Fundamentals of Cybersecurity Controls Thursday, February 11 10:00 a.m. 11:00 a.m.

Transcription

1 Fundamentals of Cybersecurity Controls Thursday, February 11 10:00 a.m. 11:00 a.m. The frequency and sophistication of cyber-attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat. During this session, panelists discuss some of the big-impact controls such as one-time passwords, anti-malware tools, limiting administrative privileges, vulnerability and patch management that firms should consider. Moderator: John Brady Vice President and Chief Information Security Officer FINRA Technology Administration Panelists: Moriah L. Hara Senior Vice President, Enterprise Information Security Wells Fargo Wendy Lanton Chief Operations and Compliance Officer Latern Investments, Inc. Jason Lish Senior Vice President, Hosting & Security Charles Schwab and Company 2016 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

2 Fundamentals of Cybersecurity Controls Panelist Bios: Moderator: John Brady is a Vice President in Technology for Cyber and Information Security for FINRA, and is the organization s Chief Information Security Officer (CISO). In this capacity, he is responsible for all aspects of FINRA s information and cyber security programs, as well as ensures compliance with related laws and regulations. He oversees staff focused in four primary information security areas: security architecture and controls, security management tools, application security, and identity management. Mr. Brady, along with counterparts in FINRA s Data Privacy Office, establishes policy and technical controls to ensure information is appropriately protected throughout its lifecycle. He began his career with FINRA over 10 years ago as the Director of Networks and Firewalls. He then broadened and deepened his technical knowledge by taking on responsibility for server and storage infrastructure, where he led system engineering efforts to expand capacity and performance of Market Regulation systems in response to data volumes growing more than 40 percent year over year. Mr. Brady recently led the establishment, design, and implementation of FINRA s new data centers and the seamless migration of more than 175 applications from an outsourcer to those new data centers. Prior to the commencement of his work with FINRA in October 2002, Mr. Brady was Director of Networks at VeriSign from 2000 to 2002 and Network Solutions from 1998 to From 1995 to 1998, he built and operated Citibank s Internet Web and services as Vice President, Internet Services. From 1993 to 1995, Mr. Brady worked for Sun Microsystems as Senior Consultant, where he built integrated network systems for prominent customers. Mr. Brady began his professional career as a member of technical staff at The Aerospace Corporation from 1987 to 1993, designing satellite systems and command and control networks for the Air Force Space Command. Mr. Brady holds a bachelor s degree in Computer and Electrical Engineering from Purdue University of West Lafayette in Indiana, and a master s degree in Industrial Engineering and Operations Research from the University of California at Berkeley. He also is an (ISC) 2 Certified Information Systems Security Professional (CISSP). Panelists: Moriah L. Hara is Senior Vice President, Enterprise Information Security for Wells Fargo Enterprise Technology Operations. In this role, she is responsible for leading the cybersecurity strategy for the technology supporting multiple businesses including the Wholesale bank. Ms. Hara has more than 17 years of information security experience and has worked with dozens of Fortune 500 companies as a trusted advisor on their enterprise security requirements. Before working at Wells Fargo, Ms. Hara worked at Credit Suisse, where she was Global Head of Information Security, Governance, and Compliance for the Networks Technology division. Previously, she was at Bank of America, where she co-developed the Threat Management team as well as managed the global Payment Card Industry (PCI) security program at the bank. Ms. Hara spent extensive time securing the payment space by creating the PCI Qualified Security Assessor (QSA) program for Visa and the global payment brands. Ms. Hara is a graduate of Harvard University, Executive Cybersecurity Program and has numerous industry certifications, including the CSSLP, CISSP, CISM, PCI QSA, and MCSE. She is a passionate leader in the financial security space and is a frequent speaker and participant in Financial Services Information Sharing and Analysis Center (FS-ISAC), Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), and other industry forums. She is also the author of a patent pending-risk Assessment and Prioritization Framework that she developed for FSSCC. Wendy Lanton is the Chief Operations and Compliance Officer for Lantern Investments. Ms. Lanton has been working in the financial services industry for over 20 years. Ms. Lanton is one of the founding principals of Lantern Investments, a FINRA registered broker dealer and Lantern Wealth Advisors, an SEC registered investment advisor. She has been the Chief Compliance Officer of Lantern Investments since its inception in The firm has multiple business lines and currently has 50 registered representatives and operates 13 branch offices across the country. Ms. Lanton is responsible for both the firm s compliance and the day to day operations of the firm. She currently serves on the Steering Committee for her firm s current clearing firm and was the co-chairperson on the steering committee at her previous clearing firm. As a steering committee member, her industry experience is called upon to help direct both compliance and technology resources. Ms. Lanton has also served as the chairperson for multiple Compliance Forums for retail brokerage firms. She was a speaker/panelist at the FINRA 2016 Financial Industry Regulatory Authority, Inc. All rights reserved. 2

