decrease cyber risk at your community bank
TRANSCRIPT
DECREASE CYBER RISK AT YOUR COMMUNITY BANK
Manish Rai & Ty Powers, Great Bay Software
AGENDA
• Current challenges faced by community banks
• Getting started with the new CAT tool & FFIEC Audits
• Best practices for:
- Plugging potential cyber gaps
- Addressing network access control
GREATEST CHALLENGES FACING FINANCIAL SERVICES ORGANIZATIONS
FFIEC CYBERSECURITY ASSESSMENT TOOL (CAT) MEASURES RISK AND MATURITY ACROSS 5 DOMAINS
D1. Cybersecurity Risk Management & Oversight
• Governance
• Risk Management
• Resources
• Training & Culture
D2. Threat Intelligence & Collaboration
• Threat Intelligence
• Monitoring & Analysis
• Information Sharing
D3. Cybersecurity Controls
• Preventative
• Detective
• Corrective
D4. External Dependency Management
• Connections
• Relationship Management
D5. Cybersecurity Incident Management & Resilience
• Incident Resilience Planning & Strategy
• Detection, Response and Mitigation
• Escalation & Reporting
FFIEC CAT INHERENT RISK AND MATURITY LEVELS MEASUREMENT MODEL
FFIEC CYBERSECURITY ASSESSMENT TOOL
• Why the FFIEC CAT?
- Developed by the Federal Financial Institutions Examination Council (FFIEC) to help institutions identify their risks and determine their cybersecurity maturity.
• What is it used for?
- Provides institutions with a repeatable and measurable process to inform management of their institution’s risks and level of cybersecurity preparedness.
COMPLETING THE CAT ASSESSMENT
• Assess the institution’s inherent risk profile based on five categories
- Technologies and Connection Types: VPN, wireless, LAN-to-LAN, ISP
- Delivery Channels: online, mobile delivery, ATM
- Online/Mobile Products and Technology Services: payment services, wire transfers, remote banking
- Organizational Characteristics: M&A, number of employees, number of contractors, locations (branch, office, and data centers)
- External Threats: volume and type of attacks (attempted or successful)
COMPLETING THE CAT ASSESSMENT
• Evaluate the institution’s Cybersecurity Maturity level for the five domains
- Cyber Risk Management and Oversight: cybersecurity program including policies and procedures
- Threat Intelligence and Collaboration: tools and processes to effectively discover, analyze, and understand cyber threats
- Cybersecurity Controls: practices and processes used to protect assets, infrastructure, and information; continuous, automated protection and monitoring
- External Dependency Management: program to oversee and manage external connections and third-party relationships
- Cyber Incident Management and Resilience: establishing, identifying, and analyzing cyber events
DESIGN AND IMPLEMENT SECURITY CONTROLS
• Access controls on customer information systems
- Authenticate and permit access only to authorized individuals
- Prevent employees from providing customer information to unauthorized individuals
• Physical Access Restrictions
- Restrict access at physical locations containing customer information to authorized individuals only
• Employ the use of Encryption
- Encrypt electronic customer information, in transit as well as in storage, on networks or systems to which unauthorized individuals may have access
DESIGN SECURITY CONTROLS
• Minimum Security Baseline and Control Process
- Procedures designed to ensure that system modifications are consistent with the community bank’s information security program
• Personnel Controls
- Implement segregation of duties and personnel background checks
• Monitoring Systems
- Monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, customer information systems
• Incident Response
- Implement procedures to be taken when unauthorized access or other incidents are detected
- Actions including reporting to regulatory and law enforcement agencies
EDUCATE, TEST, AND OVERSEE
• Educate and Train Staff
- Train staff to recognize and respond to threats including fraud and identity theft
- Provide staff with adequate training around computing and information security
- Train staff on how to properly dispose of customer data
• Test Key Controls
- Test and validate the procedures and systems put in place
- The risk assessment should drive frequency and scope
• Oversee Service Providers
- Exercise due diligence in selecting service providers
- Monitor and hold them accountable for adhering to the FFIEC Security Guidelines
BEST PRACTICES
• Policies, Procedures, and Action
- Practice what you preach
- Execute the information security strategy and plans as designed
• Leverage the Network Infrastructure
- Control access to the network: limit network access to approved devices (Authenticate, Authorize, and Audit)
- Ensure proper network segmentation: reduce the available attack surface and limit the contamination or threat
- Keep the perimeter intact: avoid internet-facing endpoints and services where possible
BEST PRACTICES
• Don’t Forget About the Endpoints
- Make sure that you can answer the following at all times: What’s connecting to the network? Where is it located? How is it behaving? Do I trust it? Should I?
- Disable remote access to devices where possible; remote access provides a conduit to vulnerable devices
- Change default credentials immediately and disable default admin accounts
BEST PRACTICES
• Don’t Forget About the Endpoints (continued)
- Disable or limit protocol usage: disable insecure protocols such as Telnet and FTP where possible; this is a best practice under many regulatory guidelines
- Ensure that the communication ports that should be open actually are open: are the SSH, Telnet and HTTP ports still open? Some attacks disable remote access to limit remediation
- Patch, patch, patch: patch early and patch often (not always possible)
BEST PRACTICES
• Don’t Forget About Tomorrow
- Choose solutions, not point products
- Deploy highly scalable systems that will mature with the organization
- Look for solutions that enhance existing systems
- Avoid creating information silos
- Choose vendors and integrators that provide the same level of service that you provide to your customers
SECURITY AND MANAGEMENT TOOLS NEEDED FOR COMPLIANCE
• Vulnerability Scanner
• Advanced Threat Detection
• Anti-Virus
• Firewall
• Discovery, Visibility and Network Access Control
• Log and Event Management
• Intrusion Detection and Prevention
KEY CAT TOOL NETWORK ACCESS CONTROL REQUIREMENTS UNDER PREVENTATIVE AND DETECTIVE CONTROLS
Discovery
• Unregistered / Unauthorized Devices
• Rogue Access Points
• Critical Systems Running Legacy Technologies
Visibility / Monitoring
• Network Ports
• FTP / Telnet Traffic
• Anomalous Behavior
• Real-time Network Monitoring
Control
• Unauthorized Access
• Unregistered Device Access
• Rogue Access Points
• Network Segmentation
• Traffic Between Trusted / Untrusted Zones
• Wi-Fi Security Settings (Strong)
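The endpoint best practices above (knowing what is connecting and where, keeping FTP and Telnet disabled, confirming that the management ports that should be open still are) and the CAT network access control requirements in the table (discovery of unregistered devices, FTP/Telnet traffic monitoring, traffic between trusted and untrusted zones) can be turned into a small, repeatable check. The Python below is an added example, not code from the deck or from Great Bay Software; the registered-device inventory, zone prefixes, flow records and port lists are constructed samples, and the trusted/untrusted addressing is an assumption.

```python
import ipaddress

# Constructed sample inventory of registered (authorized) devices, keyed by MAC address.
REGISTERED_DEVICES = {
    "00:11:22:aa:bb:01": "teller-ws-01",
    "00:11:22:aa:bb:02": "teller-ws-02",
    "00:11:22:aa:bb:10": "core-banking-srv",
}

# Assumed zone addressing for this example (not from the deck).
ZONES = {
    "trusted": ipaddress.ip_network("10.10.0.0/16"),       # branch LAN and servers
    "untrusted": ipaddress.ip_network("192.168.50.0/24"),  # guest Wi-Fi
}

# Cleartext protocols the deck says to disable and watch for, keyed by TCP port.
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample of devices currently seen on access-switch ports (e.g. from DHCP/ARP).
OBSERVED_DEVICES = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.10.1.21", "port": "Gi1/0/1"},
    {"mac": "DE:AD:BE:EF:00:42", "ip": "10.10.1.77", "port": "Gi1/0/9"},  # not registered
]

# Constructed sample flow records: (source IP, destination IP, destination port, protocol).
FLOWS = [
    ("10.10.1.21", "10.10.5.5", 443, "tcp"),      # normal HTTPS
    ("10.10.1.77", "10.10.5.5", 23, "tcp"),       # Telnet into a trusted server
    ("192.168.50.12", "10.10.5.5", 445, "tcp"),   # guest Wi-Fi reaching the trusted zone
    ("10.10.1.21", "10.10.5.6", 21, "tcp"),       # FTP
]

# Constructed sample: ports expected open on managed servers vs. what a scan observed.
EXPECTED_PORTS = {"10.10.5.5": {22, 443}, "10.10.5.6": {22, 443}}
OBSERVED_PORTS = {"10.10.5.5": {443, 23}, "10.10.5.6": {22, 443, 21}}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def find_unregistered(observed, registered):
    """Discovery: devices on the network whose MAC is not in the registered inventory."""
    known = {mac.lower() for mac in registered}
    return [d for d in observed if d["mac"].lower() not in known]


def find_insecure_protocols(flows):
    """Monitoring: flows to FTP/Telnet ports, which should have been disabled."""
    return [(src, dst, INSECURE_PORTS[port])
            for src, dst, port, proto in flows
            if proto == "tcp" and port in INSECURE_PORTS]


def find_zone_crossings(flows):
    """Control: traffic from the untrusted zone into the trusted zone (segmentation gap)."""
    return [(src, dst) for src, dst, _port, _proto in flows
            if zone_of(src) == "untrusted" and zone_of(dst) == "trusted"]


def find_port_drift(expected, observed):
    """Monitoring: ports that should be open but are closed (remote access possibly
    disabled by an attacker) and ports that are open but should not be."""
    drift = {}
    for host, want in expected.items():
        have = observed.get(host, set())
        missing, extra = want - have, have - want
        if missing or extra:
            drift[host] = {"missing": sorted(missing), "unexpected": sorted(extra)}
    return drift


def run_checks():
    """Run every check over the constructed samples and return the findings by check."""
    return {
        "unregistered_devices": find_unregistered(OBSERVED_DEVICES, REGISTERED_DEVICES),
        "insecure_protocols": find_insecure_protocols(FLOWS),
        "zone_crossings": find_zone_crossings(FLOWS),
        "port_drift": find_port_drift(EXPECTED_PORTS, OBSERVED_PORTS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

In practice the constructed inputs would come from the switch's MAC/ARP tables or DHCP leases, from NetFlow or firewall logs, and from a scheduled port inventory of managed hosts; the checks themselves stay the same, and each finding maps to one of the Discovery, Visibility/Monitoring or Control rows of the table.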
GREAT BAY VISION
Network Access Control
Know
• Monitor Port Usage
• Network Monitoring
• Anomalous Behavior Detection
• FTP/Telnet Traffic
Control
• Unauthorized Access
• Rogue Access Points
• Network Segmentation
• Trusted/Untrusted Zones
Enhance
• Asset Inventory/Management
• Incident Response
• Troubleshooting
See
• Discover in Real-time
• Unauthorized/Unregistered
• Rogue Access Points
THANK YOU! QUESTIONS?