IBA Cybersecurity, 2017-11-15 (transcript, dated 11/13/2017)
Cybersecurity
CHAD KNUTSON
SBS CYBERSECURITY, LLC
©2017 SBS CyberSecurity, LLC www.sbscyber.com 1
Contact Information
• Chad Knutson
◦ President SBS Institute, Sr. Consultant
◦ SBS Cybersecurity, LLC
◦ CISSP, CISA, CRISC
◦ 605-480-3366
◦ [email protected]
• Robb Nielsen
◦ Sr. Account Executive
◦ 712-369-0139
◦ [email protected]
• SBS Institute
◦ 605-269-0909
◦ [email protected]
Follow Us:
https://www.linkedin.com/company/sbs-cybersecurity
https://sbscyber.com/join-our-mailing-list
https://www.facebook.com/trustSBS/
https://twitter.com/SBSCyber
Technology & Cybercrime
• New Products/Services
◦ Mobile Solutions: Mobile Cash Management, Mobile Payments, Mobile Capture
◦ Virtualization
◦ Electronic Payments
◦ Cloud
◦ Online Account Opening
◦ Interactive Teller Machines
[Diagram: Technology and Cybercrime, linking the Financial Institution, its Customers and Third Parties]
Criminal Types
Equifax Issues
• Only 3 of 65 antivirus engines detected the adware (Panda, Symantec, and Webroot)
Equifax Update
• Free credit freezes until January 31, 2018
• 145.5 M records (previously reported as 143 M; increased by 2.5 M)
◦ Consumer Names
◦ Social Security Numbers
◦ Birthdates
◦ Addresses
◦ Driver's License Numbers (10.9 M)
◦ 209,000 credit cards
◦ 693,665 U.K. residents (previously reported as 400,000)
Other SSN Breaches
• However, Equifax was far from the first large SSN breach in recent history.
• In July, the Kansas Department of Commerce lost 5 million SSNs.
• Before that, the IRS was breached for 700,000 SSNs.
• The Anthem breach before that revealed 80 million SSNs.
• The OPM breach before that lost 21.5 million SSNs.
• Statistically, that is almost all Americans having their SSNs compromised, but it gets worse: since 2010, nearly 2,500 reported data breaches have involved the theft of SSNs.
Business Lessons Learned
• Internal Vulnerability Assessment
• Patch Management
• External Web Application Testing
• Asset-Based Risk Assessment
• Web Application Firewall?
• Separate Database/Webserver
• Improve Vendor Management
• Incident Response Program
Yahoo Breach
• 2013 breach of 1 B accounts (reported in Dec 2016)
• 2014 breach of 500 M accounts (reported in Sept 2016)
◦ Stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords
• 2017 update to the 2014 breach: 3 billion (every account)
Yahoo Lessons Learned
• Reduce or eliminate password reuse (Keeper Security says more than 80 percent of people reuse passwords)
• Use 2-factor authentication
• Employee training
• Weekly/monthly phishing tests
• Consider a corporate password manager
• Change passwords after a breach: https://haveibeenpwned.com/
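As an added illustration of the password-reuse and breach-check advice above (example code, not from the slides or from SBS): a Python script that flags a password used on more than one account and checks it against a breach corpus the way haveibeenpwned.com's Pwned Passwords range API does, sending only a 5-character SHA-1 prefix (k-anonymity) so the full hash never leaves the client. The accounts and the breach corpus are constructed here so it runs offline; the real service would be queried over HTTPS instead.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of a password (the hash form Pwned Passwords uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reuse(accounts: dict) -> dict:
    """Return {hash: [accounts]} for every password used on more than one account.
    Only hashes are grouped, so plaintexts never need to be stored or compared."""
    by_hash = defaultdict(list)
    for account, password in accounts.items():
        by_hash[sha1_hex(password)].append(account)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


# Constructed stand-in for the breach corpus: {SHA-1: times seen in breaches}.
# A real check would call GET https://api.pwnedpasswords.com/range/<prefix>.
BREACH_CORPUS = {
    sha1_hex("Winter2017!"): 1234,
    sha1_hex("password"): 3000000,
    sha1_hex("letmein"): 250000,
}


def range_query(prefix: str, corpus: dict = BREACH_CORPUS) -> str:
    """Simulate the k-anonymity range endpoint: the caller sends only the first
    5 hex characters; the service answers with every matching suffix and count."""
    return "\n".join(f"{h[5:]}:{n}" for h, n in corpus.items() if h.startswith(prefix))


def pwned_count(password: str, corpus: dict = BREACH_CORPUS) -> int:
    """Times the password appears in the corpus; 0 means not found.
    Only the 5-character prefix is sent; the suffix match happens client-side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix, corpus).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # Constructed sample of one person's accounts and passwords.
    accounts = {"webmail": "Winter2017!", "online-banking": "Winter2017!", "vpn": "correct horse battery staple"}
    for _digest, names in find_reuse(accounts).items():
        print(f"password reused across {names}; seen in breaches {pwned_count(accounts[names[0]])} times")
    print("vpn password breached:", pwned_count(accounts["vpn"]))
```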
KRACK
• Short for Key Reinstallation Attacks
• Affects WPA2 encryption (most devices)
• Man-in-the-Middle attack; the attacker must be physically within range of the WiFi network
• Weakness in the 4-way handshake
• Allows an attacker to decrypt the traffic you exchange over WiFi, just by listening
• The issue is in the protocol itself (the standard)
KRACK Lessons Learned
• Apply patches immediately: endpoint devices and firmware appliances
• Layer security: use SSL-encrypted websites
• Use a VPN over WiFi
US-CERT – Jeep Hacked
• https://www.youtube.com/watch?v=MK0SrxBC1xs
Alexa wanted in murder investigation
• http://www.foxnews.com/tech/2016/12/28/amazon-alexa-data-wanted-in-murder-investigation.html
Back to the Basics
• Patch ALL devices: cars, TVs, phones, computers, firewalls, virtual machines…
• Network segregation: IoT separation, servers, funds transfer, departments, branches…
• Change default passwords
• Use strong passwords, stop reuse
• Weekly/monthly vulnerability scans
• Weekly/monthly phishing tests
• Continuous employee and customer awareness
FDIC InTREx
• Released June 30th, effective immediately
• FDIC FIL-43-2016
• Risk-based IT examination
• New Uniform Rating System for Information Technology (URSIT)
• Combined GLBA and cybersecurity program
• Replaces the IT Officer's Questionnaire and FIL-81-2005 (IT Risk Management Program, IT-RMP)
Inherent Risk
• 26 Questions
◦ Core Processing
◦ Network
◦ Online Banking
◦ Development and Programming
◦ Software and Services
Residual Risk
• 89 Risk Mitigating Controls
◦ Audit
◦ Management
◦ Development and Acquisition
◦ Support and Delivery
Audit Question #1
Exam Summary
• Section URSIT Summary
• Cybersecurity Rating
• GLBA Rating
FFIEC Cybersecurity Assessment Tool
Do we need to do the CAT?
• What does GLBA require?
• Are we asking the right question?
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_All_Documents_Combined.pdf
FFIEC CA Tool (3 parts)
• Three (3) major components:
1. Rating your Inherent Risk for cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity
Risk Management Approach
• Tier 1 FFIEC CAT = Organizational Risk Assessment
◦ Cyber-Risk: https://cyber-risk.protectmybank.com/
• Tier 3 TRAC = Asset Based Risk Assessment
◦ TRAC: https://www.protectmybank.com/products/software/it-risk-assessment/
SBS Cyber-Risk
• Web based FFIEC Cybersecurity Assessment Tool: www.sbscyber.com
• Complimentary access
• 1501 active users
• 977 completed assessments
• 100% follows the FFIEC CAT
Risk Ratings per Category
Cybersecurity Inherent Risk
• Five Inherent Risk Areas
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
[Chart: average ratings for the 900+ assessments completed; values shown: 73%, 23%, 2%, <1%, <1%]
[Screenshot: Answer Declarative Statements (Y/N per statement), Identify Gaps, Y(C)]
Document Compensating Controls
New Mappings (Appendix Only)
Review – Maturity Goals
[Chart: maturity goals, with a "You're Here" marker]
Top 10 Missing Baseline
1. Data flow diagrams are in place and document information flow to external parties.
2. Firewall rules are audited or verified at least quarterly.
3. A normal network activity baseline is established.
4. Customer awareness materials are readily available.
5. Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.
6. Patches are tested before being applied to systems and/or software.
7. Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
8. Controls are in place to restrict the use of removable media to authorized personnel.
9. Elevated privileges are monitored.
10. Access to critical systems by third parties is monitored for unauthorized or unusual activity.
Action List
• Audits
• Exams
• Risk Assessments
• Committee Actions
• Contract Reviews
• Policy Reviews
• Incident Reports/SARs
• Conduct Activities
• Tracking Items
Reporting on Actions