Virtual Cyber & Technology Risk Management Forum
This is the student handbook for the September 22-24, 2020 Cyber & Technology Risk Management Forum held virtually.
September 22, 2020
1:00 PM-2:00 PM ET
Cyber Threat Landscape
Ray Roach-Vaden, Supervisory Special Agent, Major Cyber Crimes Unit, Federal Bureau of Investigation
2:00 PM-2:15 PM ET
Break
2:15 PM-3:15 PM ET
.BANK Cybersecurity - The Cybersecurity & Digital Banking Benefits of .BANK
Ed Gross, VP Endorsed Solutions, American Bankers Association
Andrew Schiff, Director of Engagement, fTLD
Craig Schwartz, Managing Director, fTLD
3:15 PM-3:30 PM ET
Break
3:30 PM-4:30 PM ET
Federal Update - FDIC
Sylvia Burns, Chief Information Officer, Chief Privacy Officer & Director, DIT, Federal Deposit Insurance Corporation
Russell Pittman, Senior Special Advisor to the CIO, Federal Deposit Insurance Corporation
Nathan Zee, Special Assistant, Federal Deposit Insurance Corporation
September 23, 2020
1:00 PM-2:00 PM ET
What Should Vendor Management Look Like in 2020
Chad Knutson, President, CISO & Partner, SBS CyberSecurity
2:00 PM-2:15 PM ET
Break
2:15 PM-3:15 PM ET
Federal Reserve – Exam Tool Modernization and Supervision Central
Katie Chaney, SRM Manager, Supervision & Risk Management, Federal Reserve Bank of Kansas City
Michael Combs, Assistant Vice President, Federal Reserve Bank of Kansas City
Brent Richards, Assistant Director, Supervision and Regulation, Federal Reserve Board
3:15 PM-3:30 PM ET
Break
3:30 PM-4:30 PM ET
Ransomware – Lessons Learned & Toolkit
Holly Chase, Director of Cybersecurity / IT / Fintech, Massachusetts Division of Banks
Phillip Hinkle, Director of IT Security Examinations, Texas Department of Banking
Mary Beth Quist, Senior Vice President, Supervisory Processes, Conference of State Bank Supervisors
September 24, 2020
1:00 PM-2:00 PM ET
State IT Supervision
Mary Beth Quist, Senior Vice President, Supervisory Processes, Conference of State Bank Supervisors
2:00 PM-2:15 PM ET
Break
2:15 PM-3:15 PM ET
Incident Response/Cyber Resilience
Jon Waldman, Executive Vice President, IS Consulting and Co-Founder, SBS CyberSecurity
3:15 PM-3:30 PM ET
Break
3:30 PM-4:30 PM ET
Lessons Learned in Offsite Supervision
Zach Ball, Examination Manager, Office of Banking, Michigan Department of Insurance and Financial Services
Mike Fabry, Agency Chief Information Technology Officer, Nebraska Department of Banking & Finance
Brad Johnson, District Manager, Kentucky Department of Financial Institutions
Danny Ragan, Information Technology Director, Louisiana Office of Financial Institutions
.BANK Cybersecurity: The Cybersecurity & Digital Banking Benefits of .BANK
Speaking Today: Drew Schiff, Director of Engagement, fTLD Registry Services | .BANK, drew@ftld.com | 202.589.2528
.BANK is an industry-led cybersecurity initiative, providing banks with security against BEC, phishing and spoofing attacks, and preparing their online platforms for the digital banking movement.
fTLD’s Role as Registry Operator
• Operates .BANK in accordance with its contract with its 'regulator', ICANN
• Develops policies for .BANK (eligibility, naming, etc.)
• Establishes and monitors security requirements for entities operating within .BANK
• Verifies new requests for .BANK domains, and performs annual reverifications of existing registrants
• Educates the banking industry and guides banks through their .BANK migrations
Why was .BANK Created?
• The Problem: Financial institutions are the most phished organizations (PhishLabs)
• The Magnitude: Phishing led to 92.4% of all breaches last year (FBI)
• It's about Authentication: 90% of breaches and 98% of phishing emails are human error, pure social engineering, containing no malicious links or attachments (Kaspersky Lab & PhishLabs)
• Banks need a space online that addresses the authentication problem (like .gov and .edu) to protect against these malicious attacks that lead to breaches, identity theft and financial fraud
.BANK {Monitored} Security Requirements (typically 2-3 hours of engineering time and about $1,000 to complete)
1. Ensure authoritative name server host names are within the .BANK zone
2. Implement Domain Name System Security Extensions (DNSSEC)
3. Obtain a digital identity certificate (TLS)
4. Ensure Transport Layer Security (TLS) has been implemented using version 1.2 or greater where possible
5. Email authentication: create a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record and Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) records
6. Ensure vendors utilizing DNS resource records are currently using DNSSEC (#2) and TLS (#4) as required
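The name-server and email-authentication items in this list (1 and 5) can be verified from a domain's published DNS records. The following is an added example, not fTLD's own monitoring tooling: a Python checker run over a constructed record set for a hypothetical example.bank (the domain, the records and the function names are assumptions). It flags the failure modes that matter in practice: a DMARC record at p=none only reports and does not block spoofed mail; an SPF record ending in ?all or +all rejects nothing; more than ten DNS-lookup terms makes SPF evaluation fail with permerror at receivers (RFC 7208); two SPF or two DMARC records is also a permerror; and an empty DKIM p= tag means the key has been revoked. DNSSEC and TLS (items 2 to 4) need live queries and are out of scope here. One caveat on the slide's spoofing claim: DMARC protects only the exact domain, and only at receivers that enforce it; look-alike domains are a separate problem.

```python
import re
from dataclasses import dataclass

# Added example (not fTLD's tooling): offline checks of a domain's published
# DNS records against the .BANK name-server and email-authentication
# requirements. All records below are constructed for a hypothetical example.bank.

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


@dataclass
class Finding:
    requirement: str
    passed: bool
    detail: str


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_nameservers(domain, ns_hosts):
    """Requirement 1: every authoritative NS host name must sit inside the domain's TLD."""
    tld = "." + domain.rstrip(".").rsplit(".", 1)[-1].lower()
    outside = [h for h in ns_hosts if not h.rstrip(".").lower().endswith(tld)]
    detail = "outside zone: " + ", ".join(outside) if outside else "all NS hosts in zone"
    return Finding("NS hosts within " + tld, not outside, detail)


def check_dmarc(dmarc_txt):
    """Requirement 5 (DMARC): one v=DMARC1 record at _dmarc.<domain> with an enforcing
    policy. p=none is monitor-only: spoofed mail is still delivered."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return Finding("DMARC", False, "%d v=DMARC1 records (need exactly one)" % len(recs))
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    return Finding("DMARC", policy in ("quarantine", "reject"),
                   "p=%s rua=%s" % (policy or "<missing>", tags.get("rua", "<none>")))


def check_spf(txt_records):
    """Requirement 5 (SPF): one v=spf1 record, <=10 lookup terms, and a terminal -all/~all
    (?all and +all reject nothing; a redirect= modifier delegates the policy instead)."""
    recs = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return Finding("SPF", False, "%d v=spf1 records (need exactly one)" % len(recs))
    terms = recs[0].split()[1:]
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in SPF_LOOKUP_TERMS)
    last = terms[-1].lower() if terms else ""
    enforcing = last in ("-all", "~all") or last.startswith("redirect=")
    return Finding("SPF", lookups <= 10 and enforcing,
                   "%d lookup terms, terminal %r" % (lookups, last))


def check_dkim(selector_txt):
    """Requirement 5 (DKIM): at least one selector publishing a key; an empty p= means revoked."""
    keys = [parse_tags(r) for r in selector_txt]
    live = [k for k in keys if k.get("p")]
    return Finding("DKIM", bool(live), "%d of %d selector(s) publish a key" % (len(live), len(keys)))


def assess(domain, zone):
    """Run all offline checks; 'zone' stands in for live DNS answers."""
    return [check_nameservers(domain, zone.get("NS", [])),
            check_dmarc(zone.get("_dmarc", [])),
            check_spf(zone.get("TXT", [])),
            check_dkim(zone.get("DKIM", []))]


def compliant(findings):
    """NS and DMARC are mandatory; SPF and/or DKIM satisfies the email requirement."""
    ok = {f.requirement.split()[0]: f.passed for f in findings}
    return ok["NS"] and ok["DMARC"] and (ok["SPF"] or ok["DKIM"])


# Constructed record sets for a hypothetical example.bank.
GOOD_ZONE = {
    "NS": ["ns1.example.bank.", "ns2.example.bank."],
    "TXT": ["v=spf1 mx include:_spf.mailvendor.example -all"],
    "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.bank; pct=100"],
    "DKIM": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...constructed..."],
}
WEAK_ZONE = {
    "NS": ["ns1.example.bank.", "ns2.hosting-provider.example."],  # NS host outside .bank
    "TXT": ["v=spf1 a mx include:_spf.mailvendor.example ?all"],   # neutral: rejects nothing
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.bank"],  # monitor only
    "DKIM": ["v=DKIM1; k=rsa; p="],                                  # revoked key
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("weak", WEAK_ZONE)):
        findings = assess("example.bank", zone)
        print(label, "compliant" if compliant(findings) else "NOT compliant")
        for f in findings:
            print("  [%s] %s: %s" % ("PASS" if f.passed else "FAIL", f.requirement, f.detail))
```

To run it against a live domain, replace the constructed zone with the answers from your resolver (NS for the apex, TXT at the apex, TXT at _dmarc.<domain> and at <selector>._domainkey.<domain>); the checks themselves do not change.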
How .BANK Addresses Domain Security
• .BANK's verification process ensures there are no bad actors in the .BANK space
• .BANK's monitored email authentication requirement ensures that bad actors can't spoof your domain from a non-.BANK domain
• ".BANK" at the end of a domain provides immediate authentication, validating that the email(s) and website(s) are legitimate
• fTLD requires 2-factor authentication to modify domain information
• fTLD requires DNSSEC
• fTLD verifies domain contact information at least annually
• fTLD monitors domains that are at risk of being non-renewed
• fTLD enables 'role name' and 'role email addresses' to protect privacy in Whois
• fTLD provides Registry Lock through registrars
• fTLD has placed both .BANK &amp; .INSURANCE on the HSTS preload list, ensuring all .BANK sites load exclusively with HTTPS
COVID-19 Scams Benefit From
• COVID-themed subject lines for phishing related to 'PPP loans', 'U.S. Government Stimulus Payments', 'Main Street Lending Program', 'Small Business Loans', 'Relief Funds' and other personal/business financial needs
• Remote workers that aren't necessarily practicing the same level of cybersecurity hygiene
• Email communication replacing face-to-face communication that occurs in offices
• Significantly higher volume of customer email with greater urgency, as customers do genuinely need help
• Executives and other employees not accustomed to answering customer emails 'pitching in'
• Customer anxiety around business and personal finances
The Impact of COVID-19 on Banks
• More Cyberattacks: Bad actors have taken advantage of the chaos created by remote workers, emails replacing face-to-face interactions, and customer anxiety around finances to drastically increase their phishing and spoofing attacks on banks and bank customers (over 400% according to the FBI)
• Transition to Online & Digital Banking: Bank customers have had to quickly adjust to online banking and digital communication with their banks
• Changes will last: More than 25% of consumers don't plan to return to branches even once it's safe to do so. New exposure to, and reliance on, online banking and communications has eased concerns around, and increased interest in, online and digital banking going forward
• It's more important than ever that banks secure themselves, and their customers, against these cyberattacks, and prepare their platforms for the likely permanent increase in online & digital banking
The Good News
• .BANK protects against the most pervasive and dangerous cybersecurity attacks banks have been facing for decades
• .BANK provides industry-leading domain security
• .BANK domains authenticate bank websites and emails so customers can easily recognize and trust online interactions
• .BANK authentication and trust prepares banks for escalated online banking today, and the addition of digital products and services to enhance relationships and attract new customers
• fTLD guides banks through an affordable [~$1,000] transition to .BANK that is easy [2-3 hrs of engineering] for banks and seamless for customers [no disruption, no change to behavior]
• .BANK works with all other bank cybersecurity tools
Q&A
Moderator: Ed Gross, VP Endorsed Solutions, ABA
Craig Schwartz, Managing Director, fTLD
Drew Schiff, Director of Engagement, fTLD
Resources
• Book a .BANK Migration Consultation: go.ftld.com/meetings/drew89
• Learn More About .BANK: www.register.bank/learn
• Get a .BANK Domain: www.register.bank/get-started
• .BANK Security Requirements: www.register.bank/securityrequirements
• .BANK Migration Timeline: www.register.bank/timeline
• .BANK Customer FAQ: www.register.bank/customerfaq
• Customer Communications Guide: www.register.bank/communications
• Drew Schiff: drew@fTLD.com | +1 202 589 2528
Federal Update - FDIC
Sylvia Burns, Chief Information Officer, Chief Privacy Officer & Director, Division of Information Technology

• Modern Approach: Adopting modern technology management approaches including Agile, DevOps, and product orientation.
• Reorganizing the DIT: Improving how we operate. The reorganization:
o Aligns business functions of DIT,
o Updates our operating model, and
o Parallels the systems development life cycle.
• Cloud Strategy: Increasing cloud adoption - creating a Cloud Center of Excellence.
• Low-Code/No-Code Development: Minimizes development and improves consistency and security.
• Modernizing, supporting remote work and improving access to data: Modernizing our application and infrastructure and supporting a remote workforce and remote exams. Making data more readily available to the public.

• The transition to mandatory telework in March 2020 was fairly seamless due to investments in modernizing our infrastructure
• Areas of focus for modernization include:
o Enterprise Identity Management
o Modernization - Electronic File Exchange
o Examination Tool Suite
o Electronic Signature
o Learning Technology Modernization
o […] and Wi-Fi design
o Public-facing Internet applications

Enterprise Identity Management
• Analyzed performance issues and identified areas of improvement
• Working on implementing improvements
• Interim solution includes optimizing security scanning, endpoint settings and application architecture
• Working with partners on evaluating and implementing a cloud-based solution
Modernization
• Developing the blueprint and roadmap with future state vision along with current state validation
• Mapping of business capabilities to technology solutions, phased deployment roadmap
Electronic File Exchange
• Improved performance and resiliency
• The July release:
o the ability to upload audio and video files,
o pop-up notifications to users to show personal connectivity issues, and
o the ability to maintain data feeds from other systems even when those systems are unavailable, such as BankFind

Examination Tool Suite
• Enhancements are underway to facilitate asset review and report preparation activities during examinations
• Implementing viable word processing functionality will provide examiners and case managers the ability to review the Reports of Examination (ROEs) and make changes more efficiently
Electronic Signature
• Using electronic signatures rather than traditional signatures.
• External service used to provide capability for businesses and individuals that don't have their own certificates
Learning Technology Modernization
• Procuring a new system for internal and external users to access training from any location, at any time
• Corporate University virtualizing course content during […]
[…] and Wi-Fi design
• Improving connectivity and cloud connections for regional and field offices

• Providing tools for automation - Five publicly available application programming interfaces (APIs) available on FDIC.gov with more to come in 2021
o Financial Institutions
o Locations
o Events and Changes
o Annual Historical Data
o Bank Failures
• Improving our public-facing applications - Focus on improving our existing applications (i.e., user interfaces).
o Launched redesigned Events and Changes - formerly called Report of Structure Changes (August 2020)
o Modernizing BankFind (early 2021, beta version is available now)
o Modernizing Institution Directory and Statistics on Depository Institutions (2021)
o Modernizing Summary of Deposits (early 2022)

Business Problem: "Institution personnel currently have to authenticate to regulator file exchange systems in different ways, e.g., bankers may have multiple 'tokens,' user names/passwords, websites, and processes."
The members of the Common Technology Working Group established under the […] are collaborating to determine whether this concern can be jointly addressed. Members acknowledge that each agency is studying options for enhanced authentication technology.
Action: Determine whether a common authentication solution is feasible
Completed: Market research and initial requirements determination

• […] agree to sharing knowledge, code, capabilities, etc. to the maximum extent to help each other and promote standardization
• […] and […] are modernizing their supervisory systems (in Appian)
• […] is modernizing its supervision systems for compliance, and safety and soundness (in Appian). Also planning for the future Examiner Tool Suite
• On August 3, 2020, the Federal Reserve demonstrated Supervision Central to the […] as an opportunity for technology sharing
• September 29 interagency meeting to share current and planned projects using the Appian platform
What Should Vendor Management Look Like in 2020: How Banks Can Use Vendor Management Programs to Help You Make Better Decisions
Presented By: Chad Knutson SBS CyberSecurity, LLC
© 2020 SBS CyberSecurity, LLC www.sbscyber.com
Contact Information
Chad Knutson
o President, CISO, Partner
o CISA, CRISC, CISSP
o Master's of Information Assurance
o Phone: 605-480-3366
o chad@sbscyber.com
o www.sbscyber.com
SBS Institute
o sbsinstitute@sbscyber.com
o 605-269-0909
Vendor Management Regulation: What does the most recent guidance say?
The Guidance
• FFIEC Guidance:
o Outsourcing Technology Services booklet (2004)
o Supervision of Technology Service Providers booklet (2012)
o Outsourced Cloud Computing (2012)
o BCP: Appendix J (2015)
o Cybersecurity Assessment Tool (2015) – Domain 4
• FDIC Guidance:
o FIL 44-2008: Guidance for Managing Third Party Risk
o InTREx: https://www.fdic.gov/news/financial-institution-letters/2016/fil16043a.pdf
• OCC Guidance:
o OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance
o OCC Bulletin 2017-7: Supplemental Exam Procedures to 2013-29
• Federal Reserve Guidance:
o SR 13-19 / CA 13-21: Guidance on Managing Outsourcing Risk
FDIC FIL-44-2008
• Four basic elements:
o Risk Assessment
o Due Diligence in Selecting a Third Party
o Contract Structuring and Review
o Oversight
http://www.fdic.gov/news/news/financial/2008/fil08044a.html
FFIEC Cybersecurity Assessment Tool
• Vendor Management is all over the FFIEC CAT
• Inherent Risk Profile
o Six (6) questions (of 39) mention third parties, including identifying the number of vendors that have access to internal systems, as well as hosted ATMs, cards (debit, credit, and prepaid), ACH origination, and Trust
• Cybersecurity Maturity
o "Third Party" listed 33 times total, "vendor" another four (4) times
o Domain 4: External Dependency Management (all about 3PM). Assessment Factors include: Connections, Due Diligence, Contracts, and Ongoing Monitoring
InTREx Management #6
InTREx Procedure #12
InTREx Procedure #12
Compliance-Based Vendor Management
What does traditional, old-school Vendor Management look like, and what are its downfalls?
• What does regulation require us to do?
o Vendor Risk Assessment
o Vendor Selection
o Contract Review
o Due Diligence
o Review Critical Vendors Going Forward
• Documentation to review (compliance-based VM):
o Contracts
o Financials
o BCM/IRP documentation
o SLAs
o Audit/Testing results
o Determine if the vendor is a foreign service provider
o Determine if the vendor uses subcontractors
o Determine how you might terminate the relationship
Downsides to Compliance-Based VM
• No real guidance on HOW to risk-assess vendors
• No guidance on how to CATEGORIZE vendors
• Most documentation is just gathered, not truly analyzed
• Vendors are reviewed inconsistently throughout organizations
• Vendor risk is not MEASURED
• If you're not measuring risk, there's no way to tell when a vendor is not living up to your standards
• Typically no process for handling risk exceptions
Is Vendor Management Effective?
• Would standard vendor management processes catch issues with your vendors before they happen?
• Would your vendor review identify vulnerabilities in your web apps?
o SOC reports don't include code reviews.
• We know the answer… BUT!
What is a MODERN Vendor Management Program
Vendor Management should tie into your Information Security Program (ISP) and use the same risk management frameworks as other ISP areas
Information Security Program Flowchart
3 Major Components of VM
• Vendor Risk Assessment
o Your risk assessments MUST help you make better decisions
o Identify Vendor Risk
o Identify Vendor Levels
• Vendor Selection
o Based on Vendor Level
o Contract Review
o Due Diligence
o Metrics
• Ongoing Vendor Management
o Based on Vendor Level
o Contract Review
o Due Diligence
o Metrics
Risk Management Hierarchy
Strategic Risk
• Organizational Risk Assessment – evaluates the risk to the organization from the highest level, based on what the org has and does
• Business Process Risk Assessment (BIA) – designed to help prioritize and recover business processes; includes other business process dependencies, vendors, and IT assets
Tactical Risk
• Vendor Risk Assessment – looks at the criticality of vendors and the risk of outsourcing; includes IT assets
• IT Risk Assessment – evaluates the inherent and residual risk of IT assets, threats, and controls; the deep-dive
Risk Assessment Components
Threat x Vendor (Protection Profile) = Inherent Risk
Inherent Risk – Mitigating Controls = Residual Risk
Goals of Vendor Risk Assessment
• What are the decisions you want to make using the Vendor Risk Assessment?
o Vendor Selection: which of these vendors do we want to do business with?
o Ongoing Vendor Management: do we want to keep doing business with this vendor?
• Categorizing Vendors
o Not all vendors are created equal!
o Difference between your core banking vendor and your janitorial company, right?
Modern Vendor Risk Assessment Spreadsheet example – based on Inherent Risk
Where to Start with Vendor RA?
1. Inventory your vendors
o Many institutions start with the Accounts Payable list
o Note: not all the vendors on the Accounts Payable list need to be managed going forward
2. Determine Protection Profile (importance)
3. Identify threats to your institution from that vendor
4. Protection Profile x Threats = Inherent Risk
5. Determine Mitigating Controls
o Contract Review questions
o Due Diligence questions
6. Inherent Risk – Mitigating Controls = Residual Risk
Inherent Risk Calculation
• Protection Profile (importance) score x (times) Total Threat Score = (equals) Inherent Risk
• Inherent Risk = the risk of doing business with this type of vendor
Determine How Many Levels
• NOTE: there is NO guidance, standard, or baseline for creating the number of vendor levels
• Regulatory guidance states to perform ongoing management (contract review, due diligence) for "critical" vendors
• SBS uses 4 Vendor Levels
o Critical (Level 1)
o Significant (Level 2)
o Non-Essential (Level 3)
o Exempt (Level 4)
• https://sbscyber.com/resources/vendor-management-how-should-i-categorize-my-vendors
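To make the six steps and the two formulas concrete, here is an added example (my code, not SBS CyberSecurity's spreadsheet or its TRAC product) that carries two constructed vendors through the model: Protection Profile x total threat score = Inherent Risk, Inherent Risk - Mitigating Controls = Residual Risk, assignment to one of the four SBS-style levels, and the keep-or-Watch-List decision. The 1-to-5 scoring scales, the inherent-risk cut-offs for each level and the per-level residual-risk tolerances are assumptions, since the slides give the formulas but no scale (and say there is no regulatory baseline for the number of levels). Setting the level from inherent rather than residual risk is a deliberate choice: a vendor should not drop out of the critical tier because it answered a questionnaire well.

```python
import math
from dataclasses import dataclass, field

# Added example, not SBS CyberSecurity's spreadsheet or TRAC: the vendor risk
# model from the slides with assumed scales. Protection Profile and threat
# likelihoods are scored 1-5; each control removes a fraction (0-1) of one
# threat's contribution to inherent risk.

LEVEL_NAMES = {1: "Critical", 2: "Significant", 3: "Non-Essential", 4: "Exempt"}
# Assumed cut-offs on inherent risk (the slides give no baseline for these).
LEVEL_THRESHOLDS = ((50, 1), (25, 2), (10, 3), (0, 4))
# Assumed residual-risk tolerance per level; above it the vendor goes on the Watch List.
RESIDUAL_TOLERANCE = {1: 25.0, 2: 15.0, 3: 10.0, 4: math.inf}
WATCH_LIST_OUTCOMES = ("Accept the risk", "Resolve the risk",
                       "Change the risk", "Transfer the risk")


@dataclass
class Vendor:
    name: str
    protection_profile: int          # 1 (janitorial) .. 5 (core banking)
    threats: dict                    # threat -> likelihood 1..5 (constructed)
    controls: dict = field(default_factory=dict)  # control -> (threat mitigated, strength 0..1)


def inherent_risk(v):
    """Step 4: Protection Profile x total threat score."""
    return v.protection_profile * sum(v.threats.values())


def mitigating_controls(v):
    """Step 5: credit from contract-review / due-diligence answers; each control
    removes a fraction of one threat's share of the inherent risk."""
    credit = 0.0
    for threat, strength in v.controls.values():
        credit += v.protection_profile * v.threats.get(threat, 0) * strength
    return credit


def residual_risk(v):
    """Step 6: Inherent Risk - Mitigating Controls."""
    return inherent_risk(v) - mitigating_controls(v)


def vendor_level(v):
    """Level follows inherent risk, so it does not drift as controls are added or lapse."""
    score = inherent_risk(v)
    for threshold, level in LEVEL_THRESHOLDS:
        if score >= threshold:
            return level
    return 4


def review(v):
    """The #1 decision: keep doing business as-is, or put the vendor on the Watch List."""
    level = vendor_level(v)
    residual = residual_risk(v)
    on_watch_list = residual > RESIDUAL_TOLERANCE[level]
    return {
        "vendor": v.name,
        "level": level,
        "level_name": LEVEL_NAMES[level],
        "inherent": inherent_risk(v),
        "residual": round(residual, 2),
        "watch_list": on_watch_list,
        "options": WATCH_LIST_OUTCOMES if on_watch_list else (),
    }


# Constructed vendors mirroring the slide's contrast: core banking vs. janitorial.
CORE_BANKING = Vendor(
    "Core banking provider", 5,
    threats={"data breach": 5, "service outage": 5, "fourth-party failure": 3},
    controls={
        "SOC 2 Type 2 reviewed, no exceptions": ("data breach", 0.5),
        "DR plan tested annually": ("service outage", 0.6),
        "subcontractors named in contract": ("fourth-party failure", 0.4),
    },
)
JANITORIAL = Vendor(
    "Janitorial service", 1,
    threats={"physical access": 3, "data breach": 1},
    controls={"background checks": ("physical access", 0.5)},
)

if __name__ == "__main__":
    for v in (CORE_BANKING, JANITORIAL):
        r = review(v)
        print("%-22s L%d %-13s inherent=%3d residual=%5.1f watch_list=%s"
              % (r["vendor"], r["level"], r["level_name"],
                 r["inherent"], r["residual"], r["watch_list"]))
```

With these inputs the core provider scores 65 inherent, lands in Level 1, and still carries 31.5 residual after credit for its controls, which is above the Level 1 tolerance, so it goes on the Watch List with the four outcomes to choose from; the janitorial vendor scores 4 and is Exempt. Swap in your own scales and the two lists of questions from the contract review and due diligence, and the same functions give you a measured, repeatable answer to "is this vendor living up to our standard?"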
Vendor Levels
01 Institution-wide Critical Vendors (20% of vendors, 80% of focus and spend)
02 Significant Vendors (80% of vendors, 20% of focus and spend)
03 Non-Essential Vendors
04 Exempt Vendors
Determining Vendor Levels
Why are Vendor Levels Important?
• Your critical vendors are critical for a reason – they're vital to your day-to-day operations
• Focus most of your time on your most important and critical vendors
• The higher the Vendor Level, the more:
o Questions you ask
o Documents you gather
o Frequently you review
o Risk mitigation you expect
Ongoing Vendor Management
Are you really managing your existing vendor risk and relationships, or are you just floating along?
Ongoing Vendor Management
Bank identifies current vendors and performs scheduled reviews.
1. Bank adopts Third Party Management Program
2. Verify Vendor Risk Level (Level 1 / Level 2 / Level 3)
3. Collect Data and Documents
4. IT Risk Assessment
5. Perform Due Diligence
6. Review Contract
7. Report Upstream
Much of the Same as Selection
• Perform a Vendor Risk Assessment
o Always start with the risk assessment!
• Determine vendor classification
• The more important/risky the vendor, the more you do to mitigate risk
• Make the #1 decision: do we want to keep doing business with this vendor?
o If yes – great! Move along.
o If no – or if there's more risk than you want – then what?
Risk Mitigation
• Risk mitigation = “The process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations.” • Inherent Risk – Mitigating Controls = Residual Risk
Required Documentation
• All depends on the Level of the Vendor
• The greater the Vendor Level (risk), the more documentation should be required
• Don't forget to analyze; you can't just collect
• What do you look for? RED FLAGS!
• SBS Blog: "What Documentation Should You Review for a Critical Vendor?"
o https://sbscyber.com/resources/what-documentation-should-you-review-for-a-critical-vendor
Management Requirements
Due Diligence & Contract Review
• Same questions from before – FDIC & OCC
• However, you should look into some other questions to ask, rather than just focusing on FDIC & OCC questions, such as:
o SOC Review Questions – what is important to take away from a SOC review?
o Cloud Computing Questions
o Foreign-Based Service Provider Questions
• Just as different documentation requirements should be set for different levels of vendor, so should the amount and types of questions.
• The more critical the vendor, the deeper the dive into Contract Review and Due Diligence questions.
The Watch List
• When a vendor does not meet acceptable levels of risk (does not "pass" a vendor review), the vendor should be placed on a Watch List.
• The Watch List has four (4) outcomes:
1. Accept the Risk
2. Resolve the Risk – work with the vendor to address any issues until resolved, then remove the vendor from the Watch List
3. Change the Risk – find a new vendor; bring the product in-house (if outsourced) for more control; or discontinue the product or service
4. Transfer the Risk
Vendor Management Summary
• Not all vendors are created equal! • How do you categorize different “levels” of vendors? • Do you need to collect the same information from different vendor levels? • Is it enough to simply gather documentation from vendors? • Do you need to ask the same questions from different levels of vendors? • What are the major components of ongoing vendor management? • How do you identify your riskiest vendor? • What is the ultimate decision to make from the ongoing vendor management process?
Other Ways to Manage Vendor Risk
Besides traditional Vendor Management requirements, what are some of the modern ways to manage Vendor Risk?
Models to Manage Vendor Risk
• Assessment documentation from vendors
o SSAE 18, SOC, or IT Audit reports
• Tools (like TRAC)
• Questionnaires
• Onsite Visits
• Other – SecurityScorecard, FICO, etc.
SOC Audits
• SOC 1:
o Controls relevant to a service organization's internal control over financial reporting
• SOC 2:
o Examination of a service organization's controls over one or more of the five Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
• SOC 3:
o SOC 2 minus the juicy stuff
o It's publicly available
• Type 1:
o Suitability of control design as a snapshot in time
• Type 2:
o Control design and operating effectiveness over a period of time
Questionnaires
• Create your own questionnaires!
• Include things like:
o Physical Security Requirements (physical access, physical storage)
o Data segregation
o Base the questionnaire on your own regulation: FIL 44-2008 or OCC 2013-29 are good places to start. After all, YOU are responsible for the protection of your data
o Best Practices (based on vendor type or data center)
Today’s Vendor Management has numerous shortfalls. What should you do to close the gap? Other Useful Tools for Modern Vendor Management
© 2020 SBS CyberSecurity, LLC www.sbscyber.com
40
What About Code Reviews?
• Even more importantly…
• Inside look at the issue before it becomes a software product
• Has your vendor had a code review performed for the system/application you're using?
• Code Review vs. Web Application Assessment
• OWASP – Open Web Application Security Project
o https://www.owasp.org/index.php/Main_Page
o THE standard for online web application security
• In our experience, most orgs do NOT have their web apps tested against OWASP standards.
New Tools to Check Vendor Risk
Outside-looking-in information.
• UpGuard
o https://www.upguard.com/product/vendorrisk
• SecurityScorecard
o https://securityscorecard.com
• BitSight
o https://www.bitsight.com/
• FICO Cyber Risk Score
o https://www.fico.com/en/products/cyber-risk-score
• CAVEAT: these are newer technologies, and there are assumptions made in many of these scores. Don't treat them as gospel, but they are a good resource
Web Applications: Deeper Views
Contract for your own assessment:
• Web Application Assessment
• Penetration Test
Request:
• Their technical reports
• Source code audit reports
• Social engineering results???
Supply Chain
• Identify: o High Availability Vendors o High Confidentiality Vendors • Resiliency o Identify Single Points of Failure o Build Alternative Solutions o Document Manual Procedures o Business Continuity Management Plan • Confidentiality o Vendor Management Program o Incident Response Plan
Diagram (labels only): Internet, Server Datacenter, Internet Banking, Bank, Desktops, Firewall, Power
FFIEC Information Security
II.C.14 Supply Chain The typical institution purchases a wide variety of hardware and software, which often is manufactured or developed internationally. In a supply chain attack, a threat source incorporates unidentified and harmful features into the purchased items before delivery. During the risk identification process, management should identify factors that may increase risk from supply chain attacks and respond with appropriate risk mitigations. An effective information security program seeks to limit the potential for harm through techniques tailored to specific acquisitions and services. Examples of techniques to mitigate the risk from such attacks include the following: • Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains. • Purchasing hardware and software through third parties to shield the institution’s identity. • Reviewing hardware for anomalies. • Using automated software testing and code reviews for software. • Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.
Third Party vs. Fourth Party
Outsourced Vendor Risks
Hosted Systems
• Need to use local admin
• Must use an out-of-date Java version (or Java extensions)
• Teller application sending cleartext passwords
• Shared/default passwords on databases at multiple institutions
• Requires use of outdated browsers (yes, Internet Explorer)
• Limits on password length and certain special characters
• …
Now move it to an outsourced environment…
Large Scale Impacts
• 4,918 community bank charters as of Q2 2020
• How many banks are hosted in your outsourced datacenter?
• What are the impacts of that datacenter failing?
• How do we know if there is good security?
Finastra Ransomware/Data Breach
• Friday, March 20, 2020: Finastra notified its customers of a security incident that was impacting them.
o 4.5% of the core processor market - #5 global core banking provider
• Services were down through the weekend, leaving most of Finastra's North American customers unable to provide services to their clients
• Brian Krebs: "their response so far is straight out of the playbook for dealing with ransomware attacks."
• ZDNet and threat intelligence firm Bad Packets:
o Research has shown that Finastra's internet-facing security measures were lacking.
o Finastra had been running vulnerable Pulse VPN servers and outdated Citrix servers recently.
Confidential – Not for Public Distribution
Federal Reserve System Supervision & Regulation (S&R) Examination Tool Modernization and Supervision Conference of State Banking Supervisors Cyber and Technology Risk Management Forum September 23, 2020 – 2:15 p.m. ET
Brent Richards Assistant Director & CIO Federal Reserve Board
Michael Combs Assistant Vice President Federal Reserve Bank of Kansas City
Katie Chaney SRM Manager Federal Reserve Bank of Kansas City
Agenda
1. S&R Technology Vision, Strategic Themes and Strategic Initiatives – Brent Richards
2. Community and Regional Business Strategies for IT; Coming Soon: Supervision Central; Interagency IT: High Priority Initiative – Michael Combs
3. Demonstration of Supervision Central – Katie Chaney
S&R Technology Vision
• Simplify our environment • Increase interagency sharing and interoperability • Leverage new technologies • Optimize our spend
Board of Governors of the Federal Reserve System
Key Strategic Themes
• FOSTER EXPERIMENTATION, INNOVATION AND DISRUPTIVE THINKING We identify, evaluate and deploy new and emerging technologies to enable business strategies by empowering teams to elevate ideas, test them, and then evaluate their potential value to the S&R Division and/or Function. • TRANSITION END Ͳ TO Ͳ END BUSINESS PROCESSES FROM AGGREGATED POINT SOLUTIONS TO INTEGRATED PLATFORMS We improve user experience, minimize data silos, eliminate unnecessary cost/complexity, and reduce time to market by effectively leveraging integrated platforms to support end Ͳ to Ͳ end business processes instead of aggregating multiple independent point solutions. • BUY VS. BUILD / CLOUD FIRST We bring “best in class” industry and market leading platforms to S&R through robust buy vs. build analysis, market research, proactive exploration and provisioning. Our default position is to acquire commercial cloud Ͳ based platforms, limiting point solutions and/or custom development to only those scenarios where it is absolutely required. • MAXIMIZE THE VALUE OF ENTERPRISE INVESTMENTS We actively engage with Board and System IT to ensure enterprise investments are proactively established and can be fully and effectively leveraged by S&R. • RISK Ͳ BASED SECURITY We deploy the most appropriate information security protections and design security to avoid unnecessary complexity, reflect transparency of risk decisions, and support frictionless (positive end user experience) integrated security.
Key Strategic Initiatives
• ELECTRONIC FILING (M&A) – Production Go-Live 10/21
• ENTERPRISE INFORMATION MANAGEMENT (EIM) – RFP in works
• END-TO-END EXAMINATION PLATFORM (GT100) – RFI underway; RFP release planned for 7/20
• SUPERVISION CENTRAL (LT100) – Production Go-Live 03/21
• LOGON.GOV (FFIEC) – Market Assessment Complete; Implementation Plan will be presented to FFIEC 09/20
• CROWDSOURCING (BOARD S&R) – Production Go-Live Q4/20
• PORTFOLIO, PROGRAM AND PROJECT MANAGEMENT PLATFORM (BOARD S&R) – Production Go-Live Q1/21
• OFFICE 365/MICROSOFT TEAMS (BOARD AND SYSTEM S&R) – Board Production Go-Live Q1/21
Executing the Supervisory Process
Policy – Board Policy is calibrated to support risk-focused supervision and the efficient use of scarce examiner resources.
Process – Business Processes are consistent across Districts, eliminate inefficient and redundant activities and focus on supervisory areas of highest risk. (12-to-1)
Platform – Technology Platform supports consistent processes and policy execution to achieve business outcomes.
RBO and CBO Supervision Vision
Diagram labels: Agencies; Bankers; Supervision Central; Supervisory Planning; Supervisory Events; Ongoing Supervision.
The “Online Exam”: Scheduling >> Scoping >> Data Intake >> eWorkprograms >> Vetting >> Automated Report >> Issues
Supervision Central: The Business Case
The Business Problems…
Community, Regional and Consumer examiners noted ongoing technology gaps and pain points when collaborating with external stakeholders. Business opportunities included:
• Improve data exchange with supervised organizations and reduce regulatory burden.
• Better share supervisory information externally with other agencies
• Eliminate file size limits
The Business Case… Desired Outcomes
• Improve Collaboration Capabilities with Other Agencies
• Reduce Regulatory Burden and Compliance Costs for the Banking Public
• Improve the Efficiency and Effectiveness of Related Supervision Processes
• Drive Down the Cost of Community and Regional Bank Supervision
• Simplify the Technology Landscape for Examiners and Staff
• Manage Data to Enable and Support Business Analytics and Decision-Making
Business Features / Roadmap
Supervision Central Foundational Product – Community – Regional – Consumer
Roadmap diagram labels: Artificial Intelligence; Supervisory Events; Continuous Monitoring; Ad Hoc; Office 365 Experience; Document Intake and Organization; External Sharing & Collaboration; Authentication & Authorization; Evaluation of Low Code; Record Retention & Archival; Optimize E2E; Advanced Search; Approval Workflow; Future Phases; Backlog for Prioritization.
Replacing: CBO ExamSpace, RBO ExamSpace, RBO TeamSites, CA ExamSpace, Intralinks
Transforming Business and IT
Supervision Central is an early-adopter of cloud services in S&R and is introducing substantial change:
• It has helped business leaders imagine the possibilities of cloud and a better collaboration experience with external partners, even if it means storing CSI and PII data off premises.
• It has also solidified the business vision of connecting data and end-to-end processes whenever it is needed without tool hopping.
• It has helped technology staff push forward with brand new cloud architectural design patterns for external authentication, cloud hosting and integration to core Fed data.
• It has helped the records community consider a different way of managing information in the cloud through its retention period. It will likely change how S&R manages documents overall.
• It has helped information security staff move away from BISP, being the first cloud-based system in S&R to move to SAFR.
Interagency IT: High Priority Initiative
Themes
• The legacy technology used by agencies today is complex and will be nearing end-of-life over the next few years. Cloud-based capabilities, low code platforms and artificial intelligence provide the opportunity for transformational business and technology change.
• The Fed has a strong vision for technology and the FDIC and CSBS are looking for active partnerships that could help propel these strategies further than if the Fed were to go it alone.
• The business case for using shared technology is aspirational and represents a multi-year strategy. It would require executive-level commitment from the Fed, FDIC and CSBS. An appropriate implementation strategy would be to start small, fail quickly and deliver value incrementally in alignment with a long-term vision.
Challenges
• Historically, reaching agreement on interagency technology has been challenging and resulted in sub-optimal tools.
• Managing expectations will be difficult (we can’t boil the ocean).
• Agency processes and legacy technology are ingrained and would be difficult to unwind.
• Long runway needed to achieve business outcomes – multiyear vision
Scope
1. Deploy Supervision Central for interagency use on joint events in 2021.
2. Evaluate CBO activities that could benefit from common technology tools across agencies (80%).
3. Investigate options and develop a business case for new technology investments across agencies.
4. Determine executive support from the Fed, FDIC and CSBS for the business case and set direction.
Interagency IT: High Priority Initiative
Objective: To further enhance the Fed’s CBO supervision by improving shared technology across agencies.
IT Guiding Principles
1. Interagency collaboration is governed by business need
• “Business First”
• Focus on common processes across Agencies
• Technical limits don’t drive solutions
2. Interagency collaboration is mindful of information security
• Rigorous information security standards
• Shared technology creates new risk
• Reliance on InfoSec experts
3. Interagency collaboration is inclusive
• More open sharing across Agencies
• Cognizant of Agencies’ varying roles and responsibilities
• Solution-based mindset
4. Interagency collaboration is innovative
• Innovative, optimal solution to replace the complex legacy technology
• Transformational business and technology changes
• Cloud-based capabilities, low-code platforms, and artificial intelligence
Interagency IT HPI: What’s our 80%?
Proving Our Hypothesis: CBO Supervision across the Fed, FDIC and States is similar for 80% of business processes. Interagency projects get bogged down in the 20%.
What are the shared big rocks of the supervisory process?
Level 1 – Process: Planning; Exams; Monitoring
Level 2 – Activities: What shared high-level activities are conducted for each process? 1. Scoping; 2. Workpapers; 3. Report (compared across States, Fed and FDIC)
Level 3 – Steps: What steps are conducted for each activity across agencies? Where are we similar (80%)?
Demo
Demo of Supervision Central – Katie Chaney, FRB-KC
CSBS Cyber & Tech Risk Management Forum
Incident Response and Cyber Resilience
Presented By: Jon Waldman, CISA, CRISC Partner, President of the SBS Institute, EVP of IS Consulting - SBS CyberSecurity, LLC
Contact Information
Jon Waldman
o Partner, EVP IS Consulting
o CISA, CRISC
o Master’s of Information Assurance, Dakota State University
o Mission: Help you make more informed cybersecurity decisions
o Phone: 605-380-8897
o jon@sbscyber.com
o www.sbscyber.com
Follow us on Social:
SBS Institute
o sbsinstitute@sbscyber.com
o 605-269-0909
© SBS CyberSecurity, LLC www.sbscyber.com
CURRENT THREATS: What are the new (and old) ways bad guys are getting our information and money?
What do you look like to a bad guy?
66.233.160.64
It’s not some dude sitting at his hacker desk all day typing out ping commands to IP addresses via the command prompt manually… Attacks today are AUTOMATED
Automated, remember?
Shodan.io
Ransomware Rising
• MAJOR increase in ransomware attacks in 2019 – 118% year-over-year
• Insurance companies paying the ransom = higher ransoms; upwards of MILLIONS of dollars
o Average Ransom Payout - $178,254 as of Q2 2020 (up 60% from Q1 2020)
• Healthcare, government, transportation, and MSPs all being actively targeted
• Hackers often getting in via vulnerable RDP and staying undetected for months before launching a carefully crafted attack
Ransomware Trends
• Ransomware = data breach – exfiltration becomes commonplace (22% vs. 30% threatening)
• Top 5 Ransomware variants from Q1 2020:
o Sodinokibi (REvil) – 15.4%
o Maze – 7.7%
o Phobos – 7.7%
o Netwalker – 7.1%
o Dharma – 6.4%
o https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report
• MEDIAN Company size of ransomware victims: 100 employees
• 75% of all ransomware attacks happen to companies with <$50M in revenue
• Average Downtime from Ransomware: 16 days
Ransomware Tactics
Top Ransomware Vulnerabilities:
• RDP or Virtual Desktop endpoints without MFA
• Citrix ADC systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510
• Microsoft SharePoint servers affected by CVE-2019-0604
• Microsoft Exchange servers affected by CVE-2020-0688
• Zoho ManageEngine systems affected by CVE-2020-10189
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
Password Reuse: Top 25 worst passwords of 2019
Modern Password Rules
• Longer = better (12 chars – user; 16 chars – admin)
• Don’t reuse passwords
• Still a good idea to change your password occasionally
• Use a Password Manager
o LastPass
o Dashlane
o Keeper
o KeePass
o 1Password
• Monitor Your Accounts Online
Have I Been Pwned?
https://haveibeenpwned.com/
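The two slides above (Modern Password Rules and Have I Been Pwned?) describe checks a bank can automate at password-change time. The block below is an added example written for this handbook, not code from SBS CyberSecurity or from Have I Been Pwned: it applies the slide's length rules (12 characters for users, 16 for admins), rejects reuse against a password history, and performs the k-anonymity breach lookup the way the Pwned Passwords range service works (only the first five hex characters of the SHA-1 leave the client; the remaining 35 are matched locally). To run offline it substitutes a constructed local corpus with made-up counts for the real service; the `range_lookup` callable, `LOCAL_BREACH_CORPUS` and `evaluate_password` are this example's own names.

```python
import hashlib
from typing import Callable, Iterable, Set

# Minimum lengths from the slide's rules: 12 characters for users, 16 for admins.
MIN_LENGTH = {"user": 12, "admin": 16}

# Constructed stand-in for breach data (counts are made up for this example).
# The real check queries Have I Been Pwned's Pwned Passwords range endpoint.
LOCAL_BREACH_CORPUS = {
    "password": 1000,
    "123456": 2500,
    "qwerty": 800,
    "letmein": 120,
}


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys entries by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix: str) -> Iterable[str]:
    """Offline stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for
    every corpus entry whose SHA-1 starts with the 5-character prefix."""
    lines = []
    for pw, count in LOCAL_BREACH_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return lines


def pwned_count(password: str,
                range_lookup: Callable[[str], Iterable[str]] = local_range_lookup) -> int:
    """k-anonymity check: only the first 5 hex characters of the hash leave the
    client; the remaining 35 are matched locally against the returned range."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 is used only to keep this example self-contained; a real
    # reuse check compares against the stored (salted, slow) credential hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def evaluate_password(password: str, role: str, history: Set[str]) -> list:
    """Apply the slide's rules and return a list of findings (empty = acceptable).
    `history` holds sha256_hex() values of the account's previous passwords."""
    if role not in MIN_LENGTH:
        raise ValueError(f"unknown role {role!r}")
    findings = []
    if len(password) < MIN_LENGTH[role]:
        findings.append(f"shorter than the {MIN_LENGTH[role]} characters required for {role}")
    if sha256_hex(password) in history:
        findings.append("reused: matches a previous password")
    hits = pwned_count(password)
    if hits:
        findings.append(f"appears in breach data {hits} times")
    return findings


if __name__ == "__main__":
    for pw, role in [("password", "user"), ("correct-horse-battery-staple", "admin")]:
        print(role, pw, evaluate_password(pw, role, set()) or "OK")
```

Swapping `local_range_lookup` for a function that fetches the real range from the Pwned Passwords service keeps the rest unchanged; the privacy property (the full hash never leaves the client) lives in `pwned_count`, not in the lookup.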
ImmuniWeb Radar
• Free Dark Web Scan: https://www.immuniweb.com/radar/
COVID-19 Cyber Threats
• Google: 18+ Million COVID-19 emails in just the last week, in addition to 240M daily COVID-19 spam messages
• Phishing up 667% right now
• FBI IC3: 4x complaints per day (1K before COVID-19, now 3k-4k per day)
• 148% spike in ransomware attacks due to COVID-19
• 30%-40% increase in attacker interest relating to RDP (as measured by Shodan)
• 26% increase in e-comm web skimming in March
• Healthcare, Financial Services, Medical Suppliers and Manufacturing, Government and Media Outlets all seeing a large increase in cyber threats
Defining Incident Response: Where does Incident Response fit into your Information Security Program?
Regulatory Guidance on IRP
• FFIEC Information Security Booklet
o Security Operations section
• FFIEC Cybersecurity Assessment Tool
o Domain 5 – Incident Management and Resilience
• FFIEC BCM Booklet
o Resilience; tying IRP to BCP
• FDIC Appendix B to Part 364
o Section III Response Program
• NIST SP 800-61 Computer Security Incident Handling Guide:
o http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
o http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
III. Security Operations (IS Booklet)
• Threat Identification and Assessment
o More focused than the Risk Identification Process
o Monitor for hostile cyber or physical threats, human errors, structure failures, and man-made or natural disasters.
o Leverage attack trees, event trees, and kill chains
• Threat Monitoring
o Establish responsibility and authority to monitor systems
o Network, host, and application monitoring
• Incident Identification and Assessment
o Identify indicators of compromise and analyze events
o Leverage identification systems such as: ISP, Endpoint monitors, DLP, Logs, file integrity….
o Escalate and report.
• Incident Response
o Establishes when and who should enact Incident Response
o Defined Process to address the threat and return to operations
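The "Incident Identification and Assessment" step above (identify indicators of compromise from logs, analyze, escalate) is easiest to see with a concrete detection. The block below is an added example for this handbook, not code from SBS CyberSecurity or the FFIEC: it runs over constructed Windows Security log lines, rendered here in a simplified key=value shape, and looks for the RDP entry pattern the Ransomware Rising and Ransomware Tactics slides warn about (a burst of failed RemoteInteractive logons from one source, optionally followed by a success from the same source). EventID 4625/4624 and LogonType 10 are the real Windows values; the sample addresses, user names, the `parse_log` and `detect_rdp_bruteforce` names and the 5-failures-in-10-minutes threshold are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in a simplified key=value shape. Real Windows Security
# log records carry the same fields (EventID 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive, i.e. RDP) inside EVTX/XML.
SAMPLE_LOG = """\
2020-09-10T02:14:05Z EventID=4625 LogonType=10 User=administrator Src=198.51.100.7
2020-09-10T02:14:09Z EventID=4625 LogonType=10 User=admin Src=198.51.100.7
2020-09-10T02:14:14Z EventID=4625 LogonType=10 User=backup Src=198.51.100.7
2020-09-10T02:14:20Z EventID=4625 LogonType=10 User=scanner Src=198.51.100.7
2020-09-10T02:14:27Z EventID=4625 LogonType=10 User=helpdesk Src=198.51.100.7
2020-09-10T02:14:33Z EventID=4625 LogonType=10 User=jsmith Src=198.51.100.7
2020-09-10T02:17:41Z EventID=4624 LogonType=10 User=jsmith Src=198.51.100.7
2020-09-10T02:20:02Z EventID=4625 LogonType=2 User=mjones Src=10.0.0.15
2020-09-10T02:30:11Z EventID=4624 LogonType=10 User=mjones Src=192.0.2.25
2020-09-10T03:01:00Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.40
2020-09-10T03:01:06Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.40
2020-09-10T03:01:12Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.40
2020-09-10T03:01:19Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.40
2020-09-10T03:01:25Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.40
2020-09-10T03:15:00Z EventID=4625 LogonType=10 User=test Src=203.0.113.9
2020-09-10T03:16:00Z EventID=4625 LogonType=10 User=test Src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[Dict]:
    """Turn the sample text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`.
    Severity is 'high' when a successful RDP logon from the same source follows
    the burst (the 'in via RDP, then quiet for months' case on the slide),
    otherwise 'medium'. Returns one alert dict per offending source."""
    by_src = defaultdict(list)
    for e in events:
        if e["lt"] == 10:          # only RemoteInteractive (RDP) logons
            by_src[e["src"]].append(e)

    alerts = []
    for src in sorted(by_src):
        evs = sorted(by_src[src], key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i < threshold:
                continue
            burst = failures[i:j]
            success_after = [e for e in evs
                             if e["eid"] == 4624 and e["ts"] >= burst[-1]["ts"]]
            alerts.append({
                "src": src,
                "failed": len(burst),
                "first": burst[0]["ts"],
                "last": burst[-1]["ts"],
                "users": sorted({e["user"] for e in burst}),
                "followed_by_success": bool(success_after),
                "severity": "high" if success_after else "medium",
            })
            break   # one alert per source; the first burst is enough to escalate
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["src"], alert["failed"],
              "failed RDP logons, users:", ", ".join(alert["users"]))
```

The "high" alert is the one the Escalate and report step should route to the IRP immediately; the "medium" one is still worth a ticket, since the RDP-without-MFA exposure it reveals is the first item on the Ransomware Tactics slide.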
FFIEC CAT
DFIR!
Incident Response Process
Diagram labels: Bank; Third Party; Customer
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
https://www.csbs.org/sites/default/files/cybersecurity101_2019_final_with_links.pdf