MANAGING SECURITY RISK IN BANKING. Kevin F. Streff Managing Partner SBS CyberSecurity, LLC Madison, SD

Transcription

1 MANAGING SECURITY RISK IN BANKING Kevin F. Streff Managing Partner SBS CyberSecurity, LLC Madison, SD August 8-10, 2018

2 IT Risk Assessment 2018 Graduate School of Banking at University of Wisconsin Dr. Kevin Streff Founder: SBS Cybersecurity, LLC 1

3 Goals Cybersecurity Overview Understand the top risk assessment issues that cause problems and inefficiencies Learn to expand and mature risk assessment programs: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices 2

4 Security and Privacy Identity Theft New Threat Landscape Cyber Terrorists Critical Infrastructure Protection Hacktivists

5 What is Cyber Security? PROTECTING Confidentiality Integrity Availability Where Networks Vendors Customers Buildings Enterprise Endpoints

6 Top Security Threats Spear Phishing Ransomware DDoS Hacking Data Leakage Social Engineering Corporate Account Takeover ATM Vendor Risk

7 Spear Phishing

8 91% of cyberattacks and the resulting data breach begin with a spear phishing 7

9 Ransomware

10 Ransomware Cyber extortion A ransom message is displayed on the victim s screen that demands a particular sum (usually between $100-1,500 for ordinary users) in exchange for a decryption key

11 DDoS

12 DDoS Amassing a large number of compromised hosts to send useless packets to jam a victim or its Internet connection or both.

13 How? Layered Security Approach

14 Risk Assessment Identify -> Categorize -> Measure -> Mitigate -> Monitor Risk assessment products are replacing spreadsheets SBS TRAC and Conetrix Tandem are the top products in the market

15 Regulator Requirements: Gramm-Leach-Bliley Act Gramm-Leach-Bliley Act requires you to develop and implement an Information Security Program and conduct Risk Assessments A comprehensive written information security program which defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a bank s operations and the nature and scope of its activities. Prior to implementing an information security program, a bank must first conduct a risk assessment which entails: Identification of reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems. Evaluation of the likelihood and potential damage from the identified threats, taking into account the sensitivity of the member information. Assessment of the sufficiency of the policies, procedures and member information systems in place to control the identified risks. 14

16 Gramm-Leach-Bliley Act Management must develop a written information security program What is the M in the CAMELS rating? Don t just do good security things, have a well managed program Don t rely on individual heroism, have a well managed program The Information Security Program is the way management demonstrates to regulators that information security is being managed at the financial institution 15

17 Gramm-Leach-Bliley Act Gramm-Leach-Bliley Act requires your financial institution to develop and implement 1) an Information Security Program and 2) Risk Assessments Information Security Program: Defines administrative, technical, and physical safeguards that are appropriate given the size and complexity of a financial institution s operations and the nature and scope of its activities. Risk Assessment Program: Prior to implementing an information security program, a financial institution must first conduct a risk assessment

18 Layered Information Security Program I.T. Risk Assessment Asset Management Vendor Management Penetration Testing Vulnerability Assessment Security Awareness Business Continuity Incident Response I.T. Audit Documentation Boards & Committees 17

19 2016 Secure Banking Solutions, LLC 18

20 Question What is the OUTCOME of good IT risk assessment? 19

21 Exercise 1 Allocating Resources 20

22 21

23 Exercise 1 Your bank has $25,000 of additional spending to put towards security in You were just provided the chart How would you allocate the $25,000? 22

24 Maturing Your Risk Assessment Bank Internal & External System & Organizational Third Party Vendors Business Partners Downstream Partners Commercial Merchant Correspondent Banking ACH Origination Enterprise Risk Bank Secrecy Act Cyber Risk 23

25 Capability Maturity Model Level 0 Initial Any sort of process at all Level 1 Repeatable Processes are documented and practiced Level 2 Defined Processes are consistent and known within the organization Level 3 Quantitatively Managed Processes are measured quantitatively and evaluated Level 4 Optimized Processes continually improve with new technologies or methods 24

26 4 Commercial Threats Goal 3 3 rd Party Threats Goal Bank Threats Goal Level of Assessment (CMM Levels) Low Medium High Level of Risk 25

27 Bank Assessments 26

28 What is IT Risk Assessment? The evaluation of the risks to information resources to determine adequacy of current controls so that management can allocate resources - Streff,

29 Exercise 2 Reviewing a Risk Assessment 28

30 Asset Value Threat Likelihood Impact Control Traditional IT Risk Core Processor High Unauthorized User Access High High Password Controls Assessment Process View Core Processor example in attached spreadsheet Physical Access End-User Responsibilities Access Controls Insurance Unauthorized Physical Access Low Medium Motion Sensors and Alarm System Security Cameras Control Authorized Use Hardware Security Physical Security Unauthorized Viewing Medium Medium Screen Savers Privacy Screens Electrical Anomalies Medium High Electrical Services Contingency Plan Physical Security Hardware Failure Medium High Data Integrity Bank Processing Hardware EDP Contingency Procedures Software Failure Medium High Data Software Availability Bank Processing Software Incident Response Plan Host Processing Systems Software Security Data and Software Availability Media Failure Medium Low Data Integrity Disaster Recovery Data and Software Availability Overall Risk Rating Communications Failure Low Medium Telecommunications Services Low 29 High Medium Medium High High Medium Low

