Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry,
Bio: Ulf is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier held the same role at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, where he invented Protegrity Vaultless Tokenization and Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT architecture and security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM.
Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of his research during the last 15 years is in the area of managing and enforcing security policies for databases, including joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
Ulf is a research member of IFIP and a member of ANSI X9. Leading journals and professional magazines, including IEEE Xplore, ISACA and IBM journals, have published more than 100 of his in-depth professional articles and papers. Ulf received the industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. Ulf frequently gives presentations at leading security and database conferences in the US, Europe and Asia, and frequent tutorials at the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA).
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyond - ulf mattsson - jan 13
1. Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond
Ulf Mattsson, CTO Security Solutions, Atlantic Business Technologies
ulf.mattsson@atlanticbt.com
2. Ulf Mattsson
Inventor of more than 45 US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle
3. My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
6. Agenda
1. FFIEC Cyber Assessment Toolkit
2. Current trends in Cyber attacks
3. Security Metrics
4. Oversight of third parties
5. How to measure cybersecurity preparedness
6. Automated approaches to integrate Security into DevOps
9. FFIEC is a Formal U.S. Government Interagency Body
It includes five banking regulators:
1. Federal Reserve Board of Governors (FRB),
2. Federal Deposit Insurance Corporation (FDIC),
3. National Credit Union Administration (NCUA),
4. Office of the Comptroller of the Currency (OCC), and
5. Consumer Financial Protection Bureau (CFPB).
It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
Source: Wikipedia
10. FFIEC Cybersecurity Assessment Tool
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
11. FFIEC Cybersecurity Assessment Tool – Part One: Inherent Risk Profile
Part one of the Assessment identifies the institution’s inherent risk:
• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.
• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.
• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
12. FFIEC Cybersecurity Assessment Tool – Risk Levels
The following includes definitions of risk levels:
• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.
• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.
• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.
• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.
• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
13. FFIEC Cybersecurity Assessment Tool – Part Two: Cybersecurity Maturity
Maturity level within each of the following five domains:
• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience
Domains, Assessment Factors, Components, and Declarative Statements: within each domain are assessment factors and contributing components.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
14. FFIEC Cybersecurity Assessment Tool – Maturity Levels
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
Definitions for each of the maturity levels: the Assessment starts at the Baseline maturity level and progresses through Evolving, Intermediate and Advanced to the highest maturity, the Innovative level.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
20. FFIEC Cybersecurity Assessment Tool - Excel Template
The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.
The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
21. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
22. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
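The slides describe the two halves of the Assessment and the dashboard that compares them, but not the arithmetic behind them. The Python below is an added example written for this page; it is not the FFIEC tool, the Excel template by Tony DiMichele, or the speaker's code. It models the Inherent Risk Profile, per-domain Cybersecurity Maturity, and the alignment check between them. The CAT's own rule is that a maturity level counts only when every declarative statement at that level and at all lower levels is met; the rest (scoring the Inherent Risk Score as the mean of per-activity levels, a one-to-one mapping from risk profile to minimum expected maturity level, the domain names used as keys, and the sample answers) are assumptions constructed for the example, not values from the FFIEC tool.

```python
"""Toy FFIEC CAT scorer (added example; not the FFIEC tool or the Excel template).

Assumptions that are NOT taken from the FFIEC tool:
  * Inherent Risk Score = mean of per-activity risk levels on a 1..5 scale.
  * Minimum expected maturity for a profile is a one-to-one mapping
    (Least -> Baseline ... Most -> Innovative); the real CAT uses a range.
  * The sample selections and answers below are constructed, not real data.
"""
from statistics import mean

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
# Answers the CAT treats as meeting a declarative statement.
ACHIEVED = {"Yes", "Yes with compensating controls"}
# Assumed minimum target maturity per inherent risk profile.
MIN_TARGET = dict(zip(RISK_LEVELS, MATURITY_LEVELS))


def inherent_risk_profile(selections):
    """selections: {activity: risk level}. Returns (score, profile)."""
    score = mean(RISK_LEVELS.index(lvl) + 1 for lvl in selections.values())
    profile = RISK_LEVELS[round(score) - 1]
    return round(score, 2), profile


def domain_maturity(answers):
    """answers: {maturity level: [answer, ...]} for one domain.

    Returns (achieved level or None, {level: percent of statements met}).
    The achieved level is the highest level such that it and every level
    below it are 100% met: the CAT's cumulative rule. Percentages are
    still reported for every level so partial progress is visible.
    """
    pct = {}
    achieved = None
    cumulative_ok = True
    for level in MATURITY_LEVELS:
        stmts = answers.get(level, [])
        met = sum(a in ACHIEVED for a in stmts)
        pct[level] = round(100 * met / len(stmts)) if stmts else 0
        if cumulative_ok and stmts and met == len(stmts):
            achieved = level
        else:
            cumulative_ok = False  # any gap blocks every higher level
    return achieved, pct


def alignment(profile, domain_answers):
    """Compare each domain's achieved maturity with the minimum expected for the profile."""
    target = MIN_TARGET[profile]
    report = {}
    for domain, answers in domain_answers.items():
        achieved, pct = domain_maturity(answers)
        rank = MATURITY_LEVELS.index(achieved) if achieved else -1
        gap = MATURITY_LEVELS.index(target) - rank
        report[domain] = {"achieved": achieved, "target": target,
                          "gap_levels": max(gap, 0), "pct": pct}
    return report


def sample_assessment():
    """Constructed sample input (hypothetical institution)."""
    selections = {
        "Technologies and Connection Types": "Moderate",
        "Delivery Channels": "Significant",
        "Online/Mobile Products and Technology Services": "Moderate",
        "Organizational Characteristics": "Minimal",
        "External Threats": "Significant",
    }
    domains = {
        "Domain 1: Cyber Risk Management and Oversight": {
            "Baseline": ["Yes", "Yes"], "Evolving": ["Yes", "Yes"],
            "Intermediate": ["Yes", "Yes"]},
        "Domain 2: Threat Intelligence and Collaboration": {
            "Baseline": ["Yes", "No"], "Evolving": ["Yes"]},
        "Domain 3: Cybersecurity Controls": {
            "Baseline": ["Yes", "Yes", "Yes with compensating controls"],
            "Evolving": ["Yes", "No"], "Intermediate": ["Yes", "Yes"]},
    }
    return selections, domains


if __name__ == "__main__":
    sel, doms = sample_assessment()
    score, profile = inherent_risk_profile(sel)
    print(f"Inherent Risk Score {score} -> {profile}")
    for name, row in alignment(profile, doms).items():
        print(f"{name}: achieved={row['achieved']} target={row['target']} "
              f"gap={row['gap_levels']} pct={row['pct']}")
```

The point the code makes that the dashboard alone does not: Domain 3 in the sample has every Intermediate statement met, yet its achieved level is only Baseline because one Evolving statement is unmet, so percentage-per-level views and the achieved level can disagree and both belong on the report.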
23. FFIEC Cybersecurity Assessment Tool
FFIEC released this as a free spreadsheet “tool”:
• Spreadsheets are notoriously hard to maintain control of, and the information contained within this tool is clearly sensitive in nature.
Like many other checklist assessment frameworks, the FFIEC CAT is relatively binary in how it forces the user to characterize the condition of the elements it evaluates.
• In some tools, users rate each element of the framework as “Weak”, “Partial”, or “Strong”, enabling them to identify elements that have room for improvement and providing actionable insight.
Making a meaningful comparison between “inherent risk” and control conditions is tricky, though, and the FFIEC CAT describes a rudimentary matrix-like approach for doing so.
• Some tools combine these measurements graphically, which makes the comparison easier to digest.
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
24. FFIEC Cybersecurity Assessment Tool – FAIR International Standard
Factor Analysis of Information Risk (FAIR)
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
25. FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC
FSSCC Automated Cybersecurity Assessment Tool
FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an “automated” tool:
• No attempts were made to interpret or change any of the FFIEC’s stated expectations; and
• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process
Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool
27. The Board’s Perception of Cybersecurity Risks
• How would you characterize the board’s perception of cybersecurity risks over the last one to two years?
• Source: PWC – The Global State of Information Security Survey 2016
Chart (not reproduced here): responses grouped as Increased significantly, Increased, High, and No change.
28. Cybersecurity is now a Persistent Business Risk
• The cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent
• The cybersecurity services market is expanding in the wake of increased incidents and heightened regulations; corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies
Source: PWC – The Global State of Information Security Survey 2016
29. Trends in Board Involvement in Cyber Security
• Source: PWC – The Global State of Information Security Survey 2016
30. Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey 2016
31. Questions from CEOs, CFOs, Business Risk Owners & CISOs
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
32. Security & Business Skills
• The global shortage of technical skills in information security is by now well documented, but there is an equally concerning shortage of soft skills
• Need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line
• But it's very hard to find information security professionals who have that mindset
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
34. Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
35. Risk Management
Source: storm.innosec.com
Figure (not reproduced here) posing three questions: Are your security controls covering all sensitive data? Are your deployed security controls failing? Are you prioritizing business asset risk?
36. Cyber Budgeting
Source: storm.innosec.com
Asset      Regulatory Risk   Residual Risk   FTE Cost    Tool Cost   Total Cost
CRM        High              Medium          $  20,000   $      0    $  20,000
HR         High              Medium          $ 100,000   $ 20,000    $ 120,000
Feed       High              Low             $   1,000   $      0    $   1,000
Crossbow   Medium            Medium          $   5,000   $  5,000    $  10,000
eTrader    Low               Low             $   1,000   $      0    $   1,000
IT Alert   Low               Low             $   1,000   $      0    $   1,000
SAP        Low               Low             $   1,000   $      0    $   1,000
Total                                        $ 129,000   $ 25,000    $ 154,000
41. Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
42. How can I Find My Blind Spots?
Figure (not reproduced here): existing PII data plotted against time, split into protected PII data and unprotected PII data, with the data found in each audit marked at the audit points.
43. Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
44. Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
Source: SecurityScoreCard
Figure (not reproduced here): number of vulnerabilities plotted against time.
53. Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015
• An 18 percentage-point year-over-year increase
54. Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud Migration
• IT Consulting & Information Architecture
• Software Development & User Experience Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
SecDevOps
61. Data Centric Security Lifecycle & PCI DSS
Timeline (figure not reproduced here): 2004 | 2014 | 2015 | 2016 (PCI DSS 3.2)
• PCI DSS: protect stored cardholder data
• DCAP: Data Centric Audit and Protection - centrally managed security
• UEBA: user behavior analytics helps businesses detect targeted attacks
• PCI DSS: security in the development process
62. Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond
Ulf Mattsson, CTO Security Solutions, Atlantic Business Technologies
ulf.mattsson@atlanticbt.com