Welcome to Today s Web Seminar!

Transcription

1 Welcome to Today s Web Seminar! December 12, :00 PM ET Hosted By:

2 MODERATOR: PENNY CROSMAN Editor in Chief, Bank Technology News Technology Editor, American Banker newspaper In her roles at BTN and American Banker, Penny oversees technology coverage for the daily newspaper and monthly magazine. Penny has been writing about technology for more than 20 years.

3 PRESENTER: Richard E. Bradfute Director, Senior Vice President, Chief Information Officer (CIO) James Polk Stone Community Bank The James Polk Stone Community Bank is a $200 million, 9 branch (8 physical plus the online branch) institution based in southeastern New Mexico. Founded in 1906, it is the oldest family owned bank in the state. Richard Bradfute has 23 years experience in Information Technology Management. Richard is actively involved the Independent Community Bankers Association of New Mexico and the Independent Community Bankers of America. He is a Past Chairman for the Western States School of Banking, and currently chairs the Education Committee.

4 PRESENTER: Amy McHugh, JD, CISA, Network+, Security+ Senior Associate, IT Consulting Clifton Larson Allen, LLP Years of Experience: 20 years of IT experience; 4 years of IT examination and auditing Areas of Specialization: Gramm-Leach-Bliley Act Compliance, Electronic Banking Consulting and Audit, Information Systems General Controls Reviews, Risk Assessment and Policy Development, Information Security Program Development and Implementation, Vendor Management and Contract Review, and Cloud Computing.

5 PRESENTER: Mark G. Clancy Managing Director, Technology Risk Management The Depository Trust & Clearing Corporation Mark Clancy is managing director of Technology Risk Management at The Depository Trust & Clearing Corporation (DTCC), a position established in January The department comprises Information Security and Information Technology (IT) Risk Management. Clancy joined DTCC in 2009 as Corporate Information Security Officer. In his broadened position, he has enterprise-wide responsibility for developing and implementing global security and business continuity policies, standards, guidelines, procedures and threat assessments pertaining to DTCC. He also chairs the DTCC Security Steering Committee, which is composed of senior IT management as well as business-line and other corporate managers.

6 PRESENTER: Mercedes K. Tunstall Partner Pillsbury Winthrop Shaw Pittman LLP Mercedes Tunstall is a partner in the law firm s Public Policy practice and is located in the Washington, DC office. Ms. Tunstall counsels clients on compliance with consumer financial services laws, including unfair, deceptive, and abusive acts or practices, as well as the investigations, rulemakings, and proceedings of the Consumer Financial Protection Bureau and the Federal Trade Commission. Her practice covers a range of consumer products, including deposits, credit cards, reverse mortgages, prepaid cards and electronic fund transfers. Ms. Tunstall has substantial experience working with clients to develop new financial products and services, including mobile wallets, virtual currencies, and prepaid cards. These engagements typically include negotiating agreements with technology vendors, reviewing technical designs, privacy and data security concerns. She also works with clients from a spectrum of industries on mobile and other e-commerce initiatives, privacy and cybersecurity issues, and the use of social networking sites for marketing, customer service, and crowdsourcing purposes. She has testified on virtual currencies before two subcommittees of the U.S. Senate Committee on Banking, Housing and Urban Affairs.

7 Polling Question What security threats keep you up at night? -Corporate account takeovers -Phishing attacks that lead to data breaches and online banking fraud -A DDoS attack that could take down the bank s web servers -Theft of customers personal or card data

8 Areas of Cyber Security Concern: The Bank Network and systems Employees Third Party Software and Service Providers Customers Retail Commercial

9 Low Hanging Fruit Victims of our own success Good security at Banks makes customers easier marks EMV Unaware of threats Culture of Convenience

10 Mitigations for Commercial Customers EDUCATION Strong ACH Agreements Commercial Customer Information Security Standards Strong Technical Controls MFA is outdated Tokens are outdated True Out of Band Authentication

11 Mitigations for Commercial Customers Internal Bank Procedures Look out for Them They don t think Security First Anomaly detection Low Tech works, too! (ACH Calendar, Callback)

12 Polling Question What are you most concerned about the FFIEC s cybersecurity assessment zeroing in on at your bank? -Cybersecurity controls -Third-party vendor relationships -Cybersecurity incident response plans -Disaster recovery/ business continuity plans

13 May 7, 2014 FFIEC Executive Leadership Cybersecurity webinar Importance of identifying emerging cyber threats and the need for Board/C-level involvement, including: Setting the tone at the top and building a security culture Identifying, measuring, mitigating, and monitoring risks Developing risk management processes commensurate with the risks and complexity of the institutions Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future Creating a governance process to ensure ongoing awareness and accountability Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyberrisks

14 Cyber Security Assessments In the Summer of 2014, the Federal Financial Institutions Examination Council (FFIEC) agencies piloted new Cyber Security Assessment procedures at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. Integrated into regular IT Examination process Cyber Risk Management and Oversight Cyber Security Controls External Dependency Management Threat Intelligence and Collaboration Cyber Resilience

15 FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14) All FIs AND their critical technology service providers must have appropriate threat identification, information sharing, and response procedures. Recommendation to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) Improved identification and mitigation of attacks Better identification and understanding of specific vulnerabilities and necessary mitigating controls for systems Sharing information to help other FIs

16 FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (11/3/14) FI Management should: Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly Establish procedures to evaluate and apply the various types and quantity of cyber threat and vulnerability information to meet the needs of their organization FS-ISAC: FBI Infragard: U.S. Computer Emergency Readiness Team at US-CERT: U.S. Secret Service Electronic Crimes Task Force:

