security awareness training: addressing your weakest link · 2020-02-22 · security awareness...


© 2017 Jack Henry & Associates, Inc.®

Security Awareness Training: Addressing Your Weakest Link

Presented by: Patrick Barry and Karen Crumbley

March 27, 2019

© 2019 Jack Henry & Associates, Inc.®

Session Objectives

• Define Information Security Awareness and Cybersecurity Awareness Training

• Understand FFIEC guidance on Information Security and Cybersecurity Awareness Training, and examiner scrutiny

• Effective techniques; the science of human behavior

• How social engineering impacts security awareness


Insider Threat to Financial Institutions

https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/


Guidance on Information Security and Cybersecurity Awareness

• FFIEC Information Technology Examination Handbook, Information Security, Appendix A: Examination Procedures
https://ithandbook.ffiec.gov/it-booklets/information-security/appendix-a-examination-procedures.aspx

• Cybersecurity Assessment Tool (CAT), Cybersecurity Maturity: Domain 1
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017_Cybersecurity_Maturity_June2.pdf

• FFIEC Information Technology Examination Handbook, IT Booklets
https://ithandbook.ffiec.gov/it-booklets/management.aspx

• FFIEC Information Technology Examination Handbook, Information Security Booklet
https://ithandbook.ffiec.gov/it-booklets/information-security.aspx

• Gramm-Leach-Bliley Act, Section 501(b)
https://www.ffiec.gov/exam/infobase/documents/02-con-501b_gramm_leach_bliley_act-991112.pdf


Understanding What Needs to be Protected

• Data Classification

– Three categories: Confidential, Sensitive, Public

• Non-public Information (NPI)

• Confidentiality, Integrity, and Availability


Threat Environment Actors

• Cyber Criminals

• Nation States

• Hacktivists

• Insiders


Threat Types

Internet of Things (IoT)


Clean Desk Policy


Document Shredding Procedures


Shoulder Surfing


Situational Awareness

HEY YOU, THE PIN CODE FOR THE DOOR IS….. 1234


USB Devices


Social Media Communication


Password Security


Mobile Devices


Phone Scams


Custom Vishing Campaign Examples

– Try to obtain account balance details while posing as a distressed customer calling from a car dealership

– Call bank personnel while impersonating the IT department, attempting to obtain details about employee passwords

– Call mortgage bankers to discuss a loan application delivered via email (a Dropbox link to a malware-tainted PDF)


Unauthorized Visitors


Bank Social Engineering Engagement

Scenario: Working with IT Audit to review the server area and badge access.

– Cloned a teller's badge

– Gained access to the Sheriff's office IT closet, which is shared with the bank

– Obtained the 4-digit PIN used to access the bank's server closet

– Gained physical access to the servers, router, and switches

Phishing


End User Policies and Incident Response Plans

• Incorporate them into your Information Security and Cybersecurity Awareness Programs


Questions

Patrick Barry – Rebyc Security [email protected]

Karen Crumbley – Gladiator [email protected]