CYBERSECURITY
SMALL FIRMS CYBERSECURITY GUIDANCE
HOW SMALL FIRMS CAN BETTER PROTECT THEIR BUSINESS
JULY 2014
SMALL FIRM CYBERSECURITY
DISCLAIMER
This document was prepared as an account of work within the private and public sector. Neither SIFMA nor any of its members, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by SIFMA.
EXECUTIVE SUMMARY
Small businesses are becoming increasingly dependent on devices, services and applications that connect to the internet, such as smartphones, email, social media, and cloud computing services, in an effort to increase efficiency and revenues. Through this dependence they become larger targets for cybercriminals looking to exploit technological vulnerabilities. Cybersecurity firm Symantec reports that in 2012, 31% of all cyber attacks targeted businesses with fewer than 250 employees, up from 18% in 2011.[1] Furthermore, in its 2013 Cost of Cyber Crime Study, research firm Ponemon Institute reported that smaller organizations incur a higher per capita cost from cyber attacks than larger organizations ($1,564 and $371, respectively).[2] The SEC and FINRA have also begun examinations of cybersecurity preparedness among broker-dealers. As a result, it is crucial for small financial firms to take proper cybersecurity measures (measures to protect all computing devices, networks, and information) to ensure their business data remains secure. This guide builds upon the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm’s overall business model. The end goal is not compliance with a standard but to increase cybersecurity and ensure the protection of their customers.
THREATS
CHEW (CRIMINAL - HACKTIVIST - ESPIONAGE - WAR)
Cybersecurity threats can vary in scale and motive. Understanding the likelihood of different cyber threats and their potential impacts should be the first step in helping firms understand what types of protections they need. Counter-terrorism expert Richard Clarke, who has worked as a Special Adviser to the President for Cyber Security, developed a simple way to classify the different “cyber threat actors” into four distinct categories – Crime, Hacktivism, Espionage and War (CHEW).[3]
Small firms are at greatest risk of a criminal cyber attack, which could take the form of data theft, fraud or extortion. Criminal organizations profit greatly from these attacks and are continually seeking new firms to exploit and developing methods of acquiring vital information. Hacktivism refers to actors seeking to make a political statement through attacks that are generally disruptive in nature. These attacks often involve shutting down websites or defacing insecure websites to convey their message and can pose reputational risks to a firm’s brand. Espionage and War attacks are largely perpetrated with the support of nation states, aim to inflict serious financial or physical harm on the intended target, and may look at a small firm as a gateway to disrupting the larger financial system or markets within which it operates.
[1] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
[2] http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
[3] http://www.dtcc.com/~/media/Files/Downloads/Congressional%20Testimony/DTCC_Cyber-Security-Testimony_FI-NAL_6-01-12.ashx
In the case of a systemic attack or sector-wide disruption, the Financial Services Sector Coordinating Council (FSSCC) has created the Cyber Response Coordination Guide, which enumerates sector-wide procedures for addressing the technical aspects of an attack. SIFMA’s Capital Markets Response Committee will address the business impacts and make recommendations for market open and close decisions.
For a small firm, criminal actors will pose the greatest threat. In most cases, however, prior to making security investments, we recommend contacting your local US Secret Service or FBI field office from a law enforcement standpoint, and the Office of Critical Infrastructure Protection at the US Department of the Treasury, for the latest information on the specific threats your firm may be facing.
C.H.E.W. - Motivations and Capabilities

CRIMINAL
Definition: Organized groups of criminals who hide in “cyber sanctuary” countries to launch broad-based attacks against individuals and companies for financial gain.
Motivation:
• Money
• Information to sell (e.g. credit card numbers)
Capability:
• Large number of actors
• Basic to advanced skills
• Present in nearly all countries

HACKTIVIST
Definition: Loosely organized collections of hackers launching targeted campaigns against specific entities or web sites, able to cause embarrassment and financial damage.
Motivation:
• Protest
• Revenge
• Demonstration of power
Capability:
• Large number of actors
• Tend to have limited skills
• Few with advanced skill sets and motivations

ESPIONAGE
Definition: Cyber espionage operations are largely carried out by nation-states and are extremely well-organized and well-funded. They use the stolen intellectual property to enhance their own economies.
Motivation:
• Acquiring secrets
• National security
• Economic benefit
Capability:
• Small but growing number of countries with capability
• Larger array of ‘support’

WAR
Definition: This is when the motivations of a nation-state or a terrorist group turn from intellectual property theft towards damage and destruction.
Motivation:
• Destroy, degrade, deny
• Political motivation
Capability:
• Limited number of actors
• Potential non-state actors
• Expensive to maintain
COMPONENTS OF AN EFFECTIVE PROGRAM
STRATEGIC VIEW[4]
NIST has created an approach for firms of all sizes to improve their cyber protections. This framework was the result of a collaborative effort between NIST and leading industry professionals and companies, including SIFMA. The framework is specifically designed as a broad strategic overview of cybersecurity policies, written from a business context that allows both technical and non-technical individuals to discuss the topic. The Framework comprises five functional categories:
NIST Cybersecurity Framework

Identify
- Identify at-risk data (personally identifiable information (PII), accounts, transactions, etc.)
- Assess the threat to and vulnerability of existing infrastructure
- Understand all devices connected to the network and the network structure

Protect
- Limit network access to authorized users and devices
- Educate all users on cybersecurity awareness and risk management
- Employ programs and services that secure data and networks (e.g. firewalls, file encryption, password protection, data backups)

Detect
- Exercise network monitoring to detect threats in a timely manner
- Evaluate the threat and understand its potential impact
- Look for anomalies in the physical environment among users, including the presence of unauthorized users or devices

Respond
- Contain and mitigate the event to prevent further damage
- Coordinate with stakeholders to execute a response plan and notify the proper authorities
- Once detected, notify the proper authorities
- Evaluate the response effort to improve the response plan

Recover
- Execute recovery systems to restore systems and data
- Update the response plan with lessons learned
- Resume business activities with internal and external stakeholders and manage public relations
This framework provides a holistic view of how small businesses can approach cybersecurity planning. We encourage firms to use these guidelines and the suggested approach to begin the dialogue on how to assess and improve their current cybersecurity protocols.
In order to cooperatively tackle the issue of cybersecurity across the financial industry, SIFMA strongly recommends participating in the Financial Services - Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC provides financial services firms a platform to share up-to-date threat information and best practices to mitigate these threats. As the cybersecurity threat to small businesses increases, cooperatives such as the FS-ISAC will continue to play a large role in mitigating, informing, and preventing cyber attacks.
[4] http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
IMMEDIATE ACTION ITEMS
According to Verizon’s 2013 Data Breach Investigations Report, 76% of network intrusions and the top five methods of hacking both utilized weak or stolen credentials.[5] SIFMA has adapted from the NSA cybersecurity checklist and the SANS Institute “First Five” a list of eight low-cost actions that can be implemented with relative ease and limited technical experience to combat such intrusions.
While these recommendations are not exhaustive in that they will not protect against all types of attacks and human error, they will provide small firms with adequate defense against the most common ones. For more detailed guidance on further security measures, we suggest using the SANS Institute’s Top Twenty Critical Security Controls list or the NIST Small Business Information Security guide. Links to both are included in the Additional References section at the end of the guide.
Action Item Checklist

Username and Password Protection
Strictly enforce robust password security per NIST standards, including:
- Upper and lower case letters, numbers, and symbols
- A minimum of 8 characters, avoiding common words and dates
- Passwords not used for any other credential
- Changing passwords regularly
- Deploying multi-factor authentication

Control Administrative and Privileged Access
Restrict administrative and privileged access to systems and data through preventative and detective controls, to prevent unauthorized access to or alteration of systems and/or data.

Application Whitelisting
Allow only trusted software to execute on operating systems. Prevent the execution of all other software through the use of application whitelists.

Anti-Virus, Email and Website Filters
Updated anti-virus software, in addition to web security software, greatly reduces the risk of unintentional and intentional computer infection. Additionally, personal vigilance against suspicious emails and attachments greatly reduces cyber threats.

Secure Standard Operating Systems
Standardize on trusted operating systems that meet Common Criteria. Using unsupported or outdated operating systems, such as Windows XP, presents risks to the network and critical data.

Automated Patching Tools and Processes
Utilize automatic software updates and spot-check that updates are applied frequently, to ensure software currency and reduce the risks associated with out-of-date, vulnerable software.

Back Up Data Regularly
Investing in and using cloud or physical external hard-drive backup systems provides an additional level of security for important data in the event that information is destroyed.

Mobile Device Security and Encryption of Data
Ensure that mobile devices are secured with passwords and that their data is encrypted, in the event of loss.
[5] http://www.tripwire.com/state-of-security/security-data-protection/five-quick-wins-from-verizons-2013-data-breach-investigations-report-2/
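The password rules in the checklist above, as an added example that is not part of the SIFMA guide: a Python check that reports which of the listed rules a candidate password fails. The common-word list is a constructed stand-in for a real dictionary; reuse across credentials, regular rotation and multi-factor authentication are process controls that no single-password test can verify.

```python
"""Password policy check encoding the checklist's password rules.

Added example, not part of the SIFMA guide. The common-word list is a
constructed stand-in for a real dictionary or breached-password feed.
"""
import re

MIN_LENGTH = 8

# Constructed stand-in for a dictionary of common words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "trading"}

# Simple substitutions people use to disguise dictionary words (P@ssw0rd -> password).
_LEET = str.maketrans("@03$1", "aoesi")

# Dates embedded in passwords: a 4-digit year or a 6- to 8-digit date string.
_DATE_RE = re.compile(r"(19|20)\d{2}|\d{6,8}")


def password_findings(pw: str) -> list[str]:
    """Return the checklist rules the candidate password fails (empty list = passes).

    Reuse across credentials, regular rotation and multi-factor authentication
    are process controls and cannot be judged from the password string alone.
    """
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        findings.append("no upper case letter")
    if not re.search(r"[a-z]", pw):
        findings.append("no lower case letter")
    if not re.search(r"\d", pw):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no symbol")
    # Undo simple substitutions before the dictionary check so P@ssw0rd is caught.
    normalized = pw.lower().translate(_LEET)
    if any(word in normalized for word in COMMON_WORDS):
        findings.append("contains a common word")
    if _DATE_RE.search(pw):
        findings.append("contains a date or year")
    return findings


def meets_policy(pw: str) -> bool:
    """True when the password fails none of the checklist rules."""
    return not password_findings(pw)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Summer2014!", "P@ssw0rd", "short1A", "Tr4de-w1nds#Ke"]:
        print(candidate, "->", password_findings(candidate) or "meets policy")
```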
TECHNICAL SOLUTIONS
Firms in most cases need third party solutions to enable an effective cybersecurity program. To enable the seven suggested actions above, we have listed below a few cybersecurity solutions within each category that firms should consider to jumpstart their search for the correct solution to fit their needs. It is important to note that third party vendors must be held to high standards, especially if they have access to sensitive information or are critical to business operations.
BUSINESS CYBERSECURITY SOLUTIONS[6]

USERNAME AND PASSWORD PROTECTION
LastPass; Dashlane; Roboform; Keeper; Passpack; Common Key; Zoho (Vault)

CONTROL ADMINISTRATIVE PRIVILEGES
BeyondTrust (PowerBroker); Cyber-Ark (PIM); Dell SecureWorks (eDMZ); HP Enterprise Security (ArcSight ESM, ArcSight Identity View); Intellitactics (SecurityManager); nCircle (CCM); Security Compliance Corp (Access Auditor); Symantec (CCS); Tripwire (Enterprise, Log Center); Xceedium (Xsuite)

APPLICATION WHITELISTING
Bit9; IBM (Tivoli Endpoint Manager {BigFix}); Lumension (Vulnerability Management); Microsoft (System Center); Tripwire (Enterprise, Log Center)

ANTI-VIRUS, EMAIL AND WEBSITE FILTERS
Bromium (vSentry); Invincea (Enterprise); Kaspersky (Administration Kit); McAfee (ePolicy Orchestrator); Microsoft (Forefront, System Center); Sophos (Endpoint Protection); Symantec (SEP)
[6] Vendors sourced from the SANS Institute
SECURE STANDARD OPERATING SYSTEM
Tripwire (Enterprise)

NETWORK SECURITY ANALYSIS
Algosec (Firewall Analyzer & FireFlow); Athena (FirePAC); Firemon (Security Manager); RedSeal Networks (Network Advisor); SolarWinds (Network Configuration Manager)

VULNERABILITY SCANNING & MANAGEMENT
Dell SecureWorks (Managed Web App Firewall, Web Application Testing); Qualys (Qualys Guard WAS); NTO (NTO Spider); WhiteHat Security (Sentinel); Tenable (Nessus, Security Center); nCircle (CCM, IP360); Qualys (QualysGuard Policy Compliance Module); Secunia (Corporate Software Inspector)

SECURE APPLICATION DEVELOPMENT
Cenzic (Hailstorm Enterprise); Checkmarx (Checkmarx); Coverity (Save); HP (Fortify 360, Fortify on Demand, WebInspect); IBM (Ounce Labs Core, Appscan); Veracode (Static/Dynamic)

FORENSIC TOOLS
AccessData (AccessData FTK and PRTK); ElcomSoft (ElcomSoft EFDD – Bitlocker); Guidance Software (Encase Enterprise Edition); Mandiant (Mandiant Platform)

BACKUP TOOLS
Acronis Backup & Recovery; Genie Backup Manager; Paragon Backup & Recovery; NTI Backup Now; Rebit; Acronis TrueImage; Norton Ghost; Paragon Hard Disk Manager Suite; ShadowProtect Desktop; NovaBACKUP
TRAINING
There are a variety of service providers that offer comprehensive training in cybersecurity best practices. Recurring cybersecurity training helps ensure a uniform understanding of policies and practices within the company and limits human error. InfraGard is a cooperative between the FBI and private companies that operates over 80 chapters across the United States and offers free membership to businesses seeking to learn more about cybersecurity issues and training. Along with becoming a member of the FS-ISAC, it is recommended that the firm join this organization in order to gain access to threat alerts and regular briefings from law enforcement. Additional IT training is available through a variety of organizations and certification programs.
DHS/FEMA STATE CYBERSECURITY TRAINING PROGRAM
Cybersecurity for Everyone – Non-Technical Courses:
AWR 175 – Information Security for Everyone
AWR 174 – Cyber Ethics
AWR 168 – Cyber Law and White Collar Crime
Cybersecurity for Business Professionals – Business Managers Courses:
AWR 176 – Business Information Continuity
AWR 177 – Information Risk Management
AWR 169 – Cyber Incident Analysis and Response
For a complete list of courses visit: http://teex.com/teex.cfm?pageid=NERRTCprog&area=NERRTC&templateid=1856
CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE (SEI) CERT TRAINING
Risk Assessment Courses:
Introduction to the CERT Resilience Management Model
Practical Risk Management: Framework and Methods
CENTER FOR INFORMATION SECURITY AWARENESS (CFISA) COURSES
InfraGard Awareness Course / Information Security Awareness In The Workplace Course
ADDITIONAL TRAINING RESOURCES:
MS-ISAC – https://msisac.cisecurity.org/resources/videos/free-training.cfm
Stay Safe Online – http://staysafeonline.org/business-safe-online/train-your-employees
POINTS OF CONTACT
In the event of a security breach, it is important to alert authorities and to have a business continuity or disaster recovery plan, including internal points of contact. File a report with local law enforcement so there is an official record of the incident. Furthermore, firms should report online crime or fraud to their local office of the United States Secret Service (USSS) or FBI. In addition, make sure your primary regulator is aware as well.
Points of Contact

FBI Field Offices: www.fbi.gov/contact-us/field
USSS Field Offices: www.secretservice.gov/field_offices.shtml
CY-WATCH (FBI/USSS): Phone 855.292.3937
SIFMA Market Emergency: Phone 646.934.6406
FS-ISAC Security Operations Center: Phone 877.612.2622
Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC): Phone 703.235.8832
US Department of the Treasury Office of Critical Infrastructure Protection and Compliance Policy (OCIP)
In addition, 47 states have enacted laws that outline who must be notified in the event of a security breach. The list below indicates the reporting requirements per state.
National Conference of State Legislatures Security Breach Notification Laws
FEEDBACK
Please direct any questions or comments about this product to the Operations, Technology and Business Continuity team at SIFMA via Karl Schimmeck at [email protected].
ADDITIONAL RESOURCES
• Australian Department of Defence Strategies to Mitigate Targeted Cyber Intrusions
• FBI InfraGard Program
• FCC Cybersecurity for Small Businesses
• FCC Cybersecurity Planner
• FINRA Cybersecurity Targeted Examination Letter
• FINRA Cybersecurity Targeted Examination Letter Questions
• Financial Services-Information Sharing and Analysis Center
• FFIEC Cybersecurity Resource Center
• National Cyber Security Alliance
• NIST Computer Security Resource Center
• NIST Cybersecurity Framework
• NIST Small Business Corner
• NIST Small Business Information Security: The Fundamentals
• NSA/IDA Top 10 Information Assurance Mitigation Strategies
• On Guard Online
• SANS Top 20 Critical Security Controls
• Securities and Exchange Commission Office of Compliance Inspections and Examinations Cybersecurity Initiative (SEC OCIE)
• US Chamber of Commerce Internet Security Essentials for Small Business
• US Computer Emergency Readiness Team (CERT) Home Network Security Guide