Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass, P.C. Michael Barrack, Managing Director, Accume Partners
About the Speaker Jeremy Burris, Principal S.R. Snodgrass, P.C. CISA, CISSP, MCP, LPT, CPTS, CEH, CICP, ECSA, Security+ jburris@srsnodgrass.com Jeremy is a Principal in the Technology Services practice of the S.R. Snodgrass, P.C. Financial Institution Services Group. He worked as a Network Administrator for a bank for 4 years and has over 15 years of experience in IT. At Snodgrass, Jeremy specializes in security. He performs attack and penetration tests as well as Information Technology audits for hundreds of financial institutions each year and holds numerous certifications and licenses in the area of security.
Michael Barrack Accume Partners, Managing Director mbarrack@accumepartners.com Provides technology compliance and cybersecurity services for community Financial Institutions (FIs) nationwide More than 30 years as a Banker and working in adjacent industries Served as CIO for several Community Banks ($1-3 Billion in Assets) As ipay Technologies CEO led company through period of explosive growth Has been the accountable executive in IT examinations as both a banker and service provider
Agenda Introduction Facing the Cybersecurity Challenge Prevention Technical and Administrative Controls Detection Response Questions & Answers
Prevention Technical Controls Firewall IDS/IPS Devices/Anti-Malware Network Review Considerations Cloud Computing Wireless Computing
II. Firewall/IPS/IDS Devices/Anti-Malware Firewall/IPS/IDS Devices A. How often are these patched? 1. If patches are skipped, is it documented why they were skipped (i.e., they are not applicable to the environment, or they don't address critical or high-ranking vulnerabilities)? B. Is there dual control or segregation of duties when firewall changes are made? C. Are there periodic firewall ruleset reviews? D. How well did these types of devices perform during the last penetration test? Were any problems noted and how were they addressed? Were the results compared to expected results (were the open ports the ones you expected, and did the devices react as expected)? E. How quickly can these devices detect a threat, and how quickly can your IT staff respond appropriately to the threat if action is required?
II. Firewall/IPS/IDS Devices/Anti-Malware F. Anti-Malware 1) How well do your anti-malware systems (antivirus, antispyware, anti-spam) protect you? 2) How well do they protect against zero-day exploits? (A purely signature-based product cannot recognize an exploit nobody has catalogued yet; ask what behavioral, sandboxing or application-control layer sits behind it.) 3) Do you keep employees from accessing potentially harmful websites? 4) If these systems require an agent to be installed on every machine, how do you ensure all machines have received the agents? 5) How effective is anti-malware software against a skilled attacker?
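Questions C and D above (periodic ruleset review, and comparing what the penetration test found open with what was expected) are the kind of check that can be scripted so it runs every quarter instead of once before the exam. The following is an added example written for this page, not code from the presenters or from any firewall vendor. The comma-separated ruleset format, the sample rules, and the list of "administrative" ports are assumptions made for the example; a real review would parse the vendor's own export (e.g. a configuration dump) into the same fields.

```python
"""Firewall ruleset review: flag permissive rules, missing change tickets and
rules shadowed by a catch-all, then compare the ports exposed to any source
with the ports the last external penetration test was expected to find open.
Added example; the ruleset format is an assumption, not a real vendor export."""
from dataclasses import dataclass
from typing import List, Set

# Constructed sample ruleset: id, action, src, dst, dport, change ticket.
# Rules are evaluated top-down with first match winning, as on most firewalls.
SAMPLE_RULESET = """\
10,allow,any,10.0.1.5,443,CHG-1102
20,allow,any,10.0.1.5,22,
30,allow,any,any,any,CHG-0900
40,allow,203.0.113.7,10.0.2.20,3389,CHG-1150
50,deny,any,any,any,baseline
"""

# Ports that should never be reachable from an arbitrary source (assumed list).
ADMIN_PORTS = {"22", "23", "135", "445", "1433", "3306", "3389"}


@dataclass
class Rule:
    rule_id: str
    action: str
    src: str
    dst: str
    dport: str
    ticket: str


def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*fields))
    return rules


def review_ruleset(text: str, expected_open: Set[str]) -> List[str]:
    """Return review findings as strings; an empty list means nothing to report."""
    findings = []
    exposed = set()            # ports any source can reach through an allow rule
    catch_all_seen = False
    for r in parse_ruleset(text):
        if catch_all_seen:
            findings.append(f"rule {r.rule_id}: unreachable, shadowed by an earlier any/any allow")
            continue
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.dport) == ("any", "any", "any"):
            findings.append(f"rule {r.rule_id}: allow any->any on any port")
            catch_all_seen = True
        if r.src == "any" and r.dport in ADMIN_PORTS:
            findings.append(f"rule {r.rule_id}: admin port {r.dport} open to any source")
        if not r.ticket:
            findings.append(f"rule {r.rule_id}: no change ticket (dual control not evidenced)")
        if r.src == "any" and r.dport != "any":
            exposed.add(r.dport)
    for p in sorted(exposed - expected_open, key=int):
        findings.append(f"port {p}: exposed to any source but not in the expected-open list")
    for p in sorted(expected_open - exposed, key=int):
        findings.append(f"port {p}: expected open but no rule exposes it (stale expectation?)")
    return findings


def run_sample() -> List[str]:
    # The last external test was expected to find only 443 open (assumed).
    return review_ruleset(SAMPLE_RULESET, {"443"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample ruleset the review reports SSH open to the world without a change ticket, a catch-all allow that makes the two rules after it dead, and port 22 as an exposure the penetration test was not expected to find. The last two loops are the comparison question D asks for: a port that is exposed but unexpected is a finding, and a port that is expected but no longer exposed means the expectation list is out of date.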
IV. Audits Network Review Considerations A. File and folder permissions B. Service-level accounts C. Accounts not regularly used D. Remote access 1. How is it approved? 2. Who currently has access? 3. How is it monitored? 4. Do vendors have remote access? E. Security settings F. Audit settings 1. What is being recorded? 2. What is the retention of the logs? 3. How often are these being reviewed? G. Review of administrative activity
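Items B, C, D and F of the network review (service accounts, accounts not regularly used, vendor remote access, and how much log history is actually retained) can be answered from a directory export plus the log sizing figures. The following is an added example written for this page, not the presenters' tooling; the CSV export layout, the 90-day idle threshold, the privileged-group names and the sample accounts are all assumptions made for the example, and the "as of" date is the convention date.

```python
"""Network review helper: idle accounts, enabled vendor remote-access accounts,
over-privileged service accounts, and audit-log retention.
Added example; export format, thresholds and sample data are assumptions."""
import csv
import io
from datetime import datetime
from typing import List, Tuple

# Constructed directory export: account, type, enabled, last_logon, groups (';'-separated).
SAMPLE_EXPORT = """\
account,type,enabled,last_logon,groups
jdoe,user,true,2017-05-01,Domain Users
svc_backup,service,true,2017-05-15,Domain Admins;Backup Operators
vendor_core,vendor,true,2016-11-20,Remote Desktop Users
tsmith,user,true,2016-12-30,Domain Users
old_admin,user,false,2015-03-02,Domain Admins
"""

AS_OF = datetime(2017, 5, 19)          # review date (convention date)
STALE_DAYS = 90                        # assumed policy: disable after 90 idle days
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def review_accounts(export_text: str, as_of: datetime) -> List[str]:
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["account"]
        enabled = row["enabled"].strip().lower() == "true"
        groups = {g.strip() for g in row["groups"].split(";")}
        idle_days = (as_of - datetime.strptime(row["last_logon"], "%Y-%m-%d")).days
        privileged = sorted(groups & PRIVILEGED)
        if enabled and idle_days > STALE_DAYS:
            findings.append(f"{name}: no logon for {idle_days} days; disable or document why it stays")
        if enabled and row["type"] == "vendor":
            findings.append(f"{name}: vendor remote-access account is enabled; confirm approval and logging")
        if row["type"] == "service" and privileged:
            findings.append(f"{name}: service account is in {privileged}; reduce to least privilege")
        if not enabled and privileged:
            findings.append(f"{name}: disabled account still holds {privileged}; remove the membership")
    return findings


def log_retention_days(max_log_mb: float, avg_mb_per_day: float) -> float:
    """Days of history a size-capped, overwrite-on-full event log actually holds."""
    return max_log_mb / avg_mb_per_day


def check_retention(max_log_mb: float, avg_mb_per_day: float, required_days: int) -> Tuple[float, bool]:
    """Compare real retention with the policy figure; the second value is pass/fail."""
    days = log_retention_days(max_log_mb, avg_mb_per_day)
    return days, days >= required_days


def run_sample() -> List[str]:
    return review_accounts(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    days, ok = check_retention(max_log_mb=4096, avg_mb_per_day=80, required_days=90)
    print(f"security log holds about {days:.0f} days of events; policy met: {ok}")
```

The retention check is worth running because a policy that says "90 days" is routinely undercut by a 4 GB maximum log size that overwrites itself in a few weeks; the numbers here (4096 MB, 80 MB per day) are illustrative, and the real figures come from the log's configured maximum size and its observed growth.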
IV. Audits Cloud Computing A. What data is being stored? Whether a cloud vendor or not, do you know where the critical and sensitive data is being stored and how it is transmitted to and from these vendors securely? B. Where is the data stored now? C. Does the contract include notification if your data moves? D. How is the data secured? Does the cloud vendor have independent audits to show control effectiveness? E. Where are the backups sent? F. If you stop/end your contract, what is done with all copies of the data?
IV. Audits Wireless A. Is it used? B. If it's used, is it segregated from the internal network? 1. Has this segregation been independently tested? C. If it's not segregated, what controls are in place? 1. Physical security of the access point 2. Turned off when not in use 3. Client acceptance (MAC address filtering) 4. WEP/WPA/WPA2 encryption 5. RADIUS server 6. Hidden network name (SSID) Note that these controls are not equal: WEP is broken and should be treated as no encryption at all, and MAC address filtering and a hidden SSID only deter casual users, since both the client MAC addresses and the SSID are visible to anyone capturing wireless frames. WPA2 with RADIUS (802.1X) authentication is the control that actually keeps an outsider off the network.
Prevention Administrative Controls Self-Assessment (Cybersecurity Assessment Tool) Threat Intelligence & Collaboration
CAT Results Too Pristine to be Believed? Zero baseline exceptions Alignment of assessment: Inherent Risk = Least, Cybersecurity Maturity = Baseline No action required No immediate plans to strengthen
The Emperor Has No Clothes
Key Weaknesses in Candid CAT Results Risk Management and Oversight Threat Intelligence and Collaboration Cybersecurity Controls External Dependency Management Cyber Incident Management and Resilience Practical Tip Perform your self-assessment candidly; if it looks too good to be true and you show no baseline exceptions, take a second look.
Where are the weaknesses?
Threat Intelligence and Collaboration The Good: Many clients are members of FS-ISAC or a CERT The Bad: These same clients get hundreds of emails per month; which of them are relevant, and how to act on them, are unknowns
Threat Intelligence It's in There
Threat Intelligence and Collaboration The Ugly: Intelligence that could strengthen resilience is easily missed in technical strengthening, employee education or policy development Practical Tip Ensure the threat intelligence your Bank is receiving is relevant and actionable for your people. Information must meet both tests. Questions you should be asking: Who is getting the information? From where? What are they doing with it? Show me.
Detection Penetration Testing Email Phishing/Social Engineering Cybersecurity Enhanced Controls Testing
V. Penetration Tests Penetration Tests A. Internal testing looks at ALL systems on the network and reviews patching, configurations, and other vulnerabilities from inside the network 1) Authenticated versus non-authenticated 2) Sniffing 3) Social engineering 4) Vulnerability scanning 5) Penetration attempts 6) Web services (internally) 7) Privilege escalation (authenticated scans only) 8) Email system (relaying/spoofing) 9) Null sessions, banner grabbing, etc. 10) Was your IT management able to detect the attacks of the tester (incident response and monitoring)?
Penetration Tests B. External testing - what can be done from the Internet? 1) Passive reconnaissance 2) Port scanning/banner grabbing 3) Vulnerability scanning 4) Exploitation attempts 5) OWASP Top 10 website vulnerabilities 6) Email relaying/spoofing 7) Was your IT management able to detect the attacks of the tester (incident response and monitoring)?
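The last question in both lists (did anyone notice the tester?) and question E of the firewall section (how quickly can the devices detect a threat) have a concrete answer: pull the firewall logs for the test window and see whether a simple detection rule would have fired, and how long after the first probe. The following is an added example written for this page, not the presenters' code or any SIEM product's rule; the syslog-like line format and the sample log lines are constructed for the example, and the threshold of 8 distinct ports in 60 seconds is an assumed tuning value.

```python
"""Did monitoring notice the tester? A port-scan detector run over firewall log
lines that also reports how long after the first probe an alert would fire.
Added example; the log format is assumed, not any vendor's real syslog layout."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: a sweep of 10 ports on one host from one source in
# 5 seconds, followed by ordinary HTTPS traffic from a customer address.
SAMPLE_LOG = """\
2017-05-19T09:00:01 DENY src=198.51.100.9 dst=203.0.113.10 dport=21
2017-05-19T09:00:01 DENY src=198.51.100.9 dst=203.0.113.10 dport=22
2017-05-19T09:00:02 DENY src=198.51.100.9 dst=203.0.113.10 dport=23
2017-05-19T09:00:02 DENY src=198.51.100.9 dst=203.0.113.10 dport=25
2017-05-19T09:00:03 DENY src=198.51.100.9 dst=203.0.113.10 dport=80
2017-05-19T09:00:03 ALLOW src=198.51.100.9 dst=203.0.113.10 dport=443
2017-05-19T09:00:04 DENY src=198.51.100.9 dst=203.0.113.10 dport=445
2017-05-19T09:00:04 DENY src=198.51.100.9 dst=203.0.113.10 dport=3389
2017-05-19T09:00:05 DENY src=198.51.100.9 dst=203.0.113.10 dport=8080
2017-05-19T09:00:05 DENY src=198.51.100.9 dst=203.0.113.10 dport=8443
2017-05-19T09:01:10 ALLOW src=192.0.2.44 dst=203.0.113.10 dport=443
2017-05-19T09:02:30 ALLOW src=192.0.2.44 dst=203.0.113.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

Event = Tuple[datetime, str, str, int]   # (timestamp, src, dst, dport)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # unparsable lines are skipped, not fatal
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events: List[Event], window_seconds: int = 60, threshold: int = 8) -> List[Dict]:
    """One alert per (src, dst) pair whose distinct-port count inside a sliding
    time window reaches the threshold. Allowed and denied hits both count: a
    scan of open ports is still a scan. 'time_to_detect_s' is the gap between
    the first probe in the window and the probe that tripped the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        window = []                      # (ts, dport) pairs no older than window_seconds
        for ts, dport in hits:
            window.append((ts, dport))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.pop(0)
            distinct = {p for _, p in window}
            if len(distinct) >= threshold:
                alerts.append({
                    "src": src, "dst": dst, "ports": sorted(distinct),
                    "first_seen": window[0][0], "detected_at": ts,
                    "time_to_detect_s": (ts - window[0][0]).total_seconds(),
                })
                break                    # one alert per pair is enough for triage
    return alerts


def run_sample() -> List[Dict]:
    return detect_port_scans(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['src']} scanned {a['dst']}: {len(a['ports'])} ports, "
              f"alert {a['time_to_detect_s']:.0f}s after first probe")
```

Run against the firewall export from the test window, the output tells you two things the pen-test report usually leaves to the reader: whether the tester's scan was visible in your own logs at all, and the delay between first contact and an alert, which is the number question E asks for. If the rule fires but nobody acted on it during the test, the gap is in monitoring and escalation rather than in the device.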
Penetration Tests C. Reporting 1) Is there an executive summary and a detailed report? 2) Are there easy to interpret/easy to follow remediation steps for IT managers? 3) If vulnerability scanning was performed, did the tester use other tools to check for false-positive results? 4) Did the tester provide all keystrokes of his or her work? 5) How did our management respond to the observations/findings? Are any risks being accepted and is the Board/executive management in agreement with this risk acceptance?
Response Cybersecurity Incident Response Incident Forensics
Cybersecurity Incident Response The Good: Many Banks recognize this as an area of weakness The Bad: These same clients are updating their Business Continuity Plans with gratuitous references and little meat The Ugly: Examiners are calling out the absence of detailed procedures; Banks are experiencing security incidents and finding out the hard way that they are not well prepared
Incident Response at Most Organizations Over-reliance on Business Continuity Plans, which: don't account for security incidents with detailed procedures don't deal with the necessity for forensic investigations don't detail information to retain in the event of an incident don't account for how to preserve chain of custody Practical Tip An ineffective program will fail you when you need it the most. Build out a playbook that is sufficiently detailed, and then test it!
Forensics Many of the Major Forensics Firms: Require the purchase of a large block of hours Bill the block at a rate of $300+ Sell the time on a use-it-or-lose-it basis Aren't focused on the small to mid-sized community Bank
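Two of the gaps listed above, what to retain and how to preserve chain of custody, come down to a small discipline at intake: hash every item of evidence when it is collected, record who collected it and when, log every hand-off, and re-hash before anyone relies on it. The following is an added example written for this page, not the presenters' procedure or a forensics vendor's tool; the JSON-lines ledger layout, the field names and the sample "memory image" are this example's own choices, and the evidence file is a constructed placeholder, not a real image.

```python
"""Evidence intake with a hash-chained chain-of-custody ledger: SHA-256 of each
item at collection, custody transfers, and later verification of both the item
and the ledger itself. Added example; ledger layout and field names are assumed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple

GENESIS = "0" * 64      # 'prev' value for the first ledger entry


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _read_lines(ledger_path: str) -> List[bytes]:
    if not os.path.exists(ledger_path):
        return []
    with open(ledger_path, "rb") as f:
        return f.read().splitlines()


def _append(ledger_path: str, entry: dict) -> dict:
    # Each entry carries the hash of the previous line, so an edited or deleted
    # entry breaks every link after it and verify_ledger() fails.
    lines = _read_lines(ledger_path)
    entry["prev"] = hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS
    entry["recorded_utc"] = datetime.now(timezone.utc).isoformat()
    with open(ledger_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def record_evidence(path: str, custodian: str, description: str, ledger_path: str) -> dict:
    """Intake: hash the item and record who collected it and what it is."""
    return _append(ledger_path, {
        "event": "collected", "item": os.path.basename(path),
        "sha256": sha256_file(path), "size": os.path.getsize(path),
        "custodian": custodian, "description": description,
    })


def transfer_custody(ledger_path: str, item: str, from_custodian: str, to_custodian: str) -> dict:
    return _append(ledger_path, {"event": "transfer", "item": item,
                                 "from": from_custodian, "to": to_custodian})


def verify_ledger(ledger_path: str) -> bool:
    """True if every entry still links to the unmodified entry before it."""
    prev = GENESIS
    for line in _read_lines(ledger_path):
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def verify_evidence(path: str, ledger_path: str) -> bool:
    """True if the file still matches the hash recorded at collection time."""
    name = os.path.basename(path)
    for line in _read_lines(ledger_path):
        e = json.loads(line)
        if e["event"] == "collected" and e["item"] == name:
            return sha256_file(path) == e["sha256"]
    return False            # never recorded at intake: cannot be relied on


def demo() -> Tuple[bool, bool, bool]:
    """Collect a constructed evidence file, hand it over, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        ev = os.path.join(d, "ws42_memory.raw")
        with open(ev, "wb") as f:
            f.write(b"constructed sample evidence bytes\n")
        ledger = os.path.join(d, "custody.jsonl")
        record_evidence(ev, "J. Analyst", "memory image, workstation 42", ledger)
        transfer_custody(ledger, "ws42_memory.raw", "J. Analyst", "Forensics vendor")
        intact = verify_evidence(ev, ledger)
        with open(ev, "ab") as f:
            f.write(b"x")          # simulate tampering after intake
        return intact, verify_evidence(ev, ledger), verify_ledger(ledger)


if __name__ == "__main__":
    print("intact before, intact after tampering, ledger consistent:", demo())
```

The ledger is what the playbook should require staff to produce before anything is handed to an outside forensics firm: it fixes the time of collection, names the custodian at every step, and lets the firm (or an examiner) confirm that the image they received is byte-for-byte what was collected. Keep the ledger on separate, write-protected storage from the evidence itself, since the hash chain detects edits but cannot prevent them.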
Cybersecurity Incident Response Practical Tip While an end to end approach may not prevent an incident from occurring, it can mitigate the size of the $/reputational damage.
QUESTIONS?