
1 The Compliance and Technology Partner for Financial Institutions
Case Studies in Incident Response: Real World Do’s and Don’ts
Presented by: Tom Hinkel, Director of Compliance, Safe Systems, Inc.
California Bankers Association 2012 Security Management Conference

2 Agenda
What is an “Incident”
Incident Response Policy Elements
Regulatory Guidance (FDIC, FFIEC) & Best Practices (NIST, BITS, SANS)
Case Studies
 RSA
 FIS
 Heartland
 Wells Fargo (2)

3 Incident vs. Event
An incident is a violation of computer security policies, acceptable use policies, or standard computer security practices.
An information security incident is defined as an irregular or adverse event that negatively impacts the confidentiality, integrity and/or availability of the institution’s systems, network, or non-public information.
Security Event: an event that compromises the confidentiality, integrity, availability, or accountability of an information system.

4 Regulatory Guidance
FIL-27-2005 (April 1, 2005): Final Guidance on Response Programs
 Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
 A response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.

5 FIL-27-2005
At a minimum, an institution’s response program should contain procedures for:
 Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
 Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;

6 FIL-27-2005
 Consistent with the agencies’ Suspicious Activity Report (SAR) regulations, filing a timely SAR, and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities;
 Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and

7 FIL-27-2005
 Notifying customers when warranted in a manner designed to ensure that a customer can reasonably be expected to receive it.
Service Provider Considerations: When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by an institution’s service provider, it is the financial institution’s responsibility to notify its customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution’s customers or regulator on its behalf.

8 FIL-27-2005
Customer contact is required if “misuse of non-public information has occurred or it is reasonably possible that misuse could occur.”

9 FFIEC
“Social engineering is a growing concern for all personnel, and in some organizations personnel may be easy targets for hackers trying to obtain information through trickery or deception.”
“Controls against these attacks involve strong identification policies and employee training.”

10 FFIEC “Security Incident”
“A security incident represents the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data.”
“A financial institution’s security monitoring should, commensurate with the risk, be able to identify control failures before a security incident occurs…”
“Outsourcing (various aspects of the analysis and response function) does not relieve the institution of the responsibility for ensuring that control failures are identified before a security incident occurs…”

11 FFIEC CSIRT
The CSIRT (Computer Security Incident Response Team) is typically tasked with performing, coordinating, and supporting responses to security incidents. Typical CSIRT membership includes individuals with a wide range of backgrounds and expertise: management, legal, public relations, as well as information technology.

12 FFIEC
Item 11 in Objective 5 of the FFIEC Information Security IT Examination Procedures:
 If the institution experienced unauthorized access to sensitive customer information, the examiner must determine that it:
Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
Appropriately notified its primary federal regulator.

13 Suspicious Activity Report
Electronic filing required after 7/1/2012 (FinCEN mandate; paper SARs are no longer accepted after that date).

14 SAR

15 NIST
National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide, Revision 2 (in draft at the time of this presentation)

16 NIST Special Publication 800-61

17 BITS Shared Assessments Program
Defining an Event: are the following considered information security events?
Loss of service (equipment or facility)?
System malfunction or overload?
Human error?
Non-compliance with policy or guidelines?
Breach of physical security arrangement?
Uncontrolled system change?
Malfunction of software or hardware?
Access violation?
Physical asset loss or theft?

18 SANS Top 20 Critical Security Controls
Critical Control 18: Incident Response Capability
 After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.

19 Case Studies: Objectives
1. Problem Statement – Identify the control failure
2. Cause Identification – Describe the cause of the control failure
3. Risk Analysis – Describe the risk to the business (i.e. regulatory, reputation, etc.)
4. Recommendation – Corrective action, control additions and modifications

20 Case Studies: RSA
The company described the attack as “extremely sophisticated” and an “advanced persistent threat”.
“…the attack resulted in certain information being extracted from RSA’s systems. Some of that information is related to RSA SecurID authentication products.”
The Director of the National Security Agency later stated that China was responsible.

21 Case Studies: RSA
The attack began with a phishing email sent to RSA employees that carried an Excel spreadsheet with an embedded Adobe Flash exploit. Opening the spreadsheet triggered the exploit, which installed a backdoor; the attackers then used that backdoor to reach the information they were after.
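The control failure in this case study is a spreadsheet carrying a Flash object into the mail stream. The following script is an added example, not code from the presentation or from RSA: it shows the generic check a mail gateway or an analyst can apply to an Excel attachment, looking for SWF headers (FWS, CWS, ZWS) in the raw bytes of a legacy OLE2 .xls file and inside every member of an OOXML .xlsx zip container. The sample attachments, file names and the quarantine policy are constructed for illustration; the detection does not depend on knowing which Flash vulnerability the object exploits.

```python
"""Scan Excel attachments for embedded Flash (SWF) objects.

Added example (not from the presentation or from RSA). All sample files
below are constructed in memory; the file names are illustrative.
"""
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                         # .xlsx/.docx (OOXML) container
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")         # uncompressed / zlib / LZMA SWF


def find_swf(data, context=""):
    """Return (context, offset, signature, version, declared_len) for every
    plausible SWF header in `data`.

    A SWF header is: 3-byte signature, 1-byte version, uint32 LE file length
    (length of the *uncompressed* file, so it may exceed the bytes present).
    The version/length sanity checks keep random 'CWS' byte runs from firing.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            declared_len = struct.unpack_from("<I", data, off + 4)[0]
            if 1 <= version <= 50 and 8 <= declared_len <= 256 * 1024 * 1024:
                hits.append((context, off, sig.decode(), version, declared_len))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def scan_attachment(name, data):
    """Dispatch on container type and return all SWF findings for one file."""
    if data.startswith(ZIP_MAGIC):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                # OOXML keeps embedded OLE/ActiveX objects under xl/embeddings/
                # and xl/media/, but every member is scanned: attackers do not
                # have to follow the spec.
                findings += find_swf(zf.read(member), f"{name}:{member}")
        return findings
    if data.startswith(OLE2_MAGIC):
        # Raw scan of the compound file. Streams are laid out in 512-byte
        # sectors, so a header straddling a sector boundary could be missed;
        # reassembling streams (e.g. with the olefile package) closes that gap.
        return find_swf(data, name)
    return find_swf(data, name)


def triage(findings):
    """Gateway policy (assumed): a spreadsheet has no business carrying a
    Flash object, so any finding quarantines the message."""
    return "QUARANTINE" if findings else "ALLOW"


# --- constructed samples (not real malware) ---------------------------------
def _fake_swf():
    # zlib-compressed SWF header, version 10, claiming 1000 uncompressed bytes
    return b"CWS" + bytes([10]) + struct.pack("<I", 1000) + b"\x78\x9c" + b"\x00" * 40


def build_xlsx(with_flash):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + _fake_swf())
    return buf.getvalue()


def build_xls(with_flash):
    body = b"\x00" * 1024
    if with_flash:
        body += _fake_swf() + b"\x00" * 128
    return OLE2_MAGIC + b"\x00" * 504 + body


if __name__ == "__main__":
    for fname, blob in [("recruitment_plan.xlsx", build_xlsx(True)),
                        ("budget.xlsx", build_xlsx(False)),
                        ("plan.xls", build_xls(True))]:
        found = scan_attachment(fname, blob)
        print(fname, triage(found), found)
```

The scan is deliberately container-aware rather than relying on file extension: an OOXML file renamed to .xls still starts with the zip magic, and the findings record which zip member or file offset carried the object so the analyst can extract it for further analysis.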

22 RSA: Lessons Learned
1. Problem Statement – Identify the control failure
2. Cause Identification – Describe the cause of the control failure
3. Risk Analysis – Describe the risk to the business (i.e. regulatory, reputation, etc.)
4. Recommendation – Corrective action, control additions and modifications

23 Case Studies: Heartland Payment Systems
Described as an Advanced Persistent Threat (APT). The intrusion was detected in December 2008 and not publicly disclosed until January 2009. An estimated 130 million credit and debit cards were compromised. (The 2009 federal indictment of Albert Gonzalez describes the initial entry as SQL injection against a Heartland web application, followed by packet-sniffing malware placed on the payment processing network.)
“Studied the personnel database, finding the right person to spearfish.”

24 Heartland: Lessons Learned
1. Problem Statement – Identify the control failure
2. Cause Identification – Describe the cause of the control failure
3. Risk Analysis – Describe the risk to the business (i.e. regulatory, reputation, etc.)
4. Recommendation – Corrective action, control additions and modifications

25 Case Studies: FIS (Sunrise)
The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. The attack occurred March 5, 2011.
7,170 prepaid accounts may have been at risk, and three individual cardholders’ non-public information may have been disclosed.
$13 million loss ($0.03 per share).
“The Sunrise system was fully PCI compliant” – President, CEO

26 Case Studies: FIS (Sunrise)
Cyber thieves broke into the FIS network and targeted the “open-loop” prepaid debit cards. They drastically increased or eliminated the withdrawal limits on cards they had obtained, cloned those prepaid cards, and distributed the clones to co-conspirators in several major cities across Europe, Russia and Ukraine for cash withdrawals.
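The attack described above has two observable steps that a card processor can monitor for: an out-of-process change that removes or sharply raises a card's withdrawal limit, and the same card being used in several countries within hours, which is impossible for one genuine card and signals cloned copies in use. The script below is an added example, not code from the presentation or from FIS; the log records, card identifiers, actor names, thresholds and the 72-hour correlation lag are all constructed assumptions for illustration, while the detection logic itself is generic.

```python
"""Detect prepaid-card limit tampering followed by multi-country cash-out.

Added example (not from the presentation or from FIS). Records, card ids,
actors and thresholds are constructed; timestamps are UTC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample records ---------------------------------------------
LIMIT_CHANGES = [
    # ts, card, old_limit, new_limit (None = limit removed), actor
    ("2011-03-05T02:10:00", "card-A", 500, None, "svc_batch"),
    ("2011-03-05T14:30:00", "card-B", 500, 600, "ops_desk"),
]
WITHDRAWALS = [
    # ts, card, amount, country
    ("2011-03-05T03:05:00", "card-A", 9000, "ES"),
    ("2011-03-05T03:20:00", "card-A", 9000, "UA"),
    ("2011-03-05T04:10:00", "card-A", 9000, "RU"),
    ("2011-03-05T05:45:00", "card-A", 9000, "IT"),
    ("2011-03-05T15:00:00", "card-B", 200, "US"),
    ("2011-03-06T09:00:00", "card-B", 150, "US"),
    ("2011-03-07T10:00:00", "card-C", 400, "DE"),
    ("2011-03-07T11:00:00", "card-C", 400, "FR"),
    ("2011-03-07T12:30:00", "card-C", 400, "NL"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def flag_limit_changes(changes, max_ratio=5.0, approved_actors=("ops_desk",)):
    """Alert when a limit is removed, raised by more than max_ratio, or
    changed by an actor outside the approved change process (assumed list)."""
    alerts = []
    for ts, card, old, new, actor in changes:
        reasons = []
        if new is None:
            reasons.append("limit removed")
        elif old and new / old > max_ratio:
            reasons.append(f"limit raised {old}->{new}")
        if actor not in approved_actors:
            reasons.append(f"unapproved actor {actor}")
        if reasons:
            alerts.append({"card": card, "ts": _ts(ts), "reasons": reasons})
    return alerts


def flag_cashout(withdrawals, window=timedelta(hours=24), min_countries=3):
    """One card withdrawing in >= min_countries within `window` cannot be a
    single physical card: it indicates cloned copies being used in parallel."""
    by_card = defaultdict(list)
    for ts, card, amount, country in withdrawals:
        by_card[card].append((_ts(ts), amount, country))
    alerts = []
    for card, rows in by_card.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            countries = {r[2] for r in in_window}
            if len(countries) >= min_countries:
                alerts.append({"card": card, "first": t0,
                               "countries": sorted(countries),
                               "total": sum(r[1] for r in in_window)})
                break  # one alert per card is enough
    return alerts


def correlate(limit_alerts, cashout_alerts, lag=timedelta(hours=72)):
    """A suspicious limit change followed within `lag` by a multi-country
    cash-out on the same card is the full attack pattern; escalate it."""
    cash = {a["card"]: a for a in cashout_alerts}
    escalated = []
    for la in limit_alerts:
        ca = cash.get(la["card"])
        if ca and timedelta(0) <= ca["first"] - la["ts"] <= lag:
            escalated.append({"card": la["card"], "severity": "HIGH",
                              "limit_change": la["reasons"],
                              "cashout": ca["countries"], "total": ca["total"]})
    return escalated


def run(changes=LIMIT_CHANGES, withdrawals=WITHDRAWALS):
    la = flag_limit_changes(changes)
    ca = flag_cashout(withdrawals)
    return la, ca, correlate(la, ca)


if __name__ == "__main__":
    for section in run():
        print(section)
```

In the constructed data card-A triggers both rules and is escalated, card-C triggers only the cash-out rule (a cloned card whose limit was never touched), and card-B, whose limit was raised modestly by the approved desk, triggers nothing. The point for the response program is that the limit-change log is the earliest signal: it fires before any money leaves an ATM, so it belongs in monitoring rather than only in an after-the-fact audit.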

27 FIS: Lessons Learned
1. Problem Statement – Identify the control failure
2. Cause Identification – Describe the cause of the control failure
3. Risk Analysis – Describe the risk to the business (i.e. regulatory, reputation, etc.)
4. Recommendation – Corrective action, control additions and modifications

28 Case Studies: Wells Fargo (1)
A printer malfunction caused some printed statements to have a portion of another customer’s statement appended to the bottom. A spokesman said that “we’re treating this matter as an information security breach.”

29 Case Studies: Wells Fargo (2)
A Department of Social Services sent subpoenas to Wells Fargo seeking financial records as part of an investigation. The subpoenas included the names and SSNs of 130 affected parties. Wells provided a copy of the subpoenas to all affected parties without redacting the non-public information (NPI) of the others.

30 Wells Fargo: Lessons Learned
1. Problem Statement – Identify the control failure
2. Cause Identification – Describe the cause of the control failure
3. Risk Analysis – Describe the risk to the business (i.e. regulatory, reputation, etc.)
4. Recommendation – Corrective action, control additions and modifications

31 Questions?
Tom Hinkel, CISA, CRISC, CCSA
Director of Compliance, Safe Systems, Inc.
770-752-0550
tom@safesystems.com
www.complianceguru.com