31 Asset Value Threat Likelihood Impact Control Traditional IT Risk Natural Disaster Low High Contingency and Plan Business Resumption Assessment Process View Core Processor example in attached spreadsheet Data Integrity Incident Response Plan Insurance Other Disasters Low High Contingency and Business Resumption Plan Data Integrity Fire Control Incident Response Plan Insurance Overall Risk Rating Medium Medium Malicious Software Low Medium Anti-Virus/Malware Software Protection Medium User Error Medium Low Dual Control Procedures Low Accidental Disclosure, Social Engineering Medium Medium Dial-up Access Encryption Information Requests File Transfers Fraudulent Transactions Medium High Separation of Duties System Activity Logs Maintenance Error Medium Low Modifications Modification Procedures Software Change Control Host Processing Systems Improper Use Medium Medium System Activity Logs Modifications, Dual Control Procedures Acceptable Use Medium Medium Low Medium 30

32 Exercise 2 - Instructions What do you agree with? What do you disagree with? What story is this risk assessment telling? How would the bank allocate resources if you provided them with this assessment? 31

33 Risk Assessment is: A process A management process A management process to identify A management process to identify, measure A management process to identify, measure, mitigate A management process to identify, measure, mitigate and monitor A management process to identify, measure, mitigate and monitor to allocate resources 32

34 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 33

35 Step 1 - Inventory: 5 Step IT Risk Assessment Process Identify all assets, vendors and service providers Step -5-Demonstrate Compliance: Reporting Improve the process Document Residual Risk Step 2 - Develop Priorities: Protection Profile (CIAV) Residual Risk Step 4 - System Controls: What system safeguards does the bank want to implement? Step 3 - Identify Threats: What are the threats to each asset (including impact and probability of each threat)? Inherent Risk 34

36 IT Risk Management Tools Efficiency Repeatability Quality Automate processes Examiners like them BOTTOM LINE #1: Act as your security expert BOTTOM LINE #2: Allow bank to spend time examining information and making decisions (not compiling a risk assessment spreadsheet) 35

37 Top Risk Assessment Products Archer Kansas bsecure Texas CoNetrix Texas Modulo Seattle Riskkey Texas RiskWatch Maryland Scout Wisconsin TRAC South Dakota WolfPAC Maryland 36

38 IT Assets

39 Protection Profile

40 Threats

41 Controls

42 Protection Profile Report

43

44 Risk Appetite The more important the asset, the more risk you want to reduce risk. Acceptable levels of risk are identified and measured against.

45 Commercial Account Assessments Commercial Banking Fraud 44

46 Commercial Account Takeover Cyber-criminals are targeting commercial accounts Business/Commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E) Schumer Bill introduced in 2012 to Reg E Schools and Municipalities 45

47 Commercial Banking Fraud January 22, 2009 Experi-Metal Inc. - Sterling Heights, MI Sues Comerica Bank ($60M) - Dallas, TX An EMI employee opened and clicked on links within a phishing $1.9M stolen, $560,000 was not recoverable 47 wires in one day to foreign and domestic accounts which EMI never wire to before Ruling: Bank failed to detect the fraud and must pay Experi- Metal $560,000 in losses. 46

48 Small Business Security 70% lack basic security controls Get to the basics with each small business Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc. 47

49 48

50 Finger Pointing and ACH Risk 49

51 Mitigating ACH Fraud in Community Banks Layered Information Security Program Enhanced Focus on Security Awareness Risk Assess Corporate Account Portfolio and Take Action 50

52 Commercial Account Takeover FFIEC Guidance FFIEC s Interagency Supplement to Authentication in an Internet Banking Environment states the following activities to mitigate commercial account takeover: Risk Assess to better understand and respond to emerging threats. Increased multi-factor authentication. Layered security controls. Improved device identification and protection. Improved customer and employee fraud awareness. CSBS CATO Guidance 51

53 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts 52

54 ACH Regulatory Compliance REGULATION Board of Directors at the bank are responsible to: Reduce/Control ACH Fraud Meet FFIEC Guidance Meet CSBS Guidance Actions Controls at the Bank Corporate account security is part of your layered security program Minimum list of 9 security controls in the FFIEC supplement Controls at the Business CATO Risk Assessment List of controls in the CSBS guidance Customer Education Contracts/Documentation 53

55 Controls at Your Bank Effective controls that may be incorporated in a layered security program include, but are not limited to: Fraud monitoring and detection Dual authorization Out-Of-Band transaction verification Positive pay Account activity controls or limits on value, volume, timeframes, and payment recipients IP reputation-based blocking tools Polices and procedures for addressing potentially infected customer devices Enhanced control over account maintenance Enhanced customer education 54

