Jessica Dore, CISA
989.797.8391

Beth Behrend, CCBCA, CBAP
616.975.4100
"Security is not convenient."
– J. Hey, c. 2003

"There are only two types of companies: those that have been hacked, and those that will be."
— Robert Mueller, FBI Director, 2001-2013
Data breaches by category: number of breaches (share of total) and records exposed
Source: ID Theft Resource Center

Category                2017                       2016                       2015
Banking / Financial     99 (7.4%)    2,910,117     52 (4.8%)    72,262        71 (9.1%)    5,063,044
Business                680 (50.8%)  159,365,480   495 (45.3%)  5,669,711     312 (39.9%)  16,191,017
Educational             116 (8.7%)   1,146,861     98 (9%)      1,048,342     58 (7.4%)    759,600
Government / Military   70 (5.2%)    5,838,098     72 (6.6%)    13,869,571    63 (8.1%)    34,222,763
Medical / Healthcare    374 (27.9%)  5,141,972     376 (34.4%)  15,942,053    277 (35.5%)  112,832,082
Who was behind the breaches:
75% perpetrated by outsiders
25% involved internal actors
18% conducted by state-affiliated actors
3% featured multiple parties
51% involved organized criminal groups
Source: Verizon 2017 Data Breach Investigations Report
1. Hacking accounted for 62% of breaches.
2. More than 5 of 10 breaches included malware.
3. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
4. Social attacks comprised 43% of attacks.
5. Physical breaches account for 8% of attacks.
Source: Verizon 2017 Data Breach Investigations Report
• 7 out of 10 organizations say their security risk increased significantly in 2017.
• 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques.
• A third of all attacks are projected to utilize fileless techniques in 2018.
• Ransomware on decline while cryptomining malware booms.
• Cryptominers have impacted 55% of organizations globally.
Source: barkly.com

• Awareness of ransomware reached a tipping point.
• Few victims are actually paying ransoms.
• Cryptocurrency volatility is tough on the extortion racket.
• Cryptocurrency-mining malware provides a stealthier, more effective alternative to ransomware.
Most common passwords, ranked:
1. 123456
2. password
3. 12345678
4. Qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
Phishing: False emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data.
Spearphishing: Same as phishing e-mails, but appearing to be from someone you know – VERY legitimate in appearance!
Smishing: SMS (text message) phishing – a link sent through text message which delivers a payload.
Whaling: Targets employees fraudulently, using actual executives' names to attempt wire fraud.
Baiting: Using the promise of an incentive for gathering your information (e.g. gift cards; free movies; money).
"Malvertizing": Legitimate-looking ads on legitimate sites (e.g. YouTube) that once clicked on deliver a payload.
Partner Network Compromise: Target (and one in West Michigan in early Oct '17!)
Social Engineering: Impersonation (phone/in-person)
DDoS: Distributed Denial of Service
And… don't forget about physical security…
4B: 4 billion humans online by 2020 – twice that of today.
$6T: $6 trillion in cybercrime damage costs by 2021.
15x: 15x the amount of ransomware impact of 2015.
Weak and Stolen Credentials, a.k.a. Passwords
Back Doors, Application Vulnerabilities
Malware
Poor Patch Management
Social Engineering
Too Many Permissions
Insider Threats
Physical Attacks
Improper Configuration
Weak Enforcement of Remote Login Policies
On May 25, 2018, all businesses collecting and retaining data of any individuals residing, visiting or conducting business in the European Union (EU) will be subject to new standards for data security and breach response when the EU General Data Protection Regulation (GDPR) goes into effect.
[Calendar graphic: May 2018]

• In the event of a data breach, businesses must notify all parties that could be affected within 72 hours after becoming aware of the breach.
• EU residents will have full rights to access and request erasure of data as they see fit – free of charge – unless there is significant reason for the business to retain that information.
• Increased jurisdiction will include any business that processes personal data of EU residents (including temporary residents and visitors) – not just businesses located within the EU.
• The policies surrounding consent have become much stricter and businesses can no longer assume a party's consent – it must be expressly stated.

Has your institution gone through the process of determining if you need to be in compliance with GDPR?
A. Yes
B. No
C. Uncertain
Data
Perimeter
Access
Governance
Vendor
Mobile
Human
Source: www.lifehack.org

Keep patched and up to date
Monitor network traffic for anomalies
Monitor for encrypted traffic traveling over nonstandard ports
Use two-factor authentication wherever possible
Ensure malware protection software is in place
Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer

Is your institution regularly monitoring ATMs to ensure they are patched appropriately?
A. Yes
B. No
C. Uncertain

Monitoring and Patching of ATMs
Vendor Management
Patch Management
Business Continuity & Recovery Testing
Board Oversight
Beneficial Ownership Rule: Fifth Pillar of Anti-Money Laundering

Effective May 11, 2018, new requirements were imposed on covered Financial Institutions under FinCEN's Customer Due Diligence rules.
• Commonly referred to as the Beneficial Owners Rule
• Categorizes Beneficial Owners into two categories:
  o Control Prong
  o Ownership Prong
• Establishes requirements for verification of identity

By now, all covered financial institutions should have in place procedures for compliance with the Rule, which should be incorporated into the customer risk monitoring process.
Any reasonable suspicion that a customer is evading or attempting to evade beneficial ownership requirements should trigger an assessment of the advisability of opening an account or closing an existing account, as well as the possibility of filing a suspicious activity report.

A quick recap of the guidance provided by FinCEN:
Beneficial ownership threshold: more stringent written internal policies may be appropriate:
• Goal is transparency in beneficial ownership
• Should be risk-based
Consider this ownership structure:

Bedrock Granite, Inc is owned 50% by Flintstone Quarry, LLC and 50% by Pebbles & BamBam, LLC.
Flintstone Quarry, LLC: Fred owns 60%, Wilma owns 40%.
Pebbles & BamBam, LLC: Wilma owns 35%, Barney owns 33 1/3%, Betty owns 33 1/3%.

For purposes of the Rule, Fred is a beneficial owner of Bedrock Granite because he owns 30% of its equity through his 60% ownership in Flintstone Quarry. Wilma is also a beneficial owner of Bedrock Granite because she indirectly owns 20% of its equity interest through her direct ownership of Flintstone Quarry, plus 16 2/3% ownership through her direct ownership of Pebbles & BamBam LLC, for a total indirect ownership interest of 36 2/3%. Neither Barney nor Betty meet the definition of beneficial owner as each indirectly owns only 16 2/3% of Bedrock Granite.
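The indirect-ownership arithmetic in the example above, carried out by walking the ownership graph and applying the 25% Ownership Prong threshold; this is an added illustration, not material from the presentation or from FinCEN. It assumes Wilma's stake in Pebbles & BamBam is 33 1/3% (the figure that yields the 16 2/3% the text states and lets the three members' stakes total 100%) and uses exact fractions so that thirds do not drift.

```python
from fractions import Fraction

# Constructed ownership structure from the slide's example. Assumption: Wilma's
# stake in Pebbles & BamBam is taken as 33 1/3%, the figure that produces the
# 16 2/3% stated in the text. Each entry maps an owned legal entity to
# {owner: fraction of its equity}; names not present as keys are natural persons.
OWNERSHIP = {
    "Bedrock Granite, Inc": {"Flintstone Quarry, LLC": Fraction(1, 2),
                             "Pebbles & BamBam, LLC": Fraction(1, 2)},
    "Flintstone Quarry, LLC": {"Fred": Fraction(3, 5), "Wilma": Fraction(2, 5)},
    "Pebbles & BamBam, LLC": {"Wilma": Fraction(1, 3), "Barney": Fraction(1, 3),
                              "Betty": Fraction(1, 3)},
}

# Ownership Prong threshold under the CDD Rule: 25% or more of the equity.
THRESHOLD = Fraction(1, 4)


def indirect_ownership(entity, structure):
    """Return {natural person: total direct + indirect equity fraction in entity}.

    Each intermediate entity's owners receive that entity's share of the target
    multiplied by their share of the intermediate, summed over every path.
    """
    totals = {}
    # Work list of (holder, fraction of the target held along this path).
    stack = [(entity, Fraction(1))]
    while stack:
        holder, share = stack.pop()
        if holder in structure:
            # A legal entity: pass the diluted share down to its owners.
            for owner, pct in structure[holder].items():
                stack.append((owner, share * pct))
        else:
            # A natural person: accumulate this path's share.
            totals[holder] = totals.get(holder, Fraction(0)) + share
    return totals


def beneficial_owners(entity, structure, threshold=THRESHOLD):
    """Natural persons meeting the Ownership Prong threshold, sorted by name."""
    shares = indirect_ownership(entity, structure)
    return sorted(p for p, share in shares.items() if share >= threshold)


if __name__ == "__main__":
    target = "Bedrock Granite, Inc"
    for person, share in sorted(indirect_ownership(target, OWNERSHIP).items()):
        print(f"{person}: {float(share) * 100:.2f}%")
    print("Ownership Prong beneficial owners:", beneficial_owners(target, OWNERSHIP))
```

The walk stops at natural persons, so the Control Prong (a natural person with significant managerial control) still has to be identified separately, as the presentation notes.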
Identify each beneficial owner according to risk-based procedures containing the same elements included in the financial institution's CIP.
No requirement that these be identical.
Must address the use of documentary and non-documentary methods.
The CDD Rule expressly allows for use of photocopies or other reproduction documents as documentary verification.

No requirement that these procedures be implemented retroactively. However:
• if the identified beneficial owner is an existing customer that was subject to the institution's CIP, the institution may rely on information in its possession;
• information must be up-to-date, accurate, and the legal entity customer's representative certifies or confirms the accuracy;
• beneficial ownership records should cross-reference the relevant CIP records; and
• there is an obligation to update information, triggered when the financial institution becomes aware of information during normal account monitoring.

Each time a loan is renewed or a certificate of deposit is rolled over, the institution is required to obtain information on the beneficial owners.
• For accounts established prior to May 11, 2018, certified beneficial ownership of legal entity customers must be obtained at the first renewal following that date
  o Verification at subsequent renewals
NOTE: This requirement is subject to 90-day exceptive relief as of May 16, 2018, which has been extended to September 8, 2018, to allow time for institutions that had not treated such rollovers or renewals as new accounts to implement appropriate procedures to meet the requirements.

Has your institution developed a procedure to identify and verify beneficial owners for existing accounts?
A. Yes, for all existing legal entity account holders
B. Yes, but only as required for loan renewal or CD rollover
C. No
D. Uncertain
• If a legal entity is the trustee of a trust that owns 25% or more of equity interests of a legal entity, the beneficial owner for purposes of the Ownership/Equity Prong is the trustee
• If multiple trustees, the financial institution is expected to collect and verify the identity of at least one co-trustee
• Keep in mind that the financial institution is still required to identify and verify a natural person as the beneficial owner under the Control Prong

• Charities/non-profits: not limited to those entities that meet the definition under the Internal Revenue Code.
• Sole proprietorships/Unincorporated Associations
• Non-US governmental departments, agencies or political subdivisions

• Aggregating transactions for legal entity and beneficial owners
• Identification of beneficial owners on CTR
Website ADA Compliance

How does this impact financial institutions?
• Any business that exists to benefit the public, a local or state government or agency is subject to ADA regulations
• Potential lawsuits alleging non-compliance

Website Content Accessibility Guidelines (WCAG)
• Issued by the World Wide Web Consortium (W3C)
• Technical specifications to improve accessibility of web content, websites and web applications on desktop computers, laptops, tablets and mobile devices for people with a wide range of disabilities
• Most recent version: WCAG 2.1 W3C Recommendation, effective June 5, 2018
The four WCAG principles:
• Perceivable
• Operable
• Understandable
• Robust

Perceivable: Information and user interface components must be presentable to users in ways they can perceive
• Ensures content is available to view in multiple forms, and is easy to see or hear regardless of disability

Operable: User interface components and navigation must be operable
• Ensures a user could easily navigate a website without running into limited functionality or time limits

Understandable: Information and the operation of the user interface must be understandable
• Ensures all webpages are readable, predictable, and have the capability to correct user mistakes

Robust: Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies
• Ensures the compatibility between the website and all current and future technologies someone may use to assist them
Has your Institution performed a
Website ADA Compliance
assessment?
A. Yes
B. No
C. Uncertain
47
With donor restrictions
Perform an assessment of your website• Internal review by your audit and/or IT staff
• Third–party review
Establish procedures for ongoing monitoring:• When any website updates are made
• When specific content is added, deleted or changed
Report results of reviews to Audit Committee and/or Board of Directors
48