Cyber Security Update - Surrey 1- North…
northerntrust.com | © 2017 Northern Trust

CORPORATE RISK MANAGEMENT
Business and Cyber Security Update
Surrey County Council Pension Fund

Darren Seary
Senior Vice President
Information Security and Technology Risk Management

Richard Smith
Relationship Manager
Institutional Investor Group

Page 93
NORTHERN TRUST: BUSINESS PROFILE
A highly focused business model supporting two client bases across a single operating platform.

Strength and Stability                  Value
Assets under custody (Q2 2017)          US$ 7.4 trillion
Assets under management (Q2 2017)       US$ 1 trillion
S&P long term debt rating               AA-
Tier 1 capital ratio                    13.4 %
Office locations (countries)            25
Client locations (countries)            56
Revenue (Full Year 2016)                US$ 4.96 billion
Net income (Full Year 2016)             US$ 1.03 billion

Wealth Management – leading advisor to the affluent market: individuals, families, family offices, foundations, endowments, privately held businesses.

Institutional Services – global provider of investment services for institutional investors: pensions, sovereign entities, fund managers, foundations & endowments, insurance companies.

Single operating platform: Asset Management, Asset Servicing, Banking.

As at 31/12/2016 (updated annually). Source: Northern Trust
GLOBAL COVERAGE, LOCAL EXPERTISE

Office locations shown: New York, Toronto, Chicago, Tempe, Dublin, Limerick, London, Guernsey, Amsterdam, Luxembourg, Frankfurt, Stockholm, Abu Dhabi, Riyadh, Bangalore, Pune, Singapore, Kuala Lumpur, Hong Kong, Beijing, Seoul, Tokyo, Manila, Melbourne, Sydney

Clients in 56 countries
20,839 staff worldwide*
Services in 103 markets
A network of offices in 19 states and Washington D.C.

*Total employees, 17,604 of which are permanent
As at 03/31/2017 (updated quarterly). Source: Northern Trust
INDUSTRY THREATS AND RISKS TO NORTHERN TRUST
Cyber attacks growing in size and complexity…

Threat Landscape
• Ransomware
• Attacks on Payment Systems (SWIFT)
• DDoS Attacks
• Social Engineering
• Next-Gen Malware
• Malicious Insiders
• Hacktivists & Nation States
• Advanced Spear Phishing

• Boards More Cyber Conscious
• Increased Regulatory Attention
• Increased Client Attention and Transparency
SWIFT CYBER SECURITY CONTROLS

Following high-profile reports of incidents affecting members of their global payments network, SWIFT launched a security programme to clearly define an operational and security baseline that members must meet to protect the processing and handling of their SWIFT transactions.

Compromises were generally a result of weak client-side controls*
• Hackers gained access to and manipulated the SWIFT Alliance Access server software.
• Hackers took control of credentials that were used to log into the SWIFT system.
• Members’ computer security measures were seriously deficient, lacking even basic precautions like firewalls.

Actions taken by Northern Trust
• Northern Trust did not use the SWIFT configuration compromised in the attack on the Central Bank of Bangladesh.
• Northern Trust has conducted an assessment against SWIFT security programme requirements which showed a high level of compliance and a robust control environment.
• Additionally, all SWIFT patches have been implemented and are up to date.
• Any patches sent by SWIFT are applied same-day in test and put into production as soon as change windows allow.
• The Deputy CISO and the Director of SWIFT Operations are on the US SWIFT group subcommittee for technology.
• Northern Trust continues to make significant investments in our security infrastructure, including isolation of certain systems, increased use of two-factor authentication, enhanced logging and monitoring, and additional anti-malware controls for computers accessing the SWIFT network.
• Finally, Northern Trust has engaged an independent firm to evaluate end-to-end SWIFT and payment controls.

*http://www.reuters.com/investigates/special-report/cyber-heist-federal/
DISTRIBUTED DENIAL OF SERVICE ATTACKS

There have been a number of high-profile Distributed Denial of Service (DDoS) attacks reported in the press. A notable feature of these attacks is that much of the traffic originated from ‘Internet of Things’ devices (Internet-connected webcams, digital video recorders etc.). DDoS attacks are unquestionably increasing significantly in both size and number.

Northern Trust’s DDoS protection incorporates:
• A series of DDoS solutions both internally and externally through the industry's leading provider of DDoS mitigation (volumetric and application layer).
• A cyber threat intelligence programme to proactively identify and respond to new threats.
• Participation in industry working groups including those focussed on Denial of Service analysis and response.
RANSOMWARE

Ransomware is a cyberattack involving malware that encrypts data in order to prevent user access. A ransom demand requests payment – typically in virtual currency (such as Bitcoin) – to provide the key to decrypt the data. These attacks are becoming increasingly common, affecting institutions (private and public) and individuals alike.

Northern Trust’s response to the threat posed by ransomware (and other malware) includes:
• Multiple layers of anti-malware solutions to detect and prevent malicious emails.
• User awareness training, including regular phishing simulations, to educate staff on email safe practice.
• Robust data backup and recovery procedures.
• A well-defined incident response structure, incorporating the Cyber Threat Fusion (CTF) incident response group, and involving risk workshops/table-top exercises to prepare for different threat scenarios.
INFORMATION SECURITY GOVERNANCE
Risk management culture and organizational structure are key to ensuring security and stability.

