W. Jackson Schultz, CISA, Senior IT Audit & Security Consultant
25 Braintree Hill Office Park, Suite 102, Braintree, MA 02184 • Phone: (617) 471-1120 • Fax: (617) 472-7560 • http://www.ocd-tech.com
A Division of O’Connor & Drew, P.C.
VA’S, PT’S, AND THE FFIEC (OH MY)
SESSION GOALS
Goals:
• Provide an overview of cybersecurity
• Current and emerging threats
• Regulations and requirements
• Commonly discovered vulnerabilities
AGENDA
Introductions
Current state of cybersecurity
Compare vulnerability assessment and penetration test
What the regulations actually mean
Vulnerabilities that we discover on a regular basis
W. JACKSON SCHULTZ
Jackson is a senior auditor with OCD Tech. Prior to joining the firm, Jackson was a security consultant for a boutique consulting firm with a focus on financial services and HIPAA covered entities. In addition, Jackson has assisted multiple organizations in aligning their governance structure to ISO 27001. Currently, Jackson performs IT audit control testing for O’Connor & Drew clients.
Recent assignments include:
• Managed CISO
• Interim CTO
• ITGC and Audit
• IT and Information Security Risk Assessment
• Disaster Recovery and Business Continuity Planning (DR/BCP)
• Digital Forensics
Education
• Candidate for Executive Master in Cybersecurity, Brown University
• Bachelor of Science in Computer Science with Upsilon Pi Epsilon Distinction, Salem State University
Certifications & Memberships
• Certified Information Systems Auditor (CISA), ISACA
• Information Systems Audit & Control Association
• Information Systems Security Association (ISSA)
• Member, InfraGard, a partnership between the private sector and FBI
• Member, Cloud Security Alliance (CSA)
• Member, ISSA New England
ESTABLISHED
1949
HIGHLY COMPETENT:
CISA CRISC CISSP C|EH
STANDARDS-DRIVEN:
COBIT NIST SANS ISO
INDUSTRIES
• Financial Services
• Automobile Dealerships
• Real Estate
• Higher Education
• Not-for-Profit
• Government Entities
SERVICES
• IT Audit
• IT Vulnerability Assessments
• Physical Security Evaluation
• Penetration Testing
• Wi-Fi Vulnerability Assessment
• Confidential Data Review
• Backup Infrastructure Evaluation
• Firewall Testing
• End User Education
• Sarbanes Oxley 404 Testing
• FFIEC Cybersecurity Assessment
• Service Organization Control (SOC) Reports
• NIST Cybersecurity Framework Evaluations
WHY IS THIS IMPORTANT?
HTTP://FORTUNE.COM/2016/06/15/DATA-BREACH-
“Data Breaches Now Cost $4 Million on Average” - Fortune 6/15/16
SMALL BUSINESS HEADTRASH
“I’m too small to be a target - I won’t get breached”
DATA is what makes a target… not size.
It’s easier to rob a home than a museum.
FFIEC GUIDANCE
As community bankers know, the Federal Financial Institutions Examination Council (FFIEC) is the governing body for financial institutions.
This group is made up of individual regulators, namely the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). Additionally, they include a state liaison representative.
GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a consumer protection law put in place to protect US citizens banking with US financial institutions.
Mandates under GLBA can be covered through periodic vulnerability scanning as well.
5 GOALS
1) Identify and recognize the various risks that could lead to customer/member information compromise (and affect the financial goals and liquidity of the institution).
2) Ensure a written plan exists that contains relevant policies and procedures commensurate with the level of risk within the institution.
3) Implement security controls that meet compliance requirements, are in line with internal policies, and truly lower risk to the institution.
4) Consistently test security within the technical environment to ensure that the technical safeguards put in place exist and are functioning as intended.
5) Monitor the plan and adapt as needed. As the technical environment, business objectives, and risk ratings change, the security plan should be adjusted as appropriate.
FFIEC GUIDANCE
The FFIEC uses the IT Examination Handbook as the document with which it expects financial institutions to comply.
The area of focus during today’s discussion is IT Booklets » E-Banking » Risk Management of E-Banking Activities » Information Security Program » Information Security Controls.
Specifically, this section states:
WHAT DOES THIS MEAN?
The regulators are looking to see that financial institutions have a formal testing plan in place to identify control effectiveness and remediation within the technical environment.
CAT - CYBERSECURITY ASSESSMENT TOOL
The FFIEC rolled out the CAT, and its last update was in May 2017.
The goal of this is to help provide financial institutions with a better understanding of where their risks lie.
They say, “The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”
Additionally, the FFIEC has rolled out the Cybersecurity Assessment Tool, also called the CAT, to help guide financial institutions towards maturing their cyber environment.
Baseline controls are the minimum standards that financial institutions are expected to meet. These map to the FFIEC IT Handbook.
If you really want to impress them… advanced is a 4/5, innovative is 5/5.
One more - this is another area, change management and remediation. Vulnerability scans can be performed here too, with the goal of making sure that nothing was overlooked.
Gold star - innovative control. These controls are not for everyone. This assessment is more or less a risk assessment, and controls should be commensurate with the risk level.
As you can see, vulnerability assessments are talked about a lot.
But what exactly are they looking for?
VULNERABILITY ASSESSMENT
A vulnerability assessment is a scan designed to identify flaws in a network design that could lead to business interruption or be exploited by a malicious individual.
A vulnerability scan is used in the preliminary stages of a penetration testing engagement, or when an individual is trying to get a sense of what vulnerabilities or assets exist on a network.
VULNERABILITY SCANS APPLIED
When assessing an environment, our first step is to perform a vulnerability scan. Through this, our hope is to gain a sense of what assets are maintained within the institution. We will want to gather a list of what equipment, human resources, and services are running in the background.
From here, we will identify vulnerabilities that affect the institution’s environment and could carry both a technical and organizational impact.
NESSUS OUTPUT
THE PERSONAL TOUCH
There needs to be a personal assessment performed to follow up on findings reported through vulnerability assessment.
PENETRATION TEST
A penetration test is best described as the exploitation of the discovered vulnerabilities, with the goal of seeing how far they lead.
A penetration test is typically performed by a third-party company that is engaged to test the security of the technical environment. These tests can be performed in black box, white box, or gray box style.
BLACK BOX TESTING
Black box testing - the testing of a system without prior knowledge of the environment itself. Oftentimes, this type of testing best simulates a hacker’s intrusion.
WHITE BOX TESTING
White box testing - also called clear box testing, this involves testing a system with full knowledge of the architecture, network diagrams, and source code (if applicable). This type of testing helps a company understand where the majority of the risks truly lie.
GRAY BOX TESTING
Gray box testing - somewhere in the middle. This type of testing typically involves some prior knowledge of the system or environment. In gray box testing engagements, the assessor has typically reviewed network design or architecture documents, but nothing more.
There is no one-size-fits-all approach to the type of testing that your environment will benefit from.
This all depends on what you hope to gain from the results of the test.
Oftentimes, when we are contracted to perform a black box testing engagement, we do our best to leverage open source intelligence (OSINT) found in the public domain. This could be information related to a corporate-sponsored initiative, email addresses that can be found on a website, or a netblock of IP addresses that the institution is using.
We will visit a variety of sources or utilize a number of tools to gain this information.
We will leverage an internally developed Pastebin scraping technology, or use theHarvester, Discover, Hunter, or Maltego to provide us with this information.
Typically, we will look for and record:
- Physical Locations
- Employees/Email Addresses
- Registered Public Domain Names
- Registered Netblock IP Addresses
- Registered Public IP Addresses
- Wireless SSIDs
COMMON ITEMS IDENTIFIED
When we perform this kind of testing, many of the organizations for whom we work share similar items noted by our auditors. Some of the most common ones are here:
UNPATCHED SYSTEMS
Typically, when a vulnerability assessment is performed, it’s very common for us to find unpatched software, in both Windows and third-party systems (including antivirus).
It’s important to run a Windows patching software, like Windows Server Update Services (WSUS), and also use a product that allows for the patching of third-party software, such as Adobe and Java.
Internal scans can be performed to check the status of the software being patched.
DEFAULT CREDENTIALS
Another commonly found vulnerability is default credentials on a variety of systems.
These have even appeared on domain controllers in the past.
It’s important to mandate in policy that default credentials are required to be changed when rolling out new systems or devices.
This is a vulnerability often overlooked, and one that malicious individuals will try to exploit when attempting to virtually break in.
SUBNET VS. VLAN
Many times, subnets can be confused with virtual local area networks (VLANs). This is a common misconception which can lead to a misconfiguration.
VLANs allow for an organization to create separate logical and physical networks.
Subnetting, however, only allows for separate logical networks. This means that the information traveling across one subnet can be accessed by an individual on another subnet through a shared asset - a switch.
Traffic traveling through a switch can be seen by all other hosts also traveling through this switch.
END OF LIFE SYSTEMS
The major technology companies consistently make upgrades to their software and systems.
This means that inevitably, older technologies will be outdated and these companies will no longer support them.
They will issue a statement that these are no longer receiving updates, which makes them vulnerable to attack.
Examples of this are Windows XP and Windows Server 2003.
Windows XP machines can be found (somewhat commonly) on ATMs.
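The vulnerability-scan step described earlier (gather the hosts and services, then pull out the vulnerabilities that matter) and the three recurring findings above (unpatched software, default credentials, end-of-life systems) can both be driven from the scanner's own export. The script below is an added example, not the firm's tooling or a Nessus product feature: it parses a constructed sample in the Nessus v2 (.nessus XML) layout into an asset inventory and groups the non-informational findings into those three categories by keyword. The plugin IDs, plugin names and hosts in the sample are made up for illustration, and the keyword lists are an assumption about how such plugins are named, to be tuned against real output.

```python
"""Turn a Nessus v2 (.nessus XML) export into what a vulnerability assessment
should yield: an inventory of hosts/services and findings grouped into the
recurring categories (unpatched, default credentials, end of life)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the NessusClientData_v2 layout. Hosts, plugin IDs and
# plugin names are illustrative only; child elements like plugin_output are omitted.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="internal-scan">
  <ReportHost name="10.0.10.5">
   <HostProperties>
    <tag name="host-ip">10.0.10.5</tag>
    <tag name="operating-system">Microsoft Windows Server 2003</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
    pluginFamily="Windows" pluginName="Microsoft Windows Server 2003 Unsupported Installation Detection"/>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="0" pluginID="900002"
    pluginFamily="Service detection" pluginName="Terminal Services Detection"/>
  </ReportHost>
  <ReportHost name="10.0.10.20">
   <HostProperties>
    <tag name="host-ip">10.0.10.20</tag>
    <tag name="operating-system">Microsoft Windows Server 2016</tag>
   </HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="900003"
    pluginFamily="Windows : Microsoft Bulletins" pluginName="Windows Security Update Missing (constructed)"/>
  </ReportHost>
  <ReportHost name="10.0.10.254">
   <HostProperties>
    <tag name="host-ip">10.0.10.254</tag>
    <tag name="operating-system">Embedded switch firmware</tag>
   </HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="4" pluginID="900005"
    pluginFamily="Default Unix Accounts" pluginName="Default Password for Administrative Account"/>
   <ReportItem port="80" svc_name="http" protocol="tcp" severity="0" pluginID="900006"
    pluginFamily="Web Servers" pluginName="HTTP Server Type and Version"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Assumed keyword heuristics for plugin names; tune against real scanner output.
EOL_WORDS = ("unsupported", "end of life", "end-of-life", "no longer supported")
DEFAULT_CRED_WORDS = ("default password", "default credential", "default account")
PATCH_WORDS = ("security update", "missing patch", "unpatched")


def parse_report(xml_text):
    """Return one dict per ReportHost: ip, os, and its ReportItem findings."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        items = [{
            "port": int(ri.get("port")), "protocol": ri.get("protocol"),
            "service": ri.get("svc_name"), "severity": int(ri.get("severity")),
            "plugin_id": ri.get("pluginID"), "plugin_name": ri.get("pluginName"),
            "family": ri.get("pluginFamily", ""),
        } for ri in host.iter("ReportItem")]
        hosts.append({"ip": props.get("host-ip", host.get("name")),
                      "os": props.get("operating-system", "unknown"), "items": items})
    return hosts


def categorize(item):
    """Map a finding onto the deck's recurring categories. Severity-0 plugins are
    informational (they feed the inventory), so they are not findings."""
    if item["severity"] == 0:
        return None
    name, family = item["plugin_name"].lower(), item["family"].lower()
    if any(w in name for w in EOL_WORDS):
        return "end of life"
    if any(w in name for w in DEFAULT_CRED_WORDS) or family.startswith("default"):
        return "default credentials"
    if any(w in name for w in PATCH_WORDS) or "microsoft bulletins" in family:
        return "unpatched software"
    return "other"


def inventory(hosts):
    """ip -> (os, sorted listening services). Port 0 marks a host-level plugin,
    not a service, so it is skipped."""
    return {h["ip"]: (h["os"], sorted({f'{i["protocol"]}/{i["port"]} {i["service"]}'
                                       for i in h["items"] if i["port"] > 0}))
            for h in hosts}


def summarize(hosts):
    """category -> list of (ip, severity name, plugin name), highest severity first."""
    out = defaultdict(list)
    for h in hosts:
        for i in h["items"]:
            cat = categorize(i)
            if cat:
                out[cat].append((i["severity"], h["ip"], i["plugin_name"]))
    return {cat: [(ip, SEVERITY_NAMES[sev], name) for sev, ip, name in sorted(v, reverse=True)]
            for cat, v in out.items()}


if __name__ == "__main__":
    scanned = parse_report(SAMPLE_NESSUS)
    print("ASSET INVENTORY")
    for ip, (os_name, services) in inventory(scanned).items():
        print(f"  {ip:<12} {os_name:<30} {', '.join(services) or '-'}")
    print("FINDINGS BY CATEGORY")
    for cat, findings in summarize(scanned).items():
        print(f"  {cat}")
        for ip, sev, name in findings:
            print(f"    [{sev}] {ip}: {name}")
```

The inventory is the "what equipment and services exist" answer the scan is run for in the first place, and the category summary is what the follow-up personal assessment starts from; the "other" bucket is where findings that do not fit the three recurring patterns land for manual review.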
AS A BONUS
The regulators want to see information sharing about vulnerabilities found in your network!
IN CONCLUSION
The FFIEC is the regulatory body that assesses the security of financial institutions.
Vulnerability scanning and penetration testing are required under FFIEC guidelines and GLBA.
Vulnerability scanning yields a solid understanding of how an environment is configured.
Penetration testing is the act of mimicking a hacker in an attempt to break in.
Many of the same types of findings are found at each institution with whom we work.
Perform both vulnerability assessments and penetration tests regularly to help keep a strong level of security.
25 Braintree Hill Office Park
Suite 102
Braintree, MA 02184
Telephone: (844) OCD-TECH
A DIVISION OF O’CONNOR & DREW, P.C.
Thank You!
Questions?
@TheOCDTech
@OCDCPA
http://www.ocd-tech.com
http://www.ocd.com