Testing Your Cyber Incident Response Plan

Tom Williams - Gladiator Business Continuity Strategy Manager

Presented by Gladiator - A Division of Jack Henry & Associates and The Graduate School of Banking

August 8-9, 2018

© 2017 Jack Henry & Associates, Inc.®


Agenda

• The FFIEC Guidelines on Cyber-Security

• Risk factors facing financial institutions

• Incident Response Plan components

• Incident Response Plan testing techniques

• Centurion Cyber Drill


Takeaways Throughout the Day

• Nuggets of Wisdom

• Write them down, memorize them, take pictures of them, etc.

• Be prepared to answer: “What nuggets of wisdom have you learned?”


Three Successful Brands

• Community and Multi-Billion Dollar Banks

• Core Processing Systems

• Integrated Complementary Products

• In-House or Outsourced Services

• Credit Unions of All Sizes

• Core Processing Systems

• Integrated Complementary Products

• In-House or Outsourced Services

• Financial Institutions of All Sizes

• Corporate Entities and Strategic Partnerships

• Core Processor Agnostic

• Best-of-Breed Niche Solutions


Brief Introduction to Gladiator Services

Gladiator® CoreDEFENSE Managed Security Services™

Gladiator® IT Regulatory Compliance/Policy Products™

Centurion Business Continuity Planning™ / Centurion Disaster Recovery®

Gladiator® Hosted Network Solutions™

Gladiator® Managed IT Services™


Business Continuity / Incident Response Plan Components

The FFIEC – Federal Financial Institutions Examination Council Guidelines on BCP/IRP


FFIEC BCP Guidelines

Business Impact Analysis (BIA)

Risk Assessment

Risk Management

Risk Monitoring

• Critical Business Functions

• Disaster Impacts

• Prioritization

• Recovery Windows

• Recovery Strategies

• Resources

• Threats

– Natural

– Human

– Technical

– Cyber Attacks

• Enterprise-wide BCP

• Emergency Plans

• Crisis Management Plans

• IT & Business Unit Plans

• Family Disaster Plan

• Plan Maintenance

• Plan Testing

• Business Units

• Systems / Apps


Top Concerns

• Regulatory Compliance

• Cybersecurity and IT

• Reputation


Cybersecurity Threat Landscape

• Buffer Overflow

• Service Overwhelm

• Stealth Diagnostics

• DoS

• SQL Injections

• Phishing

• Web Browser Pop-Ups

• VBA, ActiveX Flash Tricks

• OS Specific Attack Tools

• Cross-site Scripting

• SSL-encrypted threats

• Zombie Bots

• RDP Exploits

• Memory Scraping

• DDoS

• Ransomware

• APTs

• Spear Phishing

• Targeted Attacks

• Drive-by Downloads

• Watering Hole Attacks

Pervasive

Limited

• Self Replicating Code

• Password Guessing

• Password Cracking

• Disabling Audits

Challenging

• Hijacking Sessions

• Exploit Known Vulnerabilities

• Packet Forging & Spoofing

• SPAM

• Back Doors

• Sweeper & Sniffers


IRP Basic Requirements

FFIEC’s IRP Minimum Components:

• Assess the nature and scope to identify systems and types of information that have been accessed and/or misused

• Notification of primary regulator

• Completing a SAR and notification of law enforcement

• Take steps to contain the incident to prevent further unauthorized access


IRP Basic Requirements

• Criteria that must be met before compromised systems are returned

• Notification of employees when warranted

• Notification of customers when warranted

• Intrusion response team in place

• Important pieces, but do not provide details to respond in the most effective manner.


Key Best Practices to Supplement Requirements

Consider the following:

– What happened and when?

– Performance?

– Was the Recovery process inhibited?

– What could be done differently?

– Corrective steps for similar future incidents?

– Other tools or resources?

– Use this as an opportunity to improve upon what you already have in place.


Risk Factors Facing Financial Institutions


Cybersecurity Challenges

• Cybercrime cost in the trillions

• Segregation of InfoSec oversight from IT

• Cyber incident management and resiliency

• Qualified InfoSec personnel

• Ever changing Risk Landscape

* salary.com


Cybercrime will Cost Businesses

Source: Juniper - The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation

• Consumers’ lives and records have been rapidly digitized

• Data breaches will cost $6.1 trillion globally by 2021


Cybercrime Elements

Source: Verizon Data Breach Investigations Report, 2017

Motive

• Money, Espionage, Fun, Ideology, Grudge

• 2017 VDBIR: 73% Financial, 21% Espionage, 6% FIG

Means

• Hacking, Malware, Social Engineering schemes

• 2017 VDBIR: 62% Hacking, 51% Malware, 43% Social

Opportunity

• Email, Social Media, Internet browsing


Regulators Making Cybersecurity a Priority

The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016

FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017

FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015

Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015

FFIEC Issues Statement on Safeguarding the Cybersecurity of Interfinancial institution Messaging and Payment Networks - FFIEC, June 7, 2016

