The New FFIEC Cyber Security Guidelines: What should a CU do? Kevin A. Russo, Vice President of Technology
Page 1: The New FFIEC Cyber Security Guidelines: What should a CU do? · 2015-09-10 · FFIEC Recommendations • Executive Leadership Involvement – Senior management’s role in cybersecurity

The New FFIEC Cyber Security Guidelines:

What should a CU do?

Kevin A. Russo, Vice President of Technology

Page 2:

Agenda

• Who am I and who is KEMBA Financial
• Themes and Trends
• Cyber Security Executive Order
• FFIEC Guidelines and Recommendations
• Getting Started Action Plan

Page 3:

Who am I and Who is KEMBA Financial?

• 27 years in computer industry
  – Mainly software
  – Helped found a network security software company in 1999 (SmartPipes, Inc.)
  – 4 years at KEMBA Financial

• KEMBA Financial Credit Union
  – What the heck does KEMBA stand for?
  – $950 million in assets
  – Serving Central Ohio

Page 4:

• Derived from a NAFCU-sponsored web presentation by CliftonLarsonAllen

Page 5:

Themes of Cyber Fraud Risks

• Hackers are:
  – Continuously getting more sophisticated
  – Starting to target smaller institutions

• Social engineering on the rise
  – Targeting both members and member businesses

Page 6:

3 Largest Trends

• Wholesale theft of personal information, both financial (PFI) and non-financial (e.g. the 2015 Anthem breach)

• Corporate Account Takeover (CATO)

• Ransomware

Page 7:

Executive Order 13636
• Improving Critical Infrastructure Cybersecurity
  – Issued February 12, 2013
• National security threat
  – Enhance security and resilience of the nation's critical infrastructure
  – Maintain an efficient, innovative, and economically sound environment
  – Partner with owners and operators of critical infrastructure

https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

http://www.dhs.gov/sites/default/files/publications/EO-13636-PPD-21-Fact-Sheet-508.pdf

Page 8:

FFIEC Recommendations
• Executive Leadership Involvement
  – Senior management's role in cybersecurity
• Cybersecurity Assessments
  – Information and Cyber Security Program
    • Build and test
• Defensive strategies to mitigate risk
• Manage Risk
• Information sharing

Page 9:

Executive Leadership's Involvement

• Sets the tone of importance from the top
• Aligning with the business strategy
• Governance process, on-going awareness and accountability
• Risk Management as part of culture

Page 10:

Building Information Security Program

• Risk Assessment
• Risk Management
• Audit
• Business Continuity/Disaster Recovery/Incident Response
• Vendor Management
• Board and Committee Oversight
• Test

Page 11:

Defensive Strategies

• Informed associates

• Incident Response

• Resistant networks and systems

Page 12:

Defensive Strategies

• Security Information and Event Management (SIEM) – centralized monitoring and alerting
  – Security device logs and events
  – Operating system logs and events
• Consolidated pattern recognition across those sources
• Import or learn new patterns
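What "consolidated pattern recognition" across security-device and operating-system logs looks like in practice, as an added example (this is not KEMBA's tooling and not code from the deck): two constructed log sources, an edge firewall and an sshd host, are normalised into one time-ordered event stream, and a windowed rule fires when repeated failed logins from one address are followed by a successful login from that same address, enriched with the firewall denies seen from it in the same window. The host names, addresses, log lines, the year used to complete syslog timestamps, the 3-failure threshold and the 60-second window are all assumptions for illustration.

```python
"""Toy SIEM correlation: normalise two log sources into one event stream,
then run a windowed rule over the consolidated stream.

Added example for this page, stdlib only. Every log line below is
constructed; the formats are a simplified sshd auth log and a generic
iptables-style firewall syslog line.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OS-level source: sshd on a core host (RFC 5737 test addresses).
SSHD_LOG = """\
Sep 10 09:00:01 core-a sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Sep 10 09:00:03 core-a sshd[4102]: Failed password for root from 203.0.113.9 port 50212 ssh2
Sep 10 09:00:05 core-a sshd[4103]: Failed password for root from 203.0.113.9 port 50213 ssh2
Sep 10 09:00:06 core-a sshd[4104]: Failed password for root from 198.51.100.4 port 41000 ssh2
Sep 10 09:00:09 core-a sshd[4105]: Accepted password for root from 203.0.113.9 port 50214 ssh2
Sep 10 09:15:00 core-a sshd[4201]: Accepted publickey for kevin from 192.0.2.10 port 60000 ssh2
"""

# Constructed security-device source: the edge firewall, same minute.
FW_LOG = """\
Sep 10 08:59:58 fw-edge kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.1.1.5 PROTO=TCP DPT=23
Sep 10 08:59:59 fw-edge kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.1.1.5 PROTO=TCP DPT=3389
Sep 10 09:00:00 fw-edge kernel: ALLOW IN=eth0 SRC=203.0.113.9 DST=10.1.1.5 PROTO=TCP DPT=22
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>DENY|ALLOW) .*?SRC=(?P<ip>\S+) .*?DPT=(?P<dport>\d+)"
)


def _ts(text, year=2015):
    # Classic syslog timestamps carry no year; assume the year of the deck.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_logs(sshd_text, fw_text):
    """Normalise both sources to common fields (ts, source, kind, ip) and
    return one list sorted by time. Lines that do not match are skipped."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "source": m["host"],
                "kind": "auth_ok" if m["result"] == "Accepted" else "auth_fail",
                "ip": m["ip"], "user": m["user"],
            })
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "source": m["host"],
                "kind": "fw_deny" if m["action"] == "DENY" else "fw_allow",
                "ip": m["ip"], "dport": int(m["dport"]),
            })
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failed logins from one IP inside `window`,
    followed by a successful login from that IP. The alert is enriched
    with the firewall denies from the same IP inside the window, which is
    only possible because both sources share the normalised `ip` field."""
    fails = defaultdict(deque)   # ip -> timestamps of recent auth failures
    denies = defaultdict(deque)  # ip -> timestamps of recent firewall denies
    alerts = []
    for ev in events:
        ip = ev["ip"]
        for q in (fails[ip], denies[ip]):       # expire entries older than window
            while q and ev["ts"] - q[0] > window:
                q.popleft()
        if ev["kind"] == "auth_fail":
            fails[ip].append(ev["ts"])
        elif ev["kind"] == "fw_deny":
            denies[ip].append(ev["ts"])
        elif ev["kind"] == "auth_ok" and len(fails[ip]) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "ts": ev["ts"].isoformat(), "host": ev["source"],
                "ip": ip, "user": ev["user"],
                "failures": len(fails[ip]), "fw_denies": len(denies[ip]),
            })
            fails[ip].clear()                   # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SSHD_LOG, FW_LOG)):
        print(alert)
```

A real SIEM expresses the same rule in its own query language, but the prerequisite is identical: both feeds must be parsed to a shared timestamp and source-address field before any cross-source pattern can be recognised, and the threshold and window are what turn a noisy per-line alert into a single actionable one.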

Page 13:

Risk Management Strategy
• Foundation built on policies
• Train the associates
• Assess Risks
• Recognize, React, Respond
• Validate Controls
  – High expectations of your vendors
  – Penetration testing
  – Application testing
  – Vulnerability scanning
  – Social engineering testing
• Cybersecurity Assessment Tool
  – V 1.2 in CTC online file library

[Diagram: People, Tools, Rules]

Page 14:

Information Sharing
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – Improved identification and mitigation of attacks
  – Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems
• Department of Homeland Security
• CUNA Technology Council online
  – Listserv with archive & File Library

Page 15:

Getting Started
• Inform your C-Suite and Board
  – Board report section
  – Publish security audit/testing results
• Create your Cyber Incident Response Plan
  – Test it!
  – Inform associates
• SIEM
  – Find a tool that works for you and your environment
• Participate in information sharing
  – CTC listserv is a good start!
• Consider/Plan for a dedicated Security Resource
• Review Information Security Program for Cybersecurity

Page 16:

Questions?

Page 17:

References for you to use
• FFIEC Cybersecurity Awareness Page:
  – https://www.ffiec.gov/cybersecurity.htm
• CTC revised assessment tool in file library:
  – http://www.cunacouncils.org/resources/file-library/
• Webinar on senior management's role in cybersecurity:
  – https://www.fdic.gov/news/news/financial/2014/fil14021.html
• Department of Homeland Security Cybersecurity site:
  – http://www.dhs.gov/topic/cybersecurity
• Information Sharing:
  – Financial Services Information Sharing and Analysis Center (FS-ISAC)
    • https://www.fsisac.com
  – Homeland Security on Information Sharing
    • http://www.dhs.gov/topic/cybersecurity-information-sharing
  – US Computer Emergency Readiness Team – automated sharing (TAXII, STIX & CybOX)
    • https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity

Page 18:

Automated Information Sharing Specs

• TAXII (the Trusted Automated eXchange of Indicator Information) defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organizational, product line and service boundaries. TAXII is not an information sharing program itself and does not define trust agreements, governance, or other non-technical aspects of collaboration. Instead, TAXII empowers organizations to share the information they choose with the partners they choose.

• STIX (the Structured Threat Information eXpression) is a collaborative effort to develop a standardized, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible. All interested parties are welcome to participate in evolving STIX as part of its collaborative community.

• CybOX (the Cyber Observable eXpression) is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in all system and network operations. A wide variety of cybersecurity use cases rely on such information including event management/logging, malware characterization, intrusion detection/prevention, incident response, and digital forensics. CybOX aims to provide a common structure and content types for addressing cyber observables across this wide range of use cases to improve consistency and interoperability.
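To make the "automatable" and "actionable" claims above concrete, here is an added example (mine, not from the deck, US-CERT or MITRE) that parses a STIX indicator received over a channel such as TAXII and checks its pattern against locally observed objects. It uses the later STIX 2.1 JSON form and its pattern syntax, which postdates the 2015 deck (STIX 1.x, the version current then, was XML with CybOX observables). The indicator, its id, the addresses, the hash and the observations are constructed, and the evaluator handles only a subset of STIX patterning: one observation expression with equality comparisons joined entirely by OR or entirely by AND. Production code should use the OASIS stix2 and stix2-patterns libraries rather than a hand-rolled parser.

```python
"""Minimal STIX 2.1 indicator evaluator (added example, stdlib only).

Supported pattern subset: a single observation expression "[ ... ]"
whose equality comparisons are joined by OR or by AND (not mixed).
Every value below is constructed for illustration.
"""
import json
import re

# Constructed indicator in STIX 2.1 JSON shape (id and values are not real).
INDICATOR_JSON = json.dumps({
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--3f2a1c5e-0000-4000-8000-000000000001",
    "created": "2015-09-10T00:00:00.000Z",
    "modified": "2015-09-10T00:00:00.000Z",
    "name": "CATO campaign infrastructure (constructed)",
    "indicator_types": ["malicious-activity"],
    "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '203.0.113.9' OR "
               "domain-name:value = 'update.example.net']",
    "valid_from": "2015-09-10T00:00:00Z",
})

# Constructed local observations: one dict per observed event, keyed by
# STIX cyber-observable object type (assumes one object of each type per
# event). These would normally come from the SIEM or proxy/DNS logs.
OBSERVATIONS = [
    {"ipv4-addr": {"value": "198.51.100.4"}, "network-traffic": {"dst_port": 443}},
    {"domain-name": {"value": "update.example.net"}},
    {"ipv4-addr": {"value": "203.0.113.9"}, "network-traffic": {"dst_port": 443}},
    {"file": {"hashes": {"SHA-256":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
]

# object-type:property.path = 'literal'   (property segments may be quoted,
# e.g. hashes.'SHA-256')
COMPARISON_RE = re.compile(
    r"(?P<obj>[\w-]+):(?P<path>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'"
)


def parse_pattern(pattern):
    """Return (operator, [(object_type, property_path, value), ...]).
    Raises ValueError for anything outside the supported subset."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single observation expression is supported")
    body = body[1:-1]
    if " OR " in body and " AND " in body:
        raise ValueError("mixed AND/OR is not supported by this evaluator")
    op = "OR" if " OR " in body else "AND"
    comparisons = []
    for part in body.split(f" {op} "):
        m = COMPARISON_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part!r}")
        path = [seg.strip("'") for seg in m["path"].split(".")]
        comparisons.append((m["obj"], path, m["val"]))
    return op, comparisons


def _lookup(obj, path):
    # Walk a nested dict along the property path; None if any segment is absent.
    cur = obj
    for seg in path:
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def observation_matches(pattern, observation):
    """True if one observed event satisfies the (subset) STIX pattern."""
    op, comparisons = parse_pattern(pattern)
    results = []
    for obj_type, path, value in comparisons:
        found = _lookup(observation.get(obj_type, {}), path)
        # Pattern literals are strings; compare numeric properties as text.
        results.append(found is not None and str(found) == value)
    return any(results) if op == "OR" else all(results)


def sightings(indicator_json, observations):
    """Indexes of observations that match a STIX 2.1 indicator's pattern."""
    ind = json.loads(indicator_json)
    if ind.get("type") != "indicator" or ind.get("pattern_type", "stix") != "stix":
        raise ValueError("not a STIX indicator carrying a stix pattern")
    return [i for i, obs in enumerate(observations)
            if observation_matches(ind["pattern"], obs)]


if __name__ == "__main__":
    print("matching observations:", sightings(INDICATOR_JSON, OBSERVATIONS))
```

The point a practitioner should take from this is where the value of the standard lies: the indicator carries its own machine-evaluable pattern plus provenance fields (id, created, valid_from), so a consumer can match it, report a sighting back to the sharing community, and later expire it, all without a human re-typing addresses into a blocklist.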

