Cybersecurity Strategy: A Frank Discussion of the Risks, Solutions & Priorities

Cybersecurity Strategy - Speaker
Alan Grandoff, Director of Audit
MBA, CPA, CISA
• A bank CFO, COO, or ISO for almost 20 years. In those roles, he acquired, designed or implemented information technology that increased employee productivity from one employee per $1 million in assets managed to more than $5 million per employee.
• During the last 5 years, he has been a consultant designing and performing audits and risk assessments for numerous financial institutions. His specialties include: Strategic Planning, IT Audits, GLBA and Operational Risk Assessments, BSA Model Validations and Interest Rate Risk Independent Audits.
Slide 2 800-544-0376 / auditally.com / © 2016 AuditAlly, LLC

Cybersecurity Strategy - Agenda
• What Changed in 2015?
• Threat Evolution, Trends & Origination
• Controlling Cybersecurity Costs
• What is Motivating Regulators?
• Evolving Cybersecurity Issues
• How Can We Help?
Slide 3

What Changed in 2015?
Slide 4

What Changed in 2015?
• It was a year of escalating uncertainty about the effectiveness of perimeter controls.
• Increased dependence on outsourcing allows more actors access inside the perimeter.
• Nine confirmed attacks leveraged stolen, compromised or unprotected cryptographic keys and digital certificates.
• Pre-installed Superfish malware on Lenovo computers scanned SSL traffic.
• Unauthorized or fake bank certificates from Google, CNNIC, Symantec, Comodo and GoDaddy.
• The Department of Personnel Management suffered a significant data breach, exposing 21.5 million federal workers.
• Carbanak, a cyber criminal ring, targeted over 100 banks using spear phishing to steal more than a billion dollars.
Slide 5

What Changed in 2015?
• It was a year of uncertainty about the dependability of vendor resilience.
• Increased reliance upon technology service providers weakens the institution.
• Institution oversight of the resilience of outsourced technology services needs to be enhanced.
• Institutions must eliminate single points of failure.
• Service providers need to prove resilience (especially in the face of cyber events) and security.
• Plans need to be made to survive critical vendor and infrastructure failure.
• Institutions can't depend upon constant support for infrastructure.
Slide 6

What Changed in 2015?
• It was a year in which government officials admitted that the private sector is relatively defenseless.
• Threat identification efforts need to improve.
• Threat response times need to be significantly reduced by preplanning.
• Diminishing the value of data would reduce incentives to breach bank records: de-identification or encryption.
Slide 7

What Changed in 2015?
• It was a year in which government officials emphasized increased threats to the integrity of data.
• Backups may need to be supplemented with write-once copies or air-gapped copies.
• Data integrity checking will become more prevalent for backup files.
• Malware scans may be performed on backups to detect malware not known at the time of the backup.
Slide 8

Threat Evolution, Trends & Origination
Slide 9

Threat Evolution, Trends & Origination
Source: 2015 Verizon Data Breach Investigations Report
Slide 10

Threat Evolution, Trends & Origination
• Efforts to mitigate Web App and Crimeware threats should achieve the most efficient cost savings for financial institutions.
• Know what software is on your system: not just the packages but what supports them (e.g. OpenSSL, MySQL).
• Improve monitoring of activity to recognize suspicious web activity. Establish rapid feedback with customers for alternative authorization.
Slide 11

Threat Evolution, Trends & Origination
• Stolen credentials are the hackers' low-hanging fruit.
• Software of almost any kind can have backdoors.
• Manage the external doors and end points attaching to your network.
Slide 12

Controlling Cybersecurity Costs
Slide 13

Controlling Cybersecurity Costs
• Micro-economics and decision theory assume you are:
  • The ideal decision maker
  • Fully informed
  • Able to compute with perfect accuracy
  • Rational
• Since most of us do not have the technical expertise necessary to evaluate solutions, we instead rely on others to perform these tasks.
Slide 14

Controlling Cybersecurity Costs
• Is there a reasonable limit?
  • There is a very simple theory: don't spend more money than you risk losing.
• Costs
  • A 2015 study found that the average cost is $217 per record stolen.
• Sources & Likelihoods
  • A recent Price Waterhouse Coopers survey estimated that 39% of respondents experienced cybercrimes.
Slide 15

Controlling Cybersecurity Costs
• Taking the $217 per record stolen and the 39% as the possibility of the organization being impacted, let's design a simple budget strategy.
Cybersecurity Budget
Total # of Records Stored: 2,000
Cost per Record Stolen: $217
Total Cost If All Records Lost: $434,000
Likelihood Per Year: 39%
Budget Should Be Less Than: $169,260
Slide 16

Controlling Cybersecurity Costs
• Don't overspend on your IT expenditures.
• This 12-drawer sorter cost $250k new (now $8k on eBay).
• Technology in use today costs less than $1k.
Slide 17

Controlling Cybersecurity Costs
• Credential theft and phishing are the biggest risks to financial institutions.
• Multi-factor authentication makes credential theft more difficult.
• Constant training is the best means to combat phishing.
Source: 2015 Verizon Data Breach Investigations Report
Slide 18

What is Motivating Regulators?
Slide 19

What is Motivating Regulators?
• 23% of recipients now open phishing messages and 11% click on attachments.
• 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
• 0.03%: out of tens of millions of mobile devices, the number infected with truly malicious exploits was negligible.
Slide 20

What is Motivating Regulators?
Slide 21

What is Motivating Regulators?
Financial Stability Oversight Council
Cybersecurity: Vulnerabilities to Attacks on Financial Services
Several technical and administrative best practices have been identified to mitigate the potential damage from future cyber incidents, including:
• Using the NIST Cybersecurity Framework to assist with vendor management.
• Requiring two-factor layered authentication for privileged accounts and sensitive systems.
• Detecting compromised administrative access through continuous and routine monitoring.
• Assuming they will be subject to destructive attacks, and developing capabilities and procedures to resume operations.
Slide 22

What is Motivating Regulators?
FDIC: Federal Deposit Insurance Corporation
Cybersecurity: Awareness Resources
Recommended Enhancements for Cybersecurity Risks
• Threat Intelligence
• Third-Party Management
• Cyber Resilience
• Incident Response
Slide 23

What is Motivating Regulators?
FFIEC: Federal Financial Institutions Examination Council
IT Examination Handbook InfoBase - Appendix J: Strengthening the Resilience of Outsourced Technology Services
Financial institutions must demonstrate the ability to recover after an adverse event.
• Third-party management addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
• Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients.
• Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
• Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.
Slide 24

What is Motivating Regulators?
FFIEC: Federal Financial Institutions Examination Council
Cybersecurity Assessment Tool
This tool was developed to help financial institutions:
• Identify factors contributing to and determining the institution's overall cyber risk.
• Assess the institution's cybersecurity preparedness.
• Evaluate whether the institution's cybersecurity preparedness is aligned with its risks.
• Determine risk management practices and controls that are needed or need enhancement, and actions to be taken to achieve the desired state.
• Inform risk management strategies.
Slide 25

What is Motivating Regulators?
FFIEC: Federal Financial Institutions Examination Council
Information Technology Examination Handbook: Management
IT Risk Management as a Component of Overall Risk Management:
• IT governance objectives are to ensure that IT generates business value and mitigates the risks posed by using technology.
• The institution should have an adequate ITRM structure.
• Management should ensure that lines of authority are established for enforcing and monitoring controls.
• Management should have a comprehensive view of operations and business processes that are supported by technology.
Slide 26

What is Motivating Regulators?
IT Risk Management as a Component of Overall Risk Management (continued):
• Financial institution management should develop risk measurement processes that include the following elements:
  • Measuring risk using qualitative, quantitative, or a hybrid of methods.
  • Recognizing that risks do not exist in isolation.
  • Prioritizing the risks based on the results of risk measurement.
• Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy.
• Financial institution management should ensure satisfactory monitoring and reporting of IT activities and risk.
Slide 27

Upcoming Security Initiatives
Slide 28

Evolving Cybersecurity Issues
• Encryption: To Encrypt or Not To Encrypt
• Encryption is a fairly effective means of protecting the confidentiality and integrity of data.
That being said, encryption has significant costs:
  • Encryption hampers content monitoring, so integrity checking and data loss prevention can be impeded.
  • Encryption is expensive to initiate from an initial cost standpoint and taxes computing power, resulting in slower responses.
  • Encryption is not always effective. At certain times, data in transit may require translation into clear text, and the device or software that performs that function is vulnerable (think RAM scraping).
  • If encryption keys are lost or corrupted it could be a catastrophic event (see The Hunt for Red October).
Slide 29

Evolving Cybersecurity Issues
• The Hacker's Workload: Who is Helping Them?
• The hacker's workload is a factor that traditionally has worked in our favor. The amount of effort we expend to defend our information assets is generally proportionately less than the cost of defeating the defenses. Certain factors are now working against us.
• Governments are using sophisticated software with zero-day threats in the cyberwar and cyberespionage arenas. These devastating weapons are being discovered by hackers, who then repurpose them for gain without the R&D costs.
• Governmental agencies are finding and stockpiling zero-day threats and hacking processes for use in furtherance of their purposes instead of identifying them and fixing them. Thus vulnerabilities are left unchecked and can be found and used by criminals.
• Hackers are developing markets for exploits and exploit kits, thus monetizing the development side of hacking and making the software available to persons who have access to those markets.
Slide 30

Evolving Cybersecurity Issues
• Two Factor Authentication
• Properly structured and limited two factor authentication is a somewhat effective plan, but as mobile devices become more ubiquitous and multifunctional, the two factors become one.
If I log into a site with a mobile browser and obtain the OTP with the same device, how effective is the combination of factors?
• In some documented cases, the OTP was forwarded from the device to an adversary's device. While this threat is not common, it cost millions of Euros, which is a significant reward that justified significant efforts.
Slide 31

Evolving Cybersecurity Issues
• Quantum Computing as a Disruptive Force
• Quantum computing is considered to be more science fact than science fiction. It's no longer a matter of if but when quantum computers become available.
• Nation states, with their vast financial and manpower advantages, will be the first to take advantage of this technology, and they'll be able to decrypt any messages encrypted with today's technology.
• Large commercial and criminal organizations will get the next chance at the technology.
• Some experts are stating that we need to start protecting our data from them now.
Slide 32

Evolving Cybersecurity Issues
• Biometrics
• The history of biometrics has been one of promise without delivery. High cost and variable reliability have hampered development and rates of utilization. The big problem with biometrics is that you cannot really rely on them as the first line of defense or your only authentication system. A biometric is not secret and you can't change it, so you always have to have something else.
• Biometrics will be useful for layering of authentication for commercial applications if it can be more cheaply and accurately delivered in comparison with the alternative of something you have (a token or cell phone, for instance). Until then, only governmental agencies are likely to adopt biometrics.
Slide 33
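Slide 8 says data integrity checking will become more prevalent for backup files, and Slide 29 raises the case where the data store itself cannot be trusted. The following is an added example, not part of the deck and not AuditAlly's tooling: it hashes each backup file into a manifest and seals the manifest with an HMAC whose key is assumed to be held somewhere the backup host cannot reach, so that a compromise that rewrites both the backups and the manifest is still caught. The file names, the key value and the file contents are constructed for the demo.

```python
"""Integrity manifest for backup files: hash every file, then seal the
listing with an HMAC whose key lives off the backup host.
Added example for this deck; not AuditAlly's tooling."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: in production this key is stored off the backup host (vault or
# HSM). The value here is constructed for the demo only.
DEMO_MANIFEST_KEY = b"constructed-demo-key-keep-off-the-backup-host"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key):
    """Record size and digest per file, then seal the listing with an HMAC."""
    files = {
        os.path.basename(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in paths
    }
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files,
            "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, backup_dir, key):
    """Return (seal_ok, per-file status) with status 'ok', 'modified' or
    'missing'. A forged listing (bad seal) is reported even if every file
    matches the hashes it now lists."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    seal_ok = hmac.compare_digest(expected, manifest["hmac"])
    status = {}
    for name, rec in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            status[name] = "missing"
        elif os.path.getsize(path) != rec["size"] or sha256_file(path) != rec["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return seal_ok, status


def demo():
    """Constructed scenario: three backup files; after the manifest is written
    one is silently altered and one deleted, then the attacker tries to hide
    the alteration by rewriting the hash in the manifest."""
    with tempfile.TemporaryDirectory() as d:
        names = ["core_db.bak", "loans.bak", "ach_batch.bak"]
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed backup payload for " + n.encode())
        manifest = build_manifest([os.path.join(d, n) for n in names], DEMO_MANIFEST_KEY)
        seal_before, before = verify_manifest(manifest, d, DEMO_MANIFEST_KEY)
        # Silent corruption or a destructive attack: same length, different bytes
        with open(os.path.join(d, "loans.bak"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        os.remove(os.path.join(d, "ach_batch.bak"))
        seal_after, after = verify_manifest(manifest, d, DEMO_MANIFEST_KEY)
        # Attacker rewrites the hash but lacks the key, so the seal fails
        forged = json.loads(json.dumps(manifest))
        forged["files"]["loans.bak"]["sha256"] = sha256_file(os.path.join(d, "loans.bak"))
        forged_seal, _ = verify_manifest(forged, d, DEMO_MANIFEST_KEY)
        return seal_before, before, seal_after, after, forged_seal


if __name__ == "__main__":
    print(demo())
```

Run it on a real backup set by passing the file paths to build_manifest at backup time and keeping the manifest and key apart from the backups; a scheduled verify_manifest run is the "integrity checking" the slide refers to, and a write-once or air-gapped copy is what you restore from when it reports "modified".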
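Slide 11 calls for monitoring that recognizes suspicious web activity, and Slides 12 and 18 name stolen credentials and credential theft as the top risks. As an added example (not from the deck and not AuditAlly's monitoring tooling), the script below scans web-server log lines for a burst of failed logins from one source address across many different accounts and reports any account that then logged in successfully from that source, which is the situation where Slide 11's "rapid feedback with customers for alternative authorization" would be triggered. The log format, addresses and usernames are constructed, and the window and thresholds are assumptions to be tuned to your own traffic.

```python
"""Flag bursts of failed logins from one source across many accounts, and any
success that follows such a burst. Added example for this deck; the log
format and thresholds are assumptions, not AuditAlly's tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 test addresses, invented usernames).
SAMPLE_LOG = """\
2016-03-01T09:00:01Z 198.51.100.7 POST /login user=alice status=200
2016-03-01T09:00:05Z 203.0.113.5 POST /login user=alice status=401
2016-03-01T09:00:06Z 203.0.113.5 POST /login user=bob status=401
2016-03-01T09:00:07Z 203.0.113.5 POST /login user=carol status=401
2016-03-01T09:00:08Z 203.0.113.5 POST /login user=dave status=401
2016-03-01T09:00:09Z 203.0.113.5 POST /login user=erin status=401
2016-03-01T09:00:10Z 203.0.113.5 POST /login user=frank status=200
2016-03-01T09:02:00Z 198.51.100.7 GET /statement?id=1 status=200
2016-03-01T09:30:00Z 198.51.100.9 POST /login user=bob status=401
2016-03-01T09:30:30Z 198.51.100.9 POST /login user=bob status=200
"""

# Assumed line layout: timestamp, source IP, method, path, optional user=, status=
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?:user=(?P<user>\S+) )?status=(?P<status>\d{3})$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped
    (in production, count them so a format change does not blind you)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "path": m["path"].split("?")[0],
            "user": m["user"],
            "status": int(m["status"]),
        })
    return events


def find_suspicious_logins(events, window=timedelta(minutes=5),
                           min_failures=4, min_accounts=3):
    """Per source IP, slide a time window over login attempts. Flag the IP
    when failures in the window reach min_failures spread over at least
    min_accounts distinct usernames (the stolen-credential replay pattern),
    and list any account that succeeded from that IP inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/login" and e["user"]:
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(attempts):
            win = [a for a in attempts[i:] if a["ts"] - anchor["ts"] <= window]
            fails = [a for a in win if a["status"] != 200]
            failed_accounts = {a["user"] for a in fails}
            if len(fails) >= min_failures and len(failed_accounts) >= min_accounts:
                findings.append({
                    "ip": ip,
                    "start": anchor["ts"],
                    "failures": len(fails),
                    "accounts": len(failed_accounts),
                    "succeeded_as": sorted({a["user"] for a in win if a["status"] == 200}),
                })
                break  # one finding per source is enough to raise the alert
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse(SAMPLE_LOG)):
        print(f)
```

On the sample, the source that tried six accounts in five seconds is reported and the one account it got into is listed under succeeded_as; the customer with one typo followed by a success is not, which is the kind of distinction that keeps the alternative-authorization callbacks to a manageable number.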
In Review
Slide 34

In Review…
• Identify threats early.
• Monitor your environment and prevent access escalation or data exfiltration.
• Protect the integrity of your data.
• Be resilient to cybersecurity threats internally and at the vendor level.
• Don't tie yourself to one solution.
• Adversaries will adapt their attacks to your industry and circumstances. Seek to defend to your greatest advantage.
Slide 35

In Review…
• Know who has access to your network.
• Purchase from known vendors.
• Don't invest in an inflexible, long-term solution.
• Manage your budget based upon the value of what you are protecting.
• Training the human element is just as important as investing in technology.
• Be alert and agile. Know what is happening on the Internet and on your own systems. Respond to threats and attacks. Be resilient.
Slide 36

In Review…
• Make sure that devices and applications are patched regularly.
• Ensure that devices are correctly configured.
• Testing is key in identifying:
  • Outdated applications and firmware
  • Misconfigured devices
  • Abandoned or rogue applications, databases and devices
• Layering security is the best strategy to protect sensitive customer information.
Slide 37

How Can We Help?
Slide 38

How Can We Help?
Audit
• IT Audits
• Cyber Security Risk Assessments
• General Risk Assessments
• ACH Annual Audit
• Interest Rate Risk Independent Audit
• Bank Secrecy Act Model Validations
Ethical Hacking
• Vulnerability Assessment
• Penetration Testing (External & Internal)
• Social Engineering
• User Access
Compliance
• Vendor Management
• Business Continuity Management
• Incident Response
• Policy Development
Slide 39

Questions?
Slide 40

Cybersecurity Strategy: A Frank Discussion of the Risks, Solutions & Priorities