Security Awareness Training: Addressing Your Weakest Link · 2020-02-22
TRANSCRIPT
© 2017 Jack Henry & Associates, Inc.®
Security Awareness Training: Addressing Your Weakest Link
Presented by: Patrick Barry and Karen Crumbley
March 27, 2019
© 2019 Jack Henry & Associates, Inc.®
Session Objectives
• Define Information Security Awareness and Cybersecurity Awareness Training
• Understand FFIEC guidance on Information Security and Cybersecurity Awareness Training, and Examiner Scrutiny
• Effective techniques; the science of human behavior
• How social engineering impacts security awareness
Insider Threat to Financial Institutions
https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/
Guidance on Information Security and Cybersecurity Awareness
• FFIEC Information Technology Examination Handbook, Information Security, Appendix A: Examination Procedures
https://ithandbook.ffiec.gov/it-booklets/information-security/appendix-a-examination-procedures.aspx
• Cybersecurity Assessment Tool (CAT), Cybersecurity Maturity: Domain 1
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf
• FFIEC Information Technology Examination Handbook, IT Booklets
https://ithandbook.ffiec.gov/it-booklets/management.aspx
• FFIEC Information Technology Examination Handbook, Information Security Booklet
https://ithandbook.ffiec.gov/it-booklets/information-security.aspx
• Section 501(b), Gramm-Leach-Bliley Act
https://www.ffiec.gov/exam/infobase/documents/02-con-501b_gramm_leach_bliley_act-991112.pdf
Understanding What Needs to be Protected
• Data Classification
– Three categories: Confidential, Sensitive, Public
• Non-public Information (NPI)
• Confidentiality, Integrity, and Availability
Threat Environment Actors
• Cyber Criminals
• Nation States
• Hacktivists
• Insiders
Document Shredding Procedures
Situational Awareness
HEY YOU
THE PIN CODE FOR THE DOOR IS…
1234
Social Media Communication
Phone Scams
Custom Vishing Campaign Examples
– Try to gain account balance details while acting as a distressed customer at a car dealership
– Contact bank personnel impersonating the IT Department, looking to gain details about employee passwords
– Contact mortgage bankers to discuss a loan application delivered via email (a Dropbox link to a malware-tainted PDF)
Unauthorized Visitors
Bank Social Engineering Engagement
Scenario: Working with IT Audit to review the server area and badges.
– Cloned a teller's badge
– Gained access to the Sheriff's office IT closet, shared with the bank
– Was provided the 4-digit PIN to access the bank's server closet
– Gained access to the server, router, and switches
End User Policies and Incident Response Plans
• Incorporate into your Information Security and Cybersecurity Awareness Programs
Questions
Patrick Barry – Rebyc Security [email protected]
Karen Crumbley – Gladiator [email protected]