The FFIEC published frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016

New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016

The FDIC launches the Information Technology Risk Examination (InTREx) Program - FFIEC, June 30, 2016


InfoSec Regulatory Exam Focus

2014 – 2015

• Business Continuity

• IT Risk Assessments

• Log Archiving

2015 – 2016

• Vendor Management

• CyberSec Assessment Tool

• Ongoing VA Scanning

2016 – 2017

• Information Security Officer

• SIEM & Breach Detection

• Cyber Resiliency


Examiners' Position on ISO

Independent ISO or Committee

Sufficient knowledge and training

Separate InfoSec oversight from IT

Rightsized InfoSec program

Source: FFIEC Guidelines 2006

Source: Deloitte. Beneath the surface of a cyberattack, 2016

Technical Investigation

Customer breach notification

Post-breach customer protection

Regulatory compliance

Public relations

Attorney fees and litigation

Cybersecurity improvements

Source: Deloitte. Beneath the surface of a cyberattack, 2016

Insurance premium increases

Increased cost to raise debt

Impact of operation disruption

Lost value of customer relationships

Value of lost contract revenue

Devaluation of trade name

Loss of intellectual property


Today’s Top 6 Cyber Threats Facing Financial Institutions

1. Encrypted Traffic

2. Malicious Code Variants

3. Supply Chain Infections

4. Patches/Vulnerabilities

5. Ransomware

6. Social Engineering


1 - Encrypted Messages - Counter Measures

1. Decrypt Traffic for Inspection

2. Behavioral Analytics


AV Is Failing, and IPS Is Not Far Behind

Signature based “safety net”

APTs & zero-day attacks


2 - Malicious Code Variants - Counter Measures

1. DNS Protection

2. Deep Content Inspection / Sand Box


Malware & Attacks are more diverse

Source: 2018 Symantec Internet Security Threat Report


DNS Protection: Phishing

1. Threat sends malware to user

2. User clicks to view MalwareDL.com

3. Gladiator® analyzes threat; rejects

4. Gladiator® redirects unsafe request to safe landing page


DNS Protection: Drive-by Download

1. User types in website

2. Website has been hacked and redirects to malicious site

3. Gladiator® detects malicious site

4. Gladiator® Redirects


3 - Supply Chain

[Diagram: Supply Chain, with Logistics, Consumer, Supplier, Distributor, Manufacturer and Retailer]


3 - Supply Chain - Counter Measures

1. Vendor Due Diligence

2. Vendor Management


4 - Patching - Counter Measures

1. Weekly Patching or as Needed

2. Weekly Vulnerability Scanning

3. Data Access Governance

4. Managed IT Services


CNN Headline, March 23rd

The FBI is investigating a ransomware attack on the city of Atlanta

NBC affiliate WXIA reported that the city received a ransom demand in bitcoin for $6,800 per unit or $51,000 to unlock the entire system.


5 – Ransomware Counter Measures

1. Data Access Governance

2. Actively Managed Endpoint Security

3. Modern Era Backup Strategy

4. Sandbox Technology


Top Threats (June – December 2017)

Top threats detected by Microsoft Office 365 ATP


6 – Social Engineering Counter Measures

1. Security Awareness Training

2. Principle of Least Privilege

3. Application Whitelisting


Incident Response Plan Components


Incident Response Plan – Purpose

• This document establishes the plan, procedures, forms and other steps Cashmere Valley Bank will use when responding to a computer security related incident.

• A computer security incident is an information related event where there appears to be:

– The misuse or unauthorized use of information or computing resources;

– An impact or potential impact to the confidentiality, integrity or availability of information.

• The incident may be due to an external intruder or may be caused by a disgruntled employee.


Incident Response Plan – Purpose

• Indications or symptoms of a computer security infraction, event or incident that deserves special attention could be the following:

– System crashes;

– New user accounts or high activity on a previously low usage account;

– New files (usually with novel or strange file names);

– Data modification or deletion (files start to disappear);

– Denial of service (users become locked out of a system);

– Unexplained or poor system performance;

– Suspicious probes (there are numerous unsuccessful login attempts);

– Suspicious access (someone accesses files on many user accounts).


Cyber Risk Appetite

• Management position on cyber risk

• Cyber risk appetite is not static

• Not a one-size-fits-all

• Based on business strategy

• Actionable and specific


What is the Bank’s Cyber-Security Risk Mitigation Profile?

[Risk scale diagram: LOW RISK, MODERATE RISK, HIGH RISK; labels: BSA/AML, No Incident Response Plan, Internal Fraud, Incident Response Plan]

Each organization should continually strive to move toward the Low Risk area


Cyber Incident Response Plan Components

Monitoring

Identification / Detection

Investigation / Decision Making

Evidence Collection / Forensic Analysis

Communications –

Employees - Members

Media – Legal – Insurance

Management

Vendor / Resource Management

Business Resumption


Incident Response Process

Cyber Incident

1. Report Incident

• Technical Support / Help Desk

2. Incident Classification

• Validation and Severity of Incident

3. Notification / Escalation

• Who to contact, internal-external

4. Assessment

• Entry point of virus

• Systems affected

• Time to close incident

• Regulatory - Law agencies

5. Documentation

• Phone conversations

• System logs

• Meeting minutes

• Screen shots

6. Containment

• Shut down system

• Disconnect from network

• Monitor system/network

• Set traps

• Disable functions, etc.


