Digital Crime and Cybersecurity. Scott D. Ramsey, Managing Director May 2017

Transcription

1 Digital Crime and Cybersecurity Scott D. Ramsey, Managing Director May 2017

2 Agenda I. Cybersecurity Issues, Trends & Compliance II. Public Private Partnerships III. FFIEC & NYDFS 500 Rule IV. Third Party Risk Management V. Social Media VI. Payment Systems & Card Security VII. Data Protection & Retention VIII. FinTech 2

3 Cybersecurity Issues, Trends & Compliance

4 Interesting Cybersecurity Statistics Growth of New Malware 1 In Q alone, 18 million new malware samples were captured. Virus Adwares Dialers Ransomware on the Rise 2 More than 4,000 ransomware attacks daily since the beginning of % increase over Troyanos MALWARES Backdoors Gusanos Keyloggers 1 PandaLabs Report October 20, US Government Computer Crime and Intellectual Property Section (CCIPS) Spywares Otros 4

5 Threat Advancements IoT Zombie Army Toasters to cars connected Hacking Machines Smart machines learning to circumvent controls Cyber Warfare Cybergangs providing HaaS (Hacking as a Service) Increased Attacks on Financial Systems Nation State sponsoring FUD (Fear, Uncertainty, Doubt) Intelligence Sharing Increased gathering of information by Nations for sharing Blockchain Adoption Securing inter-device transactions 5

6 Point of View Existing methods for detecting malware are not keeping pace with advanced malware attacks A robust defense in depth strategy incorporates tool and technology along with education and training of end users People continue to be the weakest link in cybersecurity programs Security budgets continue to be static because the return on security investments are not tied to business risk Machine learning (smart computing) is playing a larger role both in cyber defense and cyberattacks 6

7 Public Private Partnerships

8 Groups and Professional Societies InfraGard is a partnership between the FBI and members of the private sector. As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industryleading knowledge and practices for information systems. Conferences The Information Systems Security Association (ISSA) is a not-for-profit, international organization of information security professionals and practitioners.

9 Point of View You get out what you put in Certifications Get your return on investment Continue Professional Education (CPE) Be selective Network 9

10 FFIEC & 23 NYCRR 500

11 FFIEC Cybersecurity Assessment Regulatory expectation is that each financial institution will: Use the Cybersecurity Assessment Tool Have Board and CEO lead the effort Identify gap and target state Implement action plan to attain and sustain target state Update Cybersecurity Assessment periodically 11

12 NY DFS Part 500 Highlights WHEN? WHO? WHAT? HOW? The regulation became effective March 1, 2017 Covered Entities: Banks Insurance Companies Others Enhanced Cybersecurity Program Detection of Cybersecurity Event and 72 Hour Reporting Audit Trail Board Resolution or Senior Officer needs to sign certification of compliance by Feb.15 of each year starting in 2018 Incident Response Plan 12

13 NYDFS & FFIEC Compared Examples Enhanced Requirements under New NYDFS Rule 13

14 Point of View The regulations being enacted are pragmatic and reasonable, but are late and behind Cybersecurity program needs to take both business and technology risks into account DFS 500 follows FFIEC, but puts more bite into regulations State regulatory agencies are taking Federal issuances and adding their own specifications for compliance (23 NYCRR 500) 14

15 Third Party Risk Management

16 Third Parties Who or What is Connected? 16

17 Point of View Third parties should be viewed as any other user Establish standards and requirements for all third parties Include right to audit for compliance to standards Third Parties should adhere to your cybersecurity policies 17

18 Social Media

19 Social Media Do s and Don ts Facebook: Don t post NPI in profile Don t post public out-of-town pictures until back home LinkedIn: Keep separate personal and professional IDs Don t post NPI in profiles DNA Discovery: Don t post family tree for public view Potential giveaway of Mother s maiden name, Father s middle name, birthdate, etc. 19

20 Point of View Social media is a treasure trove of information Used to obtain information on targets for identity theft, phishing, etc. Develop, implement and enforce Use Policy for corporate social media Engage with clientele to make them aware of risks and exposures 20

21 Payment Systems and Card Security

22 Payment System Security PCI DSS OBJECTIVE Build and maintain a secure network CONTROL 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data and sensitive information across open public networks Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security 22

23 Credit Card Security Europay, MasterCard and VISA (EMV) Points: Card issues have spent between $200 and $800 Million to distribute chip cards Large retailers have spent over $8 billion to install new card readers Chip n Signature are majority of cards issued Readers do not authentic signature Chip n Pin cards are much more secure However, if Card n Pin are compromised and used in ATM, bank is responsible Chips contain the same card holder data as mag strips Card not present fraud has increased Phone and on-line purchase with stolen card 23

24 Point of View Chip & Pin should be mandatory eliminating Chip & Signature New POS hardware must capture and store only information required after transaction Pattern analysis is a good offense Push alerts to cardholders Query large purchases Query out of country purchases 24

25 Data Protection and Retention

26 Data Protection and Retention Data is a unique asset that can exist in multiple states simultaneously At rest In transit Being processed Archived Data Cycle Management program Based on value of data Ensures RPO can be met Controls Encryption Use of data policy 26

27 Point of View Data Classification should be based on value of data Confidential Company Public Encryption Keys Changed frequently Known by 2 personnel Secured with physical access controls for 3d person Formal Retention Policy Off-site audits Point of sunset Destruction procedures 27

28 FinTech

29 FinTech Defined [A]n economic industry composed of companies that use technology to make financial services more efficient. Financial technology companies are generally startups trying to disintermediate incumbent financial systems and challenge traditional corporations that are less reliant on software. FinTech is a Financial Disruptor 29

30 Forbe s FinTech Hot 5 30

31 Point of View FinTech and traditional financial institutions who will interface with them will need to understand cybersecurity from multiple aspects and infrastructures Pressures to adopt FinTech will increase as delivery platforms mature and evolve Regulatory controls will increase as FinTech is adopted Effective and pro-active cybersecurity controls must be implemented, monitored and sustained 31

32 Resources White Papers and Intelligence Briefings WHITE PAPER: Recalibrating Your AML Risk Program INTELLIGENCE BRIEFINGS: Trade-based Money Laundering Risk and Regulatory Agency Priorities Trending Anti-Money Laundering (AML) Compliance Standards and Cybersecurity Requirements Cybersecurity and Cyber Risk Solutions Cybersecurity Assessment Reverse Stress Testing Exam Readiness Training Online Phishing, Malware and Social Engineering Prevention Training CyberForce Anomalous Activity & Threat Intelligence Monitoring BSA/AML and Fraud Solutions BSA/AML Consulting Risk Managed Services Center (RMSC) Alert Clearing Services Enhanced Due Diligence review Vendor risk management Complaint management Financial Crime Management (FCM) Monitoring and Detection

33 Questions? Scott Ramsey CDRP, CISM (561) Visit us in the expo hall to learn more