Cyber and Information Security Focused Audit Strategy WNY ISACA May 9, 2017 Shamus McMahon CISA, CISSP

Transcription

1 Cyber and Information Security Focused Audit Strategy WNY ISACA May 9, 2017 Shamus McMahon CISA, CISSP All materials presented here and discussed within represent the view of the speaker and are not necessarily the policy or practices of KeyCorp.

2 Agenda Evolution of Cyber Threats and Internet Threat proximity to assets and business value drivers (KeyBank Overview) Internet evolution Threat overview and population Threat risk intelligence & anticipation Cyber Security Focused Audit Strategy (FAS) Understand how technology supports the business, customers, clients, affiliates, and 3 rd parties Align likely threats to technology, products, and services Delivery channels are often the attack vectors Copyright KeyBank, N.A. (Proprietary) KeyCorp Internal 1

3 KeyBank Overview 15 States Key Community Bank branches & Key Corporate Bank offices Additional Key Corporate Bank offices $136B Assets 8K-3/31/16 1,500+ ATMs $5.8B Revenue 8K-12/31/15 1,200+ Branches 20,000+ (FTE) Employees Key Consumer Banking Key Private Bank Key Business Banking Key Commercial Banking Key Corporate Bank Source: 2

4 The Internet Evolution 1972 Host 1975 Altair Global/ DNS /Commercial TCP/IP MOSAIC SSL, IE, RFC & IETF, MP3, VoIP, ^, Blogs, DNSSEC, Craigslist BOOM! MS Money 14 million/ 130sites 19M US (H) OLB BUST! Modem ARPAnet TCP/IP, Telnet, CSNET, Internet 1 million PCs IPSEC, PGP, ISPs, Global, Al Gore, www public, 1 million PCI DSS1.0 12/ RSS program created, Wikipedia, 450 million China users 3

5 Internet Commercialization / Criminalization Source: 5

6 Leading Incidents and Expensive Lessons Source: 6

7 Customers, Partners, Employees, and Threats Source: 7

8 Internet Commercialization / Criminalization 2016 Verizon Data Breach Investigation Report 91% of attacks start with 61% of breaches weak / default PW 89% of breaches Financial / Espionage 52% of breaches exposed SS# 2016 Cisco Visual Networking Index Internet Users B (40%) B (52%) Devices Per Capita Wearables M M Bank Access B (57%) B (58%) Source: Verizon / Cisco 8

9 9

10 Malware Trends By System 2015/2016 Source : 10

11 Internet Criminalization: Sources & Methods Source: 11

12 New Malware Trends Source: 12

13 Total Malware Trends Source: 13

14 Cyber Security Focused Audit Strategy The purpose for executing a cyber and information security focused audit strategy is to develop a comprehensive view of an organization s overall cyber & information security posture. The cyber and information security focused audit strategy can be supported through the following activities: Plan and execute reviews and evaluations focused on assessing multiple layers of technology, security controls and processes, while aligning each risk review or audit to the unique threats, risks, and impacts to a given product, service delivery channel, and other value drivers. Through ongoing risk intelligence and monitoring, continually assess emerging threats based on their ability to impact an organizations clients through multiple delivery or communication channels (ex. voice, network, internet, applications, and servers) Continually review and assess internal (e.g. Information Security) and external security assessments, results, and remediation activities Reviews supporting the Cyber and Information Security FAS are designed to assess multi-layered control, security and technology environments implemented to mitigate cyber and information security threats. Focused cyber and information security reviews will be conducted on a 24 month review cycle, with the potential to vary the review cycle and or scope based on review results, ongoing risk intelligence, technology investments, and external events or security incidents. 14

15 Cyber & Information Security Technology & Controls Physical Data Centers (Physical Boundary) Employee Network Segment Corporate Assets & Value Drivers Customer Applications Data Processing, Support & Financial Apps Employees Sensitive Customer Data (GLBA / PCI) Confidential & Proprietary Data (MNPFI) Reputation / Branding E-commerce Network Segment VPN, Partner, Affiliates, Contractors 15

16 Malware High Population Cyber Threat Population Assessment Employee Network Segment Malware Impact DDoS High Population E-Commerce Network Segment DDoS Impact Criminals High Population VPN, Partner, Affiliates, Contractors Criminal Impact Physical Data Centers (Physical Boundary) TELECOM Corporate Assets & Value Drivers Customer Applications Data Processing, Support & Financial Apps Employees Sensitive Customer Data (GLBA / PCI) Confidential & Proprietary Data (MNPFI) Reputation / Branding WIFI 16

17 Cyber Focused Info. Sec. Focused Standard SOX/GCC (A) Annual (R) Risk Based Cycle Anti Malware Review (R) Cyber Threats & Audit Projects Employee Network Segment Info. Sec. & Conf. Review (R) Multi-Factor Auth Review (R) E-Commerce Network Segment Technology(SOX Scope) (A) ATM Sec. & Infrastructure(R) Social Engineering (R) Internet & E-commerce Review (R) Infrastructure Reviews (A) Application Reviews (A) Offshore Security Review (R) Partner, Affiliates, Contractors Tech Risk Mgmt. & Gov. (A) Physical Data Centers (Physical Boundary) Vulnerability & Patch Mgmt. (R) PCI Sec. & Infrastructure (R) 17

18 Cyber Security FAS Benefits and Challenges Risk Intelligence Formal Process / Budgeted Hours Monitor security investments, strategic programs, industry trends Risk evaluations on specific security projects / initiatives Learn expensive lessons from somebody else (e.g. data breach retrospectives) Assessing risk culture relative to cyber threat Transparency / close calls or incidents Audit findings / issues Physical Security / Data Disposal Still Critical Benefits Holistic view of threat / security posture over defined period Cross training for resource development Improved partnerships and client interaction Challenges Increased complexity (audit project) Evolving an Established Strategy Improve efficiency, lower impact to client (assistance) Compartmentalization of scope across projects Opportunities to leverage analytics to develop continuous monitoring (ex. incidents, vulnerabilities) / structured data is a challenge 18

19 Cyber Security FAS Helpful Sources Statistics and studies from more than 18,000 sources. Limited free stats / graphs available with easy import to PPT, xls, PNG. Reasonable single license user fees. Public data breaches since 2005, includes volumes, details, sources and methods, by industry categories, with export via csv / excel files. FREE! The independent IT-Security Institute, German based company, great research, stats and graphs, for malware risk intelligence and personal product performance, and malware news letters, annual security reports. Future trends in technology and saturation FFIEC Cyber Assessment Tool (CAT) NIST Cyber Security Framework 19

20 Closing Comments / Questions Thank you! Cyber and Information Security Focused Audit Strategy WNY ISACA March 9, 2017 Shamus McMahon CISA, CISSP