Incident Response Process

7. Protecting Evidence

• Preserving hard drives

• Documenting incidents

8. Eradication & Recovery

• Anti-virus software

• System rebuilds

9. Follow-up Analysis

• System monitoring

• Sequence of events

• Method of discovery

• Lessons learned

10. Incident Prevention

• Technology

• Policies, procedures

• Training on security awareness

• Technical configurations

• Access permissions, logs, etc.

11. Vendor Management

• Tier 1 vendors must report all Incidents to CVB

• T1 vendors must have Incident Response Plans

• T1 vendors must have Business Continuity Plans


Incident Response Severity Levels

Level 1

• Not a computer security condition – Low Impact

• The incident may be another type of issue

• The CIO may redirect the issue back to the Help Desk

Level 2

• Security Infraction or Event – Moderate Impact

• A security infraction is non-compliance with security policy or standard

• In many cases does not require formal investigation or tracking

• Infractions are addressed according to policy and enforcement

Level 3

• Information Security Incident – High Impact

• An information security incident appears significant upon initial reporting and additional investigation is deemed appropriate.


Incident Response Testing

• Annual requirement

• Validates that the IRP will work

• Appropriate response

• Incident reporting requirements

• Severity ranked scenarios


Incident Response Plan Testing Considerations

• Testing is a necessity and should be completed annually.

• Size and complexity matter in testing.

• Assemble your team.

– Validate response capabilities.

– Consider a vendor representative.

– Vendors assist with testing efforts - Centurion.

• Determine your testing scenario.

– Variety of severity levels with technical and non-technical incidents.


The Impact of Cybersecurity and Technology Service Providers

• Technology Service Providers (TSPs)

– Cyber resilience becomes a factor

– TSPs are now a part of your Incident Response Team

– Vendor Management

• Relationship between vendor management and incident response

• Information Sharing


FFIEC-Information Security Officer Responsibilities

Incident Response Management & Training

Information Security Strategy & Policies

Information Systems Risk Assessment

IT Audits & Interaction with Examiners

Business Continuity / Disaster Recovery

Vendor Management

Vulnerability Assessments


vISO (Virtual Information Security Officer)

Service Elements

Annual Recurring InfoSec Risk Assessment: Asset Based, Control Validation

Written Information Security Program: Policies, Procedures, Forms

Ongoing Compliance Management: Audit Support, Monthly Meetings

Reporting: Information Security Program Status


Centurion Cyber Drill


Cyber Incident Response Drill Objectives

• Better understand your financial institution’s vulnerability toward cyber incidents.

• Assess your financial institution’s Incident Response Plan (IRP).

• Identify the major milestones associated with a cyber incident.

• Collaborate with your peers to share approaches to dealing with cyber incidents.


Cyber Incident Response Drill Objectives

Avoid becoming a victim like the following companies:


Cyber Attack Drill Information

• This is a test exercise, based on the probability of a real-world scenario.

• Treat scenario details as fact.

• Think about how your bank’s cyber program would measure up to a similar, but real incident.

• Consider what improvements may be required to your IRP resulting from the drill.


Cyber Attack Drill Information

• Provide an interactive experience based on decisions associated with a cyber incident.

• You are assigned to the Incident Response Team (IRT) of The Financial Institution of Madison.

• Your team will be given a scenario resulting in a cyber incident to The Financial Institution of Madison.

• Please assume the role that you are assigned to as an Incident Response Team Member.


Incident Response Team Introduction

Front of Room

Chief Operations Manager / Compliance Manager

Chief Information Security Officer

Chief Executive Officer

Marketing / HR Manager


Incident Response Drill Challenges

Situational events that your IRT has to make decisions on

Share ideas and learn from your peers

Challenges are derived from real-world situations

Poll Everywhere will display team challenge results

Creates group discussion and collaboration


Financial Institution of Madison Bank Profile

• $757 million in assets

• Main office is located in downtown Madison, WI

• 9 additional branch office locations throughout Madison

• 211 employees and 511,000 customers


Financial Institution of Madison Technology Profile

• Core processing – Outsourced

• Windows® infrastructure runs at main office

• VMware Snapshots taken once per day and replicated off-site at another branch twenty-five miles away

• Uses an MPLS common network between branches

• Thirty days of historical backups


Let’s Get Started!


Cyber-Exercise Slides

• To maintain the integrity of the cyber-exercise, we elected not to include the actual slides of the drill until after the drill is completed in class.

• For those that elect to attend the class, the slide for the cyber-exercise will be made available immediately after attending the class.