IT Security: Pick the Low Hanging Fruit First!
Breakout Session, Sept. 29th, 2016
8/22/2016
A little bit about me
- Degree in Computer Science
- Began my professional IT career in 1982 at Dow Chemical
- Held technical engineering positions in Fortune 500 companies
- Started my first company in 1989, a software development firm
- Since 2003, building 4IT
Special Honors
- South Florida Business Journal - 2013 CIO of the Year, Finalist
- South Florida Business and Wealth - 2014 Apogee Award for Chief Information Officer
- South Florida Business Journal - 2015 CIO of the Year, Winner
A small plug …. Very small
Founded in 2003, 4IT is an award winning South Florida based Managed Service Provider that delivers a full suite of IT services including management of premise and cloud infrastructure, IT security consulting, customized IT management tools, L1/L2/L3 helpdesk, project management, enterprise communications systems, and datacenter engineering and disaster recovery services. 4IT currently provides contracted information technology services to approximately 75 companies across South Florida in widely diversified industries including non-profit, legal, medical, federal government, retail, wholesale distribution, and financial services.
Special Honors
- South Florida Business Journal - 2013 Top 25 IT Consulting Companies
- Inc. 5000 - 2014 America's Fastest Growing Private Companies
- South Florida Business Journal - 2014 50 Fastest Growing Companies in South Florida
- South Florida Business Journal - 2015 Top 10 Systems Integrators in South Florida
- CRN, The Channel Company - 2016 Managed Service Provider Elite 150
Charitable Efforts
- Joe DiMaggio Children's Hospital - Annual Technology Sponsor of the Tour de Broward
- American Cancer Society - Annual Sponsor, "Relay for Life" in Kendall
- Family Resource Center of South Florida - Annual Sponsor, "Strike Against Child Abuse"
- South Florida Digital Alliance - Member
The Only Thing We Have to Fear …
- Fortune.com, June 2016 - "Larger banks are getting harder to penetrate since they've invested in security for years," said Bill Stewart, an EVP with Booz Allen. "Now, the adversaries are moving down the food chain. In practice, this means the same hackers who once targeted big banks are seeking easier prey: credit unions, small hedge funds, PR firms, and a wide variety of other mid-tier enterprises."
- Isheriff.com, June 2016 - As early as 2006, it was found that credit unions are even more frequently targeted than banks. Hackers target credit unions for a simple reason: they are easier to hack.
- The Cheatsheet, May 2015 - For retailers and banks, the cost of data breaches can be astronomical. According to the Ponemon Institute's annual study, the total average cost of a data breach worldwide has increased 15% over the past year to more than $3.5 million.
- Debbie Matz, 8th Board Chair, NCUA - NCUA's first Supervisory Letter for 2014 described our top priorities. Examiners will be looking to see how credit unions are implementing risk mitigation controls to better protect, detect, and recover from cyber-attacks. This includes vendor due diligence, strong password policies, proper patch management, employee training and network monitoring.
10 Reasons Hackers Target Credit Unions
1. Smaller - Credit unions rarely have security staff and resources on par with larger financial institutions.
2. Adaptation - Hackers adapt quickly. Credit unions are perceived as slow to adopt new technology.
3. Money - Previous attacks have seen millions of dollars lost. Hackers have reasons to attempt more attacks.
4. Low Visibility - Credit unions are not seen as big targets. Hackers assume they have less cyber security in place.
5. Element of Surprise - Attacks against credit unions are rarely publicized, yielding a false sense of security.
6. Complexity - Each credit union has its own set of products, personnel, and budget. There is no common security strategy.
7. Internal Threats - Employees are also perpetrators of cyber crimes, and are frequently targets of social engineering and phishing scams.
8. Seeking IT-only Solutions - The IT department should be the start, but not the end, of cyber security efforts.
9. Weaknesses - Credit unions often don't see the flaws in their security and fail to correct them accordingly.
10. Defense vs. Offense - Investing only in defensive measures ensures that hackers will exploit security flaws. Proactive monitoring, auditing, and IT security training are rare.
Fundamentals of IT Security
- Prevention
- Detection
- Remediation
What’s the Point?
- Reduced Accidental Loss
- Reduced Purposeful Loss
- Reduced Legal Liability
- Data Retention
- Disaster Recovery
FFIEC Cybersecurity Assessment Tool
Domain | Assessment Factors
1. Cyber Risk Management & Oversight | A. Governance; B. Risk Management; C. Resources; D. Training & Culture
2. Threat Intelligence & Collaboration | A. Threat Intelligence; B. Monitoring & Analyzing; C. Information Sharing
3. Cybersecurity Controls | A. Preventative Controls; B. Detective Controls; C. Corrective Controls
4. External Dependency Management | A. Connections; B. Relationship Management
5. Cyber Incident Management & Resilience | A. Incident Resilience Planning & Strategy; B. Detection, Response, Mitigation; C. Escalation & Reporting
Domain 1 - Cyber Risk Management and Oversight
Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
A. Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program.
B. Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.
C. Resources include staffing, tools, and budgeting processes to ensure the institution's staff or external resources have knowledge and experience commensurate with the institution's risk profile.
D. Training and Culture includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.
FFIEC Assessment Definitions
Domain 2 – Threat Intelligence and Collaboration
Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
A. Threat Intelligence refers to the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.
B. Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.
C. Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders.
FFIEC Assessment Definitions
Domain 3 – Cybersecurity Controls
Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
A. Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.
B. Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, and may alert the institution to network and system irregularities that indicate an incident has occurred or may occur.
C. Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.
FFIEC Assessment Definitions
Domain 4 – External Dependency Management
External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
A. Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
B. Relationship Management includes due diligence, contracts, and ongoing monitoring to help ensure controls complement the institution's cybersecurity program.
FFIEC Assessment Definitions
Domain 5 - Cyber Incident Management and Resilience
Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
A. Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data.
B. Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.
C. Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required.
FFIEC Assessment Definitions
Authentication
- Centralized Authentication (AD, RADIUS)
- Network – (LAN, Wireless)
- Email – (Desktop, Portable, Web)
- Remote Access (VPN, Gotomypc, Logmein)
- Vendor Services
- DNS, Domain Registrar, Vendor Registrations
- Voice Data Service
- Datacenter Access
- Dual Factor if Possible
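The last bullet asks for a second factor wherever the service supports it. The verifier below is an added example, not 4IT's code or any vendor's, showing what a VPN gateway or web portal has to get right when it checks the six-digit code from an authenticator app (RFC 6238 TOTP): derive the code from the shared secret and the current 30-second step, tolerate one step of clock drift either way, compare in constant time, and never accept the same step twice for the same user. The only secret used is the published RFC 6238 test secret; the user, window and step values are assumptions for the example.

```python
"""TOTP second-factor verification (RFC 6238 over RFC 4226 HOTP).

Added example, not 4IT's code. Standard library only, so it runs offline.
The secret below is the RFC 6238 test vector secret, not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30          # time step used by the authenticator apps in common use
DIGITS = 6                 # code length shown to the user

RFC6238_TEST_SECRET = b"12345678901234567890"   # published test vector, not a real secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to 31 bits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def secret_from_base32(text: str) -> bytes:
    """Apps are provisioned with a base32 secret; padding and spaces are optional."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Per-user verifier with a clock-drift window and replay protection."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # steps of drift accepted either side of "now"
        self.last_step_used = -1      # highest step already consumed by this user

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        code = code.strip().replace(" ", "")
        step = now // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step_used:
                continue              # already used (or older): blocks replay inside the window
            expected = hotp(self.secret, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC6238_TEST_SECRET)
    print("code at t=59:", totp(RFC6238_TEST_SECRET, 59))
    print("first use:", v.verify("287082", now=59), "replay:", v.verify("287082", now=59))
```

The verifier moves `last_step_used` forward only, so a captured code is useless once consumed and an older code cannot be replayed after a newer one succeeds; the one-step window covers the clock drift a phone accumulates, and widening it beyond one or two steps only helps an attacker.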
Restricted Internet
- Web Filtering
  - Reduces Risk from Malware
  - Restrict Remote Access
  - Increased Productivity
  - Reduced Loss of Corporate Data
  - Decreased Bandwidth Use
- Best as a firewall feature, purpose-built device, or cloud service
- Should work on portable devices (laptops), including when they are off the corporate network
- Access Classes
  - Users only get allowed sites
  - Users get all except for forbidden categories
  - No unrestricted users
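The three access-class bullets are a policy, and a policy is easiest to audit when it is written down as a decision function. The script below is an added example, not 4IT's tooling and not the API of any filtering product; it models an allowlist class (only named sites), a category class (everything except forbidden categories), a default-deny for anyone without a class, and a check that rejects the policy outright if any user ends up unrestricted. The category feed, host names and users are constructed for the example; a real filter takes its categories from the vendor feed.

```python
"""Web-filter access classes with a default-deny stance.

Added example, not 4IT's tooling or any vendor's API. Categories, hosts and
users below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed category feed keyed by domain; subdomains inherit the parent's category.
CATEGORIES = {
    "corebanking.example": "financial",
    "onlinebanking.example": "financial",
    "mail.example": "webmail",
    "social.example": "social",
    "files.example": "file-sharing",
    "news.example": "news",
}

# Fresh malware domains are registered faster than feeds classify them, so the
# category class treats uncategorized sites as blocked unless this is switched off.
BLOCK_UNCATEGORIZED = True


@dataclass(frozen=True)
class AccessClass:
    name: str
    allowed_hosts: frozenset = frozenset()   # allowlist class: only these hosts
    allow_all_except: bool = False           # category class when True
    forbidden: frozenset = frozenset()       # categories the category class blocks

    @property
    def unrestricted(self) -> bool:
        return self.allow_all_except and not self.forbidden


TELLER = AccessClass("teller", allowed_hosts=frozenset({"corebanking.example", "onlinebanking.example"}))
STAFF = AccessClass("staff", allow_all_except=True,
                    forbidden=frozenset({"webmail", "social", "file-sharing", "malware", "proxy-avoidance"}))

# Constructed user-to-class mapping; a user missing from it is denied.
USER_CLASSES = {"jsmith": TELLER, "mgarcia": STAFF}


def check_policy(user_classes):
    """Enforce 'no unrestricted users': fail loudly if any class lets everything through."""
    bad = sorted(u for u, c in user_classes.items() if c.unrestricted)
    if bad:
        raise ValueError(f"unrestricted users not allowed: {bad}")
    return True


def category_of(host: str) -> str:
    labels = host.split(".")
    for i in range(len(labels) - 1):         # try the host, then each parent domain
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(user: str, url: str, user_classes=USER_CLASSES):
    """Return (allowed, reason) for one request."""
    cls = user_classes.get(user)
    if cls is None:
        return False, "no access class assigned"
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False, "unparseable URL"
    if cls.allow_all_except:
        cat = category_of(host)
        if cat in cls.forbidden:
            return False, f"category {cat} forbidden"
        if cat == "uncategorized" and BLOCK_UNCATEGORIZED:
            return False, "uncategorized site blocked"
        return True, f"category {cat} permitted"
    if host in cls.allowed_hosts:
        return True, "host on allowlist"
    return False, "host not on allowlist"


if __name__ == "__main__":
    check_policy(USER_CLASSES)
    for user, url in [("jsmith", "https://corebanking.example/login"),
                      ("mgarcia", "http://mail.example/inbox"),
                      ("nobody", "https://news.example/")]:
        print(user, url, decide(user, url))
```

Run `check_policy` whenever the user-to-class mapping changes (for instance from a nightly job against the directory) so that an "unrestricted" class cannot creep in through an exception granted to one person.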
Email
- Portables - Authorized devices only
- Access Via Web - Consider the consequences
- Vendor Notifications - Special mailbox
- Spam Filtering - Specialized service or device
- Archiving - If you want to find an email when needed
- Use Policy - Reduced legal liability
- No Open Outbound Relay - Protects member trust
Portable Devices
- Remote Access - No local data if possible
- Encryption - Full device if storing any data
- Authorized - The device must be authorized by the server before it can sync email
- Wireless - Access via WPA2-Enterprise only
- Remote Wipe - Supported with an agent
Firewall
- Replace every 36 months
- Major manufacturer
- Multilevel Security Change Policy & Approval
- Automated Reporting
- SSL or Client based VPN
- Should include these minimum services
  - Intrusion Prevention
  - Gateway Antivirus
  - Content Filtering (if no service or device)
Wireless
- Private
  - Active Directory Authenticated
  - WPA2 or better (WPA2-Enterprise recommended)
  - MAC Address filtering (easily spoofed; a hygiene measure, not an authentication control)
  - Rogue Access Point Detection
- Guest
  - Completely separated from private LAN
  - Change the passphrase every 90 days
  - Limit the bandwidth usage
  - Different public IP than LAN
  - Block Port 25 outbound, so guest devices cannot send mail directly from your address space
Use Policies
- Company Equipment Use
  - Personal Data
  - Laptops / Workstations / Portables / Storage
  - Printers
- Internet Use
  - Business only use
  - Webmail / Facebook
- Privacy Policy
  - Customers
  - Corporate Data
- Passwords
  - Complexity
  - Expiration
  - Sharing
Disaster Recovery
- BMR (Bare Metal Restore) capable backups
- Define RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
- Quarterly Restore Test
- Offsite Replication of Backups
- All critical data on a server
- No production data on a NAS device
- Business Continuity requires special planning
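Defining RTO and RPO only helps if somebody checks the backup history against them. The script below is an added example, not 4IT's tooling; it takes a constructed backup history, an incident time, the restore duration measured in the last quarterly drill and the drill date, and reports whether the plan meets the objectives. The point it makes that the bullets do not: a single failed nightly job quietly doubles the data-loss window, because only the last successful backup counts, and a copy that exists only on site counts for nothing when the site is lost.

```python
"""Check a backup plan against RTO and RPO.

Added example, not 4IT's tooling. All dates, times and objectives are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    finished: datetime
    success: bool
    offsite: bool      # replicated off site; a local-only copy dies with the site


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta                                          # tolerable data loss
    rto: timedelta                                          # tolerable time to be back up
    restore_test_interval: timedelta = timedelta(days=90)   # "quarterly restore test"


@dataclass(frozen=True)
class Assessment:
    data_loss: timedelta
    meets_rpo: bool
    meets_rto: bool
    restore_point_offsite: bool
    restore_test_current: bool

    @property
    def ok(self) -> bool:
        return (self.meets_rpo and self.meets_rto
                and self.restore_point_offsite and self.restore_test_current)


def assess(backups, incident, restore_duration, last_restore_test, objectives, site_lost=False):
    """Evaluate recovery from `incident` using the newest usable restore point."""
    usable = [b for b in backups
              if b.success and b.finished <= incident and (b.offsite or not site_lost)]
    if not usable:
        raise ValueError("no usable restore point before the incident")
    latest = max(usable, key=lambda b: b.finished)
    loss = incident - latest.finished
    return Assessment(
        data_loss=loss,
        meets_rpo=loss <= objectives.rpo,
        meets_rto=restore_duration <= objectives.rto,
        restore_point_offsite=latest.offsite,
        restore_test_current=(incident - last_restore_test) <= objectives.restore_test_interval,
    )


# Constructed history: nightly jobs at 01:00; the Wednesday job failed.
BACKUPS = [
    Backup(datetime(2016, 8, 22, 1, 0), success=True, offsite=True),
    Backup(datetime(2016, 8, 23, 1, 0), success=True, offsite=True),
    Backup(datetime(2016, 8, 24, 1, 0), success=False, offsite=False),
]
OBJECTIVES = Objectives(rpo=timedelta(hours=24), rto=timedelta(hours=8))
INCIDENT = datetime(2016, 8, 24, 16, 0)      # server lost Wednesday afternoon
LAST_DRILL = datetime(2016, 6, 30)           # last quarterly restore test
MEASURED_RESTORE = timedelta(hours=5)        # bare-metal restore time observed in that drill


def sample_assessment() -> Assessment:
    return assess(BACKUPS, INCIDENT, MEASURED_RESTORE, LAST_DRILL, OBJECTIVES)


if __name__ == "__main__":
    a = sample_assessment()
    print(f"data loss {a.data_loss}, RPO met: {a.meets_rpo}, RTO met: {a.meets_rto}, plan ok: {a.ok}")
```

With the sample history the plan fails its 24-hour RPO with 39 hours of loss even though the RTO, offsite copy and drill cadence are all fine, which is the case for alerting on failed backup jobs from the monitoring tool rather than discovering them during a restore.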
IT Department
- Comprehensive Monitoring Tool with Alerting
- Completely automated patch, A/V, malware management
- Ticketing System with Templates & Documentation
- Segregation of Networks (LAN, Wireless, IT Mgmt)
- Documented Add/Change/Delete Procedures
- Documented Security Change Protocols
- Core infrastructure changes need approval
Auditing
- Quarterly Vulnerability Testing (Internal & External)
- Automated Network Health Reports
- Quarterly review of any service outages
- Non-IT Senior Manager as Liaison to IT
- Documented Add/Change/Delete (A/C/D) procedure for IT workers
- Log collection at all external facing systems
- Log collection of all security access changes
- Annual Audit by outside third-party of all IT operations
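Collecting logs of security access changes is only useful if someone reconciles them with the documented Add/Change/Delete procedure. The script below is an added example, not 4IT's tooling: it parses a constructed export of Windows Security events (the event IDs are the real Windows ones for account and group changes; the line format, host names, accounts and ticket numbers are made up for this example), matches each change to an approved change ticket, and escalates any change that has no ticket, touches a privileged group, or was made by the account it affects.

```python
"""Review security-access-change events against approved change tickets.

Added example, not 4IT's tooling. Event IDs are the real Windows Security
log IDs; the export format, hosts, accounts and tickets are constructed.
"""
import re
from dataclasses import dataclass

# Windows Security event IDs worth collecting as "security access changes".
ACCESS_CHANGE_EVENTS = {
    4720: "user account created",
    4724: "password reset by another account",
    4726: "user account deleted",
    4728: "member added to global security group",
    4732: "member added to local security group",
    4756: "member added to universal security group",
}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Constructed export: "<time> <host> <event id> Key=Value ...", one event per line.
SAMPLE_LOG = """\
2016-08-22T09:14:02 DC01 4720 Subject=CORP\\hdesk1 Target=CORP\\new.teller Ticket=CHG-1042
2016-08-22T09:15:10 DC01 4728 Subject=CORP\\hdesk1 Member=CORP\\new.teller Group=CORP\\Tellers Ticket=CHG-1042
2016-08-22T13:40:55 DC01 4728 Subject=CORP\\jsmith Member=CORP\\jsmith Group=CORP\\Domain Admins
2016-08-22T13:41:30 FS01 4732 Subject=CORP\\jsmith Member=CORP\\jsmith Group=FS01\\Administrators
2016-08-22T17:02:11 DC01 4724 Subject=CORP\\hdesk2 Target=CORP\\mgarcia Ticket=CHG-9999
2016-08-22T17:05:00 DC01 4624 Subject=CORP\\mgarcia LogonType=2
"""

# Constructed: tickets that carry a recorded approval in the ticketing system.
APPROVED_TICKETS = frozenset({"CHG-1042"})

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) (?P<event>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")   # values may contain spaces ("Domain Admins")


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    event: int
    actor: str
    target: str
    reasons: tuple


def parse(log: str):
    """Yield (time, host, event_id, fields) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["time"], m["host"], int(m["event"]), dict(KV_RE.findall(m["rest"]))


def review(log: str, approved=APPROVED_TICKETS):
    """Return the access changes that need a human to look at them."""
    findings = []
    for time, host, event, f in parse(log):
        if event not in ACCESS_CHANGE_EVENTS:
            continue                          # logons etc. are collected, not reviewed here
        actor = f.get("Subject", "?")
        target = f.get("Member") or f.get("Target", "?")
        group = f.get("Group", "").split("\\")[-1].lower()
        reasons = []
        if f.get("Ticket") not in approved:
            reasons.append("no approved change ticket")
        if group in PRIVILEGED_GROUPS:
            reasons.append(f"privileged group {group}")
        if actor == target:
            reasons.append("actor modified own account")
        if reasons:
            findings.append(Finding(time, host, event, actor, target, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for fnd in review(SAMPLE_LOG):
        print(f"{fnd.time} {fnd.host} {fnd.event} {ACCESS_CHANGE_EVENTS[fnd.event]}: "
              f"{fnd.actor} -> {fnd.target}: {', '.join(fnd.reasons)}")
```

On the sample export the two helpdesk changes backed by CHG-1042 pass silently, while jsmith adding himself to Domain Admins and to a file server's local Administrators group produce findings on all three grounds; the reviewer's job is then to prove those were approved out of band, which is exactly the audit trail the annual third-party review will ask for.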
Our Integrated Toolset
Tool | Product | Key Features | FFIEC Table
IT Ticketing & Workflow | Connectwise | Workflow, Service Templates, Documentation |
Device Monitoring | Labtech | Auto Remediation, Scripting |
Network Monitoring | N-Able, Logic Monitor | Full LAN and WAN monitoring |
Voice Alerting | Email2Phone, ShoreTel | Integration with monitoring tools |
Anti-Virus / Anti-Malware | Webroot, MalwareBytes | Fully Automated Updates, Exception Alerts |
Content Filtering | OpenDNS | Granular User and Category Control, Auto Reporting |
Vulnerability Testing | Net Detective | Integration with monitoring tools |
Email Archiving | Barracuda Mail Archiver | Integration with monitoring tools, Auditing Features |
Email Anti-Spam Filter | Barracuda Email Security | Granular Control of spam filtering |
Auditing | Net Detective, Labtech | Integration with monitoring tools |
Firewalls | Sonicwall | Integration with monitoring tools, FWaaS |
Backup & Replication | VEEAM, ShadowProtect | Integration with monitoring tools |
Requirements: Multitenant, Client access, Fully Integrated System, OPEX vs. CAPEX, Premise & Cloud
Conclusions
(PRE = Prevention, DET = Detection, REM = Remediation, the three fundamentals above)
- Get authentication centralized (PRE, REM)
- Restrict Wireless and Internet Usage (PRE)
- Be careful with portable devices (PRE)
- Get a good enterprise class firewall (PRE, DET, REM)
- Publish your tech policies (PRE, REM)
- Have a plan for disasters and test it (PRE, REM)
- Make sure IT people have the right tools (PRE, DET, REM)
- Schedule vulnerability testing (PRE, DET)
- Have IT audited by a third-party (PRE, DET, REM)
Questions & Answers
Corporate Office: 12595 SW 137th Ave., Suite 301, Miami, FL 33186
Broward Office: 3195 N. Powerline Rd, Suite 110, Pompano Beach, FL 33069
PBVC Data Center: 18001 Old Cutler Road, Suite 365, Palmetto Bay, FL 33157
Phone 305-278-7100, Fax 305-513-5087, Email: info@4it-inc.com
http://www.4it-inc.com/CUServiceProvider/
https://webapps2.ncua.gov/CUServiceProvider/