10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Transcription

1 4 th Annual UBA Bank Executive Winter Conference February, Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors and Management Team is Responsible for Security On a scale of 1 to 10, grade your board s ability to: Understand cyber risks Give attention and resources to cyber risks 2 1

2 What Can You Do? 3 Layered Security Approach 4 2

3 Top Security Threats 1. Hacking 2. Data Leakage 3. Social Engineering 4. Corporate Account Takeover 5. ATM Most threats involve installing MALWARE Small and medium sized banks are in the cross-hairs of the cyber criminal Howard Schmidt, Cybersecurity Secretary for the White House 5 Hacking Threat #1 6 3

4 Hacker Tools Examples Tools to hack your bank are downloadable Default passwords are all available Economy is available to sell stolen data ( underground markets ) 7 Data Leakage Threat #2 8 4

5 Data Leakage Data Leakage is about insiders leaking customer information out of your bank Most attention is paid to outsiders breaking into your network (aka hackers) Malicious Behavior Accidental 9 Misuse of Bank Computers 10 5

6 Social Engineering Threat #3 11 Social Engineering What is Social Engineering? Exploitation of human nature for the gathering of sensitive information. Tool attackers use to gain knowledge about employees, networks, vendors or other business associates. 12 6

7 Sample Social Engineering Methods Phishing/Pharming Telephone (Remote Impersonation) Dumpster Diving Impersonation Scams USB Sticks 13 Corporate Account Takeover Threat #4 14 7

8 Small Business Security 70% lack basic security controls Conduct a risk assessment looking for these basic security controls Firewall, Strong passwords, Malware Protection Etc. 15 Finger Pointing? 16 8

9 Bottom Line: You Lose Customers 17 ATM Fraud Threat #5 18 9

10 Skimmer Camera 19 Question How long does it take to install a skimmer?

11 21 ATM Cyber Heists 22 11

12 Question for Boards & Mgmt Team What is your bank doing to mitigate the risks of: Hacking Data Leakage Social Engineering Corporate Account Takeover ATM Fraud Answer Should Be: 1.Layered Security Program 2.Risk Assessment 3.Customer Awareness and Education 4.Effective Auditing 23 Layered Information Security Program for Your Bank I.T. Risk Assessment Asset Management Vendor Management Penetration Testing Vulnerability Assessment Security Awareness Business Continuity Incident Response I.T. Audit Documentation Boards & Committees 24 12

13

14 2014 FFIEC Cybersecurity Assessments Cybersecurity & Critical Infrastructure Working Group (CCWIG) Targeted Regulatory Exams June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG) Approximately 500 assessments with $1 billion or less in assets Information gathering and learning mode Finalized report in mid 2014 for all exams moving forward 28 14

15 Cybersecurity Assessment Scope Exams build upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook Assesses the complexity of an institution s operating environment. Assesses an institution s current practices and overall cybersecurity preparedness, with a focus on the following key areas: Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience Cybersecurity-Assessment-Overview.pdf 29 Summary of Results Strong risk management program Enhanced vulnerability assessment program Share and collaborate cyber security information with other institutions Enhanced vendor management program Enhanced incident response plans Training and education on information (cyber) security is going to be emphasized Board participation and education involving information security is going to be EXAMINED and REGULATED Are you keeping your Boards appraised of cyber security issues and how your institution is responding? 30 15

16 Cybersecurity Training 1. Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture. Boards are going to be held to a higher standard! Do you review loans at Board meetings? Better start reviewing Information Security items as well! 2. While most financial institutions understand the need to train employees on cybersecurity risk management, the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis. The more educated and knowledgeable your people are, the more risk you reduce! 31 Section 1 Cybersecurity Inherent Risk Findings and Concerns Regulators are concerned that you don t have all your connections, systems, and products inventoried Regulators are concerned that every connection, system, and product is not hardened Regulators are concerned that your risk assessment process is inadequate Regulators are concerned that your enterprise risk management program does not accurately reflect cyber risk 32 16