Information Security Organisation
Leadership: Chief Information Security Officer, Chief Risk Officer, Chief Technology Officer, Chief Operating Officer.
Functions: regional oversight and client and partner engagement; governance and technology risk; cyber security testing; security technology and operations.

Risk Mitigation Disciplines
• Robust governance and leading risk management practices
• Enterprise-wide threat monitoring and vulnerability management
• Comprehensive staff awareness programs on security and privacy risks
• Rigorous assessment and management of 3rd party vendors
• Use of external security SWAT teams to validate effective IT controls
INFORMATION SECURITY RISK GOVERNANCE
In addition to the various information security controls managed and monitored within the organisation, Northern Trust uses external third party security teams on a regular basis to assess effectiveness.
NORTHERN TRUST’S APPROACH TO INFORMATION SECURITY

Northern Trust manages information security risks with the same commitment to excellence that we apply to understanding our clients’ financial needs. Protecting Northern Trust’s client information is a top priority requiring attention at all levels.

Oversight and Assessment
• Enterprise-wide threat and vulnerability risk management
• Active Vendor Risk Management Framework (Assessment, Due Diligence, Review, Off-boarding)
• Frequent independent audits, assessments and penetration testing
• Business continuity management (Backup & Recovery, Contingency Plans, Crisis Management)
• Cyber simulations and resiliency exercises

Layered Design
• Robust information security framework and control standards (NIST, ISO, COBIT)
• Physical and logical security perimeter
• Layered and comprehensive defenses including IPS, anti-malware, patching, DLP, and encryption
• 24x7x365 security monitoring and incident response
• Access management (least privilege principle and separation of duties)

Secure Services
• Secure online platform for transaction services (Passport®)
• Secure application development life cycle
• Advanced security measures providing strong authentication and identification protection
• Fraud detection using machine and user behavior
• Strict data protection policy including access rules and procedures for personal information
ASSESSMENT OF EFFECTIVENESS
Northern Trust’s security programme and controls are validated at various levels.

Regulatory Oversight and Examinations
• Examined regularly by various global regulatory entities
• Focus on Information Security Examinations
• One-off security questionnaires/surveys

Third Party Testing/Validations
• Ongoing Penetration Testing (External Firm)
• Programme Maturity Evaluation (External Firm)
• SSAE 16 SOC 1 Technology Control Assessment (KPMG)

Industry Participation and Best Practices
• Cyber simulations, table-tops, industry threat sharing exercises

Self Assessment
• Control Validation
• Northern Trust ‘Red Team’
• Phishing Simulations
• Comparative Analysis to Industry Frameworks (e.g. NIST, FFIEC etc.)
• Application Code Analysis Tools
• Comprehensive Risk Assessment

Internal Audit
• Independent Review of Control Adequacy
• Targeted Assessments of Cyber Protections and Security Awareness
NORTHERN TRUST PARTNERS – A CULTURE OF PROTECTION
The importance of privacy and security is embedded within the organisation.

Privacy & Security Champions
• Over 340 Privacy & Security champions globally
• A collaborative partnership between Corporate Risk & Compliance and Business Units
• Defined aims and objectives:
  • Reducing the number of privacy incidents
  • Increasing awareness of external threats (phishing)
  • Raising awareness of secure communication requirements
  • Identifying their business unit’s privacy & security risks
  • Embedding EU GDPR requirements
• Tools and resources:
  • SharePoint site for collaborative working
  • Monthly newsletter
  • Regional and global knowledge sharing sessions

Global initiatives
• Th!nk Privacy
• Protect The Trust
• EveryDay Secure
• Security on Demand
• Phishing Simulations
THE CYBER THREAT FUSION (CTF) PROGRAMME
The NT CTF programme provides intelligence-driven capabilities to proactively prevent, detect and respond to cyber threats in a consistent fashion. The CTF programme considers a holistic approach to cyber security by defining the processes and collaboration required between NT teams (such as the teams listed below).
ALIGNMENT WITH CLIENTS, INDUSTRY, & GOVERNMENT
Our approach is refined through effective engagements with clients, government entities, regulatory bodies, and industry groups, incorporating methods from industry, government, military and academic research.
• Strategic, frontline intelligence – multiple providers
• Alignment of Threat Sharing Organisations – FS-ISAC, US CERT, UK Cybersecurity Information Sharing Partnership (CiSP), local law enforcement
• Investment in expertise
• Investment in industry partnerships
DISCLAIMER
© 2017 Northern Trust Corporation. Head Office: 50 South La Salle Street, Chicago, Illinois 60603 U.S.A.

These presentation materials are the proprietary and confidential information of Northern Trust. A recipient (including a body corporate) which has received these materials direct from Northern Trust is permitted to store, print and use them for the recipient’s own use only. A recipient who/which has not received these materials direct from Northern Trust is granted no permission or licence to use the materials in any way. In no event may any recipient publish, retransmit, redistribute or otherwise reproduce any of the presentation materials in any format for any third party, nor use the presentation materials in, or in connection with, any business or commercial enterprise, without the express written permission of Northern Trust. No changes or deletions may be made to any copyright notice included within the presentation materials.