Fundamentals of Cybersecurity Controls Thursday, February 11 10:00 a.m. 11:00 a.m.


Fundamentals of Cybersecurity Controls
Thursday, February 11, 10:00 a.m. to 11:00 a.m.

The frequency and sophistication of cyber-attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat. During this session, panelists discuss some of the big-impact controls that firms should consider, such as one-time passwords, anti-malware tools, limiting administrative privileges, and vulnerability and patch management.

Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology Administration
Panelists: Moriah L. Hara, Senior Vice President, Enterprise Information Security, Wells Fargo; Wendy Lanton, Chief Operations and Compliance Officer, Lantern Investments, Inc.; Jason Lish, Senior Vice President, Hosting & Security, Charles Schwab and Company

2016 Financial Industry Regulatory Authority, Inc. All rights reserved.

Fundamentals of Cybersecurity Controls: Panelist Bios

Moderator: John Brady is a Vice President in Technology for Cyber and Information Security for FINRA, and is the organization's Chief Information Security Officer (CISO). In this capacity, he is responsible for all aspects of FINRA's information and cyber security programs, as well as ensuring compliance with related laws and regulations. He oversees staff focused in four primary information security areas: security architecture and controls, security management tools, application security, and identity management. Mr. Brady, along with counterparts in FINRA's Data Privacy Office, establishes policy and technical controls to ensure information is appropriately protected throughout its lifecycle. He began his career with FINRA over 10 years ago as the Director of Networks and Firewalls. He then broadened and deepened his technical knowledge by taking on responsibility for server and storage infrastructure, where he led system engineering efforts to expand capacity and performance of Market Regulation systems in response to data volumes growing more than 40 percent year over year. Mr. Brady recently led the establishment, design, and implementation of FINRA's new data centers and the seamless migration of more than 175 applications from an outsourcer to those new data centers. Prior to the commencement of his work with FINRA in October 2002, Mr. Brady was Director of Networks at VeriSign from 2000 to 2002 and Network Solutions from 1998 to 2000. From 1995 to 1998, he built and operated Citibank's Internet Web and email services as Vice President, Internet Services. From 1993 to 1995, Mr. Brady worked for Sun Microsystems as Senior Consultant, where he built integrated network systems for prominent customers. Mr. Brady began his professional career as a member of technical staff at The Aerospace Corporation from 1987 to 1993, designing satellite systems and command and control networks for the Air Force Space Command. Mr. Brady holds a bachelor's degree in Computer and Electrical Engineering from Purdue University in West Lafayette, Indiana, and a master's degree in Industrial Engineering and Operations Research from the University of California at Berkeley. He also is an (ISC)2 Certified Information Systems Security Professional (CISSP).

Panelists:

Moriah L. Hara is Senior Vice President, Enterprise Information Security for Wells Fargo Enterprise Technology Operations. In this role, she is responsible for leading the cybersecurity strategy for the technology supporting multiple businesses, including the Wholesale bank. Ms. Hara has more than 17 years of information security experience and has worked with dozens of Fortune 500 companies as a trusted advisor on their enterprise security requirements. Before working at Wells Fargo, Ms. Hara worked at Credit Suisse, where she was Global Head of Information Security, Governance, and Compliance for the Networks Technology division. Previously, she was at Bank of America, where she co-developed the Threat Management team and managed the global Payment Card Industry (PCI) security program at the bank. Ms. Hara spent extensive time securing the payment space by creating the PCI Qualified Security Assessor (QSA) program for Visa and the global payment brands. Ms. Hara is a graduate of the Harvard University Executive Cybersecurity Program and has numerous industry certifications, including the CSSLP, CISSP, CISM, PCI QSA, and MCSE. She is a passionate leader in the financial security space and is a frequent speaker and participant in the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), and other industry forums. She is also the author of a patent-pending Risk Assessment and Prioritization Framework that she developed for FSSCC.

Wendy Lanton is the Chief Operations and Compliance Officer for Lantern Investments. Ms. Lanton has been working in the financial services industry for over 20 years. Ms. Lanton is one of the founding principals of Lantern Investments, a FINRA registered broker dealer, and Lantern Wealth Advisors, an SEC registered investment advisor. She has been the Chief Compliance Officer of Lantern Investments since its inception in 1993. The firm has multiple business lines and currently has 50 registered representatives and operates 13 branch offices across the country. Ms. Lanton is responsible for both the firm's compliance and the day-to-day operations of the firm. She currently serves on the Steering Committee for her firm's current clearing firm and was the co-chairperson of the steering committee at her previous clearing firm. As a steering committee member, her industry experience is called upon to help direct both compliance and technology resources. Ms. Lanton has also served as the chairperson for multiple Compliance Forums for retail brokerage firms. She was a speaker/panelist at the FINRA 2014 Annual Conference in Washington DC, discussing Anti-Money Laundering and Effective Risk-Based Examinations for small firms. In December 2015 she was appointed to the FINRA Small Firm Advisory Board. Ms. Lanton has also written numerous compliance-centric articles focusing on topics ranging from client suitability to cyber-security. Ms. Lanton graduated from George Washington University, where she majored in International Finance. Prior to becoming a founding member of Lantern Investments, Ms. Lanton worked for a regional bank where she managed assets for high net worth individuals and medium-sized businesses.

Jason Lish is currently Senior Vice President of Hosting & Security for Charles Schwab and Company. In this role Mr. Lish is responsible for operational and architecture security services to strengthen Schwab's security posture and enhance the protection of Schwab's critical assets. Mr. Lish also has responsibility for Enterprise IT Hosting, which includes all aspects of application and mainframe hosting. Prior to Charles Schwab, Mr. Lish was Senior Director of Cyber Security Operations at Honeywell International. In this role, he was responsible for the design and maintenance of the cyber security program and the delivery of cost-effective and efficient secure IT security services. Mr. Lish began his career in the United States Air Force as a telecommunications specialist, where he administered large network, communication, and cryptographic systems. Mr. Lish resides in Phoenix, Arizona and holds a Bachelor of Science degree and a Master's in Business Administration. He holds several certifications in security, networking, and process management.

Cybersecurity Conference, February 11, 2016, New York, NY
Fundamentals of Cybersecurity

Panelists
Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology Administration
Panelists: Moriah L. Hara, Senior Vice President, Enterprise Information Security, Wells Fargo; Wendy Lanton, Chief Operations and Compliance Officer, Lantern Investments, Inc.; Jason Lish, Senior Vice President, Hosting & Security, Charles Schwab and Company

Cybersecurity Conference 2016 FINRA. All rights reserved.

Cybersecurity Hierarchy of Needs
[Figure: Cybersecurity Hierarchy of Needs. Source: Retail Cyber Intelligence Sharing Center (R-CISC)]

NIST Cybersecurity Framework Core Functions

IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

[Figure: the five NIST Cybersecurity Framework functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) shown as a cycle]

Application of the NIST Cybersecurity Framework: 5 Top Cybersecurity Risks

The following slides map each of five top risks across the IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER functions:
- Insider Threat
- Disruptive Attack
- Unauthorized Access
- Data Breach
- Supply Chain Compromise

Insider Threat
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.

NIST CSF mapping:
IDENTIFY: Asset Mgmnt; Governance
PROTECT: Access Control; Awareness & Training; Data Protection
DETECT: Anomalies & Events; Continuous Monitoring; Detection Process & Exercises
RESPOND: Assess, Analyze and Mitigate; Contain & Eradicate; Make Communications
RECOVER: Recovery Planning

Disruptive Attack
A Disruptive Attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

NIST CSF mapping:
IDENTIFY: Asset Mgmnt; Risk Mgmnt; Risk Assessment
PROTECT: Access Control; Data Security; Protective Technology
DETECT: Anomalies & Events; Continuous Monitoring; Detection Process & Exercises
RESPOND: Response Planning; Analysis, Mitigation, and Improvements; Communications
RECOVER: Recovery Planning; Communications

Data Breach
A Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data Breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

NIST CSF mapping:
IDENTIFY: Risk Assessment
PROTECT: Awareness & Training; Info Protection Process & Procedure; Protective Technology; Vulnerability Scanning & Patch Mgmt
DETECT: Continuous Monitoring; Detection Process & Exercises
RESPOND: Assess, Analyze and Mitigate; Contain & Eradicate; Make Communications
RECOVER: Recovery Planning

Unauthorized Access
Unauthorized Access refers to gaining logical or physical access without permission to a computer network, system, application software, data or other resource.

NIST CSF mapping:
IDENTIFY: Asset Mgmnt; Risk Assessment
PROTECT: Access Control; Data Security; Protective Technology
DETECT: Anomalies & Events; Continuous Monitoring; Detection Process & Exercises
RESPOND: Response Planning; Contain & Eradicate; Communications
RECOVER: Recovery Planning; Communications

Supply Chain Compromise
A Supply Chain Attack seeks to damage an organization by targeting less-secure elements in the supply network.

NIST CSF mapping:
IDENTIFY: Asset Mgmnt; Business Environment; Risk Mgmnt
PROTECT: Access Control; Data Security; Protective Technology
DETECT: Anomalies & Events; Continuous Monitoring; Detection Process & Exercises
RESPOND: Assess, Analyze and Mitigate; Contain & Eradicate; Make Communications
RECOVER: Recovery Planning
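The five risk-to-CSF mappings above can be turned into a control-gap check: given the categories a firm has already implemented, list what each risk still lacks and rank the missing categories by how many of the five risks they address. This is an added example, not code from the FINRA deck; the implemented-control list is a constructed sample.

```python
"""Control-gap analysis over the five risk-to-NIST-CSF mappings from the
slides above (added example, not from the FINRA deck)."""
from collections import Counter

def mapping(identify, protect, detect, respond, recover):
    """Build one risk's CSF mapping as {function: set of categories}."""
    return {"IDENTIFY": set(identify), "PROTECT": set(protect),
            "DETECT": set(detect), "RESPOND": set(respond),
            "RECOVER": set(recover)}

# Transcribed from the five risk slides; category labels as the deck writes them.
RISK_MAP = {
    "Insider Threat": mapping(
        ["Asset Mgmnt", "Governance"],
        ["Access Control", "Awareness & Training", "Data Protection"],
        ["Anomalies & Events", "Continuous Monitoring", "Detection Process & Exercises"],
        ["Assess, Analyze and Mitigate", "Contain & Eradicate", "Make Communications"],
        ["Recovery Planning"]),
    "Disruptive Attack": mapping(
        ["Asset Mgmnt", "Risk Mgmnt", "Risk Assessment"],
        ["Access Control", "Data Security", "Protective Technology"],
        ["Anomalies & Events", "Continuous Monitoring", "Detection Process & Exercises"],
        ["Response Planning", "Analysis, Mitigation, and Improvements", "Communications"],
        ["Recovery Planning", "Communications"]),
    "Data Breach": mapping(
        ["Risk Assessment"],
        ["Awareness & Training", "Info Protection Process & Procedure",
         "Protective Technology", "Vulnerability Scanning & Patch Mgmt"],
        ["Continuous Monitoring", "Detection Process & Exercises"],
        ["Assess, Analyze and Mitigate", "Contain & Eradicate", "Make Communications"],
        ["Recovery Planning"]),
    "Unauthorized Access": mapping(
        ["Asset Mgmnt", "Risk Assessment"],
        ["Access Control", "Data Security", "Protective Technology"],
        ["Anomalies & Events", "Continuous Monitoring", "Detection Process & Exercises"],
        ["Response Planning", "Contain & Eradicate", "Communications"],
        ["Recovery Planning", "Communications"]),
    "Supply Chain Compromise": mapping(
        ["Asset Mgmnt", "Business Environment", "Risk Mgmnt"],
        ["Access Control", "Data Security", "Protective Technology"],
        ["Anomalies & Events", "Continuous Monitoring", "Detection Process & Exercises"],
        ["Assess, Analyze and Mitigate", "Contain & Eradicate", "Make Communications"],
        ["Recovery Planning"]),
}

# Constructed sample: CSF categories a small firm has already implemented.
IMPLEMENTED = {"Asset Mgmnt", "Access Control", "Awareness & Training",
               "Continuous Monitoring", "Recovery Planning", "Data Security",
               "Protective Technology"}

def gaps_for_risk(risk, implemented):
    """Return {function: sorted missing categories}, omitting covered functions."""
    return {fn: sorted(cats - implemented)
            for fn, cats in RISK_MAP[risk].items() if cats - implemented}

def prioritized_gaps(implemented):
    """Rank missing categories by how many of the five risks each addresses.
    A category counts once per risk even when the slide lists it under two
    functions (e.g. Communications under both RESPOND and RECOVER)."""
    counter = Counter()
    for risk in RISK_MAP:
        counter.update(set().union(*RISK_MAP[risk].values()) - implemented)
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for category, n in prioritized_gaps(IMPLEMENTED):
        print(f"{n} of 5 risks: {category}")
```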

Appendix
Illustrative examples of technical controls to protect network, device and crown jewels

DEFENSE IN DEPTH MODEL
Controls grouped by the three rings of the model (Network, Device, Crown Jewels), plus two cross-cutting programs.

Network:
- Firewalls: provide network segmentation and port filtering capabilities
- Denial of Service: volumetric protection (WAF, DDoS firewall)
- Intrusion Detection (NIDS): inspect traffic in near real-time
- Network Forensics / Packet Inspection: full packet inspection to detect anomalies
- Security Event Management (SIEM): advanced security intelligence, correlation and alerting
- Network Access Control: NAC ensures only trusted devices connect to the network
- Website / Spam Filtering Proxy: near real-time assessment of web traffic
- Email Filter: email filtering to protect against spam and malware

Device:
- Endpoint Protection: traditional anti-virus and anti-malware protection on endpoints and servers
- Application Whitelisting: execute only approved applications on high-risk assets
- Privilege Management: access control and elevated privilege account management for applications and systems
- Endpoint Encryption: full disk encryption on mobile workstations
- Mobile Security Management: enterprise mobile device management and compliance enforcement for phones and tablets

Crown Jewels:
- Hardened Tier 0: separation of duties (SoD), 2-factor authentication, monitoring and alerting
- Super Access Partitioning
- Data Protection: data discovery and protection mechanisms such as Transparent Data Encryption, Data Masking and, for PCI data, Tokenization

Cross-cutting: User Awareness & Training; Vulnerability Scanning & Patch Management

NIST Cyber Security Framework & SANS Top 20
Mapping of NIST Cyber Security Framework functions and categories to the SANS Institute Top 20 Critical Security Controls.

Identify (categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy) and Protect (categories: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology) map to these Top 20 controls:
- Inventory of Devices
- Inventory of Software
- Vulnerability Assessment and Remediation
- Application Software Security
- Secure Computer Configurations
- Secure Network Configurations
- Malware Defenses
- Wireless Access Control
- Security Skills Training
- Firewalling of Ports, Protocols, and Services
- Controlled Use of Administrator Privileges
- Boundary Defense
- Controlled Access Based on Need to Know
- Data Protection
- Secure Network Engineering

Detect (categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes), Respond (categories: Response Planning; Communications; Analysis; Mitigation) and Recover (categories: Recovery Planning; Communications) map to these Top 20 controls:
- Maintenance, Monitoring and Analysis of Audit Logs
- Account Monitoring and Control
- Incident Response and Management
- Penetration Tests and Red Team Exercises
- Data Recovery Capability

References
- National Institute of Standards and Technology (NIST) Cybersecurity Framework: http://www.nist.gov/cyberframework/
- Federal Communications Commission (FCC) Small Biz Cyber Planner: https://www.fcc.gov/cyberplanner
- FCC Cybersecurity Tip Sheet: https://apps.fcc.gov/edocs_public/attachmatch/DOC-306595A1.pdf
- Small Business Administration (SBA) Cybersecurity for Small Business self-paced training: https://www.sba.gov/tools/sba-learningcenter/training/cybersecurity-small-businesses
- US Chamber of Commerce Commonsense Guide to Cyber Security for Small Business: https://www.uschamber.com/sites/default/files/legacy/reports/cybersecurityguide923.pdf
- Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool: https://www.ffiec.gov/cyberassessmenttool.htm
- SANS Institute Critical Controls: https://www.sans.org/criticalsecurity-controls
- Australian Signals Directorate Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/mitigationstrategies.htm