17 Section 1 Cybersecurity Inherent Risk FFIEC Questions 1. What type of connections does your bank have? 2. How are you managing these connections to deal with evolving threats and vulnerabilities? 3. Do you need all your connections? 4. How do you evaluate evolving threats and vulnerabilities in your risk assessment process? 5. How do your connections and technologies collectively affect your bank s risk posture? 33 Section 1 Cybersecurity Inherent Risk Management Actions Expand your bank s network diagram to include all bank connections Update your risk assessment to reflect the additional inherent risk these connections introduce Automate risk assessment to calculate inherent risk metrics and measurements Mature bank s enterprise risk management program to include cybersecurity inherent risk Ensure next I.T. audit thoroughly examines cybersecurity inherent risk 34 17

18 Section 2 Cybersecurity Preparedness FIVE Topics 1. Risk Management and Oversight 2. Threat Intelligence and Collaboration 3. Cybersecurity Controls 4. External Dependency Management 5. Cyber Incident Management & Resilience 35 Section 2 Cybersecurity Preparedness Topic 1 - Risk Management & Oversight 1. Involves risk assessment and management 2. Involves allocating human and financial resources 3. Includes governance and compliance 4. Includes awareness, training and education 36 18

19 Section 2 Cybersecurity Preparedness Topic 1-Risk Management & Oversight Findings and Concerns 1. Board and senior management is not regularly discussing cyber threats. 2. Board and senior management is not setting the tone at the top 3. Board and senior management is not properly trained to do their jobs to manage cyber risks 4. Training must be current and regular (not once a year) 5. Banks are vulnerable to social engineering attacks 37 Section 2-Cybersecurity Preparedness Topic 1-Risk Management & Oversight FFIEC Questions 1. What is the process to ensure ongoing and routine discussions by the board and senior management about cyber threats to your bank? 2. How is accountability determined for managing cyber risks across the bank? Does this include management s accountability for business decisions that may introduce new cyber risks? 3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks? 38 19

20 Section 2-Cybersecurity Preparedness Topic 1-Risk Management & Oversight Management Actions Draft information security strategy and have all management and board members sign off Have standing item on board agenda: cybersecurity Set the tone from the top 39 Section 2-Cybersecurity Preparedness Topic 1-Risk Management & Oversight Management Actions Automate risk assessment to calculate residual risk metrics and measurements Mature bank s enterprise risk management program to include cybersecurity residual risk 40 20

21

22

23 Section 2-Cybersecurity Preparedness Topic 1-Risk Management & Oversight Management Actions Ensure next I.T. audit thoroughly examines cybersecurity residual risk Conduct social engineering tests each quarter: Q1 : Dumpster Dive Q2 : Phishing Scam Q3 : Pretext Calling Q4 : Physical Impersonation Ensure next I.T. audit thoroughly examines security awareness program, management/board credentials, and roles/responsibilities 45 What Can You Do? Focus on a program Get good at risk assessment Focus them on the big 5 threats Put information in a form they can understand Involve Board members in your bank s security awareness program Train them 46 23

24 Section 2-Cybersecurity Preparedness Topic 2-Threat Intelligence/Collaboration FFIEC Questions 1. What is the process to gather and analyze threat? 2. How is accountability determined for managing cyber risks across the bank? Does this include management s accountability for business decisions that may introduce new cyber risks? 3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks? 47 Section 2-Cybersecurity Preparedness Topic 2-Threat Intelligence/Collaboration Findings and Concerns 1. Threat intelligence is lacking in banks 2. Banks rely on media reports which is reactionary and insufficient 3. Monitoring of event logs is insufficient 48 24

