SILVERSKY PROPRIETARY AND CONFIDENTIAL
Driving Down Business Risk for Credit Unions
Credit Union Cyber Shift to a “Risk Based” Approach
Gerrit Boele, CISSP
About the Speaker
Gerrit has grown with the ever-changing security industry for over 15 years, spending time supporting small organizations and enterprises in their quest for compliance and security. As a Security Architect and Consultant he has designed hundreds of systems to secure each of the varying business verticals in his purview. Gerrit has now been with SilverSky for more than nine years, architecting security solutions. Compliance is no stranger to him: he is well-versed in the requirements of FFIEC, GLBA, NCUA, PCI DSS, NYDFS, and even HIPAA, and works within those needs to guide each entity he has the opportunity to aid.
Gerrit Boele, CISSP
Agenda
Information Security Business Disruptions
Common Security Scenarios
Impacts of CU Regulation
How to Build Good Foundations
Business Checklist
Balancing the Equation
(Figure: Compliance Struggle Continues to Evolve; a triangle of Process, Technology and People, labelled Maintain Efficiency, Maximize Knowledge and Utopia.)
Balancing the Equation: Shifting Sands of InfoSec
(Figure: Information vs. Cyber Security.)
• Credit Unions can struggle to balance what is IT and what is Security.
• Information monitoring and risk-driven programs are shifting the way Credit Unions allocate FTEs.
• Data knowledge, such as diagrams and how and where data is electronically stored, helps reduce risk for Credit Unions.
Credit Union Disruptions Happen
(Figure: inherent risk vs. cybersecurity maturity matrix. Inherent Risk columns: Least, Minimal, Moderate, Significant, Most. Cybersecurity Maturity Level for each Domain rows: Baseline, Evolving, Intermediate, Advanced, Innovative; annotated Under Invested at the low end and Elevated Investment at the high end.)
• Cyber is becoming more relevant to Credit Unions.
• IT assets are inherited and become complex.
• Risk is driving the audit.
• Teams are overloaded and assigned skills outside their realm of expertise.
Credit Union Estate Breakout
(Figure: categories of the estate. Windows, Linux; Windows, Mac; Anti-Virus / Next Gen AV, EDR; Firewall, HTTP Content Filter, Email Gateway, Intrusion Detection/Prevention; Data in motion, Data at rest, Physical data, Policy; IT Manager, Security, CIO; Internal Wiki, SharePoint, BSA; NCUA, GLBA.)
Credit Union Estate: a Worrying Reality
• Access issues: complex, often inherited.
• Old software: patching is a common issue.
• AV is being replaced by EDR: EDR can be complex, difficult to configure, and causes user grief.
• Cloud has muddled where data is.
• In short supply: limited resources, constant change.
• Industry driven: getting harder.
(Figure: Malware Families by Type, source https://www.enisa.europa.eu/)
In Depth Architecture
(Figure: Vendor Infrastructure, Main Data Center, DR Location, Operations, Sites, Network.)
The Usual Suspects
• CEO: corporate decisions; responsible for the overall health and status of the business; point of communication between the board and the world; manages and maintains the leadership teams to success.
• CIO: IT resource management; policy, procedure and practice development; resourcing/budget; project development.
• CISO: security operations; cyber risk and intelligence; security architecture; investigations and forensics; governance.
• Security Staff: completes the daily activity and tasks assigned by the CISO.
• IT Staff: reports through IT managers to the CIO or directly to the CEO; daily operations; ticket support.
Most organizations do not have a perfect structure. In fact, I often see one person doing many roles or wearing many hats.
Recent quote: “Mr. Smith, who is a VP and Head Cashier of XXX Bank, is also responsible for our IT operations and is a critical component to the compliance (Security) functions of the bank.”
Juggling Fire
We ask the most skilled person to do the jobs of compliance and security, but that is limited to the pool that was hired for other task skillsets. Often it winds up creating a culture of increasing knowledge, or a very unhappy employee.
Too Many Hats… Good or Bad?
(Figure: the hats one person wears: Budget, Compliance, Information Security, IT, Data, Process, People.)
• 54% of alerts are investigated by organizations (Cisco 2018 Security Capabilities Benchmark Study)
• 51% are not being remediated (Cisco 2018 Security Capabilities Benchmark Study)
• 206: number of days to detect a data breach (Ponemon Institute)
• $188,242: average cost of a cyberattack (Symantec)
FACT: Organizations struggle to remediate or even handle the incidents they find in their estate. Testing and building the right process helps them be efficient; otherwise controls get out of hand. Organizations struggle to understand their data and how it flows through the organization.
Fighting the Teenage Years?
(Figure: the same inherent risk vs. cybersecurity maturity matrix. Inherent Risk columns: Least, Minimal, Moderate, Significant, Most. Cybersecurity Maturity Level for each Domain rows: Baseline, Evolving, Intermediate, Advanced, Innovative; annotated Under Invested at the low end and Elevated Investment at the high end.)
Automated Cybersecurity Examination Tool (ACET)
https://www.ncua.gov/files/agenda-items/AG20191024Item3a.pdf
• Phased-in approach; the smaller CUs are deployed last.
• Risk-based assessment of a CU’s information technology program.
• Ensures your program effectively identifies, remediates, and controls inherent risks down to appropriate residual risk levels.
• Requires increased oversight of service providers.
• Requires an understanding of supply chain risk.
Building for Compliance
Identify Risk
• Risk assessments and testing the IT estate configurations are key to understanding risk and being honest about the work needed.
Understand Your Data
• Building a good solution in today's world requires all of the estate to be looked at.
• Cost and the budget become a contending issue.
Create Lifecycles
• 24/7 insight into critical systems: AD, DNS, EDR/AV, Email.
• Governance and audit support (good reporting).
People, Process, & Technology Influencers
Logs to Collect
• Security logs: Intrusion Detection/Prevention; Endpoint Systems; VPN Terminations; HTTP Controls (Proxy, WCF); Honeypot/Honeynet; Firewall
• IT logs: Routers; Switches; Domain Controller; Wireless Access Point; Server Estate; Applications
Knowledge to Collect
• Business: Process; Policy/Governance; Partner Profiles
• Technology: Device Configuration File; Asset Location; Who owns the asset; Diagrams; Scanning reports; Software Inventory
Security Intelligence
• Correlate: IDPS/Firewall; Authentication Systems; Domain Services; Endpoint Data (Server/Workstation); Email Gateways
• Collect: Syslog data from all IT assets; store it for the term needed for compliance; Threat Intelligence
“Good Security monitors what we know and sets it into a perpetual lifecycle of validation and reeducation.”
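The slide names the sources to collect and says to correlate them, but not what a correlation looks like in practice. The script below is an added example written for this page, not code from the SilverSky deck or from any SilverSky product. It parses constructed RFC 3164-style syslog lines from a firewall, an SSL VPN concentrator and a Windows domain controller, normalises them into one event shape, then ties a burst of domain-controller logon failures back to the VPN session that owns the source address and checks the session's external IP against a threat-intelligence list. The hostnames (fw01, vpn01, dc01), the addresses, the key=value message formats, the Windows event IDs being carried over syslog, and the intel list are all assumptions made for the demo.

```python
"""Collect-and-correlate example for the log sources listed on the slide.

Added example, not from the SilverSky deck. All sample data below is
constructed: documentation IP ranges, invented hostnames and users.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines from three sources (not real telemetry).
SAMPLE_SYSLOG = """\
<134>Mar 12 09:14:02 fw01 kernel: action=ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=443
<133>Mar 12 09:14:05 vpn01 sslvpn: user=jdoe src=203.0.113.45 assigned=10.0.0.50 result=success
<134>Mar 12 09:14:30 dc01 security: EventID=4625 user=admin src=10.0.0.50 status=failure
<134>Mar 12 09:14:32 dc01 security: EventID=4625 user=admin src=10.0.0.50 status=failure
<134>Mar 12 09:14:34 dc01 security: EventID=4625 user=admin src=10.0.0.50 status=failure
<134>Mar 12 09:14:36 dc01 security: EventID=4625 user=admin src=10.0.0.50 status=failure
<134>Mar 12 09:14:38 dc01 security: EventID=4625 user=admin src=10.0.0.50 status=failure
<134>Mar 12 09:14:40 dc01 security: EventID=4624 user=admin src=10.0.0.50 status=success
<133>Mar 12 10:02:11 vpn01 sslvpn: user=asmith src=198.51.100.7 assigned=10.0.0.51 result=success
<134>Mar 12 10:02:40 dc01 security: EventID=4625 user=asmith src=10.0.0.51 status=failure
<134>Mar 12 10:02:55 dc01 security: EventID=4624 user=asmith src=10.0.0.51 status=success
"""

# Assumed threat-intel feed: external addresses recently seen in credential attacks.
THREAT_INTEL = {"203.0.113.45"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(text, year=2024):
    """Normalise raw lines into dicts. RFC 3164 carries no year, so one is supplied.

    Returns (events, dropped): unparseable lines are counted, not silently
    ignored, because a gap in collection is itself an audit finding.
    """
    events, dropped = [], 0
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            dropped += 1
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "app": m["app"], "pri": int(m["pri"])}
        ev.update(KV_RE.findall(m["msg"]))  # key=value pairs from the message body
        events.append(ev)
    return events, dropped


def correlate(events, fail_threshold=5, window=timedelta(minutes=5), intel=THREAT_INTEL):
    """Flag N+ logon failures followed by a success from one source, enriched with
    the VPN session that owns that internal address and a threat-intel lookup."""
    # Authentication system: latest successful VPN session per assigned internal IP.
    sessions = {}
    for e in events:
        if e["app"] == "sslvpn" and e.get("result") == "success" and "assigned" in e:
            sessions[e["assigned"]] = e

    # Domain services: Windows logon events (4624 success, 4625 failure) by source IP.
    logons = defaultdict(list)
    for e in events:
        if e["app"] == "security" and e.get("EventID") in ("4624", "4625"):
            logons[e["src"]].append(e)

    findings = []
    for src, evs in logons.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            # Sliding window: forget failures older than `window` before this event.
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["EventID"] == "4625":
                failures.append(e)
            elif len(failures) >= fail_threshold:
                sess = sessions.get(src)
                ext = sess["src"] if sess else None
                findings.append({
                    "src": src,
                    "target_user": e["user"],
                    "failures": len(failures),
                    "success_at": e["ts"],
                    "vpn_user": sess["user"] if sess else None,
                    "external_ip": ext,
                    "threat_intel_hit": ext in intel,
                    "severity": "high" if ext in intel else "medium",
                })
                failures = []
    return findings


if __name__ == "__main__":
    evs, dropped = parse_syslog(SAMPLE_SYSLOG)
    for finding in correlate(evs):
        print(finding)
    print(f"parsed={len(evs)} dropped={dropped}")
```

On the sample data only the jdoe session produces a finding: five 4625 failures against `admin` from 10.0.0.50, then a 4624 success, and the session's external address is on the intel list, so the finding is rated high. The asmith session, one failure then success, stays below the threshold. In a real deployment the DC events would usually arrive through Windows event forwarding or an agent rather than raw syslog, and the normalised events (not just the findings) are what you retain for the compliance term the slide mentions, since the auditor will ask for the evidence behind the alert.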
From Idea to Reality
Bridging Resources is Key
• Money is always the hardest thing to justify for CUs.
• Often Finance is the ultimate decision holder.
• A breach always opens the wallet (too late).
• Communication lines that are trusted must be instituted.
• Understand the details of all your assets so you can speak quickly.
• Stay focused on risk and the reduction of exposure.
• Remember: we never place a million dollar fence around a hundred dollar horse.
The goal is to pass the audit. That is the baseline.
Risk Readiness Checklist (answer each item YES or NO)
• Completed Annual Risk Assessment
• Completed Annual Penetration Test
• Diagram of the Data Flow for all data (especially PII)
• Completed Logical Diagram (Reviewed Annually)
• Completed Physical Diagram (Reviewed Annually)
• Inventory of all IT assets (Location, Make, Model, Current Firmware)
• Hierarchy of the IT leadership (Reviewed Annually)
• Audit Plan (Due Dates/Reporting Ability/Audit Requirements)
• Incident Handling Policy (Documented and Reviewed Annually)
• Complete Vendor/Partner Checklist (Reviewed Annually)
THANK YOU!