3 2014 Annual Conference in Washington DC discussing Anti-Money Laundering and Effective Risk- Based Examinations for small firms. In December 2015 she was appointed to the FINRA Small Firm Advisory Board. Ms. Lanton has also written numerous compliance-centric articles focusing on topics ranging from client suitability to cyber-security. Ms. Lanton graduated from George Washington University where she majored in International Finance. Prior to becoming a founding member of Lantern Investments, Ms. Lanton worked for a regional bank where she managed assets for high net worth individuals and medium sized businesses. Jason Lish is currently Senior Vice President of Hosting & Security for Charles Schwab and Company. In this role Mr. Lish is responsible for operational and architecture security services to strengthen Schwab s security posture and enhance the protection of Schwab s critical assets. Mr. Lish also has responsibility for Enterprise IT Hosting, which includes all aspect of application and mainframe hosting. Prior to Charles Schwab, Mr. Lish was Senior Director of Cyber Security Operations at Honeywell International. In this role, he was responsible for the design and maintenance of cyber security program and delivery of cost-effective and efficient secure IT security services. Mr. Lish began his career in the United States Air Force as a telecommunication specialist where he administered large network, communication, and cryptographic systems. Mr. Lish resides in Phoenix, Arizona and holds a Bachelor of Science degree and a Master's in Business Administration. He holds several certifications in security, networking, and process management Financial Industry Regulatory Authority, Inc. All rights reserved. 3

4 Cybersecurity Conference February 11, 2016 New York, NY Fundamentals of Cybersecurity

5 Panelists Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology Administration Panelists: Moriah L. Hara, Senior Vice President, Enterprise Information Security, Wells Fargo Wendy Lanton, Chief Operations and Compliance Officer, Lantern Investments, Inc. Jason Lish, Senior Vice President, Hosting & Security, Charles Schwab and Company Cybersecurity Conference 2016 FINRA. All rights reserved. 1

6 Cybersecurity Hierarchy of Needs * * Source: Retail Cyber Intelligence Sharing Center (R-CISC) Cybersecurity Conference 2016 FINRA. All rights reserved. 2

7 NIST Cybersecurity Framework Core IDENTIFY Functions Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. PROTECT Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. DETECT Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. RESPOND Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. RECOVER Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. IDENTIFY DETECT RECOVER PROTECT RESPOND NIST Cybersecurity Framework Cybersecurity Conference 2016 FINRA. All rights reserved. 3

8 IDENTIFY Insider Threat 5 Top Cybersecurity Risks DETECT Disrupt -ive Attack Unauth orized Access Data Breach PROTECT RESPOND RECOVER Supply Chain Compro mise Application of the NIST Cybersecurity Framework Cybersecurity Conference 2016 FINRA. All rights reserved. 4

9 IDENTIFY Asset Mgmnt Governance Insider Threat An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. NIST CSF PROTECT DETECT RESPOND RECOVER Access Control Anomalies & Events Assess, Analyze and Mitigate Recovery Planning Awareness & Training Continuous Monitoring Make Data Protection Detection Process & Exercises Contain & Eradicate Communications Cybersecurity Conference 2016 FINRA. All rights reserved. 5

10 IDENTIFY Asset Mgmnt Risk Mgmnt Risk Assessment Disruptive Attack A Disruptive Attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. NIST CSF PROTECT DETECT RESPOND RECOVER Access Control Anomalies & Events Response Planning Recovery Planning Data Security Continuous Monitoring Protective Technology Detection Process & Exercises Analysis, Mitigation, and Improve Communications Communications Cybersecurity Conference 2016 FINRA. All rights reserved. 6

11 IDENTIFY Risk Assessment Data Breach A Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data Breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. NIST CSF PROTECT DETECT RESPOND RECOVER Awareness & Training Continuous Monitoring Assess, Analyze and Mitigate Recovery Planning Info Protection Process & Procedure Detection Process & Exercises Protective Technology Vulnerability Scanning & Patch Mgmt Contain & Eradicate Make Communications Cybersecurity Conference 2016 FINRA. All rights reserved. 7

