Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass, P.C. Michael Barrack, Managing Director, Accume Partners

About the Speakers
Jeremy Burris, Principal, S.R. Snodgrass, P.C.
CISA, CISSP, MCP, LPT, CPTS, CEH, CICP, ECSA, Security+
jburris@srsnodgrass.com
Jeremy is a Principal in the Technology Services practice of the S.R. Snodgrass, P.C. Financial Institution Services Group. He worked as a Network Administrator for a bank for 4 years and has over 15 years of experience in IT. At Snodgrass, Jeremy specializes in security. He performs attack and penetration tests as well as Information Technology audits for hundreds of financial institutions each year and holds numerous certifications and licenses in the area of security.

Michael Barrack, Managing Director, Accume Partners
mbarrack@accumepartners.com
Provides technology compliance and cybersecurity services for community Financial Institutions (FIs) nationwide
More than 30 years as a banker and working in adjacent industries
Served as CIO for several community banks ($1-3 billion in assets)
As iPay Technologies CEO, led the company through a period of explosive growth
Has been the accountable executive in IT examinations as both a banker and a service provider

Agenda
Introduction
Facing the Cybersecurity Challenge
Prevention: Technical and Administrative Controls
Detection
Response
Questions & Answers

Prevention: Technical Controls
Firewall/IDS/IPS Devices/Anti-Malware
Network Review Considerations
Cloud Computing
Wireless Computing

II. Firewall/IPS/IDS Devices/Anti-Malware
Firewall/IPS/IDS Devices
A. How often are these patched?
   1. If patches are skipped, is it documented why they were skipped (e.g., they are not applicable to the environment, or they do not address critical or high-ranking vulnerabilities)?
B. Is there dual control or segregation of duties when firewall changes are made?
C. Are there periodic firewall ruleset reviews?
D. How well did these types of devices perform during the last penetration test? Were any problems noted, and how were they addressed? Were the results compared to expected results (were the ports found open the ones the ruleset is meant to allow, and did the devices react as expected)?
E. How quickly can these devices detect a threat, and how quickly can your IT staff respond appropriately if action is required?
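Item D above asks whether the penetration tester's findings were compared against what the ruleset was supposed to expose. The script below is an added example (not from the panel) of doing that comparison mechanically: it parses nmap's grepable output (`nmap -oG - <targets>`) and diffs the open TCP ports per host against an expected-exposure table taken from the ruleset review. The scan output and the expected table are constructed, using documentation IP ranges; the hosts, ports and services in them are assumptions.

```python
"""Diff an nmap -oG perimeter scan against the exposure the firewall ruleset
is meant to allow, so the pen-test result is checked against "what we intended"
rather than eyeballed. Added example; sample data is constructed."""
import re

# Constructed sample of the -oG format nmap writes for `nmap -oG - 203.0.113.10 203.0.113.11`.
SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated as: nmap -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
# Nmap done
"""

# Expected exposure from the ruleset review (constructed): host -> TCP ports the
# ruleset intentionally allows from the Internet.
EXPECTED = {
    "203.0.113.10": {443},
    "203.0.113.11": {25, 443},
}

# "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {host: set(open TCP ports)} from nmap -oG output."""
    found = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and "Status: Up" lines
        host, ports_field = m.group(1), m.group(2)
        open_ports = set()
        for entry in ports_field.split(","):
            # entry fields: port/state/protocol/owner/service/rpc/version
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        found[host] = open_ports
    return found


def compare(found, expected):
    """Return (unexpected_open, expected_but_closed) as sorted (host, port) lists.
    Both directions matter: an unexpected open port is exposure the ruleset
    review missed; an expected port that is closed means the scan (or the
    ruleset) is not what you think it is."""
    unexpected, missing = [], []
    for host in sorted(set(found) | set(expected)):
        got, want = found.get(host, set()), expected.get(host, set())
        unexpected += [(host, p) for p in sorted(got - want)]
        missing += [(host, p) for p in sorted(want - got)]
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = compare(parse_grepable(SAMPLE_SCAN), EXPECTED)
    for host, port in unexpected:
        print(f"UNEXPECTED  {host}:{port} is open from the Internet but not in the ruleset")
    for host, port in missing:
        print(f"NOT REACHED {host}:{port} is allowed by the ruleset but was not open in the scan")
```

On the constructed data this reports SSH on the first host and RDP on the second as exposure the ruleset did not intend. In practice, replace `SAMPLE_SCAN` with the tester's actual `-oG` file and build `EXPECTED` from the ruleset review so the two artefacts are reconciled every time, not just when someone remembers to look.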

II. Firewall/IPS/IDS Devices/Anti-Malware (continued)
F. Anti-Malware
   1) How well do your anti-malware systems (antivirus, antispyware, anti-spam) protect you?
   2) How well do they protect against zero-day exploits?
   3) Do you keep employees from accessing potentially harmful websites?
   4) If these systems require an agent to be installed on every machine, how do you ensure all machines have received the agents?
   5) How effective is anti-malware software against a skilled attacker?

IV. Audits: Network Review Considerations
A. File and folder permissions
B. Service-level accounts
C. Accounts not regularly used
D. Remote access
   1. How is it approved?
   2. Who currently has access?
   3. How is it monitored?
   4. Do vendors have remote access?
E. Security settings
F. Audit settings
   1. What is being recorded?
   2. What is the retention of the logs?
   3. How often are these being reviewed?
G. Review of administrative activity
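Items F and G above ask what is recorded and whether administrative activity is actually reviewed. As an added example (not from the panel), the script below runs a reviewer's pass over an exported Windows security log: it flags account creations, additions to privileged groups (with self-elevation called out), accounts deleted shortly after being created, and admin logons outside business hours. The CSV is constructed in the shape a `Get-WinEvent ... | Export-Csv` or SIEM export might take; the column names, the business-hours window and the admin-account naming are assumptions.

```python
"""Weekly review of administrative activity from an exported security log.
Added example; the export below is constructed."""
import csv
import io
from datetime import datetime, timedelta

# Constructed export. For 4624 (logon) the account that logged on is the
# TargetUser, as in the real event; SubjectUser is the actor for the other IDs.
SAMPLE_EXPORT = """\
TimeCreated,EventID,SubjectUser,TargetUser,TargetGroup,Workstation
2017-05-15T09:12:03,4720,jsmith.adm,vendor-temp,,WKS-044
2017-05-15T09:12:40,4732,jsmith.adm,vendor-temp,Administrators,WKS-044
2017-05-15T22:41:11,4624,,jsmith.adm,,SRV-FILE01
2017-05-16T10:05:00,4624,,jsmith.adm,,WKS-044
2017-05-17T03:15:27,4756,svc_backup,svc_backup,Domain Admins,SRV-BKP01
2017-05-18T14:30:00,4726,jsmith.adm,vendor-temp,,WKS-044
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to global/local/universal security group
ACCOUNT_CREATED, ACCOUNT_DELETED, LOGON = "4720", "4726", "4624"
BUSINESS_HOURS = (7, 19)                      # assumption: 07:00-19:00 local time


def load_events(text):
    """Parse the CSV export and turn timestamps into datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["TimeCreated"] = datetime.fromisoformat(r["TimeCreated"])
    return rows


def review(events, admin_accounts, business_hours=BUSINESS_HOURS, short_lived=timedelta(days=7)):
    """Return (time, severity, message) findings for a reviewer to sign off on."""
    findings, created = [], {}
    start, end = business_hours
    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        t, eid = e["TimeCreated"], e["EventID"]
        subj, tgt, ws = e["SubjectUser"], e["TargetUser"], e["Workstation"]
        if eid == ACCOUNT_CREATED:
            created[tgt] = t
            findings.append((t, "info", f"account {tgt} created by {subj} on {ws}; match to an approved request"))
        elif eid == ACCOUNT_DELETED and tgt in created and t - created[tgt] <= short_lived:
            age = (t - created[tgt]).days
            findings.append((t, "medium", f"account {tgt} deleted {age} day(s) after creation; "
                                          f"confirm it was an approved temporary account"))
        elif eid in GROUP_ADD_EVENTS and e["TargetGroup"] in PRIVILEGED_GROUPS:
            note = " (self-elevation)" if subj == tgt else ""
            findings.append((t, "high", f"{subj} added {tgt} to {e['TargetGroup']}{note}; match to a change ticket"))
        elif eid == LOGON and tgt in admin_accounts and not (start <= t.hour < end):
            findings.append((t, "medium", f"admin logon by {tgt} to {ws} at {t:%H:%M}, outside business hours"))
    return findings


if __name__ == "__main__":
    for t, sev, msg in review(load_events(SAMPLE_EXPORT), admin_accounts={"jsmith.adm"}):
        print(f"{t:%Y-%m-%d %H:%M}  {sev:<6}  {msg}")
```

The point of the output is not the five lines themselves but that each one ends with a question a reviewer must answer and initial (which ticket, which request). If logs for these event IDs are not retained long enough to cover the review cycle, or nobody owns the sign-off, the audit setting is being recorded but not reviewed, which is exactly what examiners look for.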

IV. Audits: Cloud Computing
A. What data is being stored? Whether a cloud vendor is involved or not, do you know where the critical and sensitive data is stored, and how it is transmitted securely to and from these vendors?
B. Where is the data stored now?
C. Does the contract include notification if your data moves?
D. How is the data secured? Does the cloud vendor have independent audits to show control effectiveness?
E. Where are the backups sent?
F. If you stop or end your contract, what is done with all copies of the data?

IV. Audits: Wireless
A. Is it used?
B. If it is used, is it segregated from the internal network?
   1. Has this segregation been independently tested?
C. If it is not segregated, what controls are in place?
   1. Physical security of the access point
   2. Turned off when not in use
   3. Client acceptance (MAC address filtering)
   4. WEP/WPA/WPA2 encryption
   5. RADIUS server
   6. Hidden network name (SSID)
Of these, WEP is broken outright and WPA (TKIP) is deprecated with known attacks, so only WPA2 should be counted as encryption; MAC address filtering and a hidden SSID are bypassed by anyone who can capture the wireless traffic and are hygiene, not compensating controls. WPA2-Enterprise with a RADIUS server (802.1X) is the item on this list that carries real weight.

Prevention: Administrative Controls
Self-Assessment (Cybersecurity Assessment Tool)
Threat Intelligence & Collaboration

CAT Results: Too Pristine to be Believed?
Zero baseline exceptions
Alignment of assessment: Inherent Risk = Least, Cybersecurity Maturity = Baseline
No action required
No immediate plans to strengthen

The Emperor Has No Clothes

Key Weaknesses in Candid CAT Results
Risk Management and Oversight
Threat Intelligence and Collaboration
Cybersecurity Controls
External Dependency Management
Cyber Incident Management and Resilience
Practical Tip: Perform your self-assessment candidly; if it looks too good to be true and you show no baseline exceptions, take a second look.

Where are the weaknesses?

Threat Intelligence and Collaboration
The Good: Many clients are members of FS-ISAC or CERT.
The Bad: These same clients get hundreds of emails per month; which of them are relevant, and how to act on them, are unknowns.

Threat Intelligence: It's in There

Threat Intelligence and Collaboration
The Ugly: Intelligence that could strengthen resilience is easily missed in technical strengthening, employee education or policy development.
Practical Tip: Ensure the threat intelligence your bank is receiving is relevant and actionable for your people. Information must meet both tests. Questions you should be asking: Who is getting the information? From where? What are they doing with it? Show me.

Detection
Penetration Testing
Email Phishing/Social Engineering
Cybersecurity Enhanced Controls Testing

V. Penetration Tests
A. Internal testing looks at ALL systems on the network and reviews patching, configurations, and other vulnerabilities from inside the network
   1) Authenticated versus non-authenticated
   2) Sniffing
   3) Social engineering
   4) Vulnerability scanning
   5) Penetration attempts
   6) Web services (internally)
   7) Privilege escalation (authenticated scans only)
   8) Email system (relaying/spoofing)
   9) Null sessions, banner grabbing, etc.
   10) Was your IT management able to detect the tester's attacks (incident response and monitoring)?

Penetration Tests
B. External testing: what can be done from the Internet?
   1) Passive reconnaissance
   2) Port scanning/banner grabbing
   3) Vulnerability scanning
   4) Exploitation attempts
   5) OWASP Top 10 website vulnerabilities
   6) Email relaying/spoofing
   7) Was your IT management able to detect the tester's attacks (incident response and monitoring)?

Penetration Tests
C. Reporting
   1) Is there an executive summary and a detailed report?
   2) Are there easy-to-interpret, easy-to-follow remediation steps for IT managers?
   3) If vulnerability scanning was performed, did the tester use other tools to check for false-positive results?
   4) Did the tester provide all keystrokes of his or her work?
   5) How did our management respond to the observations/findings? Are any risks being accepted, and is the Board/executive management in agreement with this risk acceptance?
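Both the internal list (item A.8, email relaying/spoofing) and the external list (item B.6) come down to one question: can anyone on the Internet send mail that passes as the bank? The tester answers it by looking at the domain's published SPF and DMARC records. The script below is an added example (not from the panel) of that assessment. It works on TXT record text you have already fetched (for instance with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and performs no DNS lookups itself; the domains and records in it are constructed.

```python
"""Sender-spoofing exposure from a domain's SPF and DMARC records.
Added example; the sample records are constructed."""
import re

# Mechanisms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)")


def parse_spf(txt):
    """Return (mechanisms, modifiers) from an SPF record, or None if absent/invalid."""
    if txt is None or not txt.strip().lower().startswith("v=spf1"):
        return None
    mechanisms, modifiers = [], {}
    for term in txt.split()[1:]:
        if "=" in term:                    # redirect=, exp= and unknown modifiers
            name, _, value = term.partition("=")
            modifiers[name.lower()] = value
        else:
            mechanisms.append(term.lower())
    return mechanisms, modifiers


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the record is absent/invalid."""
    if txt is None or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records are enforcing."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no record; receivers have no basis to reject forged envelope senders")
    else:
        mechanisms, modifiers = spf
        terminal = mechanisms[-1] if mechanisms else ""
        if terminal in ("+all", "all"):
            findings.append("SPF: '+all' authorises every host on the Internet to send as this domain")
        elif terminal == "?all":
            findings.append("SPF: '?all' (neutral) gives receivers no basis to reject forgeries")
        elif terminal == "~all":
            findings.append("SPF: '~all' (softfail) is only a hint to most receivers; move to '-all' once DMARC is enforced")
        elif terminal != "-all" and "redirect" not in modifiers:
            findings.append("SPF: no terminal 'all' mechanism; the default result is neutral")
        lookups = sum(1 for m in mechanisms if LOOKUP_RE.match(m)) + ("redirect" in modifiers)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
        if any(m.lstrip("+-~?").startswith("ptr") for m in mechanisms):
            findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no record; SPF/DKIM results are never tied to the visible From: header")
    else:
        policy = dmarc.get("p", "")
        if policy == "none":
            findings.append("DMARC: p=none only monitors; forged mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: invalid or missing policy tag (p={policy!r})")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so nobody sees aggregate reports of spoofing attempts")
    return findings


# Constructed records: domain -> (SPF TXT, DMARC TXT); None means no record published.
SAMPLES = {
    "weak.example": ("v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 ip4:203.0.113.25 include:_spf.mailvendor.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"),
    "open.example": ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(domain, assess_domain(spf_txt, dmarc_txt) or ["no findings"])
```

A `~all` plus `p=none` combination, which is what most domains that "have SPF and DMARC" actually publish, lets a phishing message with the bank's own domain in the From: header reach the inbox; the report should say so in those words, with the remediation being `-all` and `p=reject` after the aggregate reports confirm legitimate senders are covered.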

Response
Cybersecurity Incident Response
Incident Forensics

Cybersecurity Incident Response
The Good: Many banks recognize this as an area of weakness.
The Bad: These same clients are updating their Business Continuity Plans with gratuitous references that have little meat.
The Ugly: Examiners are calling out the absence of detailed procedures. Banks are experiencing security incidents and finding out the hard way that they are not well prepared.

Incident Response at Most Organizations
Over-reliance on Business Continuity Plans, which:
   do not account for security incidents with detailed procedures
   do not deal with the necessity for forensic investigations
   do not detail what information to retain in the event of an incident
   do not account for how to preserve chain of custody
Practical Tip: An ineffective program will fail you when you need it the most. Build out a playbook that is sufficiently detailed, and then test it!

Forensics
Many of the major forensics firms:
   require the purchase of a large block of hours
   bill the block at a rate of $300+
   sell the time on a use-it-or-lose-it basis
   are not focused on the small to mid-sized community bank
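The last two gaps in the BCP list above (what to retain, how to preserve chain of custody) are the ones that cost the most when an outside forensics firm or counsel finally gets involved, because evidence nobody hashed at collection time is evidence nobody can vouch for. The script below is an added example (not from the panel) of the minimum intake record a playbook should require: a SHA-256 manifest per item, a custody log that starts with the acquisition and is appended at every hand-off, and a verification step that re-hashes the item and checks the chain is unbroken. The case, host and analyst names and the evidence file in `demo()` are constructed.

```python
"""Evidence intake with a SHA-256 manifest and custody log.
Added example; names and evidence contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _now(now=None):
    return (now or datetime.now(timezone.utc)).isoformat()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(path, case_id, collector, source_host, description, now=None):
    """Create the intake record for one item; its hash is the reference every
    later verification is checked against."""
    ts = _now(now)
    return {
        "case_id": case_id,
        "item": os.path.basename(path),
        "source_host": source_host,
        "description": description,
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_at": ts,
        "collected_by": collector,
        # The first custody entry is the acquisition itself; every hand-off appends.
        "custody": [{"at": ts, "from": source_host, "to": collector, "reason": "acquisition"}],
    }


def transfer(record, holder_from, holder_to, reason, now=None):
    """Append a hand-off to the custody log and return the record."""
    record["custody"].append({"at": _now(now), "from": holder_from, "to": holder_to, "reason": reason})
    return record


def custody_gaps(chain):
    """Each hand-off's 'from' must be the previous entry's 'to'; report breaks."""
    return [f"custody gap: {p['to']!r} held the item but {n['from']!r} signed it out"
            for p, n in zip(chain, chain[1:]) if p["to"] != n["from"]]


def verify(record, path):
    """Re-hash the item and check the chain. Returns (ok, problems)."""
    problems = []
    if sha256_file(path) != record["sha256"]:
        problems.append("hash mismatch: evidence was altered after collection")
    if os.path.getsize(path) != record["size_bytes"]:
        problems.append("size mismatch")
    problems += custody_gaps(record["custody"])
    return (not problems, problems)


def write_manifest(records, path):
    """Write the manifest; hash or sign this file too and store it separately."""
    with open(path, "w") as f:
        json.dump(records, f, indent=2, sort_keys=True)


def demo():
    """Constructed walk-through: collect, hand off, verify, then detect tampering."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    path = os.path.join(workdir, "mailbox-export.pst")
    with open(path, "wb") as f:
        f.write(b"constructed evidence content\n" * 100)
    rec = collect(path, "IR-2017-001", "analyst.alice", "WKS-017",
                  "mailbox export from the phished user's workstation")
    transfer(rec, "analyst.alice", "forensics-vendor", "outsourced analysis")
    before = verify(rec, path)
    with open(path, "ab") as f:            # someone "just opened it" and the file changed
        f.write(b"x")
    after = verify(rec, path)
    write_manifest([rec], os.path.join(workdir, "manifest.json"))
    return path, rec, before, after


if __name__ == "__main__":
    _, rec, before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
    print(json.dumps(rec["custody"], indent=2))
```

Run against a real collection, the manifest and the evidence go to different places (the manifest with the incident ticket, the evidence on write-once or access-controlled storage), and the `verify()` step is what the forensics firm or examiner runs on receipt. None of this is expensive, which is the point for a community bank that cannot afford a block of vendor hours for the basics.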

Cybersecurity Incident Response
Practical Tip: While an end-to-end approach may not prevent an incident from occurring, it can limit the financial and reputational damage.

QUESTIONS?