
Page 1: VA’s, PT’s, and the FFIEC (oh my)...The FFIEC is the regulatory body that assesses the security of financial institutions. Vulnerability scanning and penetration testing are required

W. Jackson Schultz, CISA

Senior IT Audit & Security Consultant

25 Braintree Hill Office Park, Suite 102, Braintree, MA 02184 • Phone: (617) 471-1120 • Fax: (617) 472-7560 • http://www.ocd-tech.com

A Division of O’Connor & Drew, P.C.

VA’S, PT’S, AND THE FFIEC (OH MY)

Page 2:

SESSION GOALS

Goals:

• Provide an overview of cybersecurity

• Current and emerging threats

• Regulations and requirements

• Commonly discovered vulnerabilities

Page 3:

AGENDA

Introductions

Current state of cybersecurity

Compare vulnerability assessment and penetration test

What the regulations actually mean

Vulnerabilities that we discover on a regular basis

Page 4:

W. JACKSON SCHULTZ

Jackson is a senior auditor with OCD Tech. Prior to joining the firm, Jackson was a security consultant for a boutique consulting firm with a focus on financial services and HIPAA covered entities. In addition, Jackson has assisted multiple organizations in aligning their governance structure to ISO 27001. Currently, Jackson performs IT audit control testing for O’Connor & Drew clients.

Recent assignments include:

• Managed CISO

• Interim CTO

• ITGC and Audit

• IT and Information Security Risk Assessment

• Disaster Recovery and Business Continuity Planning (DR/BCP)

• Digital Forensics

Education

• Candidate for Executive Master in Cybersecurity, Brown University

• Bachelor of Science in Computer Science with Upsilon Pi Epsilon Distinction, Salem State University

Certifications & Memberships

• Certified Information Systems Auditor (CISA), ISACA

• Information Systems Audit & Control Association

• Information Systems Security Association (ISSA)

• Member, InfraGard, a partnership between the private sector and FBI

• Member, Cloud Security Alliance (CSA)

• Member, ISSA New England

Page 5:

ESTABLISHED

1949

HIGHLY COMPETENT:

CISA CRISC CISSP C|EH

STANDARDS-DRIVEN:

COBIT NIST SANS ISO

A Division of O’Connor & Drew, P.C.

INDUSTRIES

• Financial Services

• Automobile Dealerships

• Real Estate

• Higher Education

• Not-for-Profit

• Government Entities

SERVICES

• IT Audit

• IT Vulnerability Assessments

• Physical Security Evaluation

• Penetration Testing

• Wi-Fi Vulnerability Assessment

• Confidential Data Review

• Backup Infrastructure Evaluation

• Firewall Testing

• End User Education

• Sarbanes Oxley 404 Testing

• FFIEC Cybersecurity Assessment

• Service Organization Control (SOC) Reports

• NIST Cybersecurity Framework Evaluations

Page 6:

WHY IS THIS IMPORTANT?

Page 7:

WHY IS THIS IMPORTANT?

Page 8:

WHY IS THIS IMPORTANT?

Page 9:

WHY IS THIS IMPORTANT?

Page 10:

WHY IS THIS IMPORTANT?

HTTP://FORTUNE.COM/2016/06/15/DATA-BREACH-

“Data Breaches Now Cost $4 Million on Average” - Fortune 6/15/16

Page 11:

SMALL BUSINESS HEADTRASH

“I’m too small to be a target - I won’t get breached”

DATA is what makes a target… not size.

It’s easier to rob a home than a museum.

Page 12:

As community bankers know, the Federal Financial Institutions Examination Council (FFIEC) is the governing body for financial institutions.

FFIEC GUIDANCE

Page 13:

This group is made up of individual regulators, namely, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). Additionally, they include a state liaison representative.

FFIEC GUIDANCE

Page 14:

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a consumer protection law put in place to protect US citizens banking with US financial institutions.

Mandates under GLBA can be covered through periodic vulnerability scanning as well.

GLBA

Page 15:

1) Identify and recognize the various risks that could lead to customer/member information compromise (and financial goals and liquidity of the institution).

5 GOALS

Page 16:

5 GOALS

2) Ensure a written plan exists that contains relevant policies and procedures commensurate to the level of risk within the institution.

Page 17:

5 GOALS

3) Implement security controls that meet compliance requirements, are in line with internal policies, and truly lower risk to the institution.

Page 18:

5 GOALS

4) Consistently test security within the technical environment to ensure that the technical safeguards put in place exist and are functioning as intended.

Page 19:

5 GOALS

5) Monitor the plan and adapt as needed. As the technical environment, business objectives, and risk ratings change, the security plan should be adjusted as appropriate.

Page 20:

The FFIEC uses the IT Examination Handbook as the document with which it expects financial institutions to comply.

The area of focus during today’s discussion is going to be IT Booklets » E-Banking » Risk Management of E-Banking Activities » Information Security Program » Information Security Controls

FFIEC GUIDANCE

Page 21:

Specifically, this section states:

FFIEC GUIDANCE

Page 22:

The Regulators are looking to see that financial institutions have a formal testing plan in place to identify control effectiveness and remediation within the technical environment.

WHAT DOES THIS MEAN?

Page 23:

CAT - CYBERSECURITY ASSESSMENT TOOL

The FFIEC rolled out the CAT, and its last update was in May 2017.

The goal of this is to help provide financial institutions with a better understanding of where their risks lie.

They say, “The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”

Page 24:

CAT - CYBERSECURITY ASSESSMENT TOOL

Additionally, the FFIEC has rolled out the Cybersecurity Assessment Tool - also called the CAT, to help guide financial institutions towards maturing their cyber environment.

Page 25:

CAT - CYBERSECURITY ASSESSMENT TOOL

Baseline controls are the minimum standard that every financial institution should meet. They map to the FFIEC IT Handbook.

Page 26:

CAT - CYBERSECURITY ASSESSMENT TOOL

If you really want to impress them… advanced is a 4/5, innovative is 5/5.

Page 27:

CAT - CYBERSECURITY ASSESSMENT TOOL

One more - this is another area, change management and remediation. Vulnerability scans can be performed here too, with the goal of making sure that nothing was overlooked.

Page 28:

CAT - CYBERSECURITY ASSESSMENT TOOL

Gold star - innovative control. These controls are not for everyone. This assessment is more or less a risk assessment, and controls should be commensurate to risk level.

Page 29:

CAT - CYBERSECURITY ASSESSMENT TOOL

As you can see, vulnerability assessments are talked about a lot.

But what exactly are they looking for?

Page 30:

VULNERABILITY ASSESSMENT

A vulnerability assessment is a scan designed to identify flaws in a network design that could lead to business interruption or be exploited by a malicious individual.

Page 31:

VULNERABILITY ASSESSMENT

A vulnerability scan is used in the preliminary stages of a penetration testing engagement, or when an individual is trying to get a sense of what vulnerabilities or assets exist on a network.

Page 32:

VULNERABILITY SCANS APPLIED

When assessing an environment, our first step is to perform a vulnerability scan. Through this, our hope is to gain a sense of what assets are maintained within the institution. We will want to gather a list of what equipment, human resources, and services are running in the background.

From here, we will identify vulnerabilities that affect the institution’s environment and could carry both a technical and organizational impact.

Page 33:

VULNERABILITY ASSESSMENT

NESSUS OUTPUT

Page 34:

THE PERSONAL TOUCH

There needs to be a personal assessment performed to follow up on findings reported through vulnerability assessment.
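The follow-up starts with triage of the scanner's export. As an added example (not from the slides or from OCD Tech), this script parses a Nessus-style CSV export, drops informational rows, orders hosts by their worst finding and tallies the recurring categories the deck lists later (unpatched software, default credentials, end-of-life systems). The CSV rows, plugin IDs, hosts and keyword rules are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the column layout of a Nessus CSV export.
# Plugin IDs, hosts and plugin names are made up for illustration.
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10001,,10.0,Critical,10.0.0.5,tcp,445,Windows Server 2003 Unsupported Installation Detection,eol,,Upgrade,,
10002,,7.5,High,10.0.0.5,tcp,445,Windows SMB Server Missing Security Update,patch,,Apply update,,
10003,,10.0,Critical,10.0.0.9,tcp,80,Web Management Interface Default Credentials,creds,,Change password,,
10004,,5.0,Medium,10.0.0.9,tcp,443,SSL Certificate Cannot Be Trusted,cert,,Replace certificate,,
10005,,0.0,None,10.0.0.9,tcp,22,SSH Server Type and Version Information,info,,n/a,,
10006,,7.5,High,10.0.0.12,tcp,8080,Oracle Java SE Multiple Vulnerabilities,patch,,Upgrade Java,,
"""

RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Keyword rules for the recurring finding categories (constructed; a real
# triage list would be tuned to the institution's environment).
CATEGORY_RULES = {
    "end_of_life": ("unsupported", "end of life", "no longer supported"),
    "default_credentials": ("default credential", "default password"),
    "unpatched": ("missing security update", "multiple vulnerabilities"),
}


def parse_nessus_csv(text):
    """Return findings as dicts, dropping purely informational (Risk=None) rows."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if RISK_ORDER.get(r["Risk"], 0) > 0]


def categorize(finding):
    """Assign a finding to one of the recurring categories by plugin name."""
    name = finding["Name"].lower()
    for category, needles in CATEGORY_RULES.items():
        if any(n in name for n in needles):
            return category
    return "other"


def triage(text):
    """Group findings per host (worst first) and tally categories."""
    findings = parse_nessus_csv(text)
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["Host"]].append(f)
    for host in by_host:
        by_host[host].sort(key=lambda f: RISK_ORDER[f["Risk"]], reverse=True)
    return by_host, Counter(categorize(f) for f in findings)


def follow_up_queue(text):
    """Hosts ordered by their worst finding: the list for manual verification."""
    by_host, _ = triage(text)
    worst = {h: RISK_ORDER[fs[0]["Risk"]] for h, fs in by_host.items()}
    return sorted(worst, key=lambda h: (-worst[h], h))


if __name__ == "__main__":
    by_host, categories = triage(SAMPLE_CSV)
    for host in follow_up_queue(SAMPLE_CSV):
        print(host, [(f["Risk"], f["Name"]) for f in by_host[host]])
    print(dict(categories))
```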

Page 35:

PENETRATION TEST

A penetration test is best described as the exploitation of the discovered vulnerabilities, with the goal of seeing how far they lead.

Page 36:

PENETRATION TEST

A penetration test is typically performed by a third-party company that is engaged to test the security of the technical environment. These tests can be performed in black box, white box, or gray box style.

Page 37:

PENETRATION TEST

Black box testing - the testing of a system without prior knowledge of the environment itself. Often, this type of testing best simulates a hacker’s intrusion.

BLACK BOX TESTING

Page 38:

PENETRATION TEST

White box testing - also called clear box testing, this involves testing a system with full knowledge of the architecture, network diagrams, and source code (if applicable). This type of testing helps a company understand where a majority of the risks truly lie.

WHITE BOX TESTING

Page 39:

PENETRATION TEST

Gray box testing - somewhere in the middle. This type of testing typically involves some prior knowledge of the system or environment. In gray box testing engagements, the assessor has typically reviewed network design or architecture documents, but nothing more.

GRAY BOX TESTING

Page 40:

PENETRATION TEST

There is no one-size-fits-all approach to the type of testing that your environment will benefit from.

This all depends on what you hope to gain from the results of the test.

Page 41:

PENETRATION TEST

Often, when we are contracted to perform a black box testing engagement, we do our best to leverage open source intelligence (OSINT) found in the public domain. This could be information related to a corporate-sponsored initiative, email addresses that can be found on a website, or a netblock of IP addresses that the institution is using.

Page 42:

PENETRATION TEST

We will visit a variety of sources or utilize a number of tools to gain this information.

We will leverage an internally developed Pastebin scraping technology, or use theHarvester, Discover, Hunter, or Maltego to provide us with this information.

Page 43:

PENETRATION TEST

Typically, we will look for and record:

- Physical Locations

- Employees/Email Addresses

- Registered Public Domain Names

- Registered Netblock IP Addresses

- Registered Public IP Addresses

- Wireless SSIDs

Page 44:

COMMON ITEMS IDENTIFIED

When we perform these kinds of testing, many of the organizations for whom we work share similar items noted by our auditors. Some of the most common ones are here:

Page 45:

UNPATCHED SYSTEMS

Typically, when a vulnerability assessment is performed, it’s very common for us to find unpatched software, in both Windows and third-party systems (including antivirus).

It’s important to run Windows patching software, like Windows Server Update Services (WSUS), and also to use a product that allows for the patching of third-party software, such as Adobe and Java.

Internal scans can be performed to check the status of the software being patched.

Page 46:

DEFAULT CREDENTIALS

Another commonly found vulnerability is default credentials on a variety of systems.

These have even appeared on domain controllers in the past.

It’s important to mandate in policy that default credentials are required to be changed when rolling out new systems or devices.

This is a vulnerability often overlooked, and one that malicious individuals will try to exploit when attempting to virtually break in.

Page 47:

SUBNET VS. VLAN

Many times, subnets can be confused with virtual local area networks (VLANs). This is a common misconception which can lead to a misconfiguration.

VLANs allow for an organization to create separate logical and physical networks.

Subnetting, however, only allows for separate logical networks. This means that the information traveling across one subnet can be accessed by an individual on another subnet through a shared asset - a switch.

Traffic traveling through a switch can be seen by other hosts whose traffic also passes through that switch.
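One way to catch this misconfiguration from an inventory rather than by hand, as an added example that is not part of the slides: list each host with its subnet and the VLAN its switch port belongs to, then report every VLAN that carries more than one subnet, since hosts in those subnets are addressed differently but still share one broadcast domain. The inventory, host names, addresses and VLAN IDs below are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: host address with prefix length, plus the VLAN
# assigned to the host's switch port. All values are made up.
INVENTORY = [
    {"host": "teller-pc-01", "ip": "10.10.1.21/24", "vlan": 1},
    {"host": "teller-pc-02", "ip": "10.10.1.22/24", "vlan": 1},
    {"host": "core-db-01",   "ip": "10.10.2.10/24", "vlan": 1},   # other subnet, same VLAN
    {"host": "atm-01",       "ip": "10.10.3.5/24",  "vlan": 30},
    {"host": "guest-ap-01",  "ip": "10.10.4.7/24",  "vlan": 40},
    {"host": "guest-ap-02",  "ip": "10.10.4.8/24",  "vlan": 40},
]


def network_of(entry):
    """The IP subnet an inventory entry's address belongs to."""
    return ipaddress.ip_interface(entry["ip"]).network


def subnets_per_vlan(inventory):
    """Map each VLAN ID to the set of subnets whose hosts sit on it."""
    vlans = defaultdict(set)
    for entry in inventory:
        vlans[entry["vlan"]].add(network_of(entry))
    return vlans


def logical_only_separation(inventory):
    """VLANs carrying more than one subnet, i.e. subnet boundaries that are
    not backed by a VLAN boundary and so are not a security boundary."""
    return {
        vlan: sorted(str(net) for net in nets)
        for vlan, nets in subnets_per_vlan(inventory).items()
        if len(nets) > 1
    }


def shares_broadcast_domain(inventory, host_a, host_b):
    """True when both hosts are on the same VLAN, whatever their subnets."""
    by_name = {e["host"]: e for e in inventory}
    return by_name[host_a]["vlan"] == by_name[host_b]["vlan"]


def same_subnet(inventory, host_a, host_b):
    """True when both hosts' addresses fall in the same IP subnet."""
    by_name = {e["host"]: e for e in inventory}
    return network_of(by_name[host_a]) == network_of(by_name[host_b])


if __name__ == "__main__":
    for vlan, nets in logical_only_separation(INVENTORY).items():
        print(f"VLAN {vlan} carries {len(nets)} subnets: {', '.join(nets)}")
```

A host pair that is in different subnets but still shares a broadcast domain is exactly the case where a subnet was mistaken for a VLAN.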

Page 48:

END OF LIFE SYSTEMS

The major technology companies consistently make upgrades to their software and systems.

This means that inevitably, older technologies will be outdated and these companies will no longer support them.

They will issue a statement that these are no longer receiving updates, which makes them vulnerable to attack.

Examples of this are Windows XP and Windows Server 2003.

Windows XP machines can be found (somewhat commonly) on ATMs.

Page 49:

AS A BONUS

The regulators want to see information sharing about vulnerabilities found in your network!

Page 50:

IN CONCLUSION

The FFIEC is the regulatory body that assesses the security of financial institutions.

Vulnerability scanning and penetration testing are required under FFIEC guidelines and GLBA.

Vulnerability scanning yields a solid understanding of how an environment is configured.

Penetration testing is the act of mimicking a hacker in an attempt to break in.

Many of the same types of findings are found at each institution with whom we work.

Perform both vulnerability assessments and penetration tests regularly to help keep a strong level of security.

Page 51:

25 Braintree Hill Office Park

Suite 102

Braintree, MA 02184

Telephone: (844) OCD-TECH

A DIVISION OF O’CONNOR & DREW, P.C.

Thank You!

Questions?

@TheOCDTech

@OCDCPA

http://www.ocd-tech.com

http://www.ocd.com