25 Section 2-Cybersecurity Preparedness Topic 2-Threat Intelligence/Collaboration Management Actions 1. Build threat intelligence capability 2. Build relationships with FS-ISAC, InfraGard, and other threat intelligence groups 3. Improve monitoring of event logs to identify patterns and problems 4. Build relationships with law enforcement prior to an incident occurring 49 InfraGard Certification Training program for staff on information security The InfraGard Awareness information security awareness course is FREE to all individuals and small businesses with 25 or fewer employees. Send your Board thru this program! Tweleve lessons (4-9 minutes each) Optional certificate to hang in the workplace 50 25

26 Section 2-Cybersecurity Preparedness Topic 3-Cybersecurity Controls Findings and Recommendations 1. Preventative controls have been the focus 2. Detective and corrective controls are lacking 3. Vulnerability assessments are insufficient 4. Penetration testing is insufficient 5. Banks should take an enterprise view to IT risk 6. Vulnerability remediation is lacking 51 Section 2-Cybersecurity Preparedness Topic 3-Cybersecurity Controls FFIEC Questions 1. What is the process for determining and implementing controls? 2. Does the process call for a review and update of controls when changing the I.T. environment? 3. What is the process for classifying data and determining appropriate controls based on risk? 4. What is the process for ensuring that risks identified are remediated? 52 26

27 Section 2-Cybersecurity Preparedness Topic 3-Cybersecurity Controls Management Actions 1. Improve detective and corrective controls 2. More frequent and deeper vulnerability assessments 3. More frequent and deeper penetration testing 4. Implement/mature enterprise risk management 5. Improve vulnerability remediation 53 Action Tracking 54 27

28 Section 2-Cybersecurity Preparedness Topic 4-Vendor Management Findings and Recommendations 1. Many banks have processes in place to manage vendors 2. Many banks lack documented roles & responsibilities in the contract/incident response plan 55 Section 2-Cybersecurity Preparedness Topic 4-Vendor Management FFIEC Questions 1. How is bank connecting to third parties and ensuring that are managing cybersecurity controls? 2. What are third parties responsibilities during a cyber attack? Are they outlined in an incident response plan? 56 28

29 Section 2-Cybersecurity Preparedness Topic 4-Vendor Management Management Actions 1. Documents how the bank is connecting to third parties and ensuring that are managing cybersecurity controls 2. Document in the contract/incident response plan the roles & responsibilities of third parties during a cyber attack 57 Section 2-Cybersecurity Preparedness Topic 5-Incident Management Findings and Recommendations 1. Internal and external communication is often lacking to handle a cyber incident 2. Cyber incident scenarios are inadequately incorporated into bank s business continuity and disaster recovery plans 3. BCP/DR plans are often not sufficiently tested 58 29

30 Section 2-Cybersecurity Preparedness Topic 5-Incident Management FFIEC Questions 1. In the event of a cyber attacks, how will bank respond internally and with customers, third parties, regulators and law enforcement? 2. How are cyber incident scenarios incorporated into bank s business continuity and disaster recovery plans? 3. Have BCP/DR plans been tested? 59 Section 2-Cybersecurity Preparedness Topic 5-Incident Management Management Actions 1. Work to improve internal and external communication to handle a cyber incident 2. Incorporate Cyber incident scenarios into bank s business continuity and disaster recovery plans 3. Sufficiently test BCP/DR plans 60 30

31 SBS Certified Board Member 61 Risk Assessment Schedule 62 31

32 Auditing Results 63 U.S. Department of Treasury Press Release December, Is cyber risk part of our current risk management framework? 2. Do we follow the NIST Cybersecurity Framework? 3. Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls? 4. Do we have cyber risk insurance? 5. Do we engage in basic cyber hygiene? 6. Do we share incident information with industry groups? If so, when and how does this occur? 7. Do we have a cyber-incident playbook and who is the point person for managing response and recovery? 8. What roles do senior leaders and the board play in managing and overseeing the cyber incident response? 9. When and how do we engage with law enforcement after a breach? 10. After a cyber incident, when and how do we inform our customers, investors, and the general public? 32

33 False Sense of Security 65 Contact Info Dr. Kevin Streff Dakota State University Secure Banking Solutions, LLC