decrease cyber risk at your community bank

Post on 14-Feb-2017


TRANSCRIPT

DECREASE CYBER RISK AT YOUR COMMUNITY BANK

Manish Rai & Ty Powers, Great Bay Software

AGENDA

• Current challenges faced by community banks

• Getting started with the new CAT tool & FFIEC Audits

• Best practices for:

- Plugging potential cyber gaps

- Addressing network access control


GREATEST CHALLENGES FACING FINANCIAL SERVICES ORGANIZATIONS


FFIEC CYBERSECURITY ASSESSMENT TOOL (CAT) MEASURES RISK AND MATURITY ACROSS 5 DOMAINS

D1. Cybersecurity Risk Management & Oversight

• Governance

• Risk Management

• Resources

• Training & Culture

D2. Threat Intelligence & Collaboration

• Threat Intelligence

• Monitoring & Analysis

• Information Sharing

D3. Cybersecurity Controls

• Preventative

• Detective

• Corrective

D4. External Dependency Management

• Connections

• Relationship Management

D5. Cybersecurity Incident Management & Resilience

• Incident Resilience Planning & Strategy

• Detection, Response and Mitigation

• Escalation & Reporting


FFIEC CAT INHERENT RISK AND MATURITY LEVELS MEASUREMENT MODEL


FFIEC CYBERSECURITY ASSESSMENT TOOL

• Why the FFIEC CAT?

- Developed by the Federal Financial Institutions Examination Council (FFIEC) to help institutions identify their risks and determine their cybersecurity maturity.

• What is it used for?

- Provides institutions with a repeatable and measurable process to inform management of their institution’s risks and level of cybersecurity preparedness.

COMPLETING THE CAT ASSESSMENT

• Assess the institution’s inherent risk profile based on five categories:

- Technologies and Connection Types: VPN, wireless, LAN-to-LAN, ISP

- Delivery Channels: online, mobile delivery, ATM

- Online/Mobile Products and Technology Services: payment services, wire transfers, remote banking

- Organizational Characteristics: M&A, number of employees, number of contractors, locations (branch, office, and data centers)

- External Threats: volume and type of attacks (attempted or successful)

COMPLETING THE CAT ASSESSMENT

• Evaluate the institution’s Cybersecurity Maturity level for the five domains:

- Cyber Risk Management and Oversight: cybersecurity program including policies and procedures

- Threat Intelligence and Collaboration: tools and processes to effectively discover, analyze, and understand cyber threats

- Cybersecurity Controls: practices and processes used to protect assets, infrastructure, and information; continuous, automated protection and monitoring

- External Dependency Management: program to oversee and manage external connections and third-party relationships

- Cyber Incident Management and Resilience: establishing, identifying, and analyzing cyber events

DESIGN AND IMPLEMENT SECURITY CONTROLS

• Access Controls on Customer Information Systems

- Authenticate and permit access only to authorized individuals

- Prevent employees from providing customer information to unauthorized individuals

• Physical Access Restrictions

- Restrict access at physical locations containing customer information to authorized individuals only

• Employ the Use of Encryption

- Encrypt electronic customer information, in transit as well as in storage, on networks or systems to which unauthorized individuals may have access

DESIGN SECURITY CONTROLS

• Minimum Security Baseline and Control Process

- Procedures designed to ensure that system modifications are consistent with the community bank’s information security program

• Personnel Controls

- Implement segregation of duties and personnel background checks

• Monitoring Systems

- Monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, customer information systems

• Incident Response

- Implement procedures to be taken when unauthorized access or other incidents are detected

- Actions including reporting to regulatory and law enforcement agencies

EDUCATE, TEST, AND OVERSEE

• Educate and Train Staff

- Train staff to recognize and respond to threats including fraud and identity theft

- Provide staff with adequate training around computing and information security

- Train staff on how to properly dispose of customer data

• Test Key Controls

- Test and validate the procedures and systems put in place

- The risk assessment should drive frequency and scope

• Oversee Service Providers

- Exercise due diligence in selecting service providers

- Monitor and hold them accountable for adhering to the FFIEC Security Guidelines

BEST PRACTICES

• Policies, Procedures, and Action

- Practice what you preach

- Execute the information security strategy and plans as designed

• Leverage the Network Infrastructure

- Control access to the network

- Limit network access to approved devices (authenticate, authorize, and audit)

- Ensure proper network segmentation

- Reduce the available attack surface and contain a compromise so it cannot spread beyond its segment

- Keep the perimeter intact

- Avoid internet-facing endpoints and services where possible

BEST PRACTICES

• Don’t Forget About the Endpoints

- Make sure that you can answer the following at all times: What is connecting to the network? Where is it located? How is it behaving? Do I trust it? Should I?

- Disable remote access to devices where possible: remote access provides a conduit to vulnerable devices

- Change default credentials immediately and disable default admin accounts

BEST PRACTICES

• Don’t Forget About the Endpoints (continued)

- Disable or limit protocol usage: disable insecure protocols such as Telnet and FTP where possible (a best practice under many regulatory guidelines)

- Ensure that communication ports that should be open actually are: are the SSH, Telnet, and HTTP ports still in the state you expect? Some attacks disable remote access to limit remediation

- Patch, patch, patch: patch early and patch often, even though it is not always possible

BEST PRACTICES

• Don’t Forget About Tomorrow

- Choose solutions, not point products

- Deploy highly scalable systems that will mature with the organization

- Look for solutions that enhance existing systems

- Avoid creating information silos

- Choose vendors and integrators that provide the same level of service that you provide to your customers

SECURITY AND MANAGEMENT TOOLS NEEDED FOR COMPLIANCE

• Vulnerability Scanner

• Advanced Threat Detection

• Anti-Virus

• Firewall

• Discovery, Visibility and Network Access Control

• Log and Event Management

• Intrusion Detection and Prevention

KEY CAT TOOL NETWORK ACCESS CONTROL REQUIREMENTS UNDER PREVENTATIVE AND DETECTIVE CONTROLS

• Discovery

- Unregistered / unauthorized devices

- Rogue access points

- Critical systems running legacy technologies

• Visibility / Monitoring

- Network ports

- FTP / Telnet traffic

- Anomalous behavior

- Real-time network monitoring

• Control

- Unauthorized access

- Unregistered device access

- Rogue access points

- Network segmentation

- Traffic between trusted / untrusted zones

- Wi-Fi security settings (strong)
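The discovery and monitoring rows above, together with the endpoint practices on the preceding Best Practices slides (only approved devices on the network, no Telnet or FTP, management ports that should be open still are, traffic kept inside its zone), are the kind of conditions a bank can check mechanically from a device register plus network records. The script below is an added example and is not code from the deck or from Great Bay Software; the asset register, subnet-to-zone map, flow records and listener snapshot are all constructed, and the policy tables (INSECURE_PORTS, EXPECTED_MGMT, ALLOWED_ZONE_FLOWS) are hypothetical values chosen to exercise each check.

```python
"""Added example (not from the deck or Great Bay Software): audit constructed
network records against a device register and a segmentation policy, flagging
the conditions the CAT discovery / monitoring / control rows call for."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    kind: str      # e.g. "unregistered_device", "insecure_protocol"
    subject: str   # hostname, or the MAC when the device is unknown
    detail: str


# Constructed asset register (hypothetical values): MAC -> (hostname, role, zone)
REGISTERED = {
    "00:11:22:33:44:01": ("core-sw-1", "switch", "infra"),
    "00:11:22:33:44:02": ("atm-branch-7", "atm", "atm"),
    "00:11:22:33:44:03": ("teller-pc-12", "workstation", "user"),
}

# Constructed zone plan: subnet -> zone, and the zone pairs segmentation permits
ZONES = {
    ip_network("10.10.0.0/24"): "infra",
    ip_network("10.10.20.0/24"): "user",
    ip_network("10.10.30.0/24"): "atm",
}
ALLOWED_ZONE_FLOWS = {("user", "infra"), ("user", "user"), ("atm", "infra"), ("infra", "infra")}

# Hypothetical policy: cleartext protocols to flag, and the management port
# each device role is expected to keep reachable (so remote remediation works)
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}
EXPECTED_MGMT = {"switch": {22}, "atm": set(), "workstation": set()}

# Constructed flow records: (src_mac, src_ip, dst_ip, dst_port, proto)
FLOWS = [
    ("00:11:22:33:44:03", "10.10.20.12", "10.10.0.1", 22, "tcp"),    # teller -> switch over SSH: fine
    ("00:11:22:33:44:03", "10.10.20.12", "10.10.0.1", 23, "tcp"),    # same path over Telnet
    ("00:11:22:33:44:99", "10.10.20.77", "10.10.30.5", 445, "tcp"),  # MAC not in the register
    ("00:11:22:33:44:02", "10.10.30.5", "10.10.20.12", 21, "tcp"),   # ATM -> user zone over FTP
]

# Constructed listener snapshot: hostname -> ports observed open
LISTENERS = {"core-sw-1": {23, 80}, "atm-branch-7": set(), "teller-pc-12": {3389}}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the zone plan is 'unknown'."""
    addr = ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return "unknown"


def audit_flows(flows, registered=REGISTERED):
    """Discovery + monitoring: unknown devices, cleartext protocols, zone crossings."""
    findings = []
    for mac, src, dst, port, proto in flows:
        if mac not in registered:
            # An unknown device is itself the finding; its traffic is not attributed further.
            findings.append(Finding("unregistered_device", mac, f"{src} -> {dst}:{port}/{proto}"))
            continue
        host = registered[mac][0]
        if port in INSECURE_PORTS:
            findings.append(Finding("insecure_protocol", host, f"{INSECURE_PORTS[port]} to {dst}:{port}"))
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED_ZONE_FLOWS:
            findings.append(Finding("zone_violation", host, f"{pair[0]} -> {pair[1]} ({src} -> {dst}:{port})"))
    return findings


def audit_listeners(listeners, registered=REGISTERED):
    """Port state: insecure services listening, expected management ports gone quiet."""
    role_by_host = {host: role for host, role, _zone in registered.values()}
    findings = []
    for host, open_ports in listeners.items():
        for port in sorted(open_ports & set(INSECURE_PORTS)):
            findings.append(Finding("insecure_listener", host, f"{INSECURE_PORTS[port]} listening on {port}"))
        for port in sorted(EXPECTED_MGMT.get(role_by_host.get(host), set()) - open_ports):
            findings.append(Finding("mgmt_port_closed", host,
                                    f"expected {port} open; remote remediation may be blocked"))
    return findings


def summarize(findings) -> dict:
    """Count findings by kind, e.g. for a dashboard or an audit evidence file."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit_flows(FLOWS) + audit_listeners(LISTENERS):
        print(f"{f.kind:20} {f.subject:20} {f.detail}")
```

On the constructed input the flow audit reports one unregistered MAC, two cleartext sessions (Telnet to the switch, FTP from the ATM) and one ATM-to-user-zone crossing, while the listener audit reports that the switch still has Telnet listening and no longer answers on its expected SSH port. In a real deployment the register would come from the bank's asset inventory or NAC system and the flows from NetFlow, DHCP or switch logs; the checks themselves do not change.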


GREAT BAY VISION

Network Access Control

• Know

- Monitor port usage

- Network monitoring

- Anomalous behavior detection

- FTP / Telnet traffic

• Control

- Unauthorized access

- Rogue access points

- Network segmentation

- Trusted / untrusted zones

• Enhance

- Asset inventory / management

- Incident response

- Troubleshooting

• See

- Discover in real time

- Unauthorized / unregistered devices

- Rogue access points

THANK YOU! QUESTIONS?
