2/9/2015

1

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Dr. Kevin Streff

Founder, Secure Banking Solutions

4th Annual UBA Bank Executive

Winter Conference, February 2015

1

Board of Directors and Management Team is Responsible for Security

On a scale of 1 to 10, grade your board’s ability to:

• Understand cyber risks

• Give attention and resources to cyber risks

What Can You Do?

Layered Security Approach

Top Security Threats

1. Hacking

2. Data Leakage

3. Social Engineering

4. Corporate Account Takeover

5. ATM

“Small and medium sized banks are in the cross-hairs of the cyber criminal”

Howard Schmidt, Cybersecurity Secretary for the White House

Most threats involve installing MALWARE

Hacking

Threat #1

Hacker Tools Examples

• Tools to hack your bank are downloadable – http://sectools.org/

• Default passwords are all available – http://www.phenoelit.org/dpl/dpl.html

• An economy is available to sell stolen data (“underground markets”) – http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

Data Leakage

Threat #2

Data Leakage

• Data Leakage is about insiders leaking customer information out of your bank

• Most attention is paid to outsiders breaking into your network (aka hackers)

• Malicious Behavior

• Accidental

Misuse of Bank Computers

Social Engineering

Threat #3

Social Engineering

• What is Social Engineering?

– Exploitation of human nature for the gathering of sensitive information.

– A tool attackers use to gain knowledge about employees, networks, vendors or other business associates.

Sample Social Engineering Methods

• Phishing/Pharming

• Telephone (Remote Impersonation)

• Dumpster Diving

• Impersonation

• E-mail Scams

• USB Sticks

Corporate Account Takeover

Threat #4

Small Business Security

• 70% lack basic security controls

• Conduct a risk assessment looking for these basic security controls

– Firewall

– Strong passwords

– Malware protection

– Etc.

Finger Pointing?

Bottom Line: You Lose Customers

ATM Fraud

Threat #5

Skimmer Camera

Question

• How long does it take to install a skimmer?

• http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/

ATM Cyber Heists

Question for Boards & Mgmt Team

What is your bank doing to mitigate the risks of:

– Hacking

– Data Leakage

– Social Engineering

– Corporate Account Takeover

– ATM Fraud

Answer Should Be:

1. Layered Security Program

2. Risk Assessment

3. Customer Awareness and Education

4. Effective Auditing

Layered Information Security Program for Your Bank

• I.T. Risk Assessment

• Asset Management

• Vendor Management

• Penetration Testing

• Vulnerability Assessment

• Security Awareness

• Business Continuity

• Incident Response

• I.T. Audit

Documentation

Boards & Committees

2014 FFIEC Cybersecurity Assessments

Cybersecurity & Critical Infrastructure Working Group (CCIWG)

• Targeted regulatory exams

• In June 2013, the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCIWG)

• Approximately 500 assessments of institutions with $1 billion or less in assets

• Information gathering and learning mode

• Report finalized in mid-2014 and applied to all exams moving forward

Cybersecurity Assessment Scope

• Exams build upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook

• Assesses the complexity of an institution’s operating environment.

• Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:

– Risk Management and Oversight

– Threat Intelligence and Collaboration

– Cybersecurity Controls

– External Dependency Management

– Cyber Incident Management and Resilience

• https://www.ffiec.gov/pdf/cybersecurity/2014_June_FFIEC-Cybersecurity-Assessment-Overview.pdf

Summary of Results

• Strong risk management program

• Enhanced vulnerability assessment program

• Share and collaborate cyber security information with other institutions

• Enhanced vendor management program

• Enhanced incident response plans

• Training and education on information (cyber) security is going to be emphasized

• Board participation and education involving information security is going to be EXAMINED and REGULATED

• Are you keeping your Boards apprised of cyber security issues and how your institution is responding?

Cybersecurity Training

1. “Routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture.”

• Boards are going to be held to a higher standard!

• Do you review loans at Board meetings? Better start reviewing Information Security items as well!

2. “While most financial institutions understand the need to train employees on cybersecurity risk management, the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis.”

• The more educated and knowledgeable your people are, the more risk you reduce!