17 FFIEC Cybersecurity Assessment General Observations Cybersecurity Inherent Risk Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness Connection Types: identify and assess the threats to all access points to the internal network VPN Wireless Telnet/FTP Vendor LAN/WAN access BYOD

18 FFIEC Cybersecurity Assessment General Observations Cybersecurity Inherent Risk (cont.) Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness Products and Services: identify and assess threats to all products and services currently offered and planned Online ACH and Wire Transfer origination External funds transfers (A2A, P2P, bill pay)

19 FFIEC Cybersecurity Assessment General Observations Cybersecurity Inherent Risk (cont.) Management must understand the FIs INHERENT RISK when assessing cybersecurity preparedness Technologies Used: identify and assess threats to all technologies currently used and planned Core systems ATMs Internet and mobile applications Cloud computing

20 FFIEC Cybersecurity Assessment General Observations Cybersecurity Preparedness Current cybersecurity practices and overall preparedness should include: Risk Management and Oversight: Governance, allocation of resources, employee, and BOARD training and awareness Set a tone from the top includes regular board and senior management discussion of an involvement in cyber and information security programs Ongoing employee training and testing, including social engineering attack vectors

21 FFIEC Cybersecurity Assessment General Observations Cybersecurity Preparedness Current cybersecurity practices and overall preparedness should include: Threat Intelligence and Collaboration: Information acquisition, analysis, and sharing to identify, track, predict, and respond to cyber threats Participation in FS-ISAC and other information sharing groups Participation in local, regional peer groups and industry groups Implementation of network activity/security log monitoring

22 FFIEC Cybersecurity Assessment General Observations Cybersecurity Preparedness Current cybersecurity practices and overall preparedness should include: Cybersecurity Controls: Preventive, detective, or corrective procedures for mitigating identified cybersecurity threats Patching, encryption, limited user access Intrusion detection/prevention systems, firewall alerts Formal audit program with scope and schedule based on an asset s inherent risk, prompt and documented remediation of findings, regular activity report reviews

23 FFIEC Cybersecurity Assessment General Observations Cybersecurity Preparedness Current cybersecurity practices and overall preparedness should include: Cyber Incident Management and Resilience: Incident detection, response, mitigation, escalation, reporting, and resilience Formal Incident Response Programs, including regulatory and customer notification guidelines and procedures Senior management and board incident reporting

24 FFIEC Cybersecurity Assessment Implications? Increased Board and C-Level Involvement Participation in information-sharing group(s) Cybersecurity scenario testing with employees and management Increased oversight of third-party service providers Documentation on how FI is addressing the FFIEC Cybersecurity Assessment findings

25 The Need for Speed Initial Attack to Initial Attackers Compromise have honed (Shorter Time Worse) their skills to come at you rapidly Initial Compromise to Data Exfiltration (Shorter Time Worse) Seconds Minutes Hours Days Weeks Months Defenders take a long time to feel the impact of an attack 10% 75% 12% 2% 0% 1% Initial Compromise to Discovery (Longer Time Worse) 8% 38% 14% 25% 8% 8% TLP White Data Source: Radware 0% 0% 2% 13% 29% 54%

26 How threat response works today All these sources, all this data, how do you process it efficiently? TLP White Source: Forrester Research

27 Machines Need a Language to Talk about Threats STIX Machines Can Help, But First Structured Threat Intelligence expression Structured language used by machines to describe cyber threats TAXII Trusted Automated exchange of Indicator Information Transport mechanism for cyber threat information represented in STIX Similar to FIX, which connects global trading markets; STIX & TAXII connects intelligence sharing communities STIX is like Financial Information exchange Protocol TLP White stix.mitre.org taxii.mitre.org

28 STIX Constructs Atomic What threat activity are we seeing? Tactical What threats should I look for on my networks and systems and why? Operational Where has this threat been seen? What can I do about it? Strategic TLP White Who is responsible for this threat? Why do they do this? What do they do? What weaknesses does this threat exploit?

29 Community Defense Model Organization Attacked Automated Defense Local Soltra Edge FS-ISAC Local Soltra Edge Community Soltra Edge Trusted Organizations Protected ISAC TLP White Community Soltra Edge Extended Trusted Organizations Protected = EDGE

30 Polling Question How many security breaches took place at your bank in the past month (as far as you know)? -0 -Between 1 and 10 -Between 11 and 50 -Between 51 and 1,000 -More than 1,000

31 Best Practices for Financial Institutions Cross-functional cybersecurity team that includes not just IT, but also lines of business, compliance, risk, audit, legal Regular routines to inform executives and the Board of cybersecurity intrusions, risks and controls Including security assessments in: Initial and on-going due diligence of vendors; New product development processes; Reviews of legacy system impacts on existing products/services Technology budgets that are not pegged to specific expenditures, as risks can change quickly

32 Cybersecurity Topics for Thought Leadership Authentication How to develop common definitions across financial institutions Cybersecurity workforce How data analytics can help in your cybersecurity program Correlation between cybersecurity concerns and privacy standards

33 Q&A Session Questions???

34 For More Information Contact: Richard E. Bradfute Director, Senior Vice President, Chief Information Officer (CIO) James Polk Stone Community Bank Amy McHugh, JD, CISA Senior Associate, IT Consulting, Clifton Larson Allen, LLP Mark G. Clancy Managing Director, Technology Risk Management The Depository Trust & Clearing Corporation Mercedes K. Tunstall Partner, Pillsbury Winthrop Shaw Pittman LLP