12 IDENTIFY Asset Mgmnt Risk Assessment Unauthorized Access Unauthorized Access refers to gaining logical or physical access without permission to a computer network, system, application software, data or other resource. NIST CSF PROTECT DETECT RESPOND RECOVER Access Control Anomalies & Events Response Planning Recovery Planning Data Security Continuous Monitoring Protective Technology Detection Process & Exercises Contain & Eradicate Communications Communications Cybersecurity Conference 2016 FINRA. All rights reserved. 8

13 IDENTIFY Asset Mgmnt Business Environment Risk Mgmnt Supply Chain Compromise A Supply Chain Attack seeks to damage an organization by targeting less-secure elements in the supply network. NIST CSF PROTECT DETECT RESPOND RECOVER Access Control Anomalies & Events Assess, Analyze and Mitigate Recovery Planning Data Security Continuous Monitoring Protective Technology Detection Process & Exercises Contain & Eradicate Make Communications Cybersecurity Conference 2016 FINRA. All rights reserved. 9

14 Appendix Illustrative examples of technical controls to protect network, device and crown jewels Cybersecurity Conference 2016 FINRA. All rights reserved. 10

15 DEFENSE IN DEPTH MODEL Firewalls Provide network segmentation and port filtering capabilities Hardened Tier 0 SoD, 2-factor auth, Monitoring & Alerting Denial of Service Volumetric - WAF DDOS Firewall Super Access Partitioning Data Protection Data Discovery: & Protection Mechanisms Transparent Data Encryption, Data Masking, PCI: Tokenization NETWORK CROWN JEWELS DEVICE NIDS Inspect traffic in near real-time SIEM Advanced security intelligence, correlation and alerting Packet Inspection Full packet inspection to detect anomalies Security Event Management Intrusion Detection Network Forensics USER AWARENESS & TRAINING USER AWARENESS VULNERABILITY & TRAINING SCANNING & PATCH MANAGEMENT Privilege Management Endpoint Encryption Mobile Security Management Access Control & Elevated privilege account management for applications and systems Enterprise Mobile Device mgmt & compliance enforcement for phones and tablets Full Disk Encryption on Mobile Workstations Filter filtering to protect against Spam and Malware Website / Spam Filtering Proxy Near real-time assessment of web traffic NAC ensures only trusted devices connect to the network Network Access Control Application Whitelisting Endpoint Protection Execute only approved applications on high risk assets Traditional Anti-Virus and Anti- Malware Protection on Endpoints and Servers Cybersecurity Conference 2016 FINRA. All rights reserved. 11

16 NIST Cyber Security Framework & SANS Top 20 NIST Cyber Security Framework SANS Institute Function Category Top 20 Critical Security Controls Identify Protect Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Inventory of Devices Inventory of Software Vulnerability Assessment and Remediation Application Software Security Secure Computer Configurations Secure Network Configurations Malware Defenses Wireless Access Control Security Skills Training Firewalling of Ports, Protocols, and Services Controlled use of Administrator Privileges Boundary Defense Controlled Access Based on Need to Know Data Protection Secure Network Engineering Cybersecurity Conference 2016 FINRA. All rights reserved. 12

17 NIST Cyber Security Framework & SANS Top 20 NIST Cyber Security Framework SANS Institute Function Category Top 20 Critical Security Controls Detect Respond Recover Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Recovery Planning Communications Maintenance, Monitoring and Analysis of Audit Logs Account Monitoring and Control Incident Response and Management Penetration Tests and Red Team Exercises Data Recovery Capability Cybersecurity Conference 2016 FINRA. All rights reserved. 13

18 References National Institute of Standards and Technology (NIST) Cybersecurity Framework ( Federal Communications Commission (FCC) Small Biz Cyber Planner ( Cybersecurity Tip Sheet ( DOC A1.pdf) Small Business Administration (SBA) Cybersecurity for Small Business self-paced training ( US Chamber of Commerce Commonsense Guide to Cyber Security for Small Business ( gacy/reports/cybersecurityguide923.pdf) Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool ( SANS Institute Critical Controls ( Australian Signals Directorate Strategies to Mitigate Targeted Cyber Intrusions ( es.htm) Cybersecurity Conference 2016 FINRA. All rights reserved. 14