Section 1 – Cybersecurity Inherent Risk

Findings and Concerns

• Regulators are concerned that you don’t have all your connections, systems, and products inventoried

• Regulators are concerned that every connection, system, and product is not hardened

• Regulators are concerned that your risk assessment process is inadequate

• Regulators are concerned that your enterprise risk management program does not accurately reflect cyber risk

Section 1 – Cybersecurity Inherent Risk

FFIEC Questions

1. What type of connections does your bank have?

2. How are you managing these connections to deal with evolving threats and vulnerabilities?

3. Do you need all your connections?

4. How do you evaluate evolving threats and vulnerabilities in your risk assessment process?

5. How do your connections and technologies collectively affect your bank’s risk posture?

Section 1 – Cybersecurity Inherent Risk

Management Actions

• Expand your bank’s network diagram to include all bank connections

• Update your risk assessment to reflect the additional inherent risk these connections introduce

• Automate risk assessment to calculate inherent risk metrics and measurements

• Mature the bank’s enterprise risk management program to include cybersecurity inherent risk

• Ensure the next I.T. audit thoroughly examines cybersecurity inherent risk

Section 2 – Cybersecurity Preparedness

FIVE Topics

1. Risk Management and Oversight

2. Threat Intelligence and Collaboration

3. Cybersecurity Controls

4. External Dependency Management

5. Cyber Incident Management & Resilience

Section 2 – Cybersecurity Preparedness

Topic 1 – Risk Management & Oversight

1. Involves risk assessment and management

2. Involves allocating human and financial resources

3. Includes governance and compliance

4. Includes awareness, training and education

Section 2 – Cybersecurity Preparedness

Topic 1 – Risk Management & Oversight

Findings and Concerns

1. Board and senior management are not regularly discussing cyber threats.

2. Board and senior management are not setting the tone at the top

3. Board and senior management are not properly trained to do their jobs to manage cyber risks

4. Training must be current and regular (not once a year)

5. Banks are vulnerable to social engineering attacks
Section 2 – Cybersecurity Preparedness

Topic 1 – Risk Management & Oversight

FFIEC Questions

1. What is the process to ensure ongoing and routine discussions by the board and senior management about cyber threats to your bank?

2. How is accountability determined for managing cyber risks across the bank? Does this include management’s accountability for business decisions that may introduce new cyber risks?

3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks?

Section 2 – Cybersecurity Preparedness

Topic 1 – Risk Management & Oversight

Management Actions

• Draft an information security strategy and have all management and board members sign off

• Have a standing item on the board agenda: cybersecurity

• Set the tone from the top

• Automate risk assessment to calculate residual risk metrics and measurements

• Mature the bank’s enterprise risk management program to include cybersecurity residual risk

Section 2 – Cybersecurity Preparedness

Topic 1 – Risk Management & Oversight

Management Actions

• Ensure the next I.T. audit thoroughly examines cybersecurity residual risk

• Conduct social engineering tests each quarter:

– Q1: Dumpster Dive

– Q2: Phishing Scam

– Q3: Pretext Calling

– Q4: Physical Impersonation

• Ensure the next I.T. audit thoroughly examines the security awareness program, management/board credentials, and roles/responsibilities

What Can You Do?

• Focus on a program

• Get good at risk assessment

– Focus them on the big 5 threats

• Put information in a form they can understand

• Involve Board members in your bank’s security awareness program

• Train them

Section 2 – Cybersecurity Preparedness

Topic 2 – Threat Intelligence/Collaboration

FFIEC Questions

1. What is the process to gather and analyze threats?

2. How is accountability determined for managing cyber risks across the bank? Does this include management’s accountability for business decisions that may introduce new cyber risks?

3. What is the process for ensuring ongoing employee awareness and effective response to cyber risks?

Section 2 – Cybersecurity Preparedness

Topic 2 – Threat Intelligence/Collaboration

Findings and Concerns

1. Threat intelligence is lacking in banks

2. Banks rely on media reports, which are reactive and insufficient

3. Monitoring of event logs is insufficient

Section 2 – Cybersecurity Preparedness

Topic 2 – Threat Intelligence/Collaboration

Management Actions

1. Build threat intelligence capability

2. Build relationships with FS-ISAC, InfraGard, and other threat intelligence groups

3. Improve monitoring of event logs to identify patterns and problems

4. Build relationships with law enforcement prior to an incident occurring

InfraGard Certification

• Training program for staff on information security

– The InfraGard Awareness information security awareness course is FREE to all individuals and small businesses with 25 or fewer employees.

