cybersecurity (emerging risks) 2.10.15
TRANSCRIPT
![Page 1: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/1.jpg)
kaufCAN.com
CyberSecurity
(Emerging Threats, Managing Controls
and Best Practices)
Per NCUA
February 10, 2015
E. Andrew Keeney, Esq.Kaufman & Canoles, P.C.
![Page 2: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/2.jpg)
kaufCAN.com
Slideshow originally prepared by Jerald L. Garner, MS, CRMA, ISO 27001,
CRISC, CISA, CISSPNational Field Supervisor
National Credit Union AdministrationOffice of National Examinations and Supervision
Presented today by E. Andrew Keeney, Esq., with permission.
![Page 3: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/3.jpg)
kaufCAN.com
3
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
150 West Main Street, Suite 2100
Norfolk, VA 23510
(757) 624-3153
http://www.kaufmanandcanoles.com/movies/credit-unions.html
![Page 4: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/4.jpg)
kaufCAN.com
4
� This presentation is for information sharing purposes only. All contents of this presentation are based on my independent research efforts and years of experience. Mention of trade names or commercial products does not constitute endorsement or recommendation of use by NCUA. The existence of hyperlinks does not constitute endorsement by NCUA or of these Web sites or documents or of the information contained therein. Interested parties should do their own research, and the list of references may provide a starting point. Additionally, participants of this presentation assume the risk of use or reliance on such information.
![Page 5: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/5.jpg)
kaufCAN.com
5
Overview� CyberSecurity
� What is it?
� What about Information Security?
� Threat Sources� Nation State
� Organized Crime (underground)
� Hackers
� Consumers/EndUsers/Employees
� Recent Events� Threat Environment
�Disturbed Denial of Service Attacks (DDoS)
�Data Breaches
�Open Systems
�Contributing Factors� Consumerization of Information Technology (IT)
� Threat Mitigation� Awareness� Training� Guidance� Policies
� Best Practices� SANS’s� NIST Framework � 2015 Exam Focus
�Questions and Answers
![Page 6: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/6.jpg)
kaufCAN.com
6
CYBERSECURITY
Understanding
![Page 7: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/7.jpg)
kaufCAN.com
7
CyberSecurity
• Cybersecurity
– The process for managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to, and recovering from attacks.
• Information Security
– Information security is the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. (Source: FFIEC IT Handbooks –Information Security)
![Page 8: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/8.jpg)
kaufCAN.com
8
Cyberattacks
• Cyberattack
– A cyberattack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.
http://www.techopedia.com
![Page 9: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/9.jpg)
kaufCAN.com
9
CyberSecurity continued
• Presidential Executive Order
– 13636
– February 2013
– Improving Critical Infrastructure CyberSecurity
• Cybersecurity Framework
– A set of standards, methodologies, policies and procedures that align policy, business, and technological approaches to manage cyber risks
![Page 10: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/10.jpg)
kaufCAN.com
10
ACTORS (SOURCES)
Threat
![Page 11: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/11.jpg)
kaufCAN.com
11
Threats
• Nation State Sponsored
– South Korea (2013)• Banks, Media Outlets
• Systems Compromised – Patch Management
– Why?• Cyber-attacks
– Project national power @ low-cost, and
– High-payoff way to defend national sovereignty
– Power Grid (US)
![Page 12: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/12.jpg)
kaufCAN.com
12
The Underground
• Internet source for cybercriminals
– Buy/sell different products and services
– 2014 security predictions• Leverage Targeted Attacks (TrendMicro)
– Spear Phishing
– Remote Access Trojans
![Page 13: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/13.jpg)
kaufCAN.com
13
Most Requested - Underground
– Download sales
– DDoS services
– Traffic sales
– File encryption
services
– Trojan sales
– Exploit writing services
and sales
�Attack Tools
� Programming services and software sales
� Hacking services
� Dedicated server sales and bulletproof-hosting services
� Spam and flooding services, including call and SMS flooding services
![Page 14: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/14.jpg)
kaufCAN.com
14
Organized Crime• Organized Crime
– Low Cost
– Utilize proofing effective attack tools
– Effective Attacks
– Large Payoffs• Social engineering attack tricks companies into large wire transfers