56 How do You Assess Merchant Risk? 55

57 5 Step IT Risk Assessment Process Step 0 Inventory: Step 4 Risk Monitoring Step 1 Risk Identification Residual Risk Step 3 Risk Mitigation Step 2 Risk Measurement Inherent Risk 56

58 Commercial Account Assessments Commercial Banking Fraud

59 Bottom Line Need to develop a way for your bank to assess the risk of commercial accounts

60 59

61 60

62 Assessment Results 61

63 Track Progress 62

64 Easily Create a campaign 63 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit

65 Choose from a huge library of phishing templates 64 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit

66 Realistic Templates 65 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit

67 Educate them WHEN they click 66 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit

68 Other Phishing Tools Wombat Phishme QuickPhish Tandem Phishing Most of these tools offer a free trial 67 SBS CyberSecurity, LLC Con sulti ng Net wor k Sec urit

69 Enterprise Risk Management 68

70 Enterprise Risk Management (ERM) ERM is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (FDIC Internal ERM Program and COSO) ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity s risk management in a changing operating environment. (Protiviti consulting firm) 69

71 Business Processes Administrative Affiliate Back-Office Customer Service Finance Lending Marketing Regulatory Retail (Deposits) Information Technology 70

72 Threat Areas Operational Reputational Compliance Financial Strategic Categories commonly used in FFEIC booklets. 71

73 ERM Risk Mitigation Goals 72

74 ERM Protection Profile 73

75 ERM - Threats 74

76 ERM - Controls 75

77 ERM - Reporting 76

78 Report Risk Mitigation 77

79 Report Threat Source 78

80 REPORT PEER COMPARISON 79

81 Bank Secrecy Act Assessments 80

82 Bank Secrecy Act (BSA) The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the Bank Secrecy Act or BSA ) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in The BSA is sometimes referred to as an anti-money laundering law ( AML ) or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC and 31 CFR Chapter X [formerly 31 CFR Part 103] ). 81

83 BSA Program Components Program is driven by a risk assessment. A system of internal controls to ensure ongoing compliance. Independent testing of BSA compliance. A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer). Training for appropriate personnel htm 82

84 BSA Account Types 83

85 BSA Risk Areas 84

86 BSA Controls 85

87 BSA Reports 86

88 Report Account Risk 87

89 Cyber Security Assessment Sec ure Ban king

90 FFIEC CA Tool (3 parts) Three (3) major components 1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity 2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats 3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity Sec ure Ban king

91 Cybersecurity Inherent Risk Very PRESCRIPTIVE Really getting to the Size and Complexity issue originally stated by GLBA Allows organizations to determine how much Inherent Risk (before controls) their institution faces regarding these new Cybersecurity threats Sec ure Ban king

92 Cybersecurity Inherent Risk Five Inherent Risk Areas 1. Technologies and Connection Types 2. Delivery Channels 3. Online/Mobile Products and Technology Services 4. Organizational Characteristics 5. External Threats Sec ure Ban king

93 Cybersecurity Maturity Measure Maturity in 5 Domains (+ Assessment Factors) 1. Cyber Risk Management and Oversight Governance, Risk Management, Resources, and Training 2. Threat Intelligence and Collaboration Threat Intelligence, Monitoring & Analyzing, and Info Sharing 3. Cybersecurity Controls Preventative, Detective, and Corrective controls 4. External Dependency Management External Connections and (Vendor) Relationship Management 5. Cyber Incident Management and Resilience Incident Resilience Planning, Detection, Response, & Mitigation, and Escalation & Reporting Sec ure Ban king

94 What is Cybersecurity Maturity? Determining whether an institution s behaviors, practices, and processes can support cybersecurity preparedness I.E. are you prepared to handle new cybersecurity threats and vulnerabilities, breaches, or other incidents? Sec ure Ban king

95 Increasing Maturity Sec ure Ban king

96

97

98

99

100

101

102

103

104

105

106

107

108 Risk Assessment Best Practices Determine which kind of assessment is the most important for your bank and invest accordingly Mature your program Have repeatable processes for each kind of assessment Assign an owner for each kind of assessment Create a policy and program for each kind of assessment Leverage tools to promote consistency and good decision-making Don t use the manual spreadsheet technique! Produce your documentation along the way Ensure management/board involvement 107

109 Review of Goals Overview of Cybersecurity Understand IT risk assessment law and regulation Understand the top risk assessment issues that cause problems and inefficiencies Learn how to expand and mature: IT risk assessment Corporate account assessments (CATO) Enterprise Risk Management BSA Risk Management Review effective risk assessment policy Watch how leading tools enable quicker and better risk assessment Review risk assessment best practices Big 5: Tools, KnowB4, repeatable processes, policies, schedules 108

110 Risk Assessment Schedule 109

111 Dr. Kevin Streff Professor of Cybersecurity at Dakota State University (605) Founder: SBS Cybersecurity, LLC. (605)