IBA Cybersecurity 2017-11-15



11/13/2017


Cybersecurity

Chad Knutson

SBS CyberSecurity, LLC

©2017 SBS CyberSecurity, LLC www.sbscyber.com 1

Contact Information

• Chad Knutson
  ◦ President SBS Institute, Sr. Consultant
  ◦ SBS CyberSecurity, LLC
  ◦ CISSP, CISA, CRISC
  ◦ 605-480-3366
  ◦ [email protected]

• Robb Nielsen
  ◦ Sr. Account Executive
  ◦ 712-369-0139
  ◦ [email protected]

• SBS Institute
  ◦ 605-269-0909
  ◦ [email protected]


Follow Us:
• https://www.linkedin.com/company/sbs-cybersecurity
• https://sbscyber.com/join-our-mailing-list
• https://www.facebook.com/trustSBS/
• https://twitter.com/SBSCyber


Technology & Cybercrime

• New Products/Services:
  ◦ Mobile Solutions: Mobile Cash Management, Mobile Payments, Mobile Capture
  ◦ Virtualization
  ◦ Electronic Payments
  ◦ Cloud
  ◦ Online Account Opening
  ◦ Interactive Teller Machines

(Diagram labels: Technology, Cybercrime, Financial Institution, Customer, Third Party)


Criminal Types



Equifax Issues


Equifax Issues

Only 3 of 65 antivirus engines detected the adware (Panda, Symantec, and Webroot).



Equifax Update

• Free credit freezes until January 31, 2018
• 143M → 145.5M records (increased 2.5M)
  ◦ Consumer names
  ◦ Social Security Numbers
  ◦ Birthdates
  ◦ Addresses
  ◦ Driver's license numbers (10.9M)
  ◦ 209,000 credit cards
  ◦ 400,000 → 693,665 U.K. residents


Other SSN Breaches

• However, Equifax was far from the first large SSN breach in recent history.
• In July, the Kansas Department of Commerce lost 5 million SSNs.
• Before that, the IRS was breached for 700,000 SSNs.
• The Anthem breach before that revealed 80 million SSNs.
• The OPM breach before that lost 21.5 million SSNs.
• That is almost all Americans statistically having their SSNs compromised, but it gets worse. Since 2010, nearly 2,500 reported data breaches have involved the theft of SSNs.



Business Lessons Learned

• Internal Vulnerability Assessment
• Patch Management
• External Web Application Testing
• Asset-Based Risk Assessment
• Web Application Firewall?
• Separate Database/Webserver
• Improve Vendor Management
• Incident Response Program


Yahoo Breach

• 2013 breach of 1B (reported in Dec 2016)
• 2014 breach of 500M (reported in Sept 2016)
  ◦ Stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords
• 2017 update to 2014 breach: 3 billion (every account)



Yahoo Lessons Learned

• Reduce or eliminate password reuse (Keeper Security says more than 80 percent of people reuse passwords)
• Use 2-factor authentication
• Employee training
• Weekly/monthly phishing tests
• Consider a corporate password manager
• Change passwords after a breach: https://haveibeenpwned.com/
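As an added example for the "change passwords after a breach" point (not part of this presentation), the Python below checks a candidate password against the Pwned Passwords corpus behind https://haveibeenpwned.com/ using its k-anonymity range lookup: only the first five hex characters of the password's SHA-1 hash are sent, and the matching of the remaining 35 characters happens locally. The range response body and its counts are constructed for the example (only the first suffix is the real SHA-1 of "password"); `fetch_range` calls the real endpoint but is not exercised offline.

```python
"""Password-breach check via the Pwned Passwords k-anonymity range API.

Added example, not code from the presentation or from SBS. The sample range
body is constructed: only its first suffix (SHA-1("password") minus its
5-character prefix) is a real value, and the counts are made up.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the service returns for prefix 5BAA6.
# Real responses list hundreds of "SUFFIX:COUNT" lines for that prefix.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears per the range body for its prefix (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Retrieve the real range body for a 5-char prefix (network call; unused offline)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full flow: send only the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # The constructed body only makes sense for prefix 5BAA6, so compare
    # "password" against it; any other password simply falls through to 0.
    n = breach_count("password", SAMPLE_RANGE_5BAA6)
    print("seen %d times in breaches; change it" % n if n else "not in sample range")
```

The design point is the split in `sha1_prefix_suffix`: the server learns only that the password's hash starts with `5BAA6` (one of 16^5 buckets), which is why this check can be offered to employees and customers without handling the plaintext or full hash on the far side.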


KRACK

• Short for Key Reinstallation Attacks
• Affects WPA2 encryption (most devices)
• Man-in-the-Middle attack; must be carried out in person (within Wi-Fi range)
• Weakness in the 4-way handshake
• Allows an attacker to decrypt the traffic you exchange over Wi-Fi, just by listening.
• Issue is in the protocol (the standard)



KRACK Lessons Learned

• Apply patches immediately: endpoint devices and firmware appliances
• Layer security: use SSL-encrypted (HTTPS) websites
• Use a VPN over Wi-Fi


US‐CERT – Jeep Hacked

• https://www.youtube.com/watch?v=MK0SrxBC1xs



Alexa wanted in murder investigation

http://www.foxnews.com/tech/2016/12/28/amazon-alexa-data-wanted-in-murder-investigation.html


Back to the Basics

• Patch ALL devices: cars, TVs, phones, computers, firewalls, virtual machines…
• Network segregation: IoT separation, servers, funds transfer, departments, branches…
• Change default passwords
• Use strong passwords, stop reuse
• Weekly/monthly vulnerability scans
• Weekly/monthly phishing tests
• Continuous employee and customer awareness



FDIC InTREx


• Released June 30th, effective immediately
• FDIC FIL-43-2016
• Risk-based IT Examination
• New Uniform Rating System for Information Technology (URSIT)
• Combined GLBA and Cybersecurity Program
• Replaces IT Officer's Questionnaire and FIL-81-2005 (IT Risk Management Program, IT-RMP)

FDIC InTREx



Inherent Risk

• 26 Questions:
  ◦ Core Processing
  ◦ Network
  ◦ Online Banking
  ◦ Development and Programming
  ◦ Software and Services


Residual Risk

• 89 Risk Mitigating Controls:
  ◦ Audit
  ◦ Management
  ◦ Development and Acquisition
  ◦ Support and Delivery



Audit Question #1

Exam Summary

• Section URSIT Summary
• Cybersecurity Rating
• GLBA Rating



FFIEC Cybersecurity Assessment Tool


Do we need to do the CAT?

• What does GLBA require?
• Are we asking the right question?


https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_All_Documents_Combined.pdf



FFIEC CA Tool (3 parts)

• Three (3) major components:
  1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
  2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
  3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity.


Risk Management Approach

• Tier 1: FFIEC CAT = Organizational Risk Assessment
  ◦ Cyber-Risk: https://cyber-risk.protectmybank.com/
• Tier 3: TRAC = Asset-Based Risk Assessment
  ◦ TRAC: https://www.protectmybank.com/products/software/it-risk-assessment/



SBS Cyber-Risk

• Web-based FFIEC Cybersecurity Assessment Tool (www.sbscyber.com)
• Complimentary access
• 1,501 active users
• 977 completed assessments
• 100% follows FFIEC CAT


Risk Ratings per Category



Cybersecurity Inherent Risk

• Five Inherent Risk Areas:
  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

(Chart: 73%, 23%, 2%, <1%, <1%; numbers show average ratings for the 900+ assessments completed.)


Answer Declarative Statements

(Screenshot: declarative statements answered Y, N, or Y(C); gaps identified.)



Document Compensating Controls


New Mappings (Appendix Only)



Review: Maturity Goals

(Chart with a "You're Here" marker)


Top 10 Missing Baseline

1. Data flow diagrams are in place and document information flow to external parties.

2. Firewall rules are audited or verified at least quarterly.

3. A normal network activity baseline is established.

4. Customer awareness materials are readily available.

5. Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.



6. Patches are tested before being applied to systems and/or software.

7. Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.

8. Controls are in place to restrict the use of removable media to authorized personnel.

9. Elevated privileges are monitored.

10. Access to critical systems by third parties is monitored for unauthorized or unusual activity.
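Baseline statements 3, 7 and 9 above all come down to the same mechanic: compare what the logs show against a documented baseline and report every deviation. As an added example (not code from the presentation or from SBS), the Python below runs constructed DHCP lease and sudo log lines against a constructed device inventory and privileged-user list. The line format follows ISC dhcpd and sudo syslog conventions; the hostnames, IP and MAC addresses and account names are made up for the example.

```python
"""Baseline deviation checks for CAT baseline statements 3, 7 and 9.

Added example, not code from the presentation or from SBS. The inventory,
privileged-user list and log lines are constructed; in practice the inventory
comes from the asset list and the lines from a syslog collector.
"""
import re

# Constructed baseline: devices expected on the network (statement 3/7) and
# accounts permitted to use elevated privileges (statement 9).
AUTHORIZED_MACS = {
    "00:11:22:33:44:55": "teller-ws-07",
    "00:11:22:33:44:56": "teller-ws-08",
}
SUDO_ALLOWED = {"itadmin"}

# Constructed syslog lines: two DHCP leases and two sudo events.
SAMPLE_LOG = """\
Nov 13 08:01:12 dhcp dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (teller-ws-07) via eth0
Nov 13 08:02:40 dhcp dhcpd: DHCPACK on 10.1.5.88 to de:ad:be:ef:00:01 (android-8f3c) via eth0
Nov 13 08:05:03 core sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 13 08:06:11 core sudo:   itadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

# ISC dhcpd lease acknowledgement: "DHCPACK on <ip> to <mac> (<hostname>) via <if>".
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})(?: \(([^)]*)\))?")
# sudo syslog record: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
SUDO_RE = re.compile(r"sudo:\s+(\S+)\s+:\s+.*?USER=(\S+)\s+;\s+COMMAND=(.*)$")


def analyze(lines, authorized_macs, sudo_allowed):
    """Return one finding dict per log line that deviates from the baseline."""
    findings = []
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            ip, mac, host = m.group(1), m.group(2).lower(), m.group(3) or "?"
            # Statement 7: a lease for a MAC not in the inventory is an unknown device.
            if mac not in authorized_macs:
                findings.append({"kind": "unknown_device", "ip": ip, "mac": mac, "host": host})
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            # Statement 9: privilege use by an account outside the allowed set.
            if user not in sudo_allowed:
                findings.append({"kind": "unexpected_privilege_use", "user": user,
                                 "as": target, "command": cmd.strip()})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for the daily report to the IT committee."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines(), AUTHORIZED_MACS, SUDO_ALLOWED)
    for f in results:
        print(f)
    print(summarize(results))
```

The value is in the baseline, not the parser: the script only reports something once `AUTHORIZED_MACS` and `SUDO_ALLOWED` exist as maintained artifacts, which is exactly what the "baseline is established" statement asks for, and the summary counts give the tracking item an examiner can be shown.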


Tracking Items

Action List:
• Audits
• Exams
• Risk Assessments
• Committee Actions
• Contract Reviews
• Policy Reviews
• Incident Reports/SARs
• Conduct Activities



Reporting on Actions

