Sia Partners US
AIBA Presentation: IT Risk Assessments
September 20, 2012
Presenters:
Gus Moreno, IT Risk Specialist, Tel: (917) 239-7549, Email: gus.moreno@sia-partners.com
Alexis Wyrofsky, Consultant, Tel: (401) 862-1661, Email: alexis.wyrofsky@sia-partners.com
Agenda
1. Introduction
2. IT Risk: In the News
3. IT Risk Hot Topics
4. IT Risk Program
5. IT Standards and Selective Article Links
Introduction
• With the growing complexity of Information Technology, financial institutions are exposed to a greater number of IT risks.
• Because of the increased threat, regulators hold companies accountable not only to regulatory requirements but also to standards of best practice and procedure.
• IT Risk expertise helps companies navigate the current threats to their IT environment and ensures compliance with regulatory requirements.
In 2012 alone, many Information Security attacks and operational issues made national news headlines:
• Password File Hacking
• Amazon Cloud Outage
• SQL Injection Attacks
• Mobile Device Attacks
Guidance for regulatory exams is published; however, regulators' focus shifts with current IT trends. Recent hot topics in Financial Services include:
• Cyber Attacks
• Data Leakage
• Vendor Management
• Disaster Recovery & Business Continuity Plans
• Data Privacy
IT Risk: In the News: Password File Hacking
SECURITY EVENT
• Since 2002, Information Security breaches have risen sharply, and cyber activity spiked in 2012.
• 6/2012: three major password breaches:
  • LinkedIn: 6.4 million password hashes leaked.
  • Last.fm.
  • eHarmony.
• The leaked passwords had been stored as unsalted hashes computed with a fast, general-purpose algorithm (unsalted SHA-1 in LinkedIn's case) rather than with a salted, iterated password-hashing function, so a single precomputed dictionary of hashes recovers every weak password in one pass.
POSSIBLE RISK MITIGATION
• Controls
  • Review how passwords are stored (salted, iterated hashing; never plaintext or reversible encryption) as well as the quality of the passwords themselves.
  • Set up security monitoring procedures capable of detecting an attempted breach.
  • Establish adequate security perimeter controls.
  • Develop a security patch deployment process.
• Cost-benefit
  • $200,000-300,000: set up adequate, A+ security measures, versus
  • $5.5 million: the average cost to a company of a security breach.
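The storage point above is worth seeing in code. The following is an added example, not material from the Sia Partners deck: it contrasts the unsalted-SHA-1 scheme described for the LinkedIn dump with a salted, iterated PBKDF2 scheme, and counts how much work a dictionary attack costs against each. The wordlist, the leaked digests and the user records are constructed here; the 100,000-round figure is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Constructed wordlist of weak passwords; a real attacker uses millions of entries.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein"]


def unsalted_sha1(password):
    """The weak scheme: one fast, unsalted hash per password (as in the 2012 LinkedIn dump)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_digests, wordlist):
    """One table, built once, recovers every user whose password is in the wordlist.
    The cost is len(wordlist) hashes regardless of how many users leaked."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {d: table[d] for d in leaked_digests if d in table}


# Assumption: raise this until one verification takes roughly 100 ms on the login servers.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """The stronger scheme: a random per-user salt plus an iterated, deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids leaking matching bytes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist):
    """Against salted, iterated hashes there is no shared table: every guess costs a
    full KDF run for every user. Returns the cracked users and the number of KDF runs."""
    cracked, kdf_runs = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            kdf_runs += 1
            if verify_password(word, salt, digest):
                cracked[user] = word
                break
    return cracked, kdf_runs


if __name__ == "__main__":
    strong = "Kq7$wq!vZ2pL9bHx"  # constructed: not in any wordlist
    leaked = [unsalted_sha1(p) for p in ("123456", "password", strong)]
    print("unsalted SHA-1, cracked by table lookup:", crack_unsalted(leaked, WORDLIST))
    records = {"alice": hash_password("123456"), "bob": hash_password(strong)}
    print("salted PBKDF2, cracked and KDF runs spent:", crack_salted(records, WORDLIST))
```

Salting alone does not save a user who chose "123456"; what it removes is the attacker's ability to amortize one table across the whole breach, and the iteration count then makes each remaining guess expensive. Review stored-password quality on both axes: the scheme and the passwords themselves.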
IT Risk: In the News: Cloud Computing
OPERATIONAL EVENT
• 6/29/2012: outage of Amazon Elastic Compute Cloud (EC2) in the US-East region after severe storms cut power to a data center.
• Mainstream websites running on the Amazon cloud went down: Netflix, Instagram, Pinterest, Heroku.
• 4/2011: a technical failure (a cascading Elastic Block Store re-mirroring problem in US-East) caused a multi-day Amazon cloud outage.
  • Service interruptions for Foursquare, Reddit and HootSuite.
POSSIBLE RISK MITIGATION
• Controls
  • Understand the availability risk of computing resources and ensure the infrastructure is resilient, e.g., establish automatic failover to a standby machine, placed in a different availability zone or region so that it does not share the failed facility.
  • Implement security monitoring in the cloud.
  • Establish vendor management controls.
  • Include cloud services in the Disaster Recovery Plan.
  • Employ geographic distribution of data centers.
IT Risk: In the News: SQL Injection Hacks
SECURITY EVENT
• 11/2011 - 1/2012: a SQL injection campaign affected over 1 million URLs.1
  • Injected script tags loaded malware from lilupophilupop.com.
  • Depending on the privileges of the database account the application uses, SQL injection lets the attacker read or alter the entire database and, through it, compromise the web application and in some cases the operating system of the SQL server.
  • The hacking process was partially manual and partially automated, which suggests significant preparation and manpower.
  • A toolkit constructed for a particular attack targets a specific application architecture.
• 3/2011: Lizamoon.com SQL injection hack:
  • 500,000 URLs affected via redirects pushing rogue AV software.
  • Quickly contained.
POSSIBLE RISK MITIGATION
• Establish a patch deployment process.
• Verify the virus/malware process.
• Set up web application development policies and requirements (parameterized queries, input validation).
• Inspect application traffic with a web application firewall.
• Ensure appropriate use of "least privilege" for the database account the application connects with.
• Assume the applications are not secure (hash stored passwords, encrypt sensitive data, etc.).
1 According to the SANS Internet Storm Center; Cisco claims that fewer web pages were affected, since online discussion following a hack inflates search-engine hit counts.
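To make the "development policies" and "least privilege" items concrete, here is an added example that is not part of the deck. It uses an in-memory SQLite table with constructed rows to show a concatenated query falling to a tautology and to a UNION-based exfiltration of password hashes, the same lookup written with a bound parameter, and a database-layer restriction (SQLite's authorizer, standing in for a restricted database role) that stops the exfiltration even when the vulnerable code path remains.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's user table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: attacker-controlled text becomes part of the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Bound parameter: the value travels separately from the statement and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads: a tautology that matches every row, and a UNION that pulls
# a column the query was never meant to expose. The trailing -- comments out the closing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT username, pw_hash FROM users --"


def apply_least_privilege(conn):
    """Defence in depth: the lookup path has no business reading pw_hash, so deny it
    at the database layer. With a real RDBMS this would be a role with column-level grants."""

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 == "users" and arg2 == "pw_hash":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def exfil_blocked(conn, payload):
    """True if the database refuses the injected statement before it runs."""
    try:
        find_user_vulnerable(conn, payload)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable + tautology:", find_user_vulnerable(conn, TAUTOLOGY))
    print("vulnerable + union:    ", find_user_vulnerable(conn, UNION_EXFIL))
    print("safe + tautology:      ", find_user_safe(conn, TAUTOLOGY))
    locked = make_db()
    apply_least_privilege(locked)
    print("union blocked by least privilege:", exfil_blocked(locked, UNION_EXFIL))
```

The parameterized version is the fix; the authorizer illustrates why the deck separately asks for least privilege: it limits the damage of the injection bug that the code review missed.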
IT Risk: In the News: Mobile Device Attacks
SECURITY EVENT
• Android malware attacks: the Tatanga framework performs "man-in-the-mobile" (MitMo) attacks:
  • Intercepts the one-time codes a bank sends by text message to a customer's phone to verify a large transaction request.
  • Initiates transfers and transactions by bypassing the out-of-band authorization system.
  • Targets small businesses using online banking; mobile attacks are expected to become more prevalent.
• Other mobile device security risks:
  • High potential for mobile devices to be lost or stolen.
  • Applications typically lack encrypted containers (in place for email) or other security measures.
POSSIBLE RISK MITIGATION
• Ensure Mobile Computing policies are in place:
  • Require that applications be downloaded only from a trusted source, e.g., the Google Play store.
  • Set up multifactor authentication, and do not rely solely on SMS codes delivered to the same device that runs the banking session.
  • Implement user security awareness training.
• Move slowly into the space.
• Update the SDLC process so that it is specific to mobile device applications.
IT Risk Hot Topics: Cyber Attacks
1 Cause of Risk
• Cyber attacks are increasingly targeted at specific corporations.
• Moving from simply making a point to wreaking financial havoc.
• Advanced Persistent Threats (APTs) gain entry by compromising an individual employee rather than attacking the organization's infrastructure directly.
• Spear phishing: attackers obtain a company email list in order to appear as a trusted source.
  • Example: RSA spear phishing attack, 3/2011: attackers sent a small group of RSA employees phishing emails on a recruitment theme (subject "2011 Recruitment Plan").
  • The Excel attachment exploited a then-unpatched Adobe Flash vulnerability to install a remote-access tool on the employee's computer, giving the attackers a foothold on the company network from which they stole information regarding RSA's SecurID key fob products.
2 Risk Mitigation
• Establish effective security patch and anti-malware update procedures.
• Review network security processes to ensure sufficient restriction on access to business-critical applications (whether internally or externally hosted).
• Perform ongoing penetration testing.
• Implement a Computer Emergency Response Team (CERT) process.
• Ensure Security Administration staff (new hires and existing personnel) have adequate training.
• Ensure strong password and PIN requirements are included and enforced in company policies.
• Evaluate Help Desk practices to reduce opportunities for social engineering attacks.
IT Risk Hot Topics: Data Leakage
1 Cause of Risk
• Reliance on the Internet and email to transfer and store data.
• Wireless networks.
• Mobile devices.
• Storage sites.
• Personal and unauthorized websites.
• File transmission: FTP, Skype, etc.
• Social networking.
• USB ports/thumb drives.
• Remote access controls.
2 Risk Mitigation
• Assess all possible data leakage channels within the IT environment and apply measures to reduce unauthorized disclosure of sensitive data.
• Ensure an effective data classification process exists for all company information.
• Identify potential leakage channels and establish additional controls where possible, based on the data classification.
• Implement monitoring solutions that detect sensitive information leaving through those channels.
• Put in place an ongoing employee awareness program.
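The "monitoring solutions" item is usually a content inspection rule on the outbound channel. As an added illustration, not part of the deck, the block below scans constructed outbound email samples for primary account numbers (validated with the Luhn checksum, so that a 16-digit ticket number is not a false positive) and US Social Security numbers, masks the matches for the alert, and reports only messages leaving the firm's own domain. The domain name, the message samples and the routing format are assumptions made for the example.

```python
import re

# Assumed internal domain for the example.
INTERNAL_DOMAIN = "bank.example"

# Constructed outbound messages: (route, body). Not taken from any real mail system.
SAMPLE_MESSAGES = [
    ("alice@bank.example -> vendor@example.net",
     "Hi, please process card 4111 1111 1111 1111 for the Q3 invoice."),
    ("bob@bank.example -> bob.home@example.org",
     "Client list attached. SSN on file: 078-05-1120."),
    ("carol@bank.example -> ops@bank.example",
     "Ticket 4111111111111112 is closed; order id only, nothing sensitive."),
    ("dave@bank.example -> dave.home@example.org",
     "Reminder: our call is at 3pm, card 4111111111111112 is the ticket number."),
]

# 13-16 digits, optionally separated by spaces or hyphens, as card numbers are typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the BIN and last four; the alert should not itself leak the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_body(body):
    """Return a list of (type, masked value) findings for one message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    return findings


def is_external(route):
    """Route format 'sender -> recipient' (assumed); flag only traffic leaving the firm."""
    recipient = route.split("->")[1].strip()
    return not recipient.lower().endswith("@" + INTERNAL_DOMAIN)


def flag_outbound(messages):
    """Messages that leave the internal domain and carry classified data."""
    flagged = []
    for route, body in messages:
        findings = scan_body(body)
        if findings and is_external(route):
            flagged.append((route, findings))
    return flagged


if __name__ == "__main__":
    for route, findings in flag_outbound(SAMPLE_MESSAGES):
        print(route, findings)
```

A production DLP rule would add document classification labels, attachment parsing and a response action (block, quarantine, or alert), but the structure is the same: identify the channel, test the content against the classification, and act on the result.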
IT Risk Hot Topics: Vendor Management
1 Cause of Risk
• Increasing reliance on third-party vendors to perform many IT functions and services.
• Vendors and service providers are responsible for the continuous operation of key business IT processes and the proper handling of sensitive data.
• Prevalence of cloud services.
• Service disruptions or Information Security breaches result in high financial or reputational costs.
2 Risk Mitigation
• Ensure that due diligence is conducted on vendors:
  • Prior to engagement, during the contract phase (right to audit, security monitoring).
  • On a periodic (annual) basis.
• Manage vendor relationships: enforce the adoption of internal controls by the vendor.
• Monitor the vendor's Information Security and data-handling procedures.
• Restrict vendor access to critical production data and information processing systems.
• Implement security monitoring solutions for vendor access to business-sensitive data.
IT Risk Hot Topics: Disaster Recovery/Business Continuity Plans
1 Cause of Risk
• Post-9/11, Business Continuity (BCP) and Disaster Recovery (DR) became highlighted areas for regulatory examiners.
• Regulators go beyond the idea of alternate sites to the requirement that enough critical staff be available for principal trading applications, especially for "market makers."
• Increased use of vendors requires that DR/BCP plans include an appropriate level of testing.
2 Risk Mitigation
• Build business continuity considerations into the overall design of the business model to reduce the risk of service disruptions.
• Ensure plans are robust, detailed, regularly updated, tested, and approved by the bank's Executive Management.
• Include areas such as pandemic crisis management, media communication, hardware recovery and security measures.
• Monitor and analyze the results of testing:
  • Identify areas requiring special attention.
  • Identify personnel who could benefit from additional training.
IT Risk Hot Topics: Data Privacy
1 Cause of Risk: differences in global data privacy regulations and standards
United States
• The US government has limited power to protect citizens' data privacy.
• The Federal Trade Commission rarely takes action against US companies for privacy breaches and usually levies small fines.
• If a company has lawful access to data it may use it, as long as the use is not prohibited (for example, under the Gramm-Leach-Bliley Act).
• Importance of the privacy policy/statement: as long as a customer is made aware of the policy when data is collected and does not object, the company can use the data.
• The Patriot Act allows US officials to access phone, email and financial information without a warrant.
Europe
• 1995 EU Directive on Data Protection: protects citizens' privacy and requires a consumer's permission before a company may use or exchange personal data.
• 2012: the European Commission proposed the General Data Protection Regulation, a draft update of the Directive:
  • Requires reporting a data breach within 24 hours.
  • May require companies to delete consumer data if its retention is not justified.
  • Harmonizes data privacy rules across the EU.
• US companies would be heavily penalized for releasing EU citizens' personal data to US authorities (for example, by complying with National Security Letters).
Asia
• 2011 marked a pivotal year in Asia with the introduction of many data protection regulations.
• South Korea: the Personal Information Protection Act is considered the most stringent data privacy regulation globally:
  • Creates a Data Protection Commission.
  • Mandates a Privacy Compliance Officer for businesses.
  • Requires data breach notification.
  • Introduces Privacy Impact Assessments.
• Hong Kong and the Philippines have both recently passed significant data privacy regulations.
2 Risk Mitigation
• Review the data protection jurisdictions governing each business activity and verify adherence to the applicable sovereign laws.
• Corroborate that policies support the segregation of company and personal information that might cross borders.
• Review the security monitoring process, particularly the communication procedure in the event of a security breach.
• Verify that cloud and email storage infrastructure supports the regional data-residency requirements.
• Ensure that the DR solution does not violate regional standards.
IT Risk Program: Designing and Implementing an IT Risk Program
How to Monitor & Control IT Risk
• Set up security controls.
• Perform an annual independent IT Risk Assessment.
• Conduct application security reviews.
• Perform internal and external penetration tests.
• Ensure security patches and anti-malware updates are applied on a timely basis.
• Maintain risk reporting that gives up-to-date information on the patching process.
• Verify that an adequate number of Information Security personnel with an adequate skillset are in place.
• Ensure a training program exists and that current employees' training is up to date.
• Confirm that the IS Policy addresses personal use of business devices and the use of personal devices for business purposes.
IT Risk Program: IT Risk Assessment Methodology
Methodology and Process of an IT Risk Assessment: conduct the assessment in accordance with established industry and regulatory guidance (FFIEC, COBIT, etc.; see Guidance & Internal Audit's Role below).
IT Risk Program: Risk Control Matrix
Risk Control Matrix (RCM) Tool:
• Provides a qualitative assessment of the expected controls for each area of the IT environment.
• Documents whether relevant control objectives are met.
• Identifies open risk issues based on gaps between the required control and the control in place.
• Categorizes issues by a risk rating such as "High", "Medium" and "Low", determined by the severity of the risk and the probability of its occurrence.
• Determines and tracks management's decision on whether each flagged risk should be remediated, partially remediated, accepted, or a combination.
• Prescribes recommended steps to address each risk deemed to need mitigation.
Sample RCM
IT Risk Program: Guidance & Internal Audit's Role
IT Risk Guidance
• FFIEC:
  • Maintains and publishes the 11 FFIEC Information Technology Examination Handbook booklets, which outline examination objectives and procedures for evaluating the IT environments of financial institutions.
  • Provides introductory, reference and educational training material on specific topics of interest to field examiners from the FFIEC member agencies.
• COBIT:
  • IT governance framework established by ISACA (formerly the Information Systems Audit and Control Association).
• Shared Assessments:
  • Evaluation program of security controls focusing on Information Technology and Information Security.
  • Created by several major US banks (JPMorgan Chase, Bank of America, Citigroup, BNY Mellon) in association with the Big 4 accounting firms.
• ISO/IEC 27002:
  • Code of practice for Information Security controls, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Role of Internal Audit
• Audit the IT/IS control program.
• IT Risk Assessment:
  • Perform the IT Risk Assessment (if done in-house), or
  • Collaborate with an external vendor firm and oversee its performance of the assessment.
IT Standards and Selective Article Links
http://ithandbook.ffiec.gov/it-booklets.aspx
http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Assessment-Programme.aspx
http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=2&_r=1&emc=eta1
http://mobile.blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
http://www.forbes.com/sites/anthonykosner/2012/07/01/survey-of-effects-of-cloud-outage-shows-how-much-of-the-web-runs-on-amazon/
http://www.wired.com/cloudline/2012/06/amazon-outage-pilot-error/
http://www.forbes.com/sites/kellyclay/2012/06/30/aws-power-outage-questions-reliability-of-public-cloud/
http://www.huffingtonpost.com/2012/07/02/amazon-power-outage-cloud-computing_n_1642700.html
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
http://mobile.eweek.com/c/a/Security/New-Android-Malware-Better-at-Targeting-Bank-Transactions-161221/
http://www.nftc.org/default/Innovation/PromotingCrossBorderDataFlowsNFTC.pdf
http://www.informationweek.com/security/attacks/sql-injection-hack-infects-1-million-web/232301355
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232301285/latest-sql-injection-campaign-infects-1-million-web-pages.html?itc=edit_stub
http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
http://www.informationweek.com/government/security/nsa-chief-china-behind-rsa-attacks/232700341
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
https://www.bit9.com/blog/2011/03/18/rsa-and-the-apt-attack/
http://www.msnbc.msn.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws/#.UFEG95afht0
http://cyberlaw.stanford.edu/node/5544
http://www.computing.co.uk/ctg/news/2162386/europe-s-protection-laws-cause-conflict-warn-legal-experts
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983
Contacts at Sia Partners US
Alexis Wyrofsky, Consultant
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325 – Cell: (401) 862-1661
Email: alexis.wyrofsky@sia-partners.com

Gus Moreno, IT Risk Specialist
Sia Partners US, 641 Lexington Ave. Suite 1322, New York, NY 10022
Office: (212) 634-6325 – Cell: (917) 239-7549
Email: gus.moreno@sia-partners.com