TRANSCRIPT
Cybersecurity: A Practical 3-point Checklist for Executives
Presented by
Steve Soukup, Chief Revenue Officer
DefenseStorm
Today's Cybersecurity Discussion
1. Trends
2. Controls
– Written Plans
– Vulnerability Assessments
– Penetration Testing
3. Action Plan
About DefenseStorm
1. Platform links cybersecurity, policy and cyber compliance in the cloud in real time
2. Purpose-built for regional & community credit unions and banks
3. Co-managed daily assistance from cyber banking experts
Cloud-based · Co-managed · Compliance-automated
Trends
Data Breach Defined
The release of sensitive, protected or confidential information to an untrusted environment.
• Intentional or unintentional
• Outside attack or inside actors
• Data is copied, transmitted, viewed, stolen or used by someone unauthorized to do so
Breach Notification Laws
• National Conference of State Legislatures – list of enacted and proposed notification laws
• National Credit Union Administration (NCUA) – NCUA Rules and Regulations, Part 748, Appendix A & B
The Big Hurt is on for Community FIs
• Cyber Breaches: up 50%
• Regulatory Pressures: #1 Fed focus
• Cyber Staff Shortages: 3M gap by 2019
Cyber Threat Challenge to Credit Unions
• 20M cyber events per day per FI (DefenseStorm average)
• 200K cyber alerts per day per FI (American Banker research average)
• 2 hour recovery time expectation (FFIEC official)
Each credit union is a unique, high-value target
Averaging more than 20 million potential cyber events every single day, with unique:
• Threat data: sources, types, volume
• Regulatory pressure: external, internal
• Staffing needs: competition, skill sets, utilization
• Budget realities: big demands, fewer resources
Increasing Odds of a Material Breach
1 in 292,000,000
1 in 12,000
1 in 1,000,000
1 in 160
1 in 4
The Cyber Arms Race
• $600 Million annual spend on cyber
• #8 largest breach of 21C
Breaches Are Escalating
[Chart: US enterprises reporting at least 1 data breach "over the past few years" vs. no data breach reported, 2017 survey and 2018 survey; values shown: 71%, 46%, 24%. The % reporting a breach "in the past year" has nearly doubled.]
Sources: 2017 Annual Data Breach Year-End Review (Identity Theft Resource Center); 2017 Data Breach Investigations Report (Verizon); 2018 Global Threat Report (451 Group for Thales); 2017 Cost of a Data Breach Study (Ponemon Institute for IBM Security); Gartner, The 2018 Security Threat Landscape
Long Resolution, Compliance Helps
Average days to identify and resolve one data breach: 191 days to identify + 66 days to resolve = 257 days
74% say compliance is "very" or "extremely" important in improving security (the rest: "somewhat" important or less)
Meaningful People Shortage
• 70% of cybersecurity professionals in 2017 report their organizations are impacted by a cybersecurity skills shortage (2017 Enterprise Security Group and Information Systems Security Association (ISSA) research project)
• In the expanding universe of IT FTEs, only 6.8% are dedicated to cyber security (Gartner, The 2018 Security Threat Landscape)
• 53% of entities take up to 6 months to find qualified cyber security staff (ISACA, https://cybersecurity.isaca.org)
• 3 million shortfall in cybersecurity professionals globally by 2019 (UK House of Lords Digital Skills Committee, cited on https://cybersecurity.isaca.org)
Most Breaches Involve Outsiders
Contrary to the belief that insiders are the biggest threat.
Most Breaches Involve Hacking
Hacking: Using an electronic device to circumvent security to break into a network, computer or file, usually with malicious intent.
Most Breaches Are Financially Motivated & Take Months to Discover
Financial & Insurance Sector Findings
• Frequency: 598 incidents, 146 with confirmed data disclosure
• Threat actors: 92% external, 7% internal, 1% partner
• Actor motives: 93% financial, 5% espionage
• Data compromised: 36% personal, 34% payment, 13% bank
Controls
A Simple Executive Framework
1. Are we doing the right things?
2. Are we doing the right things right?
3. How can we prove that we are doing the right things right?
FFIEC Compliance
The Federal Financial Institutions Examination Council provides cybersecurity standards and auditing for financial institutions and regulatory agencies:
– Board of Governors of the Federal Reserve System (FRB)
– Federal Deposit Insurance Corporation (FDIC)
– National Credit Union Administration (NCUA)
– Office of the Comptroller of the Currency (OCC)
– Consumer Financial Protection Bureau (CFPB)
Compliance Benefits to Your Credit Union
• Identifies factors contributing to overall cyber risk
• Assesses cybersecurity preparedness
• Evaluates whether your cybersecurity preparedness is aligned with your risks
• Determines what risk management practices and controls you need and actions to take
• Informs your risk management strategies.
Compliance Relationships
FFIEC-CCIWG
• Working group
• Studies cyber threats to financial institutions
• Coordinated industry & agency assessment
• Internal reports & action plans
Cybersecurity Assessment Tool (CAT)
• Repeatable & measurable assessment
• Optimized for community institutions
• Considers different levels of maturity & capability
• Compatible with all major security frameworks
• NIST and Cyber Community vetted and accepted
Automated Cyber Examination Tool (ACET)
• National Credit Union Administration (NCUA) created
• Content matches FFIEC CAT & adds:
– Plain language definitions
– Supporting materials
– Mapping to other standards
– Streamlined document request list
– Users Guide
Using ACET for Ongoing Assessment & Improvement
1. Assess maturity & inherent risk
2. Identify gaps in alignment
3. Determine desired state of maturity
4. Implement plans to attain and sustain maturity
5. Reevaluate
Board of Directors Role
1. Help establish vision, risk appetite, & strategic direction
2. Review management & third-party analysis of maturity level
3. Review findings regarding how cybersecurity preparedness aligns with risks
4. Review & approve plans to address risk management & control weaknesses
5. Review the results of management’s ongoing monitoring of exposure to and preparedness for cyber threats
Must Have Written Policies & Controls
• Information Security Policy
• Business Continuity Plan
• Incident Response Plan
Information Security Policy
1. Define Implementation – How are your expectations translated into processes, actions & responsibilities?
2. Define Monitoring – How will you know if your policies are being adhered to?
3. Define Testing – How will you ensure policies remain up-to-date & effective as your environment changes?
4. Define Reporting – Who will you keep apprised? By whom? How often? By what method?
Business Continuity Plan
How your credit union will respond to & recover from business disruptions, defined in 4 phases:
1. Response – Assess disruption & impact
2. Resumption – Establish a Control Center and activate your teams
3. Recovery – Prepare & implement procedures to recover time-sensitive operations
4. Restoration – Prepare & implement procedures to fully restore services
Define & Document Threats in Advance for Solid Business Continuity Planning
• Types of threats
– Assign probabilities to each threat
– Define likely severity of each threat
• Likely scenarios for each threat
• Strategies to apply in each scenario
• Stress test/simulate with your team regularly
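A worked version of the threat register described above, as an added example that is not the deck's or DefenseStorm's own material: each threat gets a probability and a severity, the register ranks threats by expected annual loss and maps each to a treatment against a stated risk appetite (the same risk-treatment and risk-tolerance points the deck raises under Risk Management and penetration test reports). Threat names, probabilities, dollar figures and thresholds are constructed assumptions.

```python
"""Threat register for business continuity planning (added example, not from the deck).

Each threat carries an estimated annual probability and a severity (loss per
occurrence); the register ranks threats by expected annual loss and maps each to a
treatment against a stated risk appetite. All values are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float  # estimated chance of at least one occurrence per year, 0..1
    severity: float     # estimated loss per occurrence, in dollars
    scenario: str       # the likely scenario the plan rehearses
    strategy: str       # the continuity strategy applied in that scenario

    def expected_loss(self) -> float:
        """Expected annual loss = probability x severity."""
        return self.probability * self.severity


def treatment(threat: Threat, appetite: float, max_severity: float) -> str:
    """Map a threat to a risk treatment: transfer, mitigate or accept."""
    if threat.severity > max_severity:
        return "transfer"  # one event too large to absorb: insurance or contract
    if threat.expected_loss() > appetite:
        return "mitigate"  # above appetite: fund controls and rehearse the scenario
    return "accept"        # within appetite: document, monitor, revisit on reevaluation


def rank_register(threats, appetite: float, max_severity: float):
    """Return (threat, treatment) pairs ordered by expected annual loss, highest first."""
    ranked = sorted(threats, key=lambda t: t.expected_loss(), reverse=True)
    return [(t, treatment(t, appetite, max_severity)) for t in ranked]


# Constructed sample register for a small credit union (illustrative values only).
REGISTER = [
    Threat("Ransomware on core banking host", 0.10, 2_000_000,
           "Core systems encrypted overnight", "Restore from offline backups at DR site"),
    Threat("Regional power outage over 8 hours", 0.30, 150_000,
           "Main branch dark on a payday", "Generator, then branch cutover"),
    Threat("Core processor vendor outage", 0.20, 400_000,
           "Vendor platform down for a day", "Manual posting, vendor SLA escalation"),
    Threat("Branch flooding", 0.02, 800_000,
           "Ground-floor branch unusable", "Relocate staff to alternate branch"),
]

if __name__ == "__main__":
    for t, action in rank_register(REGISTER, appetite=50_000, max_severity=1_500_000):
        print(f"${t.expected_loss():>10,.0f}/yr  {action:<8}  {t.name}")
```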
Incident Response Plan
• Define the team
– Specific names, roles, contact info and back-up assigned
• Define incidents
– List all events that could impact the confidentiality, integrity and availability of credit union resources
• Define security investigation procedure
– Information to document in order to declare an incident and assign initial impact rating and priority
Define Specifics for Each Stage
• Preparation
• Identification
• Evidence Gathering
• Containment
• Eradication
• Recovery
• Follow-up
Incident Response Phases
1. Who will coordinate the response?
2. Who will manage communication?
3. Who will decide what support teams to involve at what time?
4. Who will coordinate external communication content, recipients & timing?
5. Who will coordinate the timing of internal and external legal involvement?
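An added example (not the deck's or DefenseStorm's own material) of the incident record the plan calls for: the information that must be documented before an incident is declared, an initial impact rating from the confidentiality, integrity and availability impact levels, and a derived priority. The level scale, scoring weights and sample incident are constructed assumptions.

```python
"""Incident declaration record with initial impact rating and priority.

Added example, not from the deck: captures the information the plan says to
document before an incident is declared, rates impact on confidentiality,
integrity and availability, and derives a priority. Scale and weights are assumptions.
"""
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "moderate": 2, "high": 3}


@dataclass
class IncidentReport:
    reported_by: str
    detected_at: str            # ISO timestamp of first detection
    description: str
    affected_systems: list
    confidentiality: str        # impact level on confidentiality, a key of LEVELS
    integrity: str              # impact level on integrity
    availability: str           # impact level on availability
    member_data_involved: bool  # may trigger notification duties (NCUA Part 748 App. B)
    coordinator: str            # named IR team member coordinating the response

    def missing(self) -> list:
        """Fields that must be filled in before an incident can be declared."""
        gaps = [n for n in ("reported_by", "description", "coordinator") if not getattr(self, n)]
        if not self.affected_systems:
            gaps.append("affected_systems")
        return gaps

    def impact_rating(self) -> str:
        """Initial impact rating is the worst of the three CIA impact levels."""
        return max((self.confidentiality, self.integrity, self.availability), key=LEVELS.__getitem__)

    def priority(self) -> str:
        """P1..P4 from the impact level, plus bumps for member data and broad scope."""
        score = LEVELS[self.impact_rating()]
        score += 1 if self.member_data_involved else 0       # notification clock may be running
        score += 1 if len(self.affected_systems) > 3 else 0  # many systems: wider blast radius
        return "P1" if score >= 4 else "P2" if score == 3 else "P3" if score == 2 else "P4"


def declare_incident(report: IncidentReport) -> dict:
    """Refuse to declare until the required information is documented."""
    gaps = report.missing()
    if gaps:
        raise ValueError(f"cannot declare incident, missing: {', '.join(gaps)}")
    return {"impact": report.impact_rating(), "priority": report.priority(), "coordinator": report.coordinator}


# Constructed sample: phished staff credentials used to read a share holding member statements.
SAMPLE = IncidentReport("branch manager", "2018-06-04T09:15", "Phished credentials used on shared drive",
                        ["email", "file server"], "high", "low", "none", True, "IR lead")
```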
Risk Management Function
• Balance tradeoffs between member/employee experience/service & controlling risk
• Understand the interplay among assets, threats and vulnerabilities
• Make informed decisions on what risks you are willing to tolerate based on your goals
Vulnerability Assessments
Your credit union, and the skills and methods of bad actors, are continuously changing
Ongoing Assessment and Improvement
No "Finish Line"
Vulnerability Management Elements
• Security Architecture Review – Assess current architecture against latest security threat landscape and identify gaps
• InfoSec Program Development – Creates a proactive risk management posture
• Penetration Testing – An outside party intentionally attempts to exploit digital and physical vulnerabilities
• Security Awareness Training – Systematic & for everyone: employees, executives, Boards of Directors, vendors
Penetration Testing
Look Out For:
• Fat report = better
• Endless lists of vulnerabilities
• Patch-all mindset without priorities
• No clear strategy for risk treatment
• 60+ pages of glossary
Look For:
• Metrics based on industry-specific framework: FFIEC CAT, ACET, CIS Critical Security Controls
• Analyzed & prioritized findings
• Risk treatment methodology
• Forensic style evidence of vulnerability or exploit
InfoSec Program Framework
Identify · Protect · Detect · Respond · Recover
Use the National Institute of Standards & Technology (NIST) Cybersecurity Framework (NIST CSF) to shift your credit union to a proactive cybersecurity risk management posture
Penetration Testing
1. Targets systems and users
2. Digital and physical “attacks”
3. Identifies weaknesses in business processes & technical controls
4. Mimics a threat source's search for & exploitation of vulnerabilities
5. Demonstrates potential for loss
Penetration Testing Rules of Engagement
• Permission to test
• Time of day/day of week
• Denial of Service (DOS) OK?
• Out of scope systems/users
• Exploitation
• Handling evidence
• Status meetings
You Can’t be Cybersecure without being Cybercompliant
• Credit unions are held to a higher regulatory standard: UNDERSTAND THE BASELINE, STRIVE FOR EXCELLENCE
• Multiple tools & manual processes = complexity & resource intensiveness: BE PREPARED
• People are the weakest link AND the strongest defense: CULTURE STRENGTHENS
Action Plan
Educate & Test Your Team
Policies around:
• Email usage & attachments
• Web usage
Controls:
• Email Filtering
• Web Filtering
• Anti-Virus & Malware
Training:
• Ongoing
• Formal
• Pop-Quizzes
• Stress Test drills
Get Prepared
1. Create or verify your credit union's written:
– Information Security Policy
– Business Continuity Plan
– Incident Response Plan
2. Consider hiring a 3rd party for Vulnerability Assessment & Penetration Testing
3. Meet with your Board of Directors to discuss expectations, strategies and investments