5 IT Security Trends for Credit Unions - NACUSAC · 2017. 6. 12.

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP

5 IT Security Trends for Credit Unions

NACUSAC 2017


Intro

I am going to share with you:
• whoami
• 5 IT Security Trends for CUs
  – Common Issues Are No Longer Common
  – Assume Breach Philosophy
  – Vendor Management
  – Future of Authentication
  – FFIEC Updates


whoami

David Anderson
• Farm kid turned hacker
• Worked in IT/IT Security for 9 years
• Yes, I am older than 18


Common Issues No More
Don’t fall behind…


Poor Admin Hygiene

• Users were traditionally given admin rights
  – Poorly written software required it
  – Less “strain” on IT
  – Users complained less
• Easier for attackers if user has admin rights
  – Move between systems
  – Extract user passwords from memory
• Users should not have admin rights to any system
  – Power users (admins) that need it should have two user accounts and highly protect the privileged account


Poor Admin Hygiene

• Admins do everything with their privileged account
  – Browse web
  – Check email
• Attackers “hunt” the domain administrators
  – They have the “keys to the kingdom”
• Protect privileged accounts from dangerous activity
  – Any user who has admin rights to systems or critical applications should have a separate, privileged account


Poor Admin Hygiene

• Domain Admins log into workstations with their privileged account
  – Even if they have separate user accounts
  – Things are “easier” when you run with the highest privileges
• This can be controlled by policy and by technical controls
  – Prohibit DAs from logging into workstations
  – Active Directory Group Policy can enforce this


Password Issues

• Users will choose weak passwords if they are not trained or if you don’t stop them
  – Summer2017!
• We can crack *any* 8 character password in ~1 day
• We are seeing CUs enforce 10-14 character passwords
  – We recommend 14
• Train users how to pick passPHRASES
  – Pick 3 non-related words
  – E.g. Fedex (Sciccors)Lam*p


Password Issues

• “Standard” password for new users
• Same password for all workstations
• Same passwords for service accounts
• IT using same passwords between their two accounts
• Ensure policies prohibit shared passwords
• IT can use password managers to help
  – Ensure the password manager requires 2FA
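A password-policy check of the kind slides 8 and 9 call for, added here as an example; it is not the presenter's or CLA's code. It enforces the 14-character minimum, rejects the season-plus-year pattern and a constructed denylist of "standard" passwords, shows how much the keyspace grows from 8 to 14 characters, and audits for accounts that share a password (the IT user and the separate admin account reusing one password). The account names, sample passwords and the SHA-256 stand-in for stored credential hashes are all constructed.

```python
import hashlib
import math
import re
from collections import defaultdict

MIN_LENGTH = 14           # the deck's recommendation
PRINTABLE_ASCII = 95      # alphabet size used for the keyspace estimate

# Constructed denylist of "standard" passwords; a real check loads a breached-password list.
DENYLIST = {"welcome1", "password1", "changeme", "summer2017!"}
# Season + year with optional trailing punctuation, e.g. Summer2017!
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*.?]*$", re.IGNORECASE)


def keyspace_bits(length, alphabet=PRINTABLE_ASCII):
    """Bits of keyspace for a random password of `length` characters."""
    return length * math.log2(alphabet)


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DENYLIST:
        problems.append("on the denylist of standard passwords")
    if SEASON_YEAR_RE.match(candidate):
        problems.append("season+year pattern")
    return problems


def hash_for_audit(password):
    """Constructed stand-in for the stored credential hash; real audits compare the directory's own hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_shared_passwords(account_hashes):
    """Group accounts by hash; any group with more than one member shares a password."""
    groups = defaultdict(list)
    for account, digest in account_hashes.items():
        groups[digest].append(account)
    return {digest: sorted(accounts) for digest, accounts in groups.items() if len(accounts) > 1}


# Constructed accounts: an IT user reusing the password on the separate admin account.
SAMPLE_PASSWORDS = {
    "jsmith": "Summer2017!",
    "da-jsmith": "Summer2017!",
    "svc-backup": "Pelican!Drawer7Mortar",
    "svc-print": "Fedex (Sciccors)Lam*p",
    "mlee": "Welcome1",
}


def audit(passwords=SAMPLE_PASSWORDS):
    """Run the policy check on every account and the sharing audit across accounts."""
    report = {account: check_password(pw) for account, pw in passwords.items()}
    shared = find_shared_passwords({a: hash_for_audit(pw) for a, pw in passwords.items()})
    return report, shared


if __name__ == "__main__":
    report, shared = audit()
    for account, problems in report.items():
        print(f"{account:12s} {'OK' if not problems else '; '.join(problems)}")
    for accounts in shared.values():
        print("shared password:", ", ".join(accounts))
    print(f"8 chars: {keyspace_bits(8):.1f} bits, 14 chars: {keyspace_bits(14):.1f} bits")
```

The sharing audit works on hashes rather than plaintext so it can be run against a credential store without ever handling the passwords themselves; with unsalted hashes (as in an Active Directory dump) identical digests mean identical passwords.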


Poor Patching

• Not pushing out patches in a timely manner
  – E.g. Windows Updates, third-party apps (Java, Acrobat)
• Vendor systems
  – Who is responsible for maintaining and updating these?
• There are several options for managing patches and for auditing the patch status of systems
  – We see many CUs have these systems in place


Unnecessary Ports and Services

• By default, most systems have unneeded ports and services open
  – Increases the “attack surface”
• Network segmentation
  – Do teller workstations need to talk to each other?
• System hardening
  – Turn off unneeded “stuff”
• Segment systems and only allow needed services


Unnecessary Ports and Services

• There are several “default” services that don’t use strong encryption
  – FTP, Telnet, SMB (without signing)
• These services are easy to abuse
• Historically, we have compromised CUs’ networks easily because SMB signing was not required
• Ensure your network is only using strong encryption
  – Act as if your internal network was exposed to the Internet


Two Factor Authentication (2FA)

• Attackers like to use your legitimate pathways into your network
  – VPN, webmail, Citrix, etc.
• “Why break a window when I can walk in the front door?”
• Any authentication service exposed to the Internet that employees use NEEDS to require 2FA


Poor Email Filtering

• By default, many spam filters don’t prevent spoofing of your own domain

• Allows attackers to impersonate employees


Poor Email Filtering

SMTP Envelope:
Connected to mail.cogentco.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted

SMTP Message:
DATA
354 Enter message, ending with "." on a line by itself
FROM: <[email protected]>
TO: <[email protected]>
Subject: Need access to W2s


Poor Email Filtering - Mitigation

• Configure spam filter to look at both the Envelope FROM field and Message FROM field
  – If it contains your domain, block
• Implement SPF
  – SPF checks typically occur on the SMTP Envelope FROM address, NOT the Message FROM address
• Apply extra scrutiny to emails that come from a domain without an SPF record


Common Issues Summary

• The majority of CUs have addressed these items

• If you have “low hanging fruit” you are behind your peers

• Most of these can be addressed with current tools and processes


Assume Breach
You can’t prevent 100% of attacks…


Assume Breach Approach

“Assume Breach” limits the trust placed in applications, services, identities and networks by treating them all, both internal and external, as not secure and possibly already compromised.


Old Model – Prevent Breach

• Focused on preventing a breach
  – Build the walls higher/thicker
• $$ went towards perimeter controls
  – “Next-gen” firewalls
  – Intrusion Detection and Prevention
  – Antivirus/Antimalware Software


Approach Comparison

Prevent Breach
• Firewall / Perimeter
• Static Defense
• “Set and Forget”
• Code Review
• Antivirus
• Threat Modeling

Assume Breach
• Constant Monitoring
• Logical Defense
• Awareness
• Testing
• Continual Improvement
• Red Team Simulation


Security Evolution

• Preventing breaches is critical, but does not adequately address modern threats

• Practices must be continually tested and augmented to effectively address modern adversaries such as APTs, cyber criminals, etc.


Security Evolution

• Prepare for an “inevitable” breach

• Build and maintain robust, repeatable and thoroughly tested security response procedures (playbook)


Security Evolution

We do not expect firefighters to learn how to fight a fire when we call them!

We should NOT expect our IT staff to handle incidents without training or proper tools.


Vendor Management
Vendors: Your biggest risk?


Vendor Management

• As Credit Unions lock down and secure their environment, vendors can become one of their biggest risks

• Many vendors do not follow the same controls, processes, and audits that Credit Unions perform


Case Study #1 – DocuSign Breach

• DocuSign notification system was compromised
  – Attackers accessed email addresses of customers and users
• Attackers used this to target “Vendor”
  – Gained access to the webmail account of the employee who is the DocuSign administrator for “Vendor”
• CLA client received fake DocuSign email from “Vendor”
  – Email not “spoofed” – used Vendor’s legit email server
  – Malicious document was attached


Case Study #2 – DocuSign Breach

• Credit Union started receiving spoofed DocuSign emails
  – 20+ emails in one day, 50 total throughout the week
• Days later read about the DocuSign incident on the Krebs on Security blog
• DocuSign published info on their website, but did NOT proactively reach out to their clients until it was in the news
• CU can protect employees, but does not have the ability to know which members may be affected


Vendor Management

• For managed services, require vendors to agree to operate up to your standards
  – CIS Critical Controls
  – Vulnerability Management
  – Change default settings / account passwords
  – Align with YOUR incident response program
  – Right to audit
• Understand your contracts and SLAs
  – Contracts set these expectations
  – SSAE16 – SOC reports or other due diligence reports are your mechanism to measure


Vendor Management

• IT should have one place to see all technical information related to vendor systems/services
  – System names / IP addresses / Diagrams
  – Technical contact info of vendor
  – Purpose / Criticality / Risk Rating
  – Vendor remote access
  – SLA


Future of Authentication
Weak passwords will no longer destroy businesses


Forms of Authentication

• Something you know
  – Username and password
  – Mother’s sister’s friend’s dog’s name
• Something you have
  – Physical token
  – Software token
• Something you are
  – Biometrics
  – Fingerprint, facial recognition, etc.


Death to Passwords

• Everyone hates passwords

• Password abuse is one of the most common attack vectors
  – Stealing passwords
  – Guessing passwords
• Research is focused on
  – Bringing biometrics into the workplace
  – Providing better hardware and software tokens


Biometrics

• Windows Hello
  – Use facial recognition or fingerprint to access computer
  – Being extended to support authentication with applications (even web applications :D)


Multi Factor Authentication (MFA)

• New software MFA apps make it easy
  – Google/Microsoft Authenticator
• Hardware keys
  – E.g. YubiKey
• Not all MFA options are the same
  – SMS text is NOT as secure as software/hardware tokens
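Software tokens of the kind this slide names implement TOTP (RFC 6238), a time-based variant of HOTP. The implementation below is an added example, not code from the presenter or from either authenticator app, and is checked against the SHA-1 test vectors published in RFC 6238. The Base32 decoding shows how the shared secret reaches the app from an enrolment QR code; the drift window and the constant-time compare are the server-side details a deployment has to get right. The Base32 string in the usage is a constructed demo secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in `step`-second slots."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side (clock drift),
    comparing in constant time. A real server must also refuse to accept the same code twice."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
               for delta in range(-window, window + 1))


def secret_from_base32(encoded):
    """Authenticator apps receive the shared secret Base32-encoded in the otpauth:// URI."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that enrolment strings often omit
    return base64.b32decode(cleaned)


RFC6238_SECRET = b"12345678901234567890"  # the SHA-1 test secret published in RFC 6238
DEMO_BASE32 = "JBSWY3DPEHPK3PXP"           # constructed demo secret, decodes to b"Hello!\xde\xad\xbe\xef"

if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC6238_SECRET, 59, digits=8))
    secret = secret_from_base32(DEMO_BASE32)
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

Because the code is derived only from the shared secret and the clock, anyone who can read the secret (a backup, a screenshot of the QR code, a copied seed file) can generate valid codes; protecting the secret at enrolment and at rest is part of the control.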


FFIEC Updates
Increased focus on cybersecurity


Recent Key Milestones

• 2015 - Guidance on Cybersecurity Governance and Cybersecurity Controls
• 2015 - Business Continuity Planning Booklet update
• 2015 - Cybersecurity Risk Assessment Tool (CAT)
• 2015 - Update to FFIEC IT Management Handbook
• 2016 - Exams incorporate cybersecurity review
• 2016 - Update to FFIEC Information Security Booklet


Business Continuity Planning


2015 BCP Update

• Addition of Appendix J
  – Strengthening the Resilience of Outsourced Technology Services
• The BCP appropriately addresses cyber-resiliency issues and events, including malware, insider threats, destruction or corruption of data or systems, disruptions of communication infrastructure, and simultaneous attacks on institutions and service providers.


2015 BCP Update

• Focus on vendor management
  – Due Diligence
  – Contracts
  – Monitoring and Testing
• Credit Unions need to ensure outsourced activities are performed in a “safe and sound manner”
• Credit Unions need to be able to recover critical services whether the service is in-house or provided by a third party


IT Management Handbook


“CYBER”

• Large focus on “cyber” threats
  – The original Handbook contained only a single reference to “cyber.” The revised Handbook contains 53 references.
• A lot more focus on “cybersecurity,” vendor management being incorporated into enterprise risk assessment, and ITRM.
• New section on Risk Measurement which details techniques and criteria for measuring IT risk


Enterprise Architecture

• New section for Enterprise Architecture (“EA”)
  – Closer partnership between business groups and IT
  – Improved focus on institution’s goals
  – Reduce complexity / Improve agility


Risk Assessments

• More focus on Risk Assessments and Risk Management
• IT Risk Management supports Enterprise-Wide Risk Management
  – Risk identification
  – Risk measurement
  – Risk mitigation
  – Risk monitoring
• Risk Appetite
  – The Cybersecurity Assessment Tool (CAT) introduced the term; the Handbook makes an additional 11 references


Board Oversight

• The expectations of the Board’s level of involvement in and, ultimately, oversight responsibility for IT and Cybersecurity have increased dramatically
• Board should be:
  – Actively reviewing and approving policies
  – Intimately aware of the current IT environment for their organization


Board Oversight

• The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.

• Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.

• No more “rubber stamps”. The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.


Summary

• Increased focus on:
  – Board oversight and management
  – Effective risk management programs
  – Vendor management programs
  – Modern cybersecurity risks


Information Security Handbook


Key Observations

• Re-enforced accountability for information security
• ISO independence from IT operations
• Leveraging industry data for risk management
• Focus on third party risk management
• ISP built from risk management process
• Continuous monitoring and auditing of ISP components
• New section - Security Operations; addresses incident response


Four Major Categories

1. Governance of the Information Security Program
   a) Security Culture
   b) Responsibility and Accountability
   c) Resources
2. Information Security Program Management
   a) Risk Identification
   b) Risk Measurement
   c) Risk Mitigation
   d) Risk Monitoring and Reporting


Four Major Categories

3. Security Operations
   a) Threat Identification and Assessment
   b) Threat Monitoring
   c) Incident Identification and Assessment
   d) Incident Response
4. Information Security Program Effectiveness
   a) Assurance and Testing


Governance of Information Security Program

• Updated management structure (changes were shown in bold on the original slide)
  – Board of Directors / Steering Committee
  – Executive Management
  – Chief Information Officer or Chief Technology Officer
  – Chief Information Security Officer (ISO)
    · This role needs to be independent from IT Operations
  – IT Line Management
  – Business Unit Management


Information Security Program Management

• Risk Identification

• Risk Measurement

• Risk Mitigation

• Risk Monitoring and Reporting


Information Security Program Management

• Assets
  – People, processes, locations
  – Who we are and what we do
• Threats and Vulnerabilities
  – What could go wrong
• Likelihood and Impact
  – What if it does go wrong


Information Security Program Management

• Updates for consistency with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate

• The booklet contains updated examination procedures to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and assurance processes


Information Security Program Management

• Inherent risk profile
• Cybersecurity inherent risk is the level of risk posed to the institution by the following:
  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats


Maturity improvement cycle (shown as a diagram on the original slide):
1. Determine desired maturity
2. Perform gap analysis
3. Prioritize and plan changes
4. Implement changes
5. Communicate results
6. Reevaluate


Security Operations

• Threat Identification and Assessment

• Threat Monitoring

• Incident Identification and Assessment

• Incident Response


Security Operations

• Threat Intelligence: where and how do you get updated info
  – Internal and External
• Information sharing and associations
  – FS-ISAC
  – FBI InfraGard
  – National and regional associations
• Training and Information Feeds
  – SANS Internet Storm Center
  – User groups


Security Operations

• Monitoring
  – System and application logs
  – Account usage
  – Vulnerability scanning
  – Network traffic
• *Need to know what is normal*
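An added example, not the presenter's code, that ties this slide's "know what is normal" to the slide 7 control prohibiting Domain Admin logons to workstations: it builds a per-account baseline of hosts and hours of activity from a constructed week of successful-logon records and then flags the day's events that either break the policy or depart from the baseline. The record format, the "da-" prefix for separate admin accounts, the "WS-" hostname prefix and the business-hours range are assumptions, not conventions from the deck.

```python
from collections import defaultdict
from datetime import datetime

# Assumed conventions (not from the deck): separate admin accounts carry a "da-" prefix,
# workstation hostnames start with "WS-", and 07:00-18:59 counts as business hours.
PRIVILEGED_PREFIX = "da-"
WORKSTATION_PREFIX = "WS-"
BUSINESS_HOURS = range(7, 19)

# Constructed successful-logon records (a reduced form of the fields in Windows event 4624).
BASELINE_LOG = """\
2017-06-05T08:02:11 account=jsmith host=WS-TELLER01 src=10.0.5.21
2017-06-05T08:05:40 account=mlee host=WS-LOAN07 src=10.0.5.33
2017-06-05T09:10:02 account=da-jsmith host=SRV-DC01 src=10.0.9.2
2017-06-06T02:00:03 account=svc-backup host=SRV-FILE01 src=10.0.9.5
2017-06-06T08:01:57 account=jsmith host=WS-TELLER01 src=10.0.5.21
2017-06-07T13:22:10 account=da-jsmith host=SRV-FILE01 src=10.0.9.2
"""
TODAY_LOG = """\
2017-06-12T08:15:30 account=jsmith host=WS-TELLER01 src=10.0.5.21
2017-06-12T08:20:12 account=jsmith host=WS-LOAN07 src=10.0.5.33
2017-06-12T09:00:45 account=da-jsmith host=WS-TELLER01 src=10.0.5.21
2017-06-12T02:00:05 account=svc-backup host=SRV-FILE01 src=10.0.9.5
2017-06-12T14:31:08 account=svc-backup host=WS-TELLER03 src=10.0.5.40
2017-06-12T23:40:19 account=jsmith host=WS-TELLER01 src=10.0.5.21
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.fromisoformat(timestamp)
        events.append(event)
    return events


def build_baseline(events):
    """Per account: the hosts it has logged on to and the hours of day it has been active."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for event in events:
        entry = baseline[event["account"]]
        entry["hosts"].add(event["host"])
        entry["hours"].add(event["time"].hour)
    return dict(baseline)


def find_findings(events, baseline):
    """(account, host, reason) for each event that breaks policy or departs from the baseline."""
    findings = []
    for event in events:
        account, host, hour = event["account"], event["host"], event["time"].hour
        # Policy control from slide 7: privileged accounts never log on to workstations.
        if account.startswith(PRIVILEGED_PREFIX) and host.startswith(WORKSTATION_PREFIX):
            findings.append((account, host, "privileged account logged on to a workstation"))
        known = baseline.get(account)
        if known is None:
            findings.append((account, host, "account never seen in baseline"))
            continue
        if host not in known["hosts"]:
            findings.append((account, host, "logon from host not in baseline"))
        if hour not in known["hours"] and hour not in BUSINESS_HOURS:
            findings.append((account, host, f"logon at {hour:02d}:xx outside baseline and business hours"))
    return findings


def run(baseline_log=BASELINE_LOG, today_log=TODAY_LOG):
    """Baseline from the earlier records, then review the day's records against it."""
    return find_findings(parse_log(today_log), build_baseline(parse_log(baseline_log)))


if __name__ == "__main__":
    for account, host, reason in run():
        print(f"{account:11s} {host:12s} {reason}")
```

The service account's 02:00 logon is not flagged because it is part of that account's own baseline, while the same account appearing on a teller workstation is; that is the difference between a rule that fires on a fixed schedule and one that knows what is normal for each account.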


Security Operations

• Incident Response
  – Proactive – need to be prepared
  – Everyone needs to know their role
  – Understand communication channels
  – Have proper training and simulations


Program Effectiveness

• Periodic testing of the program
  – Table top exercises (NIST 800-61)
  – DRP and BCP testing
  – Penetration testing
  – Social engineering
  – True breach / red team simulation


Summary


Summary

• Ensure you are not “falling behind”
• Have to prepare for and plan for a breach
• Increased focus on vendor management
• Ensure proper governance and oversight
• Validate controls work as expected


QUESTIONS


twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Thank you!

David Anderson, OSCP
Manager, Information Security
Direct: 612-376-4699
Email: [email protected]