- (May 2014) TrustedSec study
• Consumers (Technology Users, Employees)
– Utilize advance technology
– Negligence and user errors• Insider Theft soared 80% over 2012 stats
- Identity Theft Resource Center Study (ITRC) 2014
![Page 15: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/15.jpg)
kaufCAN.com
15
RECENT EVENTS
Media Attention
![Page 16: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/16.jpg)
kaufCAN.com
16
Recent Events• Distributed Denial of Services (DDoS) Attacks
– Financial and government entities have become the target
– Increased attack efforts• Difficult to defend (3rd party or Internet Service Provider (ISP) involvement)
• Data Breaches
– 1st Qtr 2014 – 200,000 million records breached (SafeNet)• Approximately 93,000 records per hour,
• 233 percent increase over the same quarter in 2013
– State Laws – Data Breach notification laws
![Page 17: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/17.jpg)
kaufCAN.com
17
Recent Events continued
• Incident Sources and Costs– Attacks
• Malicious insider – Cost the most ($213,542) (rarest)
• DDoS attacks – Cost ($166,545)
– Energy and utility organizations priciest attacks ($13.18 million)
– Financial services ($12.97 million)
• Per-capita– Small organizations are higher than large ones ($1,601 versus $437)
Ponemon Institute
![Page 18: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/18.jpg)
kaufCAN.com
18
Recent Events Continued
• Merchants
– Target – 30 million card credentials (vendor management)
– Michaels – Kmart (Oct 2014)
• Banks
– JPMorgan Chase• 76 million, and 7 million businesses
– Other Financial Institutions (FIs)
• Fast Food
– DQ – Jimmy Johns• POS Malware - BackOff
![Page 19: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/19.jpg)
kaufCAN.com
19
Recent Events Continued
• Technology Management Issues
– Open Systems• Heartbleed (OpenSSL) - Patch management issue
• Shellshock Bash
• NACH - ACH file
– Microsoft Windows XP (Dropped support April 14, 2014)• ATM’s (Status)
• Desktops (Status) - Lifecycle issue
![Page 20: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/20.jpg)
kaufCAN.com
20
Methods/Process
• Attacking the weakest link
– Humans
• Unpatched systems
– Attackers know which systems
• Easy access to code builders and other tools make carrying out attacks easier
• Cybercriminal precisely target individuals with access to information they want
![Page 21: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/21.jpg)
kaufCAN.com
21
FACTORS
Contributing
![Page 22: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/22.jpg)
kaufCAN.com
22
Contributing Factors
• Consumerization of Information Technology (IT)
Meship.com
� Mobile
�Bring Your Own Device (BYOD)
� Social Media
�Messaging
![Page 23: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/23.jpg)
kaufCAN.com
23
Factors Continued
– Mobile Payments
• Many Options– ISIS - Softcard
– PayPal – 44%
– Starbucks
– Apple Pay
– Paydiant
– Digital Currency
• Exchanges
• Mining
![Page 24: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/24.jpg)
kaufCAN.com
24
Factors Continued• Financial Entities Out-Sourcing
– Cloud
– Payment Solutions
• Systems Complexity
– Network Infrastructure
– Virtualized environment
• Majority of financial services
– Internet accessible
– Mobile device capable
– Requires data encryption in transit and storage
– Demands continuity of operations procedures
![Page 25: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/25.jpg)
kaufCAN.com
25
MITIGATION
Threat
![Page 26: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/26.jpg)
kaufCAN.com
26
Understand the Threats• Awareness of the Cyber Environment
– Threat Intelligence• Alert Services
– SANS - SysAdmin, Audit, Networking, and Security SANS
» NewsBites – Executive Summary
» @RISK: The Consensus Security Alert - advanced
» Ouch! - basic
» http://www.sans.org/newsletters/
– CERT – US-Computer Emergency Response Team
» Alerts - advanced
» Bulletins - advanced
» Tips – basic
» http://www.us-cert.gov/ncas
• NCUA - http://www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
![Page 27: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/27.jpg)
kaufCAN.com
27
Shifts
• Layered Approaches to Security
– Confidential, Integrity, and Availability (CIA) • Administrative controls
• Delivery methods (User interface)
• Data communications
• Active monitoring
• Encryption
![Page 28: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/28.jpg)
kaufCAN.com
28
Training and Guidance
• Training
– SANS Institute – http://www.SANS.org
– Multi-State Information Sharing & Analysis Center• https://msisac.cisecurity.org/resources/videos/free-training.cfm
– NCUA/OSCUI
• Guidance
– NCUA Rules & Regs:• 12 CFR Part 748: Security Program, Report of Crime and Catastrophic Act, Bank Secrecy Act Compliance, and
