Conference of State Bank Supervisors IT Training: STREAM Technology Lab Overview, 23-June-2009. Federal Reserve Bank of Chicago S&R Technology Lab. Presented by Christopher Olson, Federal Reserve Bank of Chicago, Christopher.Olson@chi.frb.org
Agenda • What is Risk? • Bank Operations Simulation • Asset Liability Management Modeling • IT Topic: Virtualization • Instructor Subject Matter Experts • Technology Lab History and Build-out
What is Risk? • Webster's dictionary: "the possibility of a loss". • Future event • Uncertainty of occurrence; probability • Probability is greater than 0 and less than 1 (or greater than 0% and less than 100%) • Uncertain outcome or impact • Favorable and unfavorable outcome
Risks Are Interactive: Market, Legal, Operational, Reputational, Liquidity, Credit
Operational Risk Defined “The risk of loss from inadequate or failed internal processes, people, and systems, or from external events.” – Basel, “Sound Practices for the Management & Supervision of Operational Risk” Translation: Everything that’s not credit and market risk.
Operational Risks: People, Processes, Systems, External Events (alongside Credit, Market, Liquidity, Legal and Reputational risk). Why focus on Operational Risk? • Insufficient staff • Unsafe work place • Fraud • Security breaches • Business disruption • Product flaws • Customer unsuitability • Improper practices • Processing errors • Documentation errors
Scandals Galore • Kim Woo-choong (Daewoo) • Nick Leeson (Barings) • Ken Lay, Jeff Skilling, Andy Fastow, Lou Pai (Enron) • Mark Swartz / Dennis Kozlowski (Tyco)
Examiner Responsibilities Internal Control Activities You’re Doomed!
Control Activities • Bank performance reviews in each business line • Physical and logical controls • Separation of duties • Conflicts of interest • Compensating controls • Approvals and authorizations • Verifications and reconciliations • Information processing
BOpS Course Modules • Cash and Teller Operations • Check Operations • NSF Processing and Transaction Input • Proof and Transit • Back Office Routines • ACH Operations • Investment Operations • Loan Operations • Wire Transfer Operations
BOpS Course Modules (continued) • System and Security Access • Accounts Payable • Fixed Assets • Correspondent Bank Account Reconciliation • Payment System Risk • Call Report Review • Daily Statement Review • Extensive Hands On Training!
Bank Operations Simulation Course Provides core curriculum and training in bank operations. Target audience is all Safety and Soundness examiners who are looking for bank operations training!
Other Application Classes • BSA/AML Hands On Lab • Asset Liability Management Model Lab (we call this the “ALM” class)
Course Background Effective IRR model reviews require a specialized set of examination tools • Regulatory Market Risk Knowledge - PALM (f.k.a. FIRRM) - ALM 1, ALM 2 • Understanding of financial instruments - Options Institute - PALM - ALM 1, ALM 2
Course Background (continued) • Fundamental understanding of financial modeling • Vocabulary • Internal controls • Technical implementation options, risk, and limitations • Understanding of moderate simulation and valuation techniques supported or not supported by model vendors • Baker Group, ProfitStars, Compass, Sendero, Bancware
ALM Model Vendor Usage—Member Banks 2004 FRS Board of Governors Survey • 68 IRR models or consultants represented • QRM • 17 banks with $1.4 trillion in total assets. • 15 QRM firms have total assets > $10 billion • Bancware • 27 banks with $613 billion in total assets • Sendero • 114 Banks with $413 billion in total assets • Plansmith / Intercept • 92 banks with $22 billion in total assets
ALM Model Vendor Usage • IPS Sendero ALM is used at the largest number of FRS member institutions (114) • BancWare ALM4 and ALM5 are widely used at our largest institutions and many regional banks
Course Objective The ALM Model class provides examiners with the ability to assess: • The appropriateness of the general model setup • The appropriateness of specific complex instrument setups • The accuracy and reasonableness of critical model assumptions • Whether critical assumptions have been correctly implemented in a model • Common model risk control weaknesses • The overall adequacy of model risk management practices
IRR Identification and Management • Objectives: • Identify four primary sources of IRR • Discuss the modeling process and the types of models most commonly used by banks • Learn what questions to ask your management team • Discuss supervisory expectations and best practices for strong IRR management
Interest Rate Risk • Mismatch Risk • The risk that interest rates change and assets and liabilities re-price at different times • Yield Curve Risk • The risk of non-parallel shifts in the yield curve • Basis Risk • The risk that rates on instruments with the same or similar maturities will not move together as the general level of interest rates changes • Options Risk • The risk that changes in interest rates will cause asset or liability holders to exercise explicit or embedded options
What Should IRR Models Do? • The IRR modeling process should: • produce reasonably accurate risk measures • capture all risks material to the institution • provide clear and useful information to senior management and board of directors
What Should Drive the Model Decision? • Complexity of: • Bank and Organizational Structure • Products and Services • Positions Held • Markets • Cost versus Benefit • Materiality of Risk • Exposure to Risk Factors
Information Technology Classes • e-Banking • IS Vulnerability Management • Network Security • Operating Systems • Supervisory Themes
What is Virtualization? • An application and its base operating system combined together in a single compact package
What is Virtualization? • Resources are shared between the host systems according to demand • Resources: CPU, Memory, Network and Disk space
What is Virtualization? • Virtualization works by allowing multiple operating systems to be installed on a single physical server • Hypervisor is software that makes each Virtual Machine appear as a standalone server (diagram: Virtual Machine 1 and Virtual Machine 2 running on the Hypervisor (Software)) • Enables CPU, Memory, Network and Disk sharing
Two Attack Scenarios • External Attacker: A vulnerable VM is attacked from an outside attacker • Phase 1: Vulnerability • Phase 2: Exploitation • Phase 3: Extend Control • Internal Attacker: An attacker compromises the hypervisor (“hyperjacking”) • Hypervisor Rootkit • Off-Host Attack
Attack Phase 1: Vulnerability Attacker is in control of VM 1 • VM 1 is unpatched and vulnerable • VM 2, 4, 5 and 6 are patched and compliant • VM 3 is running with a known vulnerability due to application requirements • VM 3 is not externally available (private)
Attack Phase 2: Exploitation Attacker is in control of VM 1 • External attacker launches attacks against other VMs • Port scans are not detected by the network monitoring device • No IP traffic traverses the physical NIC on the host
Attack Phase 3: Extend Control • VM 1 and VM 3 are under the control of an external attacker • Attacker uses trusted production server VM 3 to probe for vulnerabilities in other hosts • Attacker discovers and exploits VM 6
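A defender's counterpart to Phase 2, added here as an example that is not part of the original slides: because guest-to-guest scans never cross the physical NIC, detection has to consume a source that sees the virtual switch. The script below analyzes constructed flow records in a hypothetical export format (timestamp, source VM, destination VM, destination port) and flags a source guest that touches many distinct ports on one peer within a short window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the format (timestamp src_vm dst_vm dst_port)
# is hypothetical, standing in for whatever the virtual switch can export.
SAMPLE_FLOWS = "\n".join(
    # vm1 sweeps 12 ports on vm3 within seconds: an intra-host scan
    [f"2009-06-23T10:00:{i:02d} vm1 vm3 {port}" for i, port in
     enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # vm2 repeatedly calls vm4 on one port: normal application traffic
    + [f"2009-06-23T10:01:{i:02d} vm2 vm4 443" for i in range(20)]
    # vm5 touches three ports on vm6 spread over an hour: below threshold
    + ["2009-06-23T10:00:00 vm5 vm6 22", "2009-06-23T10:30:00 vm5 vm6 80",
       "2009-06-23T11:00:00 vm5 vm6 443"]
)

def parse_flows(text):
    """Parse one record per line into (timestamp, src_vm, dst_vm, dst_port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def detect_intra_host_scans(flows, min_ports=10, window=timedelta(seconds=60)):
    """Return (src, dst, distinct_ports) for each guest pair where the source
    touched at least min_ports distinct ports on its peer within one window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window = Counter()  # port -> hits currently inside the sliding window
        left = 0
        peak = 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[left][0] > window:  # expire events outside window
                in_window[events[left][1]] -= 1
                if in_window[events[left][1]] == 0:
                    del in_window[events[left][1]]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings.append((src, dst, peak))
    return findings
```

Feed it the virtual switch's flow export instead of SAMPLE_FLOWS; the threshold and window are tuning knobs, not fixed values.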
Hypervisor Rootkit (diagram: hypervisor rootkit attacks via VM 3) • Hypervisor rootkit is inserted on the running hypervisor from a trusted guest • Attack vector is a known vulnerability on VM 3
Attack from Outside of the VM • A direct attack on the hypervisor comes from outside the VM • Attack vector is either a network connection or physical access (insider attack) (diagram: outside source attacks hypervisor)
Result: Hyperjacked Host • All communication to the guest VMs is compromised • Guest VMs have no way of knowing that the hypervisor is compromised • On-guest security tools have no way to “see” the compromise
Lessons Learned from the Attack • A vulnerable VM leads to intra-host risk and potential compromise • The intra-host (“inside-out”) risk results from running public and private servers in the same environment • The risk of intra-host (“inside-out”) attacks increases • The financial institution must think through the security considerations of their architecture
Implementation Principle #1 • The Bank must understand and document their virtualization solution • Use documentation from the Vendor • Leverage open initiatives (DISA, CISecurity.org, SANS) • Document physically and logically where Virtualization fits in the bank • The Financial Institution must allocate time for training, testing and documentation
Implementation Principle #2 • Ensure that changes are documented and implemented successfully • Patch Management • Help Desk and Configuration Management • Change Management is a necessity for incident response • Why? It helps to determine whether an authorized or unauthorized change led to the event/incident
Implementation Principle #3 • Plan the Dive and Dive the Plan • Proper planning is essential • Perform a test in a laboratory environment • Define requirements and architect the supporting solution • Iterate • Remember Security, but focus on process
80% Process, 20% Technology • Updated Management Processes • Patching of Offline Systems • Access to New Management Tools • Configuration Standards
Updated Management Processes • Handling of virtual disks • State is saved as a file (VM disk Image) that can be copied • The VM disk Image can be analyzed—used by an attacker / rogue administrator • Treat the File (VM disk image) as a high-security object • DO NOT store the VM disk image on USB sticks, portable drives, desktops or other insecure places
Patching of Offline Systems • Problem: Offline Virtual Machines (VMs) lag behind on updates • Patching, Anti-Virus and other tools are agent based • Agents don’t work when the VM disk image is offline • Offline images become security risks • Solution: Don’t let the VMs lag • Adopt tools that can update (patch, Anti-Virus, etc.) the VM while offline • Adopt tools that scan the VM when they boot
Access to New Management Tools • Access Control Life Cycle—Physical Environment • How is server access currently managed? • Request, Approve, Provision, Review (RAPR) • Access Control Life Cycle—Virtual • Enhance the physical management to include virtual tools
Configuration Standards • Problem: • Easy VM disk image copying facilitates easy replication of security vulnerabilities • Mitigation: • Ask if the financial institution has adopted templates
STREAM Technology Lab Classes • E-banking • Network Security • IS Vulnerability Management • Operating Systems • Supervisory Themes • Bank Operations Simulation • Asset Liability Management Modeling • Bank Secrecy Act / Anti-Money Laundering
Course Attendance: 2000-2008 Course attendance continues to increase. 2007 and 2008 show continued overall growth with near-capacity attendance in each of the three IT Application courses.
Course Participant Affiliations Course participants have diverse affiliation from across the Federal Reserve System, FFIEC agencies, state regulators and international central banks.