Page 1: Cybersecurity and Data Security - Elliott Davis · bank has any segregation of duties (SoD) of conflicts. If conflicts exist management should have mitigating controls (business process

Cybersecurity and Data Security

Richard Cook Director IT Audit & Security

Bonnie Bastow Manager, IT Audit & Security May 2015

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Page 2: Cybersecurity and Data Security

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 3: Information Technology Topics for Today

• Cybersecurity
• Data Security

Page 4: Cybersecurity Agenda

• Cybersecurity Update for 2015
  - Intel Security Report - 2015
  - Kaspersky Carbanak Report - 2015
  - Verizon’s Data Breach Investigations Report - 2015
• Common Themes
• Integrating Cybersecurity Responses into your Existing Programs

Page 5: Cybersecurity Update - 2015

• Intel Report About Social Engineering
• Kaspersky Report on Carbanak
• Verizon Security Report

Page 6: Intel Security Report

• People, processes and technology are all needed to help mitigate risk
• Technology alone is not enough to protect users
  - Email is the most prevalent initial target
• 2015 and beyond: no slowdown in sight for social engineering attacks
  - "The reality is that social-based attacks will continue for the foreseeable future."

Page 7: Global Spam and Email Volume (chart)

Page 8: Intel Security Report

• Launched an online quiz to show how easy it is to hook people with a social engineering phishing email
• Social engineering >> a low-tech attack, because of the limited technical resources required to execute it
• Organizations must channel resources into education and cultural change

Page 9: Kaspersky – Carbanak Report

• Attacks still active
• Motivation – financial gain (not espionage or access to private information)
• Started with a spear phishing email that appeared to be legitimate banking communication
• Email attachments exploited Microsoft Office 2003, 2007 and 2010 vulnerabilities

Page 10: Kaspersky – Carbanak Report

• Highly sophisticated once they gained ‘some’ access
• Important point >> initial access was via phishing emails, followed by exploitation of known vulnerabilities

Page 11: Verizon – Top Seven Human Risks

• Phishability
• Not patching, or using outdated systems
• Posting too much information about self or work
• Reusing passwords across sites
• Indiscriminate use of mobile media
• Lack of situational awareness (believing you are not a target)
• Accidental loss or disclosure of sensitive information

Page 12: Verizon Security Report

• 23% of recipients open phishing emails and 11% click on the attachments
• 99.9% of the exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) entry was published

Page 13: Verizon Security Report – Attack Patterns (chart)

The first four patterns account for 90% and are all ‘People’ related

Page 14: Common Themes

• A multi-frontal approach is mandatory
• Social engineering is here to stay
  - Human nature
• Virus protection and patching programs
  - As important as ever
• Monitoring tools – necessary, but not preventive
• Assessment tools

Page 15: Integrating Cyber Security Responses

You already have…

• Information Security Program
• IT and Information Security (GLBA) Risk Assessments
• Incident Response Plan
• Business Continuity Plan
• Training Programs
• IT Strategic Plan

Page 16: What to Do Next

• It’s about integrating your:
  - Programs
  - Training
  - Response plans
  - Effectiveness testing
• With your:
  - Employees
  - Contractors
  - Vendors
  - Physical assets

Page 17: Where Do I Stand?

• Must be aware of your current security posture
  - What do we have in place?
  - How does it all work/fit together?
• Assessment – how do I know how we’re doing?
  - Scans – internal and external
  - Social engineering assessments
  - IT General Controls

Page 18: What Do I Need to Check?

• Does your Information Security training program adequately cover security awareness?
  - Have you conducted testing of the program’s effectiveness?
• Does your Incident Response plan include provisions for cyber events (internal and external)?
  - Do employees know how and when to report and respond to possible cyber events?
• Are your IT General Controls providing adequate coverage for anti-virus and patch management?

Page 19: Cybersecurity Resources, Tools, Frameworks

• State Bank Supervisors
• FFIEC
• FDIC
• ABA
• COSO
• COBIT
• ISACA
• Verizon Cybersecurity survey

Page 20: Conference of State Bank Supervisors

• Cybersecurity 101 – framework is organized according to the 5 core cybersecurity functions (presented at the 2015 Conference of State Bank Supervisors)

Page 21: FFIEC – Cybersecurity Assessment

• Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:
  - Risk Management and Oversight
  - Threat Intelligence and Collaboration
  - Cybersecurity Controls
  - External Dependency Management
  - Cyber Incident Management and Resilience

Page 23: FFIEC

• November 3, 2014 – press release
• https://www.ffiec.gov/press/pr110314.htm
• Recommends that financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC): https://www.fsisac.com/
• FS-ISAC is a non-profit information sharing forum established by the industry to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information

Page 24: FDIC

• The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community banks to conduct short exercises or facilitated discussions around four operational risk-related scenarios. The “Cyber Challenge” is available at
  - https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html

Page 25: Data Security – Agenda

• Vendor Management
• System Security/User Access Reviews

Page 26: Data Security – Vendor Management

• Most financial institutions are doing a good job with vendor management review; however:
  - Management should be sure to tie out the User Control Considerations (UCCs) to validate that these controls are in place
  - Oftentimes these controls are covered by other testing (which management can leverage), such as:
    • FFIEC Internal Audit review
    • FDICIA testing
    • SOX testing

Page 27: Data Security – Vendor Management

• Management should review their third party agreements to determine exactly who owns which processes. Consider:
  - Does the third party host the production servers, or are they housed by the financial institution?
  - Who is responsible for supporting the production servers, maintaining security (user provisioning), making changes to parameter settings (tolerances, system-enforced approvals), and granting administrator access?
  - There should be a very distinct delineation of responsibilities
  - Management does not have the luxury of depending solely on the third party without understanding its own responsibilities

Page 28: Data Security – System Security

• If the bank houses the systems on site, management must review the application, operating system and database users
• Management should be sure to review users to determine whether the bank has any segregation of duties (SoD) conflicts. If conflicts exist, management should have mitigating controls (business process controls) to reduce the risk, such as:
  - Reviewing master data changes (file maintenance changes, changes to standing data, changes to customer information, changes to vendor information), review of GL entries, and review of parameter changes

Page 29: Data Security – System Security cont.

• To appropriately address SoD conflicts, we should incorporate a risk based approach
• Management should consider SoD conflicts across systems (e.g. client setup and loan approval, vendor setup and vendor approval)

Page 30: Data Security – User Access Reviews

• Administrator access – the riskiest access levels should receive the highest level of scrutiny
• All vendor accounts should be reviewed to ensure that access is appropriately restricted (are the vendors using a shared account?). Management should always want individual accountability
• All IT access to financial applications should be questioned
• Management should not use generic accounts or shared accounts if the users have access to production data
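The cross-system SoD check on slide 29 and the shared-account and administrator scrutiny on slide 30, worked as an added Python example (not code from the presentation or from Elliott Davis). The entitlement rows, system names, conflict pairs and generic-name prefixes are constructed assumptions; a real review would load each application's user/role report.

```python
"""Cross-system SoD and privileged-account review over an entitlement export.
Added example with constructed data; not from the Elliott Davis slides."""
from collections import defaultdict

# Constructed export: (user, system, entitlement), one row per granted right.
ENTITLEMENTS = [
    ("jdoe", "core_banking", "client_setup"),
    ("jdoe", "loan_origination", "loan_approval"),  # conflict split across systems
    ("asmith", "ap_system", "vendor_setup"),
    ("asmith", "ap_system", "vendor_approval"),     # conflict within one system
    ("bjones", "core_banking", "teller"),
    ("VENDOR_SUPPORT", "core_banking", "admin"),    # shared vendor account with admin
    ("svc_generic", "ap_system", "ap_clerk"),       # generic account on production data
    ("mchen", "core_banking", "admin"),             # named admin: needs a business case
]

# Conflicting pairs named on the slides; one user must not hold both halves,
# whichever systems grant them.
SOD_RULES = [
    ("client_setup", "loan_approval"),
    ("vendor_setup", "vendor_approval"),
]
# Name prefixes assumed to mark shared or generic accounts (constructed convention).
GENERIC_PREFIXES = ("svc_", "vendor_", "shared_", "generic_")
# Entitlements treated as elevated and given the highest scrutiny (assumed names).
ELEVATED = {"admin", "dba", "local_admin"}


def sod_conflicts(entitlements, rules=SOD_RULES):
    """Return {user: [(right_a, right_b, [systems])]} for every user who holds
    both halves of a rule. Rights are pooled per user before matching, so a
    conflict split across two applications is caught, not only same-system ones."""
    held = defaultdict(lambda: defaultdict(set))
    for user, system, right in entitlements:
        held[user][right].add(system)
    findings = {}
    for user, rights in held.items():
        hits = [(a, b) for a, b in rules if a in rights and b in rights]
        if hits:
            findings[user] = [(a, b, sorted(rights[a] | rights[b])) for a, b in hits]
    return findings


def account_review(entitlements):
    """Return {user: [reasons]} for accounts lacking individual accountability
    (shared/generic names) or holding elevated access that needs a business case."""
    flags = defaultdict(list)
    for user, system, right in entitlements:
        if user.lower().startswith(GENERIC_PREFIXES):
            flags[user].append(f"shared/generic account on {system}")
        if right in ELEVATED:
            flags[user].append(f"elevated access '{right}' on {system}: business case required")
    return dict(flags)


if __name__ == "__main__":
    # This listing is what the business owner (not IT) would sign off on.
    for user, hits in sod_conflicts(ENTITLEMENTS).items():
        for a, b, systems in hits:
            print(f"SoD conflict: {user} holds {a} + {b} via {', '.join(systems)}")
    for user, reasons in account_review(ENTITLEMENTS).items():
        print(f"Account review: {user}: {'; '.join(reasons)}")
```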

Page 31: Data Security – User Access Reviews cont.

• Management should always remember that the business owns the data, while it is the IT group’s responsibility to secure the data
• The user access reviews should be performed by the business (not IT). It is okay to use IT’s assistance
• If changes are noted during the user access reviews, management should determine the nature of the changes being requested. Is there some underlying reason why the changes are being requested? Does the bank have an inherent problem with its user provisioning process?

Page 32: Data Security – User Access Reviews cont.

• If production systems are hosted by the financial institution, management should also review the operating system and database layers
  - Direct access to the operating systems should be very limited. Be sure to review users that have local administrator access to the operating system (these would generally be IT users)
  - Direct access to the production database should be the most restricted access. Every user with direct access to the database should be questioned (just being a member of the IT group is not sufficient support for this high level of access)

Page 33: Data Security – User Access Reviews cont.

• To emphasize one more time – the business is ultimately responsible for limiting access to the operating system and the database (as well as the application). There should be a business case for each user that has administrator or elevated access to the operating system and/or the database. Direct access to the database should be the most limited for all systems.
• In most instances we see the IT group reviewing access to the operating system and database – if the access is being reviewed at all
• IT can facilitate the review – but the business should sign off on the review

Page 34: Data Security – User Access Reviews cont.

• Third party access to systems should be logged and actively monitored if systems are hosted in house. A formal process should be in place (using a risk based approach; consider the question "what can go wrong?") to ensure that the vendor is not making unapproved changes to production data.
• Users should not review their own access rights
• In summary, I challenge you with two questions:
  - How do you know that only approved users have access to systems and that their access is appropriate for their job functions?
  - Do you have a process in place to identify whether unapproved changes are occurring to production data?

Page 35: Questions

Page 36: Contact

Richard Cook [email protected]
704.808.5275

Bonnie Bastow [email protected]
704.808.5243

Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.