IT Security & New Regulatory Requirements
May 29, 2014
Ron Hulshizer, CMA, CGEIT
Managing Director, IT Risk Services
rhulshizer@bkd.com

To Receive CPE Credit
Individual Attendee
- Participate in entire webinar
- Answer polls when they are provided
Group Attendees
- Complete group attendance form with
  - Title & date of live webinar
  - Your company name
  - Your printed name, signature & email address
- All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar
- Answer polls when they are provided
If all eligibility requirements are met, each participant will be emailed a CPE certificate within 15 business days of live webinar
// experience precision
Cybersecurity
Learning Objectives
- Discuss emerging technologies
- Review the dark side of security
- Cover the weakest link to security
- Review new regulatory requirements
Technology: The Dark Side

Good Guys Versus Bad Guys
- White hat: a security consultant during the day
- Black hat: a hacker after midnight
- Grey hat: a security consultant during the day; a hacker after midnight
CryptoLocker
Source: Krebs On Security, November 6, 2013

IT Security Starts with Risk
Heartbleed
- Mistake in programming: a missing bounds check in OpenSSL's TLS heartbeat handler let a client ask for more bytes than it sent, and the server answered with whatever sat next to the request in memory
- Flaw was out for approximately two years
- Estimated that approximately two-thirds of web servers ran OpenSSL and were potentially affected
- As of May 8, 2014, 318,239 public web servers remained vulnerable
- Solution is straightforward: 1) apply the patch, 2) change passwords (and reissue certificates and private keys, since server memory can include the private key)
- Impact is unclear: there is no clear way to determine the impact of leaked user names & passwords, because the over-read leaves no trace in ordinary server logs
- Most financial institutions have identified & addressed the flaw since Google's security team identified it on April 1, 2014
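The "mistake in programming" on the slide is a missing length check. The following Python model is an added example, not code from the deck or from OpenSSL: it reproduces the heartbeat message layout (type, two-byte payload length, payload, at least 16 bytes of padding) and shows the unpatched handler beside the patched one. The `NEIGHBOUR_MEMORY` bytes are a constructed stand-in for the server heap; in C the over-read returns up to 64 KiB of real memory, here slicing simply runs to the end of the buffer.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING = 16  # a TLS heartbeat message carries at least 16 bytes of padding


def build_record(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type (1) | payload_length (2, big endian) | payload | padding.
    claimed_len is whatever the sender writes in the header: an honest client writes
    len(payload), an attacker writes something far larger."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


# Constructed stand-in for whatever happened to sit next to the record in the server's heap.
NEIGHBOUR_MEMORY = (
    b"Cookie: session=8f3a...; POST /login user=alice&password=hunter2 "
    b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a real key)"
)


def vulnerable_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Unpatched logic: the payload length is taken from the attacker's header and is
    never compared with record_len (the number of bytes that actually arrived), so the
    copy runs past the end of the record into neighbouring memory."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack("!H", memory[1:3])[0]
    # memcpy(bp, pl, payload) with an attacker-chosen length.
    return memory[3:3 + payload_len]


def patched_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed logic: drop the message unless header + payload + padding all fit inside
    the bytes that were really received."""
    if record_len < 1 + 2 + PADDING:
        return None  # no room even for an empty payload plus padding
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # claimed length exceeds what arrived: silently discard
    return memory[3:3 + payload_len]


def demo(claimed_len: int, payload: bytes = b"hi") -> Tuple[Optional[bytes], Optional[bytes]]:
    """Run one heartbeat through both handlers; returns (vulnerable_reply, patched_reply)."""
    record = build_record(payload, claimed_len)
    memory = record + NEIGHBOUR_MEMORY
    return vulnerable_heartbeat(memory, len(record)), patched_heartbeat(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo(claimed_len=60000)
    print("vulnerable handler replied with:", leaked)
    print("patched handler replied with:", safe)
```

With an honest header (`demo(2)`) both handlers echo the two-byte payload; with a claimed length of 60000 the vulnerable handler returns the constructed session cookie and key material while the patched one returns nothing. That silence is also why the slide's "impact is unclear" point holds: neither version writes a log entry.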
IT Security Starts with Risk
- Employees: weakest link
- Change: enemy of security

IT Security Starts with Risk
Bank fraud: a few examples
- Technical: website/Internet banking, $70,000 hack, over a weekend
- Employee: classic wire fraud, $80,000, segregation of duties/trusted employee
- Management: abuse of position, $5,000,000, 19 years in the making
Social Engineering
- Starts with profiling the organization
- Obtain IT director's name
- Prepare strategy for exploit
- Mockup website
- Originate email campaign
- Harvest user names & passwords
- Execute exploitation strategy
Experience: 5% to 46% of users tested provide information
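The campaign above hinges on a mockup site at a domain that passes for the bank's own. The following Python script is an added example, not the presenter's tooling: it generates the registrable domains a phisher would register to impersonate an organization (omissions, transpositions, hyphenation, homoglyphs, TLD swaps) and then audits the links in a message against them. `examplebank.com`, the substitution table and the sample e-mail are constructed for the demonstration, and the "last two labels" rule for the registrable domain is a simplification that a real deployment would replace with the public suffix list.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

ORG_DOMAIN = "examplebank.com"   # hypothetical organization domain the campaign imitates

# Small constructed substitution table of characters that pass a quick glance.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"]}
ALT_TLDS = ["com", "net", "org", "co", "info", "biz", "us"]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def lookalikes(domain: str) -> Set[str]:
    """Generate the registrable domains a phisher would pick to pass as `domain`."""
    label, _, tld = domain.rpartition(".")
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")                      # omission: exmplebank
        out.add(f"{label[:i]}{label[i]}{label[i]}{label[i + 1:]}.{tld}")  # repetition: exaamplebank
    for i in range(len(label) - 1):
        out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")  # transposition: exmaplebank
        out.add(f"{label[:i + 1]}-{label[i + 1:]}.{tld}")                     # hyphenation: example-bank
    for seq, subs in HOMOGLYPHS.items():
        pos = label.find(seq)
        while pos != -1:
            for sub in subs:
                out.add(f"{label[:pos]}{sub}{label[pos + len(seq):]}.{tld}")  # homoglyph: examp1ebank
            pos = label.find(seq, pos + 1)
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{label}.{alt}")                                         # TLD swap: examplebank.net
    out.discard(domain)
    return out


def registrable(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_links(body: str, org_domain: str = ORG_DOMAIN) -> List[Tuple[str, str]]:
    """Return (url, reason) for each link in `body` that impersonates org_domain."""
    suspects = lookalikes(org_domain)
    findings: List[Tuple[str, str]] = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host == org_domain or host.endswith("." + org_domain):
            continue                                    # genuinely under the organization's domain
        reg = registrable(host)
        if reg in suspects:
            findings.append((url, f"lookalike of {org_domain}: {reg}"))
        elif org_domain in host:
            findings.append((url, f"{org_domain} used as a subdomain of {reg}"))
    return findings


# Constructed message in the style of the campaign described above.
SAMPLE_EMAIL = """From: IT Director <it.director@examplebank.com>
Subject: Mandatory password reset before Friday

Our statements portal is unchanged: https://www.examplebank.com/statements
To keep access, confirm your credentials here: https://examp1ebank.com/login
Backup link if the first fails: https://examplebank.com.secure-login.net/verify
Security tips from SANS: https://www.sans.org/security-awareness-training/
"""

if __name__ == "__main__":
    for url, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPECT {url}  ({reason})")
```

The same `lookalikes()` output can be fed to a registrar watch or DNS sinkhole ahead of a test campaign, which is the defensive counterpart of the "mockup website" step.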
New Regulatory Hot Buttons
- Unlimited operations
- Source data preparation
- Distributed denial of service attacks
- New guidance on bank's responsibility
New Regulatory Hot Buttons: Unlimited Operations
Financial Institution Letter FIL-10-2014, released April 2, 2014
Highlights
- Cyber attacks on financial institutions for the purpose of gaining access to, & altering settings on, ATM web-based control panels used by small- to medium-sized institutions have increased
- Unlimited operations are a category of ATM cash-out fraud in which criminals are able to extract funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals
- Financial institutions should ensure their risk management processes address risks from these types of cyber attacks, consistent with the risk management guidance contained in the FFIEC IT Examination Handbook & applicable industry standards

New Regulatory Hot Buttons: Unlimited Operations
Method
- In an unlimited operations attack, criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals
- According to the guidance, criminals perpetrate the fraud by initiating cyber attacks to gain access to web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid or ATM card account information
- According to the guidance, an unlimited operations attack may begin with phishing emails sent to bank employees as a means to install malicious software onto the bank's network. Criminals use the malicious software to monitor the bank's network to determine how the bank accesses ATM control panels & obtain employee login credentials
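Because the attacker's first move is to raise limits in the web-based control panel, a detection that trusts the panel's current setting is blind by construction. The following Python script is an added example, not from the FIL or the deck: it replays constructed control-panel audit entries and ATM withdrawals and judges each withdrawal against the limit of record held by the core system, flagging limit changes above policy or outside business hours, daily totals above the limit of record, and ATM withdrawals that drive a balance negative. The accounts, events, policy ceiling and business-hours range are all assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample data (not from the FIL): the core system's view of each card.
ACCOUNTS: Dict[str, Dict[str, float]] = {
    "4111-01": {"balance": 500.00, "daily_limit": 300.00},
    "4111-02": {"balance": 2500.00, "daily_limit": 500.00},
}

# Constructed event stream: ATM control-panel audit entries plus ATM withdrawals,
# as a bank might gather them from the panel's audit log and the ATM switch.
EVENTS: List[Dict] = [
    {"ts": "2014-03-01T02:14:00", "type": "limit_change", "card": "4111-01", "new_limit": 1000000.00, "user": "jsmith"},
    {"ts": "2014-03-01T02:20:00", "type": "withdrawal", "card": "4111-01", "amount": 300.00, "atm": "ATM-17"},
    {"ts": "2014-03-01T02:23:00", "type": "withdrawal", "card": "4111-01", "amount": 300.00, "atm": "ATM-17"},
    {"ts": "2014-03-01T02:31:00", "type": "withdrawal", "card": "4111-01", "amount": 300.00, "atm": "ATM-42"},
    {"ts": "2014-03-01T09:05:00", "type": "withdrawal", "card": "4111-02", "amount": 200.00, "atm": "ATM-03"},
]

MAX_POLICY_LIMIT = 5000.00      # assumed: no card may ever carry a daily limit above this
BUSINESS_HOURS = range(8, 18)   # assumed: limit changes outside 08:00-17:59 are unusual

Alert = Tuple[str, str, str]    # (timestamp, card, kind)


def detect_unlimited_ops(accounts: Dict[str, Dict[str, float]], events: List[Dict]) -> List[Alert]:
    """Replay events in time order. Withdrawals are measured against the limit of record
    in `accounts` (the core system), never against the panel's current setting, because
    the panel setting is exactly what the attacker has altered."""
    live = {card: dict(v) for card, v in accounts.items()}    # mutable copy: panel limit, running balance
    spent: Dict[Tuple[str, str], float] = defaultdict(float)  # (card, date) -> withdrawn so far that day
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        card = ev["card"]
        if ev["type"] == "limit_change":
            live[card]["daily_limit"] = ev["new_limit"]
            if ev["new_limit"] > MAX_POLICY_LIMIT:
                alerts.append((ev["ts"], card, "limit_above_policy"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((ev["ts"], card, "limit_change_off_hours"))
        elif ev["type"] == "withdrawal":
            day = (card, ts.date().isoformat())
            spent[day] += ev["amount"]
            live[card]["balance"] -= ev["amount"]
            if spent[day] > accounts[card]["daily_limit"]:
                alerts.append((ev["ts"], card, "exceeds_limit_of_record"))
            if live[card]["balance"] < 0:
                alerts.append((ev["ts"], card, "overdrawn_via_atm"))
    return alerts


if __name__ == "__main__":
    for ts, card, kind in detect_unlimited_ops(ACCOUNTS, EVENTS):
        print(ts, card, kind)
```

On the constructed data the 02:14 limit change raises two alerts on its own, before any cash leaves an ATM, which is the window in which a bank can still act; the second and third withdrawals then trip both the limit-of-record and overdraft checks.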
New Regulatory Hot Buttons: Distributed Denial of Service Attack
Financial Institution Letter FIL-11-2014, released April 2, 2014
Highlights
- DDoS attacks are continuing against financial institutions' public-facing websites
- DDoS attacks may be a diversionary tactic by criminals attempting to commit fraud
- Financial institutions are expected to address DDoS readiness as part of their ongoing business continuity & disaster recovery plans & to take certain specific steps, as appropriate, to detect & mitigate such attacks

New Regulatory Hot Buttons: Distributed Denial of Service Attack
Method
- Motive may be destructive or diversionary
- Extent of damage caused by DDoS to a business varies based on time of attack, duration of outage & type of services provided by the targeted system. It may range from an increased number of calls from inconvenienced customers to lost business or failure to meet a service level agreement
- In the case of banking, however, DDoS attacks present an additional layer of threat because they may be launched to divert the bank's resources & distract bank personnel so intruders can simultaneously create an opportunity for computer fraud & information theft that may hamper the bank's operations & compromise valuable account information
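The diversion point above suggests a concrete control: once the website flood is detected, look at what the back office did during and just after it. The following Python script is an added example, not from the FIL or the deck. It derives flood windows from constructed per-minute request counts (any minute above ten times the median) and then returns the high-value transfers and new-payee creations that fell inside a window or the grace period after it. The counts, transactions, multiplier, grace period and value threshold are all assumptions for the demonstration.

```python
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed per-minute request counts for a public website (not real telemetry).
REQUESTS_PER_MINUTE: List[Tuple[str, int]] = [
    ("2014-02-11T10:00", 410), ("2014-02-11T10:01", 395), ("2014-02-11T10:02", 420),
    ("2014-02-11T10:03", 405), ("2014-02-11T10:04", 31000), ("2014-02-11T10:05", 45000),
    ("2014-02-11T10:06", 52000), ("2014-02-11T10:07", 47000), ("2014-02-11T10:08", 430),
    ("2014-02-11T10:09", 415),
]

# Constructed back-office activity from the same morning.
TRANSACTIONS: List[Dict] = [
    {"ts": "2014-02-11T09:50", "kind": "wire", "amount": 2500.0, "acct": "A1"},
    {"ts": "2014-02-11T10:05", "kind": "new_payee", "amount": 0.0, "acct": "B7"},
    {"ts": "2014-02-11T10:06", "kind": "wire", "amount": 48000.0, "acct": "B7"},
    {"ts": "2014-02-11T10:12", "kind": "wire", "amount": 15000.0, "acct": "C2"},
    {"ts": "2014-02-11T10:40", "kind": "wire", "amount": 20000.0, "acct": "D9"},
]

FLOOD_MULTIPLIER = 10            # assumed: a minute above 10x the median count is part of a flood
GRACE = timedelta(minutes=10)    # assumed: keep watching briefly after traffic returns to normal
HIGH_VALUE = 10000.0             # assumed review threshold for a single transfer

Window = Tuple[datetime, datetime]


def find_flood_windows(samples: List[Tuple[str, int]]) -> List[Window]:
    """Collapse consecutive flood minutes into (first_minute, last_minute) windows."""
    baseline = median(count for _, count in samples)
    windows: List[Window] = []
    start = last = None
    for ts_text, count in samples:
        ts = datetime.fromisoformat(ts_text)
        if count > FLOOD_MULTIPLIER * baseline:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            windows.append((start, last))
            start = last = None
    if start is not None:
        windows.append((start, last))
    return windows


def transactions_during_flood(windows: List[Window], txns: List[Dict]) -> List[Dict]:
    """Return the transactions that deserve a second look: high-value transfers and new
    payees created while the site was under attack or within GRACE afterwards."""
    flagged: List[Dict] = []
    for t in txns:
        ts = datetime.fromisoformat(t["ts"])
        under_attack = any(start <= ts <= end + GRACE for start, end in windows)
        if under_attack and (t["amount"] >= HIGH_VALUE or t["kind"] == "new_payee"):
            flagged.append(t)
    return flagged


if __name__ == "__main__":
    windows = find_flood_windows(REQUESTS_PER_MINUTE)
    for start, end in windows:
        print("flood:", start, "to", end)
    for t in transactions_during_flood(windows, TRANSACTIONS):
        print("review:", t)
```

The grace period matters: in the constructed data the 10:12 wire lands after traffic has recovered but while staff are still busy with the outage, and it is flagged; the routine 09:50 and 10:40 wires are not.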
IT Security Best Practices
- Training: employee training, management training
- Education: awareness of security risks
- Third-party review: external, independent view of the organization
- Self-assessment / risk assessment: review the organization's security posture

20 Critical Security Controls V4.1 (SANS Institute)
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 7: Wireless Device Control
Critical Control 8: Data Recovery Capability
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
20 Critical Security Controls V4.1 (SANS Institute)
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response and Management
Critical Control 19: Secure Network Engineering
Critical Control 20: Penetration Tests and Red Team Exercises

Useful Links
- Krebs On Security: www.krebsonsecurity.com (security newsletter)
- SANS: www.sans.org (SysAdmin, audit, networking & security)
- Bank Info Security: www.bankinfosecurity.com (security newsletter specifically for financial institutions)
Contact Information
Ron Hulshizer, Managing Director, IT Risk Services
405.606.2580
rhulshizer@bkd.com

BKD Today
- $418M in annual revenue
- 2,100 employees, including approximately 250 partners
- Diverse client base spanning health care, manufacturing, distribution, financial services, construction, real estate, not-for-profit, governmental & higher education
- Network of 30+ offices serves clients in all 50 states & internationally
- Largest U.S. member of Praxity, AISBL, a global alliance of independent firms
Continuing Professional Education (CPE) Credits
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.

CPE Credit
One CPE credit in the Specialized Knowledge & Applications field of study may be awarded upon verification of participant attendance.
For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com