Driving Down Business Risk for Credit Unions · 2020-02-06

SILVERSKY PROPRIETARY AND CONFIDENTIAL

Post on 20-Jun-2020

Page 1


Driving Down Business Risk for Credit Unions

Credit Union Cyber Shift to a “Risk Based” Approach

Gerrit Boele, CISSP

Page 2


About the Speaker

Gerrit has grown with the ever-changing security industry for over 15 years, spending time supporting small organizations and enterprises in their quest for compliance and security. As a Security Architect and Consultant he has designed hundreds of systems to secure each of the varying business verticals in his purview. Gerrit has now been with SilverSky for more than nine years, architecting security solutions. Compliance is no stranger to him: Gerrit is well-versed in compliance and works within the needs of FFIEC, GLBA, NCUA, PCI DSS, NYDFS, and even HIPAA to guide each entity he has the opportunity to aid.

Gerrit Boele, CISSP

Page 3


Agenda

Information Security Business Disruptions

Common Security Scenarios

Impacts of CU Regulation

How to Build Good Foundations

Business Checklist

Page 4

Compliance Struggle Continues to Evolve

Page 5

Balancing the Equation

Figure: People, Process and Technology set against Maintain Efficiency and Maximize Knowledge; the point where they balance is labelled Utopia.

Page 6


Balancing the Equation: Shifting Sands of InfoSec

Figure labels: Information, Cyber Security.

• Credit Unions can struggle to balance what is IT and what is Security.

• Information monitoring and risk-driven programs are shifting the way Credit Unions allocate FTEs.

• Data knowledge, such as diagrams of how and where data is electronically stored, helps reduce risk for Credit Unions.

Page 7


Credit Union Disruptions Happen

Figure: cybersecurity maturity matrix. Columns (Inherent Risk): Least, Minimal, Moderate, Significant, Most. Rows (Cybersecurity Maturity Level for each Domain): Baseline, Evolving, Intermediate, Advanced, Innovative. The Baseline end is annotated "Under Invested" and the Innovative end "Elevated Investment".

• Cyber is becoming more relevant to Credit Unions

• IT assets are inherited and become complex

• Risk is driving the audit

• Teams are overloaded and assigned skills outside their realm of expertise

Page 8


Credit Union Estate Breakout

Figure: the estate broken out into groups.

• Windows, Linux, Windows, Mac

• Anti-Virus / Next Gen AV, EDR

• Firewall, HTTP Content Filter, Email Gateway, Intrusion Detection/Prevention

• Data in motion, Data at rest, Physical data, Policy

• IT Manager, Security, CIO

• Internal Wiki, SharePoint, BSA

• NCUA, GLBA

Page 9


Credit Union Estate: a Worrying Reality

• Access issues: complex, often inherited

• Old software: patching is a common issue

• AV is being replaced by EDR: EDR can be complex, difficult to configure, and causes user grief

• Cloud has muddled where data is

• In short supply

• Limited resource, constant change

• Industry driven, getting harder

Chart: Malware Families by Type (source: https://www.enisa.europa.eu/)

Page 10

In Depth Architecture

Figure labels: Vendor Infrastructure, Main Data Center, DR Location, Operations, Sites, Network.

Page 11


The Usual Suspects

CEO
• Corporate decisions
• Responsible for overall health and status of business
• Point of communication between board and the world
• Manage and maintain the leadership teams to success

CIO
• IT resource management
• Policy development
• Procedure development
• Practice development
• Resourcing/Budget
• Project development

CISO
• Security operations
• Cyber risk and intelligence
• Security architecture
• Investigations and forensics
• Governance

Security Staff
• Completes the daily activity and tasks assigned by the CISO

IT Staff
• Reports through IT managers to the CIO or directly to CEO
• Daily operations
• Ticket support

Page 12


The Usual Suspects


Most organizations do not have a perfect structure. In fact, I often see one person doing many roles or wearing many hats.

CISO
• Security operations
• Cyber risk and intelligence
• Security architecture
• Investigations and forensics
• Governance

Security Staff
• Completes the daily activity and tasks assigned by the CISO

Recent Quote: "Mr. Smith, who is a VP and Head Cashier of XXX Bank. Mr. Smith is also responsible for our IT operations and is a critical component to the compliance (Security) functions of the bank."

Page 13


Juggling Fire

We ask the most skilled person to do the jobs of compliance and security. But that is limited to the pool that was hired for other task skillsets. Often it winds up creating a culture of increasing knowledge or a very unhappy employee.

Page 14


Too Many Hats… Good or Bad?

Figure labels: Budget, Compliance, Information Security, IT, Data, Process, People.

• 54% of alerts are investigated for organizations — Cisco 2018 Security Capabilities Benchmark Study

• 51% are not being remediated — Cisco 2018 Security Capabilities Benchmark Study

• 206 days: number of days to detect a data breach — Ponemon Institute

• $188,242: average cost of a cyberattack — Symantec

FACT: Organizations struggle to remediate or even handle the incidents they find in their estate. Testing and building the right process helps be efficient; otherwise controls get out of hand. Organizations struggle to understand data and how it flows through their organization.

Page 15


Fighting the Teenage Years?

Figure: cybersecurity maturity matrix (as on Page 7). Columns (Inherent Risk): Least, Minimal, Moderate, Significant, Most. Rows (Cybersecurity Maturity Level for each Domain): Baseline, Evolving, Intermediate, Advanced, Innovative. The Baseline end is annotated "Under Invested" and the Innovative end "Elevated Investment".

Page 16


Automated Cybersecurity Examination Tool

https://www.ncua.gov/files/agenda-items/AG20191024Item3a.pdf

• Taking a phase-in approach, with the smaller CUs deployed last.

• Risk-based assessment of a CU's Information Technology program.

• Ensures your program effectively identifies, remediates, and controls inherent risks down to appropriate residual risk levels.

• Requires increased oversight of service providers.

• Understanding of supply chain risk.

Page 17

Building for Compliance

Identify Risk
o Risk assessments and testing of the IT estate configurations are key to understanding risk and being honest about the work needed.

Understand Your Data
o Building a good solution in today's world requires all of the estate to be looked at.
o Cost and the budget become a contending issue.

Create Lifecycles
o 24/7 insight into critical systems: AD, DNS, EDR/AV, Email.
o Governance and audit support (good reporting).

Page 18


People, Process, & Technology Influencers

Logs to Collect

Security Logs
• Intrusion Detection/Prevention
• Endpoint Systems
• VPN Terminations
• HTTP Controls (Proxy WCF)
• Honeypot/Honeynet
• Firewall

IT Logs
• Routers
• Switches
• Domain Controller
• Wireless Access Point
• Server Estate
• Applications

Knowledge to Collect

Business
• Process
• Policy/Governance
• Partner Profiles

Technology
• Device Configuration File
• Asset Location
• Who owns the asset
• Diagrams
• Scanning reports
• Software Inventory

Security Intelligence

Correlate:
• IDPS/Firewall
• Authentication Systems
• Domain Services
• Endpoint Data (Server/Workstation)
• Email Gateways

Collect:
• Syslog data from all IT assets
• Store them for the term needed for compliance
• Threat Intelligence

“Good Security monitors what we know and sets it into a perpetual lifecycle of validation and reeducation.”
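As an added example (not from the SilverSky deck), the Python below shows the correlation the slide calls for: constructed syslog lines from three of the named sources (firewall, domain controller authentication, EDR) are parsed and grouped by endpoint address, and an endpoint reported by several sources within a short window surfaces as one finding instead of three separate alerts. The line formats, host names, field names and the 3-source threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (assumed formats) from a firewall, a domain
# controller and an EDR agent; five of them concern the same workstation.
SAMPLE_SYSLOG = """\
2020-02-06T09:00:01Z fw01 FW: DENY src=10.20.30.40 dst=198.51.100.9 dport=445
2020-02-06T09:00:03Z fw01 FW: DENY src=10.20.30.40 dst=198.51.100.10 dport=445
2020-02-06T09:00:05Z dc01 AUTH: FAILURE user=jsmith src=10.20.30.40 reason=bad_password
2020-02-06T09:00:06Z dc01 AUTH: FAILURE user=jsmith src=10.20.30.40 reason=bad_password
2020-02-06T09:00:08Z edr01 EDR: ALERT agent_ip=10.20.30.40 detection=malware_quarantined
2020-02-06T09:40:00Z fw01 FW: DENY src=10.20.30.41 dst=203.0.113.7 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>FW|AUTH|EDR): (?P<action>\S+) (?P<fields>.*)$"
)

def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in event.pop("fields").split() if "=" in f)
    # Each source names the endpoint differently (src= vs agent_ip=); normalise it.
    event["endpoint"] = kv.get("src") or kv.get("agent_ip")
    event.update(kv)
    return event

def correlate(text, window=timedelta(minutes=5), min_sources=3):
    """Return {endpoint: sorted sources} for endpoints seen by >= min_sources sources within window."""
    by_endpoint = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["endpoint"]:
            by_endpoint[ev["endpoint"]].append(ev)
    findings = {}
    for endpoint, events in by_endpoint.items():
        events.sort(key=lambda e: e["ts"])
        first = events[0]["ts"]
        sources = {e["source"] for e in events if e["ts"] - first <= window}
        if len(sources) >= min_sources:
            findings[endpoint] = sorted(sources)
    return findings

if __name__ == "__main__":
    print(correlate(SAMPLE_SYSLOG))  # {'10.20.30.40': ['AUTH', 'EDR', 'FW']}
```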

Page 19


From Idea to Reality: Bridging Resources is Key

• Money is always the hardest thing to justify for CUs

• Often Finance is the ultimate decision holder

• A breach always opens the wallet (too late)

• Communication lines that are trusted must be instituted

• Understand the details of all your assets to speak quickly

• Stay focused on risk and the reduction of exposure

• Remember: we never place a million dollar fence around a hundred dollar horse

The goal is to pass the audit. That is the baseline.

Page 20


Risk Readiness Checklist

• Completed Annual Risk Assessment: YES / NO

• Completed Annual Penetration Test: YES / NO

• Diagram of the data flow for all data (especially PII): YES / NO

• Completed Logical Diagram (reviewed annually): YES / NO

• Completed Physical Diagram (reviewed annually): YES / NO

• Inventory of all IT assets (location, make, model, current firmware): YES / NO

• Hierarchy of the IT leadership (reviewed annually): YES / NO

• Audit Plan (due dates / reporting ability / audit requirements): YES / NO

• Incident Handling Policy (documented and reviewed annually): YES / NO

• Complete Vendor/Partner Checklist (reviewed annually): YES / NO

Page 21


THANK YOU!