Ed McMurray, CISA, CISSP, CTGA - lba.org McMurray - FFIEC... · 2015-10-19 · CYBERSECURITY RECENT...

Ed McMurray, CISA, CISSP, CTGA, CoNetrix

AGENDA

• Introduction
• Cybersecurity
  – Recent News
  – Regulatory Statements
  – NIST Cybersecurity Framework
  – FFIEC Cybersecurity Assessment
• Questions
• Information Security Stats (if we have time)

DISCLAIMER

• The information contained in this session may contain privileged and confidential information.
• This presentation is for information purposes only. Before acting on any ideas presented in this session, security, legal, technical, and reputational risks should be independently evaluated considering the unique factual circumstances surrounding each institution.
• No computer system can provide absolute security under all conditions.
• Any views or opinions presented do not necessarily state or reflect those of CoNetrix or ICBA NM.
• The following information presented is confidential and/or proprietary and is intended for the express use by attendees. Any unauthorized release of this information is prohibited.
• All original CoNetrix material is Copyright © 2015 CoNetrix


CYBERSECURITY RECENT HISTORY

• Feb. 2013 – Presidential Executive Order 13636

• June 2013 – FFIEC forms Cybersecurity and Critical Infrastructure Working Group

• Aug. 2013 – Council on Cybersecurity launched

• Feb. 2014 – NIST Released Cybersecurity Framework

• May 2014 – NY Report on Cybersecurity in the Banking Sector

• May 2014 – FFIEC Cybersecurity webinar

• June 2014 – FFIEC Launches Cybersecurity Web Page

• June – July 2014 – FFIEC Commences Cybersecurity Assessments

• Nov. 2014 – FFIEC Released Observation from Cybersecurity Assessment

• Feb. 2015 – FFIEC Revised BCP IT Exam Booklet

• Mar. 2015 – FFIEC Provides Overview of Cybersecurity Priorities

• Mar. 2015 – Office of Inspector General releases report on FDIC’s Supervisory Approach to Cyberattack Risks

• Mar. 2015 – FFIEC Releases 2 Statements on Compromised Credentials and Destructive Malware

• June 2015 – FFIEC Releases Cybersecurity Assessment Tool


FEDERAL RESERVE SR 15-9

“In particular, the Federal Reserve will work to tailor expectations to minimize burden for financial institutions with low cybersecurity risk profiles and, potentially, supplement expectations for financial institutions with significant cybersecurity risk profiles. Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”

OCC BULLETIN 2015-31

“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”

“While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners will begin incorporating the Assessment into examinations in late 2015.”

FDIC FIL-28-2015

“Use of the Cybersecurity Assessment Tool is voluntary.”

“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”

CONFERENCE OF STATE BANK SUPERVISORS (CSBS)

“The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of bank CEOs that management of a bank’s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue.”

- CSBS Cybersecurity 101

NY STATE – REPORT ON CYBER SECURITY

CHALLENGE

We now have multiple information security frameworks. How do they fit together?

• IT/GLBA Information Security Program
• NIST Cybersecurity Framework
• FFIEC Cybersecurity Assessment Tool
• PCI DSS
• NACHA Security
• HIPAA

HOPEFULLY . . .

We would like to see integration: one information security program with components addressing malicious attacks, credit/debit threats, ACH threats, medical info threats, etc.

[Diagram: NIST Cybersecurity Framework, FFIEC Cybersecurity Assessment Tool, PCI DSS, NACHA Security, and HIPAA shown as components of one IT/GLBA Information Security Program, with more alignment between them.]

REQUEST FOR ALIGNMENT OF FFIEC & NIST CYBERSECURITY DOCUMENTS

CALL FOR CYBERSECURITY FRAMEWORK

• Voluntary risk-based set of industry standards & best practices
• Methodology to protect individual privacy & civil liberties through cybersecurity activities

Framework for Improving Critical Infrastructure Cybersecurity v1.0 (NIST)

NIST CYBERSECURITY FRAMEWORK CORE

NIST CYBERSECURITY FRAMEWORK

FRAMEWORK CORE

• Identify
• Protect
• Detect
• Respond
• Recover

IMPLEMENTATION TIERS

• Partial
• Risk Informed
• Repeatable
• Adaptive

PROCESS FLOW

FFIEC CYBERSECURITY ASSESSMENT TOOL

• Part One: Inherent Risk Profile
• Part Two: Cybersecurity Maturity
• Interpreting & Analysis
  – Senior management and Board reporting

PART ONE: INHERENT RISK PROFILE

Consists of 78 questions across 5 categories:
• Technology and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

INHERENT RISK PROFILE LAYOUT

DETERMINE INHERENT RISK PROFILE

PART TWO: CYBERSECURITY MATURITY

• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

CYBERSECURITY MATURITY LEVELS

CYBERSECURITY MATURITY

MATURITY MODEL

Domain > Assessment Factor > Contributing Components > Declarative Statements

CYBERSECURITY MATURITY EXCERPT

MATURITY

CYBERSECURITY MATURITY LEVELS

SETTING MATURITY LEVELS

• All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.

• While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
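One way to implement the cumulative rule above, as an added example that is not code from the original presentation, from CoNetrix, or from the FFIEC: each domain is scored on its own, a level counts only when every declarative statement at that level and at all lower levels is answered “Yes”, and no overall institution level is computed. The five level names (Baseline through Innovative) and the five inherent risk profile names (Least through Most) are the Assessment Tool’s; the domains, assessment factors, statements and answers are constructed sample data, and the EXPECTED_MINIMUM table is an assumed policy, not something the tool prescribes, used only to show the “is preparedness aligned with risk” check that the Interpreting & Analysis step asks about.

```python
"""Cybersecurity Maturity scoring under the cumulative rule.

Added illustration, not code from CoNetrix or the FFIEC. Level and
inherent risk profile names are the Assessment Tool's; the statements,
answers and EXPECTED_MINIMUM are constructed/assumed for this example.
"""
from collections import defaultdict

LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Assumed policy (not from the tool): lowest domain maturity an institution
# with the given inherent risk profile would be expected to reach.
EXPECTED_MINIMUM = {
    "Least": "Baseline",
    "Minimal": "Baseline",
    "Moderate": "Evolving",
    "Significant": "Intermediate",
    "Most": "Advanced",
}

# Constructed sample answers: (domain, assessment factor, level, statement, answer).
# Only "Yes" counts as attained; anything else is a gap.
SAMPLE_ANSWERS = [
    ("Cyber Risk Management and Oversight", "Governance", "Baseline",
     "Information security policy is approved by the board", "Yes"),
    ("Cyber Risk Management and Oversight", "Governance", "Baseline",
     "Roles and responsibilities for cybersecurity are defined", "Yes"),
    ("Cyber Risk Management and Oversight", "Governance", "Evolving",
     "Board receives cybersecurity briefings at least annually", "Yes"),
    ("Cyber Risk Management and Oversight", "Risk Management", "Evolving",
     "Risk assessment is updated when new products are introduced", "No"),
    ("Cyber Risk Management and Oversight", "Governance", "Intermediate",
     "Cybersecurity strategy is integrated with the enterprise strategy", "Yes"),
    ("Cybersecurity Controls", "Preventative Controls", "Baseline",
     "Changes to firewall rules are approved and logged", "Yes"),
    ("Cybersecurity Controls", "Preventative Controls", "Evolving",
     "Administrative access requires multi-factor authentication", "Yes"),
    ("Cybersecurity Controls", "Detective Controls", "Evolving",
     "Logs from critical systems are centrally collected", "Yes"),
    ("Cybersecurity Controls", "Detective Controls", "Intermediate",
     "Anomalous activity alerts are reviewed in real time", "No"),
    ("Cyber Incident Management and Resilience", "Incident Resilience Planning", "Baseline",
     "Incident response plan is tested at least annually", "No"),
]


def domain_maturity(answers):
    """Score each domain separately: a level is achieved only when every
    statement at that level and at all lower levels is answered "Yes".

    Returns {domain: {"level": achieved level or None,
                      "blocking": statements preventing the next level}}.
    No overall institution level is produced, matching the tool's design.
    """
    per_level = defaultdict(lambda: defaultdict(list))
    for domain, factor, level, statement, answer in answers:
        if level not in LEVELS:
            raise ValueError(f"unknown maturity level {level!r}")
        per_level[domain][level].append((f"{factor}: {statement}", answer))

    results = {}
    for domain, levels in per_level.items():
        achieved, blocking = None, []
        for level in LEVELS:
            recorded = levels.get(level, [])
            if not recorded:
                break  # nothing assessed at this level, so it cannot be claimed
            blocking = [label for label, answer in recorded if answer != "Yes"]
            if blocking:
                break  # "Yes" answers at higher levels do not count past a gap
            achieved = level
        results[domain] = {"level": achieved, "blocking": blocking}
    return results


def alignment_gaps(results, inherent_risk_profile):
    """Domains whose achieved maturity is below the assumed minimum for the
    institution's inherent risk profile."""
    target = LEVELS.index(EXPECTED_MINIMUM[inherent_risk_profile])
    gaps = {}
    for domain, result in results.items():
        achieved = LEVELS.index(result["level"]) if result["level"] else -1
        if achieved < target:
            gaps[domain] = result
    return gaps


if __name__ == "__main__":
    scores = domain_maturity(SAMPLE_ANSWERS)
    for domain, result in scores.items():
        print(f"{domain}: {result['level'] or 'below Baseline'}")
        for item in result["blocking"]:
            print(f"    gap: {item}")
    for domain in alignment_gaps(scores, "Moderate"):
        print(f"Below expected maturity for a Moderate profile: {domain}")
```

The first sample domain is the case worth noticing: its Intermediate statement is answered “Yes”, but one Evolving statement is “No”, so the domain stays at Baseline and the report lists that Evolving statement as the blocker. A domain with no statements recorded at a level stops at the level below, because an unassessed level cannot be claimed.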

MATURITY

INTERPRETING & ANALYZING RESULTS

INTERPRETING AND ANALYZING RESULTS

BENEFITS

• Identifying factors contributing to and determining the institution’s overall cyber risk.
• Assessing the institution’s cybersecurity preparedness.
• Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.
• Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness.
• Informing risk management strategies.

FFIEC PRIORITIES

• Cybersecurity Self-Assessment Tool
• Incident Analysis
• Crisis Management
• Training
• Policy Development
• Technology Service Provider Strategy
• Collaboration with Law Enforcement and Intelligence Agencies

RESOURCES

• FFIEC Cybersecurity Awareness Web Page: www.ffiec.gov/cybersecurity.htm
• NCUA Cyber Security Resources: www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
• NIST Cybersecurity Framework: www.nist.gov/cyberframework
• Financial Services Information Sharing and Analysis Center (FS-ISAC): www.fsisac.com
• InfraGard: www.infragard.org
• US Computer Emergency Readiness Team: www.us-cert.gov
• US Secret Service Electronic Crimes Task Force: www.secretservice.gov/ectf.shtml
• ISACA Cybersecurity NEXUS: www.isaca.org/cyber/Pages/default.aspx
• Council on CyberSecurity: www.counciloncybersecurity.org
• CSBS Conference of State Bank Supervisors: http://www.csbs.org/cybersecurity/Pages/default.aspx

FDIC – CYBER CHALLENGE VIDEOS

https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html

QUESTIONS

Ed [email protected]

www.conetrix.com

CASE STUDY

A review of high risk and common repeat findings from IT Audits, Penetration Tests, and Cybersecurity Assessments.

SOCIAL ENGINEERING TESTS – 99 TESTS

[Pie chart: 99 Social Engineering Tests in 2014, Passed vs. Failed. Values as extracted: 13%, 87%.]

SOCIAL ENGINEERING TESTS

[Bar chart: Social Engineering Tests conducted in 2014, Failed vs. Passed counts for Phishing Email and Social Engineering Call; vertical axis 0 to 90.]

SOCIAL ENGINEERING TESTS -DETAILS

Type of Test              Total Tests   Total Responses   % Failure
Phishing Email                  5,935             1,180       19.9%
Social Engineering Call           313                92       29.4%

(% Failure = Total Responses / Total Tests.)

MODEMS DISCOVERED

[Pie chart: Modems Discovered from 91 tests in 2014, Yes vs. No. Values as extracted: 51%, 49%.]

REVIEW OF IT AUDIT OBSERVATIONS

• 50 IT Audits and Assessments conducted between 8/2014 and 2/2015
  – 45 IT/GLBA Audits & Assessments
  – 4 IT Security Reviews
  – 1 Network Assessment

REVIEW OF IT AUDIT OBSERVATIONS: DEMOGRAPHICS

• Customers by Regulating Body:
  – 53% FDIC
  – 31% OCC
  – 16% Other
• Customers by Asset Size:
  – 10% <100M
  – 42% 100M-300M
  – 23% 300M-500M
  – 11% 500M-1B
  – 6% >1B
  – 8% N/A

IT AUDIT OVERALL STATUS

[Pie chart: Overall Security and Compliance Rating across the 50 audits. Legend: Strong, Satisfactory, Needs Improvement, Weak. Values as extracted: 53%, 34%, 11%, 2%.]

% OF FINDINGS REPEAT

[Pie chart: share of findings that were repeat findings, Yes vs. No. Values as extracted: 18%, 82%.]

RISK LEVELS DEFINED

In the determination of risk levels associated with deficiencies discovered in the audit process, consideration is given to:
• The likelihood a deficiency is exploited
• The impact on the bank or its customers
• Any existing controls used to mitigate associated risk levels

Risk levels are defined as follows:
• High: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information due to little or no mitigating controls
• Medium: A deficiency posing a direct threat to availability, integrity, and/or confidentiality of customer or bank information whose mitigating controls are not sufficient to reduce risk to an acceptable level
• Low: A deficiency posing a possible threat to the availability, integrity, and/or confidentiality of customer or bank information

FIREWALL OBSERVATIONS

[Pie chart: Router/Firewall Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 2%, 68%, 16%, 14%.]

PATCH MANAGEMENT OBSERVATIONS

[Pie chart: Patch Management Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 4%, 44%, 30%, 22%.]

LOCAL ADMINISTRATOR OBSERVATIONS

[Pie chart: Users Running as Local Administrator. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 2%, 32%, 28%, 38%.]

ANTIVIRUS OBSERVATIONS

[Pie chart: Antivirus Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 2%, 26%, 18%, 54%.]

MOBILE DEVICE OBSERVATIONS

[Pie chart: Mobile Device Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 8%, 10%, 14%, 68%.]

LAPTOP ENCRYPTION OBSERVATIONS

[Pie chart: Laptops Not Encrypted Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 4%, 8%, 10%, 78%.]

REMOVABLE MEDIA OBSERVATIONS

[Pie chart: Removable Media Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 2%, 20%, 14%, 64%.]

PASSWORD OBSERVATIONS

[Pie chart: Password Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 6%, 26%, 36%, 32%.]

AUTHENTICATION OBSERVATIONS

[Pie chart: Multi-factor Authentication Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 4%, 10%, 86% (only three values survived extraction).]

THIRD PARTY OVERSIGHT OBSERVATIONS

[Pie chart: Vendor Management Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 6%, 38%, 26%, 30%.]

BUSINESS CONTINUITY OBSERVATIONS

[Pie chart: BCP/DR Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 10%, 42%, 30%, 18%.]

INCIDENT RESPONSE OBSERVATIONS

[Pie chart: Incident Response Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 22%, 14%, 64% (only three values survived extraction).]

RISK MANAGEMENT OBSERVATIONS

[Pie chart: Risk Assessment Findings. Legend: High Risk, Medium Risk, Low Risk, No Finding. Values as extracted: 4%, 28%, 28%, 40%.]