• Send your Board through this program!

• https://infragardawareness.com/

• Twelve lessons (4-9 minutes each)

• Optional certificate to hang in the workplace

Section 2 – Cybersecurity Preparedness

Topic 3 – Cybersecurity Controls

Findings and Recommendations

1. Preventative controls have been the focus

2. Detective and corrective controls are lacking

3. Vulnerability assessments are insufficient

4. Penetration testing is insufficient

5. Banks should take an enterprise view of IT risk

6. Vulnerability remediation is lacking

Section 2 – Cybersecurity Preparedness

Topic 3 – Cybersecurity Controls

FFIEC Questions

1. What is the process for determining and implementing controls?

2. Does the process call for a review and update of controls when changing the I.T. environment?

3. What is the process for classifying data and determining appropriate controls based on risk?

4. What is the process for ensuring that risks identified are remediated?

Section 2 – Cybersecurity Preparedness

Topic 3 – Cybersecurity Controls

Management Actions

1. Improve detective and corrective controls

2. More frequent and deeper vulnerability assessments

3. More frequent and deeper penetration testing

4. Implement/mature enterprise risk management

5. Improve vulnerability remediation

Action Tracking

Section 2 – Cybersecurity Preparedness

Topic 4 – Vendor Management

Findings and Recommendations

1. Many banks have processes in place to manage vendors

2. Many banks lack documented roles & responsibilities in the contract/incident response plan

Section 2 – Cybersecurity Preparedness

Topic 4 – Vendor Management

FFIEC Questions

1. How is the bank connecting to third parties and ensuring that they are managing cybersecurity controls?

2. What are third parties’ responsibilities during a cyber attack? Are they outlined in an incident response plan?

Section 2 – Cybersecurity Preparedness

Topic 4 – Vendor Management

Management Actions

1. Document how the bank is connecting to third parties and ensuring that they are managing cybersecurity controls

2. Document in the contract/incident response plan the roles & responsibilities of third parties during a cyber attack

Section 2 – Cybersecurity Preparedness

Topic 5 – Incident Management

Findings and Recommendations

1. Internal and external communication is often lacking to handle a cyber incident

2. Cyber incident scenarios are inadequately incorporated into the bank’s business continuity and disaster recovery plans

3. BCP/DR plans are often not sufficiently tested

Section 2 – Cybersecurity Preparedness

Topic 5 – Incident Management

FFIEC Questions

1. In the event of a cyber attack, how will the bank respond internally and with customers, third parties, regulators and law enforcement?

2. How are cyber incident scenarios incorporated into the bank’s business continuity and disaster recovery plans?

3. Have BCP/DR plans been tested?

Section 2 – Cybersecurity Preparedness

Topic 5 – Incident Management

Management Actions

1. Work to improve internal and external communication to handle a cyber incident

2. Incorporate cyber incident scenarios into the bank’s business continuity and disaster recovery plans

3. Sufficiently test BCP/DR plans

SBS Certified Board Member

Risk Assessment Schedule
Auditing Results

U.S. Department of Treasury Press Release, December 2014

1. Is cyber risk part of our current risk management framework?

2. Do we follow the NIST Cybersecurity Framework?

3. Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?

4. Do we have cyber risk insurance?

5. Do we engage in basic cyber hygiene?

6. Do we share incident information with industry groups? If so, when and how does this occur?

7. Do we have a cyber-incident playbook and who is the point person for managing response and recovery?

8. What roles do senior leaders and the board play in managing and overseeing the cyber incident response?

9. When and how do we engage with law enforcement after a breach?

10. After a cyber incident, when and how do we inform our customers, investors, and the general public?

False Sense of Security

Contact Info

• Dr. Kevin Streff

– Dakota State University

• [email protected]

• 605.256.5698

– Secure Banking Solutions, LLC

• www.protectmybank.com

• [email protected]

• 605.270.0790