IT Security & New Regulatory Requirements May 29, 2014


IT Security & New Regulatory Requirements
May 29, 2014
Ron Hulshizer, CMA, CGEIT, Managing Director, IT Risk Services, rhulshizer@bkd.com
// experience precision

To Receive CPE Credit
Individual attendees:
- Participate in the entire webinar
- Answer polls when they are provided
Group attendees:
- Complete the group attendance form with the title & date of the live webinar, your company name, and your printed name, signature & email address
- All group attendance sheets must be submitted to training@bkd.com within 24 hours of the live webinar
- Answer polls when they are provided
If all eligibility requirements are met, each participant will be emailed a CPE certificate within 15 business days of the live webinar.

Cybersecurity: Learning Objectives
- Discuss emerging technologies
- Review the dark side of security
- Cover the weakest link in security
- Review new regulatory requirements

Technology: The Dark Side

Good Guys Versus Bad Guys
- White hat: a security consultant during the day
- Black hat: a hacker after midnight
- Grey hat: a security consultant during the day; a hacker after midnight

CryptoLocker
Source: Krebs On Security, November 6, 2013

IT Security Starts with Risk: Heartbleed
- Mistake in programming: a missing bounds check in the OpenSSL TLS heartbeat handler let a client read server memory it was never sent
- Flaw was out for approximately two years before it was found
- Estimated that approximately two-thirds of web servers ran OpenSSL, the affected library (only those on a vulnerable 1.0.1 release were actually exposed)
- As of May 8, 2014, 318,239 public web servers remained vulnerable
- Solution is straightforward, but the order matters: 1) apply the patch, 2) revoke & reissue TLS certificates, since server private keys may have leaked, 3) change passwords (rotating credentials before patching just exposes the new ones)
- Impact is unclear: there is no clear way to determine the extent of leakage of user names & passwords, because the memory read leaves no trace in server logs
- Most financial institutions have identified & addressed the flaw since Google's security team identified it on April 1, 2014
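The "mistake in programming" above is worth seeing rather than just naming. The following is an added example, not code from the webinar or from OpenSSL: it models the heartbeat message format (type, 2-byte claimed length, payload, padding) and the handler's copy in Python, with a byte string standing in for the server's heap. The secret placed next to the record is constructed sample data. The `hardened` flag switches in the one-line check that the fix added: reject any request whose claimed length exceeds the record that actually arrived.

```python
import struct
from typing import Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
HB_PADDING = 16  # a heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a TLS heartbeat request: type (1 byte) | payload_length (2 bytes,
    big-endian) | payload | padding.  A malicious peer sets claimed_len larger
    than the payload it actually sends."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * HB_PADDING


def process_heartbeat(memory: bytes, record_len: int, hardened: bool) -> Optional[bytes]:
    """Model of OpenSSL's heartbeat handler.  memory[:record_len] is the record
    that actually arrived; the rest of `memory` stands in for whatever else the
    process happened to hold next to it on the heap."""
    if record_len < 3:
        return None
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != TLS1_HB_REQUEST:
        return None
    if hardened and 1 + 2 + payload_len + HB_PADDING > record_len:
        # The fix: a claimed length that does not fit in the record is discarded.
        return None
    # The bug: the response echoes payload_len bytes starting at the payload,
    # trusting the peer's length field instead of the record's real length.
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + b"\x00" * HB_PADDING


def simulate(hardened: bool) -> Optional[bytes]:
    """Malicious request: claims 64 payload bytes but sends 2.  The secret placed
    after the record is constructed data standing in for another user's session."""
    record = build_heartbeat(b"hi", claimed_len=64)
    secret = b"session=SECRET-COOKIE; user=alice"
    memory = record + b"\x00" * 8 + secret + b"\x00" * 64
    return process_heartbeat(memory, len(record), hardened)


def leaks_secret(hardened: bool) -> bool:
    """True if the handler's response contains bytes that were never sent to it."""
    response = simulate(hardened)
    return response is not None and b"SECRET-COOKIE" in response


if __name__ == "__main__":
    print("vulnerable handler leaks secret:", leaks_secret(False))
    print("patched handler leaks secret:   ", leaks_secret(True))
```

Note that nothing in the vulnerable path fails or logs: the request is well-formed as far as the parser is concerned, which is why the slide's "impact is unclear" point holds and why patching, reissuing certificates and then rotating passwords is the only reliable response.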

IT Security Starts with Risk
- Employees: the weakest link
- Change: the enemy of security

IT Security Starts with Risk: Bank Fraud, a Few Examples
- Technical: website/Internet banking, $70,000 hack over a weekend
- Employee: classic wire fraud, $80,000; segregation of duties/trusted employee
- Management: abuse of position, $5,000,000; 19 years in the making

Social Engineering
- Starts with profiling the organization
- Obtain the IT director's name
- Prepare a strategy for the exploit
- Mock up a website
- Originate an email campaign
- Harvest user names & passwords
- Execute the exploitation strategy
- Experience: 5% to 46% of users tested provide information
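The "mock up a website" and "originate an email campaign" steps both depend on a sender or link domain that passes for the institution's own at a glance. The check below is an added example, not code from the webinar: it classifies a sender address as internal, lookalike or external against the organization's legitimate domains, catching homoglyph swaps (1 for l, 0 for o), transposed letters, dropped characters and the real domain buried as a subdomain of an attacker's. The domain `examplebank.com` and the test addresses are hypothetical; a production filter would use a public-suffix list rather than the two-label shortcut used here.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed: the institution's legitimate mail domains (hypothetical name).
ORG_DOMAINS = {"examplebank.com"}

# Character sequences attackers swap in because they look alike at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
              "3": "e", "5": "s", "7": "t", "8": "b"}


def skeleton(domain: str) -> str:
    """Collapse visually similar spellings to one canonical form: strip accents
    and non-ASCII confusables, then fold look-alike character runs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()
    for lookalike, real in HOMOGLYPHS.items():
        d = d.replace(lookalike, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.examplebank.com -> examplebank.com.
    Good enough for .com/.org; co.uk-style suffixes need a public-suffix list."""
    labels = domain.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, threshold: float = 0.9) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable(domain)
    if reg in ORG_DOMAINS:
        return "internal"
    for org in ORG_DOMAINS:
        if org in domain:                      # examplebank.com.login-verify.net
            return "lookalike"
        if skeleton(reg) == skeleton(org):     # examp1ebank.com
            return "lookalike"
        similarity = SequenceMatcher(None, skeleton(reg), skeleton(org)).ratio()
        if similarity >= threshold:            # exampelbank.com, examplebank.co
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ("it-director@examplebank.com", "helpdesk@examp1ebank.com",
                 "alerts@examplebank.com.login-verify.net", "newsletter@sans.org"):
        print(f"{addr:45} {classify_sender(addr)}")
```

Run this on the sender of every inbound message and on every link domain in the body; "lookalike" results are the campaign in progress, and they tend to arrive in a burst addressed to the people harvested during the profiling step.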

Social Engineering

New Regulatory Hot Buttons
- Unlimited operations
- Source data preparation
- Distributed denial of service attacks
- New guidance on the bank's responsibility

New Regulatory Hot Buttons: Unlimited Operations
Financial Institution Letter FIL-10-2014, released April 2, 2014
Highlights:
- Cyber attacks on financial institutions for the purpose of gaining access to, & altering settings on, ATM web-based control panels used by small- to medium-sized institutions have increased
- Unlimited operations are a category of ATM cash-out fraud in which criminals are able to extract funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals
- Financial institutions should ensure their risk management processes address risks from these types of cyber attacks, consistent with the risk management guidance contained in the FFIEC IT Examination Handbook & applicable industry standards

New Regulatory Hot Buttons: Unlimited Operations, Method
- In an unlimited operations attack, criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals
- According to the guidance, criminals perpetrate the fraud by initiating cyber attacks to gain access to web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid or ATM card accounts
- According to the guidance, an unlimited operations attack may begin with phishing emails sent to bank employees as a means to install malicious software onto the bank's network. Criminals use the malicious software to monitor the bank's network, determine how the bank accesses the ATM control panels & obtain employee login credentials
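Once the control panel is under the attacker's control, the limits it enforces are worthless, so the detection has to re-apply the bank's own limits from a source the panel cannot edit. The script below is an added example, not code from the webinar or the FIL: it reads constructed ATM switch and control-panel audit log lines (the format and field names are assumptions for this example, not a real vendor format), flags limit changes outside business hours or above the product's baseline limit, and independently flags withdrawals that exceed the account balance or the 24-hour limit, noting how many ATMs the card hit in that window, since cash-out crews run many machines at once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from an ATM switch / control-panel audit log (not
# real bank data; the field names are assumptions made for this example).
SAMPLE_LOG = """\
2014-05-10T01:58:12 event=limit_change user=jsmith card=4111...0017 field=daily_limit old=500 new=999999
2014-05-10T02:03:41 event=withdrawal card=4111...0017 atm=ATM-031 amount=800.00 balance=1200.00
2014-05-10T02:05:09 event=withdrawal card=4111...0017 atm=ATM-032 amount=800.00 balance=400.00
2014-05-10T02:07:55 event=withdrawal card=4111...0017 atm=ATM-044 amount=800.00 balance=-400.00
2014-05-10T02:09:30 event=withdrawal card=4111...0017 atm=ATM-045 amount=800.00 balance=-1200.00
2014-05-10T09:15:00 event=withdrawal card=4111...0042 atm=ATM-002 amount=200.00 balance=900.00
2014-05-10T17:40:00 event=withdrawal card=4111...0042 atm=ATM-002 amount=100.00 balance=700.00
"""

BASELINE_DAILY_LIMIT = 500.00   # assumed product limit, held outside the ATM control panel
CHANGE_HOURS = (8, 18)          # assumed: limit changes are only expected 08:00-18:00

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    for k in ("amount", "balance", "old", "new"):
        if k in rec:
            rec[k] = float(rec[k])
    return rec


def detect(lines, daily_limit=BASELINE_DAILY_LIMIT, window=timedelta(hours=24)):
    """Re-apply the bank's own limits independently of the control panel and
    return (card, rule, detail) alerts in log order."""
    alerts = []
    history = defaultdict(list)          # card -> withdrawals seen so far
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        if r["event"] == "limit_change":
            out_of_hours = not (CHANGE_HOURS[0] <= r["ts"].hour < CHANGE_HOURS[1])
            if r["new"] > daily_limit or out_of_hours:
                alerts.append((r["card"], "limit_change",
                               f"{r['field']} {r['old']:.0f}->{r['new']:.0f} "
                               f"by {r['user']} at {r['ts']:%H:%M}"))
        elif r["event"] == "withdrawal":
            hist = history[r["card"]]
            hist.append(r)
            if r["amount"] > r["balance"]:   # 'balance' is the balance before the withdrawal
                alerts.append((r["card"], "over_balance",
                               f"{r['amount']:.2f} against balance {r['balance']:.2f} at {r['atm']}"))
            recent = [x for x in hist if r["ts"] - x["ts"] <= window]
            total = sum(x["amount"] for x in recent)
            if total > daily_limit:
                atms = {x["atm"] for x in recent}
                alerts.append((r["card"], "over_limit",
                               f"{total:.2f} in {window} across {len(atms)} ATMs "
                               f"(limit {daily_limit:.2f})"))
    return alerts


def flagged_cards(alerts) -> set:
    """Cards with at least one alert, for the fraud desk's block list."""
    return {card for card, _, _ in alerts}


if __name__ == "__main__":
    for card, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{card} {rule:13} {detail}")
```

The limit-change rule fires before any cash leaves the machines, which is the alert worth paging on; the withdrawal rules are the backstop for the case where the attacker also suppresses or edits the audit trail, because they need only the transaction feed and a limit table the panel cannot touch.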

New Regulatory Hot Buttons: Distributed Denial of Service Attacks
Financial Institution Letter FIL-11-2014, released April 2, 2014
Highlights:
- DDoS attacks are continuing against financial institutions' public-facing websites
- DDoS attacks may be a diversionary tactic by criminals attempting to commit fraud
- Financial institutions are expected to address DDoS readiness as part of their ongoing business continuity & disaster recovery plans & to take certain specific steps, as appropriate, to detect & mitigate such attacks

New Regulatory Hot Buttons: Distributed Denial of Service Attacks, Method
- The motive may be destructive or diversionary
- The extent of damage caused by a DDoS to a business varies with the time of the attack, the duration of the outage & the type of services provided by the targeted system; it may range from an increased number of calls from inconvenienced customers to lost business or failure to meet a service level agreement
- In the case of banking, however, DDoS attacks present an additional layer of threat because they may be launched to divert the bank's resources & distract bank personnel so that intruders can simultaneously create an opportunity for computer fraud & information theft that may hamper the bank's operations & compromise valuable account information

IT Security Best Practices
- Training: employee training, management training
- Education: awareness of security risks
- Third-party review: an external, independent view of the organization
- Self assessment/risk assessment: review the organization's security posture

20 Critical Security Controls V4.1 (SANS Institute)
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Critical Control 4: Continuous Vulnerability Assessment and Remediation
- Critical Control 5: Malware Defenses
- Critical Control 6: Application Software Security
- Critical Control 7: Wireless Device Control
- Critical Control 8: Data Recovery Capability
- Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

- Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
- Critical Control 12: Controlled Use of Administrative Privileges
- Critical Control 13: Boundary Defense
- Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Critical Control 15: Controlled Access Based on the Need to Know
- Critical Control 16: Account Monitoring and Control
- Critical Control 17: Data Loss Prevention
- Critical Control 18: Incident Response and Management
- Critical Control 19: Secure Network Engineering
- Critical Control 20: Penetration Tests and Red Team Exercises

Useful Links
- Krebs On Security: www.krebsonsecurity.com (security newsletter)
- SANS: www.sans.org (SysAdmin, audit, networking & security)
- Bank Info Security: www.bankinfosecurity.com (security newsletter specifically for financial institutions)

Contact Information
Ron Hulshizer, Managing Director, IT Risk Services
405.606.2580
rhulshizer@bkd.com

BKD Today
- $418M in annual revenue
- 2,100 employees, including approximately 250 partners
- Diverse client base spanning health care, manufacturing, distribution, financial services, construction, real estate, not-for-profit, governmental & higher education
- Network of 30+ offices serves clients in all 50 states & internationally
- Largest U.S. member of Praxity, AISBL, a global alliance of independent firms

Continuing Professional Education (CPE) Credits
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.

The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.

CPE Credit
One CPE credit in the Specialized Knowledge & Applications field of study may be awarded upon verification of participant attendance. For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com.
