Breakout Session – Sept. 29th, 2016
IT Security: Pick the Low Hanging Fruit First!
A little bit about me
• Degree in Computer Science
• Began my professional IT career in 1982 at Dow Chemical
• Held technical engineering positions in Fortune 500 companies
• Started my first company in 1989, a software development firm
• Since 2003, building 4IT
Special Honors
• South Florida Business Journal – 2013 CIO of the Year, Finalist
• South Florida Business and Wealth – 2014 Apogee Award for Chief Information Officer
• South Florida Business Journal – 2015 CIO of the Year, Winner
8/22/2016
A small plug …. Very small
Founded in 2003, 4IT is an award-winning South Florida based Managed Service Provider that delivers a full suite of IT services including management of premise and cloud infrastructure, IT security consulting, customized IT management tools, L1/L2/L3 helpdesk, project management, enterprise communications systems, and datacenter engineering and disaster recovery services. 4IT currently provides contracted information technology services to approximately 75 companies across South Florida in widely diversified industries including non-profit, legal, medical, federal government, retail, wholesale distribution, and financial services.
Special Honors
• South Florida Business Journal – 2013 Top 25 IT Consulting Companies
• Inc. 5000 – 2014 America's Fastest Growing Private Companies
• South Florida Business Journal – 2014 50 Fastest Growing Companies in South Florida
• South Florida Business Journal – 2015 Top 10 Systems Integrators in South Florida
• CRN, The Channel Company – 2016 Managed Service Provider Elite 150
Charitable Efforts
• Joe DiMaggio Children's Hospital – Annual Technology Sponsor of the Tour De Broward
• American Cancer Society – Annual Sponsor, "Relay for Life" in Kendall
• Family Resource Center of South Florida – Annual Sponsor, "Strike Against Child Abuse"
• South Florida Digital Alliance – Member
The Only Thing We Have to Fear …
• Fortune.com, June 2016 – "Larger banks are getting harder to penetrate since they've invested in security for years," said Bill Stewart, an EVP with Booz Allen. "Now, the adversaries are moving down the food chain. In practice, this means the same hackers who once targeted big banks are seeking easier prey: credit unions, small hedge funds, PR firms, and a wide variety of other mid-tier enterprises."
• Isheriff.com, June 2016 – As early as 2006, it was found that credit unions are even more frequently targeted than banks. Hackers target credit unions for a simple reason: they are easier to hack.
• The Cheatsheet, May 2015 – For retailers and banks, the cost of data breaches can be astronomical. According to the Ponemon Institute's annual study, the total average cost of a data breach worldwide has increased 15% over the past year to more than $3.5 million.
• Debbie Matz, 8th Board Chair, NCUA – NCUA's first Supervisory Letter for 2014 described our top priorities. Examiners will be looking to see how credit unions are implementing risk mitigation controls to better protect, detect, and recover from cyber-attacks. This includes vendor due diligence, strong password policies, proper patch management, employee training and network monitoring.
10 Reasons Hackers Target Credit Unions
1. Smaller – Credit unions rarely have security staff and resources on par with larger financial institutions.
2. Adaptation – Hackers adapt quickly. Credit unions are perceived as slow to adopt new technology.
3. Money – Previous attacks have seen millions of dollars lost. Hackers have reasons to attempt more attacks.
4. Low Visibility – Credit unions are not seen as big targets. Hackers assume they have less cyber security in place.
5. Element of Surprise – Attacks against credit unions are rarely publicized, yielding a false sense of security.
6. Complexity – Each credit union has its own set of products, personnel, and budget. There is no common security strategy across the industry.
7. Internal Threats – Employees are also perpetrators of cyber crimes, and are frequently the targets of social engineering and phishing scams.
8. Seeking IT-only Solutions – The IT department should be the start, but not the end, of cyber security efforts.
9. Weaknesses – Credit unions often don't see the flaws in their security and so fail to correct them.
10. Defense vs. Offense – Investing only in defensive measures ensures that hackers will eventually find and exploit the remaining security flaws. Proactive monitoring, auditing, and IT security training are rare.
Fundamentals of IT Security
• Prevention
• Detection
• Remediation
What's the Point?
• Reduced Accidental Loss
• Reduced Purposeful Loss
• Reduced Legal Liability
• Data Retention
• Disaster Recovery
FFIEC Cybersecurity Assessment Tool – Domains and Assessment Factors
1. Cyber Risk Management & Oversight
   A. Governance
   B. Risk Management
   C. Resources
   D. Training & Culture
2. Threat Intelligence & Collaboration
   A. Threat Intelligence
   B. Monitoring & Analyzing
   C. Information Sharing
3. Cybersecurity Controls
   A. Preventative Controls
   B. Detective Controls
   C. Corrective Controls
4. External Dependency Management
   A. Connections
   B. Relationship Management
5. Cyber Incident Management & Resilience
   A. Incident Resilience Planning & Strategy
   B. Detection, Response, Mitigation
   C. Escalation & Reporting
FFIEC Assessment Definitions – Domain 1: Cyber Risk Management and Oversight
Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
A. Governance includes oversight, strategies, policies, and IT asset management to implement effective governance of the cybersecurity program.
B. Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.
C. Resources include staffing, tools, and budgeting processes to ensure the institution's staff or external resources have knowledge and experience commensurate with the institution's risk profile.
D. Training and Culture includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.
FFIEC Assessment Definitions – Domain 2: Threat Intelligence and Collaboration
Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
A. Threat Intelligence refers to the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.
B. Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.
C. Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as to internal stakeholders.
FFIEC Assessment Definitions – Domain 3: Cybersecurity Controls
Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
A. Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.
B. Detective Controls, including threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has occurred or may occur.
C. Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.
FFIEC Assessment Definitions – Domain 4: External Dependency Management
External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
A. Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
B. Relationship Management includes due diligence, contracts, and ongoing monitoring to help ensure controls complement the institution's cybersecurity program.