• 12 CFR Part 749: Records Preservation Program
– FFIEC – Information Technology Manuals
![Page 29: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/29.jpg)
kaufCAN.com
29
Policy
• Part 748
– Information Security Program• Security Awareness Training Program
• Incident Response Policy
• Patch Management Policy
• Part 749
– Business Continuity Plan/Policy• Document Destruction Procedures
• Pandemic Procedures
• Response Plan/Policy
• Disaster Recovery Plan/Policy
![Page 30: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/30.jpg)
kaufCAN.com
30
PRACTICES
Best
![Page 31: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/31.jpg)
kaufCAN.com
31
Best Practices
• Basic’s of Information Security
– Confidential, Integrity, and Availability (CIA)
• Layered Security
– arises from the desire to cover for the failings of each component by combining components into a single, comprehensive strategy, the whole of which is greater than the sum of its parts, focused on technology implementation with an artificial goal of securing the entire system against threats
http://www.techrepublic.com/
![Page 32: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/32.jpg)
kaufCAN.com
32
The Layers
![Page 33: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/33.jpg)
kaufCAN.com
33
Firewalls (FW), routers (ACL's), and segmented
systems
Intrusion Detection / Prevention
Systems (IDS/IPS)
Active Monitoring
Admin Lockdown
Anti-virus, FW, updates, host IDS, etc
Authentication
Methodology
IP Address Lockdown &
Dual Controls, etc
Secure Transactions/privacy
data access
![Page 34: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/34.jpg)
kaufCAN.com
34
Best Practices• Controls
– Policies• Employee Acceptable Use Policy
• Social Media Policy
• Vendor Management Policy
– Networking Environment• Utilize Firewalls
• Intrusion Detection and Prevention (ID/IP) Systems
– Desktop and Server• Malware Protection (Anti-Virus)
• Administrative Permissions
• Patch Management Program
![Page 35: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/35.jpg)
kaufCAN.com
35
Breach Ready Credit Union
• Maintain
– Current network diagram that shows data flows
• Logs – critical ones
– Security Logs• Server and workstation operating system logs
• Application logs (e.g., web server, database server)
• Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system, end-user apps)
• Hostname-IP addresses
– Dynamic Host Configuration Protocol (DHCP) rotates the mapping of IP addresses to internal systems
![Page 36: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/36.jpg)
kaufCAN.com
36
Breach Ready continued
• Know how to find files in your environment
– If malicious files are spotted on the network
– Be able to locate where that file exists
• Incident Response Plans
– Incident Response Policies and procedures are controls – test them!
• Public notification – know the answers
– What and how it happen?
– Prevention and protection steps
![Page 37: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/37.jpg)
kaufCAN.com
37
Cyber Security
• National Institute of Science and Technology (NIST) - The ability to protect or defend the use of cyberspace from cyber attacks.
– The National Institute of Science and Technology (NIST) developed a Cybersecurity Framework for critical industry entities
– Basic Cybersecurity/information security functions (CORE)• Identify (Asset inventory/risk assessments; systems, software, hardware, personnel, information, etc)
![Page 38: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/38.jpg)
kaufCAN.com
38
2015 Examination Focus
• IS&T
– eBanking
– Business Continuity Planning
– Vendor Management
– Cyber Security
• Payments
– Ach
– IP/RDC
– Wires
![Page 39: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/39.jpg)
kaufCAN.com
39
Sources
http://www.cert.org/insider-threat/
http://www.us-cert.gov/ncas
http://www.sans.org/newsletters/
http://www.ncua.gov/Resources/Pages/cyber-security-resources.aspx
http://www.ready.gov
http://www.prolexic.com/knowledge-center/
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html
http://www.privacyrights.org/data-breach
![Page 40: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/40.jpg)
kaufCAN.com
40
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
150 West Main Street, Suite 2100
Norfolk, VA 23510
(757) 624-3153
http://www.kaufmanandcanoles.com/movies/credit-unions.html
![Page 41: CyberSecurity (Emerging Risks) 2.10.15](https://reader034.vdocuments.net/reader034/viewer/2022042716/55a780ae1a28ab193e8b45c0/html5/thumbnails/41.jpg)
kaufCAN.com
CyberSecurity
(Emerging Threats, Managing
Controls and Best Practices)
February 10, 2015
E. Andrew Keeney, Esq.Kaufman & Canoles, P.C.