WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP
5 IT Security Trends for Credit Unions
NACUSAC 2017
Intro
I am going to share with you:
• whoami
• 5 IT Security Trends for CUs
– Common Issues Are No Longer Common
– Assume Breach Philosophy
– Vendor Management
– Future of Authentication
– FFIEC Updates
whoami
David Anderson
• Farm kid turned hacker
• Worked in IT/IT Security for 9 years
• Yes, I am older than 18
Common Issues No More
Don’t fall behind…
Poor Admin Hygiene
• Users were traditionally given admin rights
– Poorly written software required it
– Less “strain” on IT
– Users complained less
• Easier for attackers if user has admin rights
– Move between systems
– Extract user passwords from memory
• Users should not have admin rights to any system
– Power users (admins) that need it should have two user accounts and highly protect the privileged account
Poor Admin Hygiene
• Admins do everything with their privileged account
– Browse web
– Check email
• Attackers “hunt” the domain administrators
– They have the “keys to the kingdom”
• Protect privileged accounts from dangerous activity
– Any user who has admin rights to systems or critical applications should have a separate, privileged account
Poor Admin Hygiene
• Domain Admins log into workstations with their privileged account
– Even if they have separate user accounts
– Things are “easier” when you run with the highest privileges
• This can be controlled by policy and by technical controls
– Prohibit DAs from logging into workstations
– Active Directory Group Policy can enforce this
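The policy above (Domain Admins never log on to workstations) can also be checked from the logs, which is how you find out whether the Group Policy deny rule is actually working. The script below is an added example, not code from the presentation: it reads constructed, simplified Windows Security event 4624 records and flags credential-exposing logons (console, RDP, cached) by privileged accounts to hosts named with an assumed "WS-" workstation prefix. The account names and the DOMAIN_ADMINS set are assumptions for the example.

```python
"""Detect Domain Admin logons to workstations.

Added example, not code from the presentation. Windows writes a Security
event 4624 for every successful logon; the records below are a constructed,
simplified form of those events. The account names, the "WS-" workstation
naming convention and the DOMAIN_ADMINS set are assumptions for this example.
"""

# Privileged accounts that policy says must never log on to a workstation (assumed).
DOMAIN_ADMINS = {"CU\\da.janderson", "CU\\da.svc-backup"}

# Event 4624 logon types that place reusable credentials on the target host:
# 2 = console, 10 = RDP, 11 = cached-credential console logon.
# Type 3 (network, e.g. file share access) does not, so it is not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed sample events: (timestamp, event_id, account, logon_type, host)
SAMPLE_EVENTS = [
    ("2017-06-01T08:02:11", 4624, "CU\\jsmith", 2, "WS-TELLER-04"),
    ("2017-06-01T08:05:40", 4624, "CU\\da.janderson", 2, "DC01"),
    ("2017-06-01T09:17:03", 4624, "CU\\da.janderson", 10, "WS-TELLER-04"),
    ("2017-06-01T09:20:55", 4624, "CU\\da.janderson", 3, "WS-TELLER-04"),
    ("2017-06-01T10:41:19", 4624, "CU\\da.svc-backup", 2, "WS-IT-02"),
    ("2017-06-01T11:00:00", 4625, "CU\\da.janderson", 2, "WS-IT-02"),
]


def is_workstation(host: str) -> bool:
    """Workstations are identified by naming convention (assumed: 'WS-' prefix)."""
    return host.upper().startswith("WS-")


def find_admin_workstation_logons(events, admins=DOMAIN_ADMINS):
    """Return successful, credential-exposing logons by privileged accounts to
    workstations, i.e. exactly the activity the Group Policy deny rule should stop."""
    findings = []
    for timestamp, event_id, account, logon_type, host in events:
        if event_id != 4624:                      # only successful logons
            continue
        if account not in admins:                 # only privileged accounts
            continue
        if not is_workstation(host):              # servers and DCs are allowed
            continue
        if logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        findings.append({"when": timestamp, "account": account,
                         "host": host, "logon_type": logon_type})
    return findings


def summarize(findings):
    """Count violations per account so the noisiest admin is obvious."""
    counts = {}
    for finding in findings:
        counts[finding["account"]] = counts.get(finding["account"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_admin_workstation_logons(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['when']} {hit['account']} logon type {hit['logon_type']} on {hit['host']}")
    print(summarize(hits))
```

Run it against real 4624 exports by replacing SAMPLE_EVENTS with parsed log rows; a non-empty result after the Group Policy is deployed means the policy is not applied where you think it is.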
Password Issues
• Users will choose weak passwords if they are not trained or if you don’t stop them
– Summer2017!
• We can crack *any* 8 character password in ~1 day
• We are seeing CUs enforce 10-14 character passwords
– We recommend 14
• Train users how to pick passPHRASES
– Pick 3 non-related words
– E.g. Fedex (Sciccors)Lam*p
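To show why the 14-character recommendation above matters, here is an added example (not code from the presentation) that enforces the length rule, rejects the "season + year" shape of Summer2017!, and computes how long exhausting a full keyspace takes. The guess rate in the keyspace estimate is an assumed illustrative figure, not a number from the slides.

```python
"""Password length policy and keyspace math.

Added example, not from the presentation. The 14-character minimum follows the
recommendation above; the guess rate used for the keyspace estimate is an
assumed figure for illustration, not a number from the slides.
"""
import re

MIN_LENGTH = 14  # the minimum recommended above

# Predictable "season or month + year" shapes like Summer2017! that users reach for.
SEASONAL = re.compile(
    r"^(spring|summer|fall|autumn|winter|"
    r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}\W{0,3}$",
    re.IGNORECASE,
)


def check_password(candidate: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if SEASONAL.match(candidate):
        problems.append("season/month followed by a year is a predictable pattern")
    if len(set(candidate.lower())) < 4:
        problems.append("too few distinct characters")
    return problems


def days_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Days needed to try every password of the given length at the given guess rate."""
    return alphabet_size ** length / guesses_per_second / 86400


ASSUMED_GUESS_RATE = 1e11  # guesses per second; an assumption for illustration only
PRINTABLE_ASCII = 95       # upper, lower, digits and symbols on a US keyboard

if __name__ == "__main__":
    for pw in ["Summer2017!", "Fedex (Sciccors)Lam*p"]:
        print(pw, "->", check_password(pw) or "OK")
    for n in (8, 10, 14):
        days = days_to_exhaust(n, PRINTABLE_ASCII, ASSUMED_GUESS_RATE)
        print(f"{n} chars from {PRINTABLE_ASCII} symbols: {days:,.2f} days")
```

The length rule is the one doing the work: every extra character multiplies the keyspace by the alphabet size, so the jump from 8 to 14 characters moves an exhaustive search from under a day (at the assumed rate) to a time span that is not worth computing.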
Password Issues
• “Standard” password for new users
• Same password for all workstations
• Same passwords for service accounts
• IT using same passwords between their two accounts
• Ensure policies prohibit shared passwords
• IT can use password managers to help
– Ensure the password manager requires 2FA
Poor Patching
• Not pushing out patches in a timely manner
– E.g. Windows Updates, third-party apps (Java, Acrobat)
• Vendor systems
– Who is responsible for maintaining and updating these?
• There are several options for managing patches and for auditing the patch status of systems
– We see many CUs have these systems in place
Unnecessary Ports and Services
• By default, most systems have unneeded ports and services open
– Increases the “attack surface”
• Network segmentation
– Do teller workstations need to talk to each other?
• System hardening
– Turn off unneeded “stuff”
• Segment systems and only allow needed services
Unnecessary Ports and Services
• There are several “default” services that don’t use strong encryption
– FTP, Telnet, SMB (without signing)
• These services are easy to abuse
• Historically, we have compromised CUs’ networks easily because SMB signing was not required
• Ensure your network is only using strong encryption
– Act as if your internal network were exposed to the Internet
Two Factor Authentication (2FA)
• Attackers like to use your legitimate pathways into your network
– VPN, webmail, Citrix, etc.
• “Why break a window when I can walk in the front door?”
• Any authentication service exposed to the Internet that employees use NEEDS to require 2FA
Poor Email Filtering
• By default, many spam filters don’t prevent spoofing of your own domain
• Allows attackers to impersonate employees
Poor Email Filtering
Connected to mail.cogentco.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
FROM: <[email protected]>
TO: <[email protected]>
Subject: Need access to W2s
SMTP Envelope: the MAIL FROM and RCPT TO commands
SMTP Message: the FROM, TO and Subject headers sent inside DATA
Poor Email Filtering - Mitigation
• Configure spam filter to look at both the Envelope FROM field and Message FROM field
– If it contains your domain, block
• Implement SPF
– SPF checks typically occur on the SMTP Envelope FROM address, NOT the Message FROM address
• Apply extra scrutiny to emails that come from a domain without an SPF record
Common Issues Summary
• Majority of CU’s have addressed these items
• If you have “low hanging fruit” you are behind your peers
• Most of these can be addressed with current tools and processes
Assume Breach
You can’t prevent 100% of attacks…
Assume Breach Approach
“Assume Breach” limits the trust placed in applications, services, identities and networks by treating them all, both
internal and external, as not secure and possibly already compromised.
Old Model – Prevent Breach
• Focused on preventing a breach
– Build the walls higher/thicker
• $$ went towards perimeter controls
– “Next-gen” firewalls
– Intrusion Detection and Prevention
– Antivirus/Antimalware Software
Approach Comparison
Prevent Breach
• Firewall / Perimeter
• Static Defense
• “Set and Forget”
• Code Review
• Antivirus
• Threat Modeling
Assume Breach
• Constant Monitoring
• Logical Defense
• Awareness
• Testing
• Continual Improvement
• Red Team Simulation
Security Evolution
• Preventing breaches is critical, but does not adequately address modern threats
• Practices must be continually tested and augmented to effectively address modern adversaries such as APTs, cyber criminals, etc.
Security Evolution
• Prepare for an “inevitable” breach
• Build and maintain robust, repeatable and thoroughly tested security response procedures (playbook)
Security Evolution
We do not expect firefighters to learn how to fight a fire when we call them!
We should NOT expect our IT staff to handle incidents without training or proper tools.
Vendor Management
Vendors: Your biggest risk?
Vendor Management
• As Credit Unions lock down and secure their environment, vendors can become one of their biggest risks
• Many vendors do not follow the same controls, processes, and audits that Credit Unions perform
Case Study #1 – DocuSign Breach
• DocuSign notification system was compromised
– Attackers accessed email addresses of customers and users
• Attackers used this to target “Vendor”
– Gained access to the webmail account of the employee who is the DocuSign administrator for “Vendor”
• CLA client received fake DocuSign email from “Vendor”
– Email not “spoofed” – used Vendor’s legit email server
– Malicious document was attached
Case Study #2 – DocuSign Breach
• Credit Union started receiving spoofed DocuSign emails
– 20+ emails in one day, 50 total throughout the week
• Days later read about the DocuSign incident on the Krebs on Security blog
• DocuSign published info on their website, but did NOT proactively reach out to their clients until it was in the news
• CU can protect employees, but does not have the ability to know which members may be affected
Vendor Management
• For managed services, require vendors to agree to operate up to your standards
– CIS Critical Controls
– Vulnerability Management
– Change default settings / account passwords
– Align with YOUR incident response program
– Right to audit
• Understand your contracts and SLAs
– Contracts set these expectations
– SSAE16 – SOC reports or other due diligence reports are your mechanism to measure
Vendor Management
• IT should have one place to see all technical information related to vendor systems/services
– System names/IP addresses/Diagrams
– Technical contact info of vendor
– Purpose / Criticality / Risk Rating
– Vendor remote access
– SLA
Future of Authentication
Weak passwords will no longer destroy businesses
Forms of Authentication
• Something you know
– Username and password
– Mother’s sister’s friend’s dog’s name
• Something you have
– Physical token
– Software token
• Something you are
– Biometrics
– Fingerprint, facial recognition, etc.
Death to Passwords
• Everyone hates passwords
• Password abuse is one of the most common attack vectors
– Stealing passwords
– Guessing passwords
• Research is focused on
– Bringing biometrics into the workplace
– Providing better hardware and software tokens
Biometrics
• Windows Hello
– Use facial recognition or fingerprint to access computer
– Being extended to support authentication with applications (even web applications :D)
Multi Factor Authentication (MFA)
• New software MFA apps make it easy
– Google/Microsoft Authenticator
• Hardware keys
– E.g. Yubikey
• Not all MFA options are the same
– SMS text is NOT as secure as software/hardware tokens
FFIEC Updates
Increased focus on cybersecurity
Recent Key Milestones
• 2015 - Guidance on Cybersecurity Governance and Cybersecurity Controls
• 2015 - Business Continuity Planning Booklet update
• 2015 - Cybersecurity Risk Assessment Tool (CAT)
• 2015 - Update to FFIEC IT Management Handbook
• 2016 - Exams incorporate cybersecurity review
• 2016 - Update to FFIEC Information Security Booklet
Business Continuity Planning
2015 BCP Update
• Addition of Appendix J
• Strengthening the Resilience of Outsourced Technology Services
• The BCP appropriately addresses cyber-resiliency issues and events, including malware, insider threats, destruction or corruption of data or systems, disruptions of communication infrastructure, and simultaneous attacks on institutions and service providers.
2015 BCP Update
• Focus on vendor management
– Due Diligence
– Contracts
– Monitoring and Testing
• Credit Unions need to ensure outsourced activities are performed in a “safe and sound manner”
• Credit Unions need to be able to recover critical services whether the service is in-house or provided by a third-party
IT Management Handbook
“CYBER”
• Large focus on “cyber” threats
– The original Handbook contained only a single reference to “cyber.” The revised Handbook contains 53 references.
• A lot more focus on “cybersecurity,” vendor management being incorporated into enterprise risk assessment, and ITRM.
• New section on Risk Measurement which details techniques and criteria for measuring IT risk
Enterprise Architecture
• New section for Enterprise Architecture (“EA”)
– Closer partnership between business groups and IT
– Improved focus on institution’s goals
– Reduce complexity / Improve agility
Risk Assessments
• More focus on Risk Assessments and Risk Management
• IT Risk Management supports Enterprise-Wide Risk Management
– Risk identification
– Risk measurement
– Risk mitigation
– Risk monitoring
• Risk Appetite
– Cybersecurity Assessment Tool (CAT) introduced the term; the Handbook makes an additional 11 references
Board Oversight
• The expectations of the Board’s level of involvement in and, ultimately, oversight responsibility for IT and Cybersecurity have increased dramatically
• Board should be:
– Actively reviewing and approving policies
– Intimately aware of current IT environment for their organization
Board Oversight
• The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.
• Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.
• No more “rubber stamps”. The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.
Summary
• Increased focus on:
– Board oversight and management
– Effective risk management programs
– Vendor management programs
– Modern cybersecurity risks
Information Security Handbook
Key Observations
• Re-enforced accountability for information security
• ISO independence from IT operations
• Leveraging industry data for risk management
• Focus on third party risk management
• ISP built from risk management process
• Continuous monitoring and auditing of ISP components
• New section - Security Operations; addresses incident response
Four Major Categories
1. Governance of the Information Security Program
a) Security Culture
b) Responsibility and Accountability
c) Resources
2. Information Security Program Management
a) Risk Identification
b) Risk Measurement
c) Risk Mitigation
d) Risk Monitoring and Reporting
Four Major Categories
3. Security Operations
a) Threat Identification and Assessment
b) Threat Monitoring
c) Incident Identification and Assessment
d) Incident Response
4. Information Security Program Effectiveness
a) Assurance and Testing
Governance of Information Security Program
• Updated management structure (changes, shown in bold on the original slide, marked here with *)
– Board of Directors / Steering Committee
– Executive Management *
– Chief Information Officer or Chief Technology Officer
– Chief Information Security Officer (ISO) *
This role needs to be independent from IT Operations
– IT Line Management
– Business Unit Management
Information Security Program Management
• Risk Identification
• Risk Measurement
• Risk Mitigation
• Risk Monitoring and Reporting
Information Security Program Management
• Assets
– People, processes, locations
– Who we are and what we do
• Threats and Vulnerabilities
– What could go wrong
• Likelihood and Impact
– What if it does go wrong
Information Security Program Management
• Updates for consistency with the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework as appropriate
• The booklet contains updated examination procedures to help examiners measure the adequacy of an institution's culture, governance, information security program, security operations, and assurance processes
Information Security Program Management
• Inherent risk profile
• Cybersecurity inherent risk is the level of risk posed to the institution by the following:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
Maturity improvement cycle (figure): Determine desired maturity → Perform gap analysis → Prioritize and plan changes → Implement changes → Communicate results → Reevaluate
Security Operations
• Threat Identification and Assessment
• Threat Monitoring
• Incident Identification and Assessment
• Incident Response
Security Operations
• Threat Intelligence: where and how do you get updated info
– Internal and External
• Information sharing and associations
– FS-ISAC
– FBI InfraGard
– National and regional associations
• Training and Information Feeds
– SANS Internet Storm Center
– User groups
Security Operations
• Monitoring
– System and application logs
– Account usage
– Vulnerability scanning
– Network traffic
• *Need to know what is normal*
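"Know what is normal" is a concrete exercise: record what each account usually does, then score new activity against that record. The script below is an added example, not code from the presentation. It builds a per-account baseline of logon hours and source hosts from constructed history, then flags new logons at unusual hours, from never-seen hosts, or by accounts with no baseline at all. The event layout (account, hour of day, host) is an assumption for the example.

```python
"""Baseline "what is normal" for account usage and flag deviations.

Added example, not from the presentation. The history and the new events are
constructed; the field layout (account, hour of day, source host) is an
assumption for this example.
"""
from collections import defaultdict

# Constructed history of successful logons: (account, hour_of_day, host)
HISTORY = [
    ("jsmith", 8, "WS-TELLER-04"), ("jsmith", 9, "WS-TELLER-04"),
    ("jsmith", 12, "WS-TELLER-04"), ("jsmith", 16, "WS-TELLER-04"),
    ("jsmith", 8, "WS-TELLER-05"),
    ("mlee", 7, "WS-LOAN-01"), ("mlee", 10, "WS-LOAN-01"), ("mlee", 14, "WS-LOAN-01"),
    ("svc-backup", 2, "SRV-BACKUP"), ("svc-backup", 2, "SRV-FILES"),
]

# Constructed new events to score against the baseline
NEW_EVENTS = [
    ("jsmith", 10, "WS-TELLER-04"),   # normal
    ("jsmith", 23, "WS-TELLER-04"),   # unusual hour
    ("mlee", 9, "SRV-FILES"),         # never-seen host for this account
    ("svc-backup", 14, "WS-IT-02"),   # service account on a workstation at an odd hour
    ("newhire", 9, "WS-TELLER-06"),   # no baseline at all
]


def build_baseline(history):
    """Per-account sets of the hours and hosts seen during the baseline period."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for account, hour, host in history:
        baseline[account]["hours"].add(hour)
        baseline[account]["hosts"].add(host)
    return dict(baseline)


def is_usual_hour(hour, usual_hours, slack=1):
    """Treat an hour as normal if it is within `slack` hours of any baseline hour."""
    return any(abs(hour - seen) <= slack for seen in usual_hours)


def score_events(events, baseline):
    """Return (account, hour, host, reasons) for every event that deviates from baseline."""
    findings = []
    for account, hour, host in events:
        reasons = []
        profile = baseline.get(account)
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if not is_usual_hour(hour, profile["hours"]):
                reasons.append(f"hour {hour:02d} is outside usual hours")
            if host not in profile["hosts"]:
                reasons.append(f"first logon from {host}")
        if reasons:
            findings.append((account, hour, host, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for account, hour, host, reasons in score_events(NEW_EVENTS, baseline):
        print(f"{account} @ {hour:02d}:00 from {host}: {'; '.join(reasons)}")
```

The baseline period should be long enough to cover normal variation (month-end processing, shift changes) or the alert volume will bury the one event that matters; the service-account case shows the kind of deviation worth paging on, a non-interactive account suddenly appearing on a workstation during business hours.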
Security Operations
• Incident Response
– Proactive – need to be prepared
– Everyone needs to know their role
– Understand communication channels
– Have proper training and simulations
Program Effectiveness
• Periodic testing of the program
– Table top exercises (NIST 800-61)
– DRP and BCP testing
– Penetration testing
– Social engineering
– True breach / red team simulation
Summary
Summary
• Ensure you are not “falling behind”
• Have to prepare for and plan for a breach
• Increased focus on vendor management
• Ensure proper governance and oversight
• Validate controls work as expected
QUESTIONS
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
CLAconnect.com
Thank you!
David Anderson, OSCP
Manager, Information Security
Direct: 612-376-4699
Email: [email protected]