TRANSCRIPT
Building Your Cyber
Security Program
Dr. Kevin Streff
Founder & Chief Security Strategist,
SBS Cybersecurity, LLC
www.sbscyber.com
Iowa's Day with the Superintendent
What is Cyber Security?
Protecting
• Confidentiality
• Integrity
• Availability
Where
• Networks
• Vendors
• Customers
• Buildings
• Enterprise
• Endpoints
www.sbscyber.com 4/17/2017
Top Security Threats
• Hacking
• Data Leakage – Insider Threat
• Social Engineering
• Corporate Account Takeover
• ATM
• Spear Phishing
• Ransomware
• DDoS
Hacker Tools Examples
• Tools to hack your bank are downloadable
– http://sectools.org/
• Default passwords are all available
– http://www.phenoelit.org/dpl/dpl.html
• Economy is available to sell stolen data
(“underground markets”)
– http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Data Leakage
• Data Leakage is about insiders leaking
customer information out of your bank
• Most attention is paid to outsiders breaking
into your network (aka hackers)
• Malicious Behavior
• Accidental
Sample Social Engineering
Methods
• Phishing/Pharming
• Telephone (Remote Impersonation)
• Dumpster Diving
• Impersonation
• E-mail Scams
• USB Sticks
Small Business Security
• 70% lack basic security controls
• ACH fraud and wire fraud
• Conduct a risk assessment looking for these basic security controls:
– Firewall
– Strong passwords
– Malware protection
– Etc.
ATMs
• The ATM environment has changed
• Used to be most banks:
– Closed network
– Non Windows
• Today, most ATMs are on your bank’s
network and run Windows
Phishing Trends
• 91% of cyberattacks and the resulting data breach begin with a “spear phishing” email – Trend Micro
• The IRS saw an approximate 400 percent surge in phishing and malware incidents in the 2016 tax season.
• IRS has issued “guidance”.
– https://www.irs.gov/uac/newsroom/phishing-schemes-lead-the-irs-dirty-dozen-list-of-tax-scams-for-2017-remain-tax-time-threat
– https://www.irs.gov/uac/tax-scams-consumer-alerts
Ransomware
• Cyber extortion
• A ransom message is displayed on the
victim’s screen that demands a
particular sum (usually between $100-
1,500 for ordinary users) in exchange
for a decryption key (usually claimed
to be unique), thus completing a
vicious cycle of cyber extortion crime
done with the help of malware.
Webcam
• Malware can even take control of a
webcam and record its owner.
Hundreds of Australian visitors of adult
websites were literally caught with
their pants down and later
blackmailed.
Pornography
• Malware planted child pornography,
which cannot be deleted easily, and
asked for a fee, otherwise a
notification would be forwarded to the
authorities.
Catching and Punishing
• Identification and arrest of cyber
extortionists are low because they
usually operate from countries other
than those of their victims and use
anonymous accounts and fake e-mail
addresses.
Bitcoins
• Even the process of collecting
payments from victims - often payable
in bitcoins - and providing decryption
keys can be automated.
• Criminals prefer Bitcoin because it's
easy to use, fast, publicly available,
decentralized and provides a sense of
heightened security/anonymity
DDoS
• Amassing a large number of compromised hosts to send useless packets to jam a victim or its Internet connection or both.
• Typical methods:
– Exploit system design weaknesses such as ping of death.
– Impose computationally intensive tasks on the victim such as encryption and decryption.
– Flooding-based DDoS attack.
• 38% - suffered one or more DDoS attacks
in the past 12 months
• $5-$100 – amount needed per hour to
down a target.
Agenda
• Top Security Threats – 20 minutes
• Technology Regulation – 5 minutes
• What Do You Need To Do? – 35 minutes
Gramm-Leach-Bliley Act
• Management must develop a written information security program
• What is the “M” in the CAMEL rating?
The Information Security Program is the way management demonstrates to regulators that information security is being managed at the bank
Important Guidance
• FFIEC ATM
• FFIEC DDoS
• FFIEC Social Media Guidance
• FFIEC Cybersecurity Assessments
• FFIEC Business Continuity Handbook
(Appendix J)
• FFIEC Retail Payment System (Appendix
E – Mobile Financial Services)
New Bills
• MAIN STREET Cybersecurity Act of 2017
• Cyber Disclosure Act of 2017
• Amendment to Cybersecurity Act of 2002
Successful I.T. Exam
Supervisory Expectations:
1. Layered Security Program
2. Risk Assessments
3. Awareness and Education
4. Incident Response
5. Information Sharing
6. Audits
Question for you… What is your bank doing to mitigate:
• Hacking
• Data Leakage
• Social Engineering
• CATO
• ATM Fraud
• Ransomware
• Spear Phishing
• DDoS
Answer Should Be:
1. Layered Security Program
2. Risk Assessment
3. Customer Awareness and Education
4. Effective Auditing
5. Incident Response
6. Information Sharing
Layered Information Security Program for Your Bank
• Assessments
• Asset Management
• Vendor Management
• Penetration Testing
• Vulnerability Assessment
• Security Awareness
• Business Continuity
• Incident Response
• Audits
• Documentation
• Boards & Committees
I.T. Risk Management Practices
• Your layered information security program
starts with a management process to
evaluate the use of technology at your
bank (to assess the cyber risk)
IT Risk Management
• Financial institution management should develop an effective ITRM process that supports the broader risk management process to perform the following:
– Identify risks to information assets within the financial institution or controlled by third-party providers.
– Categorize the risk.
– Measure the level of risk quantitatively.
– Mitigate the risks to an acceptable residual risk level in conformance with the board’s risk appetite.
– Monitor changing risk levels and report the results of the process to the board and senior management.
Top Risk Assessment Products
• Archer – Kansas
• bSECURE – Texas
• CoNetrix – Texas
• Modulo – Seattle
• Riskkey – Texas
• RiskWatch – Maryland
• Scout – Wisconsin
• TRAC – South Dakota
• WolfPAC – Maryland
Risk Appetite
• The more important the asset, the more risk you want to reduce.
• Acceptable levels of risk are identified and measured against.
Bottom Line
• Need to develop a way for your bank to
assess the risk of commercial accounts
Anti-Phishing Call to Action
• Layered Security Program (blueprint)
• Phishing Tests – Management
• CATO Assessment Tool – Bank and Customers
• Continuous and Specific Cyber Training
• Phishing Posters
• Phishing Metrics
• Social Engineering and Penetration Tests – Audit
Other Phishing Tools
• Wombat
• Phishme
• QuickPhish
• Tandem Phishing
• Most of these tools offer a free trial
Phishing Metrics
• Businesses manage through establishing quantitative goals. Phishing can be managed this way.
• Conduct a baseline test
• Establish a goal
• Run specific campaigns:
– Software
– Posters
– Training
– Etc.
• Re-measure results
• Repeat
Ongoing Training
• Employees and customers
• Having all employees watch a 60-minute video on phishing once a year = not good enough
• What can you do to keep Cybersecurity and other banking threats on their minds?
• Have you documented a formal, ongoing Information Security Awareness Program?
• Does your Board and executive team participate in training?
• What about… customers?
KnowBe4 Training Modules
• Augment Phishing Tests
– Provides specific training to those who fail specific tests / scams
– https://www.youtube.com/watch?v=UZe2KdkAfiU
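The Phishing Metrics procedure above (baseline, goal, campaigns, re-measure, repeat) and the targeted follow-up training for people who fail tests, as an added example that is not part of the presentation or any vendor tool. The campaign results, the campaign names and the 10% goal are constructed assumptions.

```python
"""Phishing metrics: baseline, goal, re-measure, targeted follow-up.
Added example, not from the presentation or any vendor tool; the campaign
records below are constructed."""
from collections import defaultdict

# Constructed results: (campaign name, recipient, clicked the link?)
RESULTS = [
    ("2017-Q1 baseline", "alice", True), ("2017-Q1 baseline", "bob", True),
    ("2017-Q1 baseline", "carol", False), ("2017-Q1 baseline", "dave", True),
    ("2017-Q2 after posters", "alice", True), ("2017-Q2 after posters", "bob", False),
    ("2017-Q2 after posters", "carol", False), ("2017-Q2 after posters", "dave", True),
    ("2017-Q3 after training", "alice", False), ("2017-Q3 after training", "bob", False),
    ("2017-Q3 after training", "carol", False), ("2017-Q3 after training", "dave", True),
]
GOAL_CLICK_RATE = 0.10  # assumed management target: at most 10% of recipients click


def click_rates(results):
    """Click rate per campaign, keyed in the order campaigns first appear."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: clicked[c] / sent[c] for c in sent}


def progress_report(results, goal):
    """Compare every campaign with the baseline (the first one) and the goal."""
    rates = click_rates(results)
    baseline = next(iter(rates.values()))
    return [{"campaign": c, "rate": r, "change_vs_baseline": r - baseline,
             "goal_met": r <= goal} for c, r in rates.items()]


def repeat_clickers(results, min_clicks=2):
    """Recipients who clicked in at least min_clicks campaigns: the people the
    deck says should get specific follow-up training after failing tests."""
    counts = defaultdict(int)
    for _campaign, user, did_click in results:
        counts[user] += int(did_click)
    return sorted(u for u, n in counts.items() if n >= min_clicks)


if __name__ == "__main__":
    for row in progress_report(RESULTS, GOAL_CLICK_RATE):
        print(f"{row['campaign']}: {row['rate']:.0%} "
              f"({row['change_vs_baseline']:+.0%} vs baseline, goal met: {row['goal_met']})")
    print("repeat clickers:", repeat_clickers(RESULTS))
```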
Corporate Training Sessions
• Inviting corporate customers to cyber security training
• Using KnowBe4 to test and train
• Offering community training sessions (i.e., identity theft, tax fraud, etc.)
• People (customers, employees, community, etc.) don’t think it will happen to them
Employees: Security Awareness
Ideas
• Acceptable Use Policy
• Annual Security Awareness Training
• Email Reminders
• Online Training System
• Posters/Calendars
• Security Awareness Day
• Customer Appreciation Day
• Games
• Social Engineering Tests
• InfraGard Certification
Social Engineering Tests
• USB/Media Tests
• Dumpster Diving
• Phishing Tests
• E-Mail Scams
• Physical Impersonation
• Phone Impersonation
Customers: Security Awareness
Ideas
• Awareness Information on Website
• Posters
• Security Awareness Day
• Customer Appreciation Day
• Lunch and Learns
MAIN STREET Cybersecurity Act of 2017
Comprehensive Audit
• Audits will assess people, processes,
and technology.
• A balanced audit program works as
follows:
– people are assessed with a social
engineering test,
– processes are assessed with an IT audit, and
– technology is assessed with a penetration
test and vulnerability assessment.
Minimum ISP Documentation
• Risk Assessment
• Policies
• Procedures
• Standards
• Guidelines
• Plans
– Audit
– Business Continuity
– Incident Response
• Security Awareness Materials
• Vendor Assessments
• Minutes
– Board of Director Meetings
– I.T. Committee Meetings
– Audit Committee Meetings
• Strategies
• Test Results
– Audit
– Penetration Test
– Vulnerability Assessment
– Social Engineering
– Configuration Test
– Web Test
– Wireless Test
• Exams
– State
– Federal
• Misc.
– Network Diagram
– Organizational Chart
Firewall Review
• Independence
• CIS Hardening Checklist (CIS)
– Example in System Configuration Section
• Verify changes and rules
– Verify change control forms against
configuration of firewall
– Review firewall rules for applicability and
accuracy
User Access Review
• Driven by your risk assessment
• Compare HR Employee list against active
system users
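The user access review described above, reconciling the HR employee list against active system users, as an added example that is not the presenter's code. The CSV column layouts, the sample records and the approved service-account list are constructed assumptions; a real review would read the HR and system exports from files.

```python
"""User access review: reconcile enabled system accounts against the HR
employee list. Added example, not from the presentation; the CSV layouts
and sample records below are constructed for illustration."""
import csv
import io

# Constructed HR export: one row per employee with employment status.
HR_EXPORT = """employee_id,name,status
1001,Alice Jensen,active
1002,Bob Marsh,terminated
1003,Carol Ortiz,active
"""
# Constructed system export: enabled accounts and the employee each maps to.
SYSTEM_USERS = """username,employee_id,enabled,last_login
ajensen,1001,true,2017-04-10
bmarsh,1002,true,2017-01-15
cortiz,1003,true,2017-04-12
temp_contractor,,true,2016-11-02
svc_backup,,true,2017-04-14
"""
# Accounts legitimately not tied to a person (documented, approved exceptions).
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}


def review_access(hr_csv, users_csv, approved_service=frozenset()):
    """Return enabled accounts needing follow-up, grouped by finding type.

    terminated:  the HR record says the person has left, yet the account is on.
    no_hr_match: no employee_id, or one HR does not know, and the account is
                 not on the approved service-account list.
    """
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = {"terminated": [], "no_hr_match": []}
    for acct in csv.DictReader(io.StringIO(users_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this review
        if acct["username"] in approved_service:
            continue
        emp = hr.get(acct["employee_id"].strip())
        if emp is None:
            findings["no_hr_match"].append(acct["username"])
        elif emp["status"].strip().lower() != "active":
            findings["terminated"].append(acct["username"])
    return findings


if __name__ == "__main__":
    for kind, users in review_access(HR_EXPORT, SYSTEM_USERS, APPROVED_SERVICE_ACCOUNTS).items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Each finding is a ticket for the account owner to justify or for the account to be disabled, and the review itself goes in the audit minutes the deck lists under minimum documentation.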
Continuous Auditing
• Continuous auditing is a method used by the IT audit and assurance professional to perform control and risk assessments on a more frequent basis.
• It is a method that allows IT audit and assurance professionals to monitor controls and risk on a continuous basis.
• “security with a heartbeat”
Boards and Committees
• If you don’t have a security expert on
staff, get someone for your I.T. committee
• If you don’t have a security expert on
staff, have someone annually report to
your board (Cyber Disclosure Act of 2017)
• Keep minutes
• Set audits up on a schedule (see
handout)
What did we learn? What is your bank doing to mitigate:
• Hacking
• Data Leakage
• Social Engineering
• CATO
• ATM Fraud
• Ransomware
• Spear Phishing
• DDoS
Answer Should Be:
1. Layered Security Program
2. Risk Assessment
3. Customer Awareness and Education
4. Effective Auditing
5. Incident Response
6. Information Sharing
Contact Info
• Dr. Kevin Streff
– Dakota State University
• 605.270.0790
– SBS Cybersecurity, LLC
• www.sbscyber.com
• 605.270.0790