
– ATM Fraud
Answer Should Be:
1. Layered Security Program
2. Risk Assessment
3. Customer Awareness and Education
4. Effective Auditing
• I.T. Risk Assessment
• Asset Management
• Vendor Management
• Penetration Testing
• Vulnerability Assessment
• Security Awareness
• Business Continuity
• Incident Response
• I.T. Audit
Layered Information Security Program for Your Bank
• Documentation
• Boards & Committees
2014 FFIEC Cybersecurity Assessments
Cybersecurity and Critical Infrastructure Working Group (CCIWG)
• Targeted regulatory exams
• In June 2013 the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCIWG)
• Approximately 500 assessments of community institutions with $1 billion or less in assets
• Information-gathering and learning mode
• Findings finalized in mid-2014 and applied to all exams moving forward
Cybersecurity Assessment Scope
• Exams build upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook
• Assesses the complexity of an institution’s operating environment
• Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:
– Risk Management and Oversight
– Threat Intelligence and Collaboration
– Cybersecurity Controls
– External Dependency Management
– Cyber Incident Management and Resilience
• https://www.ffiec.gov/pdf/cybersecurity/2014_June_FFIEC-Cybersecurity-Assessment-Overview.pdf
Summary of Results
• Strong risk management program
• Enhanced vulnerability assessment program
• Share and collaborate on cybersecurity information with other institutions
• Enhanced vendor management program
• Enhanced incident response plans
• Training and education on information (cyber) security is going to be emphasized
• Board participation and education involving information security is going to be EXAMINED and REGULATED
• Are you keeping your Board apprised of cybersecurity issues and how your institution is responding?
Cybersecurity Training
1. “Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture.”
• Boards are going to be held to a higher standard!
• Do you review loans at Board meetings? Better start reviewing information security items as well!
2. “While most financial institutions understand the need to train employees on cybersecurity risk management, the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis.”
• The more educated and knowledgeable your people are, the more risk you reduce!
Section 1 – Cybersecurity Inherent Risk: Findings and Concerns
• Regulators are concerned that you don’t have all your connections, systems, and products inventoried
• Regulators are concerned that every connection, system, and product is not hardened
• Regulators are concerned that your risk assessment process is inadequate
• Regulators are concerned that your enterprise risk management program does not accurately reflect cyber risk
Section 1 – Cybersecurity Inherent Risk: FFIEC Questions
1. What type of connections does your bank have?
2. How are you managing these connections to deal with evolving threats and vulnerabilities?
3. Do you need all your connections?
4. How do you evaluate evolving threats and vulnerabilities in your risk assessment process?
5. How do your connections and technologies collectively affect your bank’s risk posture?
Section 1 – Cybersecurity Inherent Risk: Management Actions
• Expand your bank’s network diagram to include all bank connections
• Update your risk assessment to reflect the additional inherent risk these connections introduce
• Automate risk assessment to calculate inherent risk metrics and measurements
• Mature the bank’s enterprise risk management program to include cybersecurity inherent risk
• Ensure the next I.T. audit thoroughly examines cybersecurity inherent risk
Section 2 – Cybersecurity Preparedness: FIVE Topics
1. Risk Management and Oversight
2. Threat Intelligence and Collaboration
3. Cybersecurity Controls
4. External Dependency Management
5. Cyber Incident Management & Resilience
Section 2 – Cybersecurity Preparedness: Topic 1 – Risk Management & Oversight
1. Involves risk assessment and management
2. Involves allocating human and financial resources
3. Includes governance and compliance
4. Includes awareness, training and education
Section 2 – Cybersecurity Preparedness: Topic 1 – Risk Management & Oversight
Findings and Concerns
1. Board and senior management are not regularly discussing cyber threats
2. Board and senior management are not setting the tone at the top
3. Board and senior management are not properly trained to manage cyber risks
4. Training must be current and regular (not once a year)
5. Banks are vulnerable to social engineering attacks
Section 2 – Cybersecurity Preparedness: Topic 1 – Risk Management & Oversight
FFIEC Questions
1. What is the process to ensure ongoing and routine discussions by the board and senior management about cyber threats to your bank?
2. How is accountability determined for managing cyber risks across the bank? Does this include management’s accountability for business decisions that may introduce new cyber risks?
3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
Section 2 – Cybersecurity Preparedness: Topic 1 – Risk Management & Oversight
Management Actions
• Draft an information security strategy and have all management and board members sign off
• Have a standing item on the board agenda: cybersecurity
• Set the tone from the top
• Automate risk assessment to calculate residual risk metrics and measurements
• Mature the bank’s enterprise risk management program to include cybersecurity residual risk
• Ensure the next I.T. audit thoroughly examines cybersecurity residual risk
• Conduct social engineering tests each quarter:
– Q1: Dumpster dive
– Q2: Phishing scam
– Q3: Pretext calling
– Q4: Physical impersonation
• Ensure the next I.T. audit thoroughly examines the security awareness program, management/board credentials, and roles/responsibilities
What Can You Do?
• Focus on a program
• Get good at risk assessment; focus it on the big 5 threats
• Put information in a form they can understand
• Involve Board members in your bank’s security awareness program
• Train them
Section 2 – Cybersecurity Preparedness: Topic 2 – Threat Intelligence/Collaboration
FFIEC Questions
1. What is the process to gather and analyze threat information?
2. How is accountability determined for managing cyber risks across the bank? Does this include management’s accountability for business decisions that may introduce new cyber risks?
3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
Section 2 – Cybersecurity Preparedness: Topic 2 – Threat Intelligence/Collaboration
Findings and Concerns
1. Threat intelligence is lacking in banks
2. Banks rely on media reports, which are reactive and insufficient
3. Monitoring of event logs is insufficient
Section 2 – Cybersecurity Preparedness: Topic 2 – Threat Intelligence/Collaboration
Management Actions
1. Build a threat intelligence capability
2. Build relationships with FS-ISAC, InfraGard, and other threat intelligence groups
3. Improve monitoring of event logs to identify patterns and problems
4. Build relationships with law enforcement before an incident occurs
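Action 3 above asks for log monitoring that finds patterns rather than isolated events. The Python script below is an added example and is not code from the deck, from Secure Banking Solutions or from the FFIEC: it parses a handful of constructed sshd-style authentication lines (the hostnames, usernames, addresses and timestamps are invented) and flags the pattern behind many corporate account takeovers, a burst of failed logins from one address followed by a successful login from the same address. The log format, the five-failure threshold and the ten-minute window are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the deck). Hostnames,
# usernames, addresses (RFC 5737 documentation ranges) and timestamps are invented.
SAMPLE_LOG = """\
2015-02-09T08:01:10 core-sw sshd: Failed password for admin from 203.0.113.7
2015-02-09T08:01:12 core-sw sshd: Failed password for admin from 203.0.113.7
2015-02-09T08:01:15 core-sw sshd: Failed password for admin from 203.0.113.7
2015-02-09T08:01:17 core-sw sshd: Failed password for admin from 203.0.113.7
2015-02-09T08:01:19 core-sw sshd: Failed password for admin from 203.0.113.7
2015-02-09T08:01:25 core-sw sshd: Accepted password for admin from 203.0.113.7
2015-02-09T08:05:00 core-sw sshd: Failed password for jsmith from 198.51.100.4
2015-02-09T09:30:00 core-sw sshd: Accepted password for jsmith from 198.51.100.4
"""

# Assumed line format: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def failed_logins_by_source(events):
    """Simple pattern: how many failures each source address generated."""
    counts = Counter(ev["ip"] for ev in events if not ev["ok"])
    return dict(counts)


def find_brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, ip, failures) for every login that succeeded after `threshold`
    or more failures for the same user from the same address inside `window`.
    A lone 'Accepted password' line looks normal; the preceding failures make it an alert."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((ev["user"], ev["ip"], len(recent)))
        failures[key].clear()  # a success resets the counter for this user/address
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failures by source:", failed_logins_by_source(evs))
    for user, ip, n in find_brute_force_then_success(evs):
        print(f"ALERT: {n} failed logins for {user} from {ip} followed by success")
```

On the constructed input the admin account trips the alert (five failures in nine seconds, then a success), while jsmith’s single failure 85 minutes before a success does not. To use this against real logs, adapt LINE_RE to the bank’s actual format and route the alerts into the incident response process described later in the deck.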
InfraGard Certification
• Training program for staff on information security
– The InfraGard Awareness information security awareness course is FREE to all individuals and small businesses with 25 or fewer employees
• Send your Board through this program!
• https://infragardawareness.com/
• Twelve lessons (4-9 minutes each)
• Optional certificate to hang in the workplace
Section 2 – Cybersecurity Preparedness: Topic 3 – Cybersecurity Controls
Findings and Recommendations
1. Preventive controls have been the focus
2. Detective and corrective controls are lacking
3. Vulnerability assessments are insufficient
4. Penetration testing is insufficient
5. Banks should take an enterprise view of IT risk
6. Vulnerability remediation is lacking
Section 2 – Cybersecurity Preparedness: Topic 3 – Cybersecurity Controls
FFIEC Questions
1. What is the process for determining and implementing controls?
2. Does the process call for a review and update of controls when changing the I.T. environment?
3. What is the process for classifying data and determining appropriate controls based on risk?
4. What is the process for ensuring that risks identified are remediated?
Section 2 – Cybersecurity Preparedness: Topic 3 – Cybersecurity Controls
Management Actions
1. Improve detective and corrective controls
2. More frequent and deeper vulnerability assessments
3. More frequent and deeper penetration testing
4. Implement/mature enterprise risk management
5. Improve vulnerability remediation
Action Tracking
Section 2 – Cybersecurity Preparedness: Topic 4 – Vendor Management
Findings and Recommendations
1. Many banks have processes in place to manage vendors
2. Many banks lack documented roles & responsibilities in the contract/incident response plan
Section 2 – Cybersecurity Preparedness: Topic 4 – Vendor Management
FFIEC Questions
1. How is the bank connecting to third parties, and how is it ensuring that they are managing cybersecurity controls?
2. What are third parties’ responsibilities during a cyber attack? Are they outlined in an incident response plan?
Section 2 – Cybersecurity Preparedness: Topic 4 – Vendor Management
Management Actions
1. Document how the bank is connecting to third parties and how it ensures that they are managing cybersecurity controls
2. Document in the contract/incident response plan the roles & responsibilities of third parties during a cyber attack
Section 2 – Cybersecurity Preparedness: Topic 5 – Incident Management
Findings and Recommendations
1. Internal and external communication is often lacking to handle a cyber incident
2. Cyber incident scenarios are inadequately incorporated into the bank’s business continuity and disaster recovery plans
3. BCP/DR plans are often not sufficiently tested
Section 2 – Cybersecurity Preparedness: Topic 5 – Incident Management
FFIEC Questions
1. In the event of a cyber attack, how will the bank respond internally and with customers, third parties, regulators and law enforcement?
2. How are cyber incident scenarios incorporated into the bank’s business continuity and disaster recovery plans?
3. Have BCP/DR plans been tested?
Section 2 – Cybersecurity Preparedness: Topic 5 – Incident Management
Management Actions
1. Work to improve internal and external communication to handle a cyber incident
2. Incorporate cyber incident scenarios into the bank’s business continuity and disaster recovery plans
3. Sufficiently test BCP/DR plans
Auditing Results
U.S. Department of Treasury Press Release, December 2014
1. Is cyber risk part of our current risk management framework?
2. Do we follow the NIST Cybersecurity Framework?
3. Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?
4. Do we have cyber risk insurance?
5. Do we engage in basic cyber hygiene?
6. Do we share incident information with industry groups? If so, when and how does this occur?
7. Do we have a cyber-incident playbook, and who is the point person for managing response and recovery?
8. What roles do senior leaders and the board play in managing and overseeing the cyber incident response?
9. When and how do we engage with law enforcement after a breach?
10. After a cyber incident, when and how do we inform our customers, investors, and the general public?
False Sense of Security
Contact Info
• Dr. Kevin Streff
– Dakota State University
• [email protected]
• 605.256.5698
– Secure Banking Solutions, LLC
• www.protectmybank.com
• 605.270.0790