Digital Crime and Cybersecurity
May 2017
Scott D. Ramsey, Managing Director
Agenda
I. Cybersecurity Issues, Trends & Compliance
II. Public Private Partnerships
III. FFIEC & NYDFS 500 Rule
IV. Third Party Risk Management
V. Social Media
VI. Payment Systems & Card Security
VII. Data Protection & Retention
VIII. FinTech
Cybersecurity Issues, Trends & Compliance
Interesting Cybersecurity Statistics
• Growth of New Malware (1)
  In Q3 2016 alone, 18 million new malware samples were captured.
• Ransomware on the Rise (2)
  More than 4,000 ransomware attacks daily since the beginning of 2016.
  300% increase over 2015.
[Chart: new malware samples by type: Keyloggers, Backdoors, Dialers, Adware, Viruses, Trojans, Worms, Spyware, Other]
(1) PandaLabs Report, October 20, 2016.
(2) US Government Computer Crime and Intellectual Property Section (CCIPS).
Threat Advancements
• IoT Zombie Army – Toasters to cars connected
• Hacking Machines – Smart machines “learning” to circumvent controls
• Cyber Warfare – Cybergangs providing HaaS (Hacking as a Service)
• Increased Attacks on Financial Systems – Nation states sponsoring FUD (Fear, Uncertainty, Doubt)
• Intelligence Sharing – Increased gathering of information by nations for sharing
• Blockchain Adoption – Securing inter-device transactions
Point of View
• Existing methods for detecting malware are not keeping pace with advanced malware attacks
• A robust defense in depth strategy incorporates tools and technology along with education and training of end users
• People continue to be the weakest link in cybersecurity programs
• Security budgets continue to be static because the return on security investments is not tied to business risk
• Machine learning (smart computing) is playing a larger role, both in cyber defense and in cyberattacks
Public Private Partnerships
Groups and Professional Societies
InfraGard is a partnership between the FBI and members of the private sector.
As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.
Conferences
Point of View
• You get out what you put in
• Certifications – Get your return on investment
• Continuing Professional Education (CPE)
  – Be selective
  – Network
FFIEC & 23 NYCRR 500
FFIEC Cybersecurity Assessment
Regulatory expectation is that each financial institution will:
• Use the Cybersecurity Assessment Tool
• Have Board and CEO lead the effort
• Identify gap and target state
• Implement action plan to attain and sustain target state
• Update Cybersecurity Assessment periodically
NY DFS Part 500 – Highlights
WHEN? The regulation became effective March 1, 2017.
WHO? Covered Entities:
• Banks
• Insurance Companies
• Others
WHAT?
• Enhanced Cybersecurity Program
• Detection of Cybersecurity Event and 72 Hour Reporting
• Audit Trail
• Incident Response Plan
HOW? Board Resolution or Senior Officer needs to sign certification of compliance by Feb. 15 of each year starting in 2018.
NYDFS & FFIEC Compared Examples
Enhanced Requirements under New NYDFS Rule
Point of View
• The regulations being enacted are pragmatic and reasonable, but are late and behind
• Cybersecurity program needs to take both business and technology risks into account
• DFS 500 follows FFIEC, but puts more “bite” into regulations
• State regulatory agencies are taking Federal issuances and adding their own specifications for compliance (23 NYCRR 500)
Third Party Risk Management
Third Parties – Who or What is Connected?
Point of View
• Third parties should be viewed as any other user
• Establish standards and requirements for all third parties
• Include right to audit for compliance to standards
• Third parties should adhere to your cybersecurity policies
Social Media
Social Media Do’s and Don’ts
Facebook:
• Don’t post NPI in profile
• Don’t post public out-of-town pictures until back home
LinkedIn:
• Keep separate personal and professional IDs
• Don’t post NPI in profiles
DNA Discovery:
• Don’t post family tree for public view
  Potential giveaway of mother’s maiden name, father’s middle name, birthdate, etc.
Point of View
• Social media is a treasure trove of information
• Used to obtain information on targets for identity theft, phishing, etc.
• Develop, implement and enforce Use Policy for corporate social media
• Engage with clientele to make them aware of risks and exposures
Payment Systems and Card Security
Payment System Security: PCI DSS
OBJECTIVE / CONTROL
Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across open public networks
Maintain a vulnerability management program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy
  12. Maintain a policy that addresses information security
Credit Card Security: Europay, MasterCard and VISA (EMV)
Points:
• Card issuers have spent between $200 and $800 million to distribute chip cards
• Large retailers have spent over $8 billion to install new card readers
• Chip & Signature cards are the majority of cards issued
  Readers do not authenticate the signature
• Chip & PIN cards are much more secure
  However, if a Chip & PIN card is compromised and used in an ATM, the bank is responsible
• Chips contain the same cardholder data as mag stripes
• “Card not present” fraud has increased
  Phone and online purchases with a stolen card
Point of View
• Chip & PIN should be mandatory, eliminating Chip & Signature
• New POS hardware must capture and store only information required after transaction
• Pattern analysis is a good offense
  Push alerts to cardholders
  Query large purchases
  Query out-of-country purchases
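One way to turn the pattern-analysis bullets above into working detection logic, as an added example that is not part of the presentation: the flat threshold, the three-times-baseline rule, the masked push-alert payload and the sample cardholder profile and transactions are all assumptions constructed here, and the card-not-present rule draws on the deck's earlier point that such fraud has increased.

```python
from dataclasses import dataclass, field
from statistics import mean
@dataclass
class Transaction:
    card_id: str
    amount: float       # purchase amount in USD
    country: str        # merchant country code
    card_present: bool  # False for phone and online purchases
@dataclass
class CardProfile:
    home_country: str
    history: list = field(default_factory=list)  # prior purchase amounts

LARGE_ABSOLUTE = 1000.0  # hypothetical flat threshold for a "large purchase"
LARGE_MULTIPLIER = 3.0   # hypothetical: also large if over 3x the card's average spend

def score_transaction(tx, profile):
    """Return the names of the rules a transaction trips; an empty list means no alert."""
    reasons = []
    baseline = mean(profile.history) if profile.history else None
    if tx.amount >= LARGE_ABSOLUTE or (baseline is not None and tx.amount > LARGE_MULTIPLIER * baseline):
        reasons.append("large_purchase")
    if tx.country != profile.home_country:
        reasons.append("out_of_country")
    if not tx.card_present:
        reasons.append("card_not_present")
    return reasons

def build_alert(tx, reasons):
    """Push-alert payload for the cardholder; the PAN is masked to its last four digits."""
    return {"card": "****" + tx.card_id[-4:], "amount": tx.amount, "country": tx.country,
            "reasons": reasons, "action": "reply CONFIRM or DECLINE"}

def run(transactions, profiles):
    """Score transactions in order, emitting alerts and updating each card's baseline."""
    alerts = []
    for tx in transactions:
        profile = profiles[tx.card_id]
        reasons = score_transaction(tx, profile)
        if reasons:
            alerts.append(build_alert(tx, reasons))
        profile.history.append(tx.amount)  # every transaction feeds the next baseline
    return alerts

def demo():
    """Constructed sample run: one US cardholder with three prior purchases on file."""
    card = "4111111111111111"
    profiles = {card: CardProfile("US", [40.0, 55.0, 25.0])}
    txs = [Transaction(card, 60.0, "US", True),    # in line with history: no alert
           Transaction(card, 450.0, "US", True),   # ten times the card's average
           Transaction(card, 30.0, "FR", False)]   # abroad and card-not-present
    return run(txs, profiles)
```

In production the baseline would be a rolling window per card rather than the full history, and the alert would go to the cardholder's registered device; the rule names returned by score_transaction are what an analyst would query on.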
Data Protection and Retention
• Data is a unique asset that can exist in multiple states simultaneously
  At rest
  In transit
  Being processed
  Archived
• Data Cycle Management program
  Based on value of data
  Ensures RPO can be met
• Controls
  Encryption
  Use of data policy
Point of View
• Data classification should be based on value of data
  Confidential
  Company
  Public
• Encryption keys
  Changed frequently
  Known by two personnel
  Secured with physical access controls for a third person
• Formal retention policy
  Off-site audits
  Point of sunset
  Destruction procedures
FinTech
FinTech Defined
“[A]n economic industry composed of companies that use technology to make financial services more efficient. Financial technology companies are generally startups trying to disintermediate incumbent financial systems and challenge traditional corporations that are less reliant on software.”
FinTech is a Financial Disruptor
Forbes’ FinTech Hot 5
Point of View
• FinTech companies and the traditional financial institutions that will interface with them will need to understand cybersecurity from multiple aspects and infrastructures
• Pressures to adopt FinTech will increase as delivery platforms mature and evolve
• Regulatory “controls” will increase as FinTech is adopted
• Effective and pro-active cybersecurity controls must be implemented, monitored and sustained
Resources
White Papers and Intelligence Briefings
• WHITE PAPER: Recalibrating Your AML Risk Program
• INTELLIGENCE BRIEFINGS:
  – Trade-based Money Laundering Risk and Regulatory Agency Priorities
  – Trending Anti-Money Laundering (AML) Compliance Standards and Cybersecurity Requirements
Cybersecurity and Cyber Risk Solutions
• Cybersecurity Assessment
• Reverse Stress Testing
• Exam Readiness Training
• Online Phishing, Malware and Social Engineering Prevention Training
• CyberForce Anomalous Activity & Threat Intelligence Monitoring
BSA/AML and Fraud Solutions
• BSA/AML Consulting
• Risk Managed Services Center (RMSC)
  – Alert Clearing Services
  – Enhanced Due Diligence review
  – Vendor risk management
  – Complaint management
• Financial Crime Management (FCM) Monitoring and Detection
Questions?
Scott Ramsey, CDRP, [email protected]
(561) 322-8781
Visit us in the expo hall to learn more