TOP IT Security Issues An Examiner - PowerPoint PPT Presentation

About This Presentation
Title:

TOP IT Security Issues An Examiner

Description:

RISKS TO THE NCUSIF – PowerPoint PPT presentation

Slides: 88
Provided by: NCU82

Transcript and Presenter's Notes

1
TOP IT Security Issues: An Examiner's Perspective
  • Matthew Biliouris, Information Systems Officer, EI

2
EFS Products & Services
  • TRADITIONAL EFS
    • ATM
    • WIRE TRANSFER
    • ACH
    • Automated Telephone Response Systems

3
EFS Products & Services
  • TYPICAL INTERNET-BASED EFS
    • A/C History Review
    • Account Transfers
    • Applications
    • Withdrawal Requests

4
EFS Products & Services
  • NEWER ON-LINE EFS
    • Bill Payment / Presentment
    • Account Aggregation
    • Statement & Disclosure Delivery
    • Check Imaging
    • Credit Card Statement Access
    • Downloads to Financial Software

5
Account Aggregation (account types pulled into one view)
  • Brokerage
  • Travel
  • CUs/Banks
  • 401K
  • Taxes
  • Credit Cards
  • Bills
  • E-Mail
  • Airline Miles
  • Shopping

6
Types of Web Sites
  • Informational Sites
    • Marketing Info
  • Interactive Sites
    • Secure Messaging
    • Loan Applications
    • Account Inquiry
  • Fully Transactional Sites
    • Financial Transactions (transfer funds, pay bills, etc.)

7
Credit Union Industry Statistics
8
Credit Union Industry Statistics
9
Credit Union Industry Statistics
10
Credit Union Industry Statistics
11
2004 CSI/FBI Survey
  • Security Trends
  • 2004 Computer Security Institute / FBI Survey
    • 494 security practitioner responses
    • 19% of respondents from the financial services industry

12
Key Findings
  • Unauthorized use and financial losses declined
  • Virus and denial of service top cost
  • Law enforcement reporting declined
  • Security audits used
  • Security outsourcing low
  • Sarbanes-Oxley impact
  • Security training needed

13
Respondents
14
Percentage of IT Budget Spent on Security
2004 481 Respondents/97
15
Unauthorized Use
16
Breach Frequency
17
Website Incidents
18
Types of Losses
19
Computer Intrusions Actions Taken
20
Computer Intrusions Not Reported
21
NCUA Strategic Plan 2003-2008
  • Goal 2
  • Facilitate the ability of credit unions to safely
    integrate financial services and emerging
    technology in order to meet the changing
    expectations of their members.

22
Frequent Question
  • Does NCUA expect all credit unions to develop
    and implement e-Commerce services?

NO!
  • NCUA encourages credit unions to consider
    offering e-Commerce services.

23
(No Transcript)
24
(No Transcript)
25
Risk Assessment Process
26
Electronic Financial Services
  • Areas of Risk
    • Transaction/Operational
    • Compliance
    • Reputation
    • Strategic

27
IST Exam Procedures
  • Before implementing product/service
    • Seek education as to the benefits & risks.
    • Determine if risks are acceptable.
    • Determine regulatory compliance requirements.
    • Ensure a legal review of contracts.
    • Assess the adequacy of staff expertise (technical, managerial, member service).

28
IST Exam Procedures
  • Before implementing product/service (cont'd)
    • Assess the adequacy of staff expertise (technical, managerial, member service).
    • Determine best in-house/outsourcing solution.
    • Evaluate necessary security measures.
    • Research available bond coverage.
    • Seek expert assistance when necessary.

29
IST Exam Procedures
  • Before implementing product/service (cont'd)
    • Complete due diligence of vendors.
    • Involve all interested operational & audit functions in planning implementation.
    • Develop audit performance mechanisms.
    • Create or revise related policies and procedures.

30
Security Programs
  • Gramm-Leach-Bliley Act 501(b)
    • Outlines Specific Objectives
    • Requires NCUA to establish standards for safeguarding member records

31
Security Programs
  • Credit Unions Must Have a Process in Place to
    • Ensure Security & Confidentiality of Member Records
    • Protect Against Anticipated Threats or Hazards
    • Protect Against Unauthorized Access
  • Specifically Stated in 748.0(b)(2)

32
(No Transcript)
33
Security Programs
  • Appendix A: Guidelines for Safeguarding Member Information
    • Involvement of Board of Directors
    • Assess Risk
    • Manage & Control Risk
    • Oversee Service Providers
    • Adjust the Program
    • Report to the Board

34
Security Programs
  • Response Program Guidance
    • Increasing Number of Security Events
    • Congressional Inquiries
    • GLBA Interpretation
    • FFIEC Working Group
    • Revise Part 748 - Add New Appendix B

35
Security Programs
  • Credit Unions Must Have a Process in Place to
    • Ensure Security & Confidentiality of Member Records
    • Protect Against Anticipated Threats or Hazards
    • Protect Against Unauthorized Access
    • Respond to Incidents of Unauthorized Access to Member Information

36
(No Transcript)
37
Security Programs
  • Appendix B: Guidance on Response Programs
  • Components of a Response Program
    • Assessing Incident
    • Notifying NCUA/SSA
    • Notifying Law Enforcement Agencies
    • Containing/Controlling Incident
    • Notifying Affected Members

38
Security Programs
  • Appendix B: Guidance on Response Programs
  • Content of Member Notice
    • Account/Statement Review
    • Fraud Alerts
    • Credit Reports
    • FTC Guidance

39
PART 748 APPENDIX B
  • Conflict with State Law, e.g., California Notice of Security Breach statute
    • Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person
  • Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections

40
NCUA Expectations
  • Potential Questionnaire
    • Incorporated into Overall Security Program
    • Escalation Process / Incident Response
    • Review of Notices - Attorney Review?
    • Enterprise-Wide Approach
    • Reporting to Senior Management
    • Member Outreach / Awareness Programs
    • Employee Training Programs

41
Phishing
42
Quotes
  • "The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company."
    Arthur Levitt, Former Chairman of the SEC

43
Quotes
  • "Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet."
    Jana Monroe, Assistant Director, Cyber Division of the FBI

44
Phishing 101
  • Phishing uses e-mail to lure recipients to bogus
    websites designed to fool them into divulging
    personal data.

45
Phishing 101
  • E-mail
    • Spoofed address
    • Convincing
    • Sense of urgency
    • Embedded link (but not always)

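The indicators on this slide can be turned into a first-pass triage check. The following is an added example, not part of the presentation: it scans a raw e-mail for a Reply-To or Return-Path domain that differs from the From domain (spoofed sender), urgency phrases, links whose visible text names a different host than the href, and links to a raw IP address. The two sample messages, the example-cu.test domains and the keyword list are constructed for the example.

```python
"""Heuristic phishing triage over raw RFC 822 text.
Added example with constructed sample messages; not NCUA material."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of "sense of urgency" phrases; tune to your own mail.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours",
                 "verify your account", "account will be closed")

# Constructed samples: one phish, one legitimate newsletter.
PHISH = """From: "Example CU Security" <alerts@example-cu.test>
Reply-To: support@example-cu-verify.test
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Please <a href="http://203.0.113.7/login">www.example-cu.test/login</a> within 24 hours.</p>
"""

LEGIT = """From: newsletter@example-cu.test
Subject: Quarterly newsletter
Content-Type: text/html

<p>Read more at <a href="https://www.example-cu.test/news">www.example-cu.test/news</a>.</p>
"""


def domain_of(addr):
    """Lower-cased domain part of an e-mail address ('' if none)."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return the list of phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # Spoofed sender: reply/bounce domain differs from the displayed From domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"spoofed-sender: {hdr} domain {dom} != From domain {from_dom}")

    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))

    # Embedded links: raw-IP hosts, and visible text that names another host.
    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link-to-raw-ip: {href}")
        m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", visible.lower())
        shown = m.group(1) if m else ""
        if shown and shown != host:
            findings.append(f"link-mismatch: text shows {shown} but href goes to {host}")
        elif host and from_dom and not (host == from_dom or host.endswith("." + from_dom)):
            findings.append(f"link-offsite: {host} is not under sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample) or ["no indicators"])
```

A non-empty finding list is a prompt for a person to look closer, not a verdict: bulk-mail providers routinely set a Reply-To on a different domain, so calibrate the rules against the credit union's own outbound mail before routing hits to the response process.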
46
Phishing Trends
Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
APWG Members:
  • Over 400 members
  • Over 250 companies
  • 8 of the top 10 US banks
  • 4 of the top 5 US ISPs
  • Over 100 technology vendors
  • Law enforcement from Australia, CA, UK, USA
47
Phishing Trends
Source: Anti-Phishing Working Group Phishing Attack Trends Reports - March 2004 & May 2004
48
Phishing Trends
Source: Anti-Phishing Working Group Phishing Attack Trends Report - May 2004
49
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing Archive
50
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing Archive
51
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing Archive
52
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing Archive
53
Examples (March 2004)
Source: Anti-Phishing Working Group Phishing Archive
54
Examples (March 2004)
Source: Anti-Phishing Working Group Phishing Archive
55
Examples (May 2004)
Source: Anti-Phishing Working Group Phishing Archive
56
Phishing Action Plans: Employee Education
  • Training / Policy Development
  • Awareness
  • Handling complaints & reports of suspicious e-mails/sites
  • Protect on-line identity of credit union
  • Response Plan

57
Phishing Action Plans: Member Education
  • Communication Methods
    • Internet Banking Agreements
    • Newsletters
    • Statement Stuffers
    • Recordings when on hold
    • Website (FAQs / Advisories / Links)

58
Action Plan Ideas - Education
59
Action Plan Ideas - Education
60
Action Plan Ideas - Education
61
Phishing Action Plan Ideas: Member Education
  • Content
    • We will never ask for xxx via e-mail
    • We will never alert you of xxx via e-mail
    • Always feel free to call us at the number on your statement
    • Always type in our site URL (see statement / newsletter / previous bookmark)

62
Phishing Action Plan Ideas: Member Education
  • Content (cont'd)
    • Sites can be convincingly copied
    • Report suspicious e-mails & sites
    • Where to get more advice on phishing
    • Importance of patching
    • How to validate site (via cert or seal)
    • Where to go for ID theft help

63
Phishing Action Plan Ideas: Protection of CU's Online Identity
  • Considerations
    • Keep certificates up-to-date
    • Practice good domain name controls
    • Don't let URLs lapse
    • Purchase similar URLs / Search for similar URLs

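Two of these considerations lend themselves to a recurring scripted check. The block below is an added example, not NCUA or APWG material: days_until_expiry computes the remaining life of a certificate from the notAfter string in the format Python's ssl.getpeercert() returns, and lookalike_variants builds a watchlist of common variations of the credit union's own domain (dropped or swapped characters, look-alike characters, inserted hyphens, other TLDs) that can be compared against registrations found via WHOIS, certificate-transparency logs or a zone feed. The domain examplecu.com, the REGISTERED list and the HOMOGLYPHS table are constructed for the example.

```python
"""Certificate-expiry check and lookalike-domain watchlist.
Added example, not NCUA material; all sample data is constructed."""
import ssl
import time

# Constructed, deliberately small table of look-alike substitutions.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3", "a": "4"}
TLDS = ("com", "net", "org", "info", "biz")

# Constructed stand-in for a WHOIS / zone-feed result set.
REGISTERED = ["examplecu.com", "examp1ecu.com", "totally-unrelated.test",
              "examplecu.net", "examplecu-online.com"]


def days_until_expiry(not_after, now=None):
    """Days left on a certificate whose notAfter is in ssl.getpeercert() format,
    e.g. 'Jun 10 12:00:00 2025 GMT'. Negative means it has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def lookalike_variants(domain):
    """Set of common lookalikes of 'label.tld': one omission, transposition,
    homoglyph substitution or hyphen insertion per variant, plus TLD swaps."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(label)):
        if len(label) > 1:                                   # omitted character
            out.add(label[:i] + label[i + 1:] + "." + tld)
        if i + 1 < len(label):                               # swapped neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
            out.add(label[:i + 1] + "-" + label[i + 1:] + "." + tld)  # hyphen
        if label[i] in HOMOGLYPHS:                           # look-alike glyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:] + "." + tld)
    for t in TLDS:                                           # other TLDs
        if t != tld:
            out.add(label + "." + t)
    out.discard(domain.lower())
    return out


def watchlist_hits(domain, registered):
    """Registered domains (sorted) that match a lookalike of 'domain'."""
    variants = lookalike_variants(domain)
    return sorted(d for d in registered if d.lower() in variants)


if __name__ == "__main__":
    # notAfter value is constructed; a live check would read it from
    # ssl.create_default_context() + getpeercert() on the CU's own site.
    print("days until expiry:", round(days_until_expiry("Jun 10 12:00:00 2025 GMT"), 1))
    print("lookalikes already registered:", watchlist_hits("examplecu.com", REGISTERED))
```

Running the expiry check from a scheduled job with a threshold (say, 30 days) turns "keep certificates up-to-date" into an alert rather than a discovery by members; the watchlist is equally useful for deciding which similar names are worth registering defensively and which only need monitoring.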
64
Phishing Resources
  • NCUA
    • (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements and Websites by Entities Claiming to be Credit Unions
    • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
    • (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance
  • FFIEC Agency Brochure

65
Action Plan Ideas - Education
66
Action Plan Ideas - Education
67
Phishing Resources
  • NCUA
    • Related guidance
      • (12/02) LTR 02-CU-16 Protection of CU Internet Addresses
      • (7/02) LTR 02-FCU-11 Tips to Safely Conduct Financial Transactions Over the Internet
      • (09/01) LTR 01-CU-09 Identity Theft & Pretext Calling
    • Working with External Sources
    • Article in NCUA News

68
Inside the Examiner's Playbook
  • Think Globally
  • Vendor Management
  • Security Program (Part 748)
  • Employee Remote Access
  • Risk Assessment
  • Patch Management
  • IDS/Incident Response
  • Virus Definition Updates
  • BCP
  • Formal Policies

69
(No Transcript)
70
(No Transcript)
71
(No Transcript)
72
(No Transcript)
73
(No Transcript)
74
(No Transcript)
75
(No Transcript)
76
(No Transcript)
77
(No Transcript)
78
FFIEC IT Handbook
79
FFIEC IT Examination Handbook
  • Development & Acquisition
  • Management
  • Operations
  • Outsourcing
  • Retail Payment Systems
  • Wholesale Payment Systems
  • Issued
    • BCP
    • Information Security
    • Supervision of TSPs
    • Audit
    • E-Banking
    • Fedline

80
(No Transcript)
81
(No Transcript)
82
(No Transcript)
83
(No Transcript)
84
(No Transcript)
85
(No Transcript)
86
(No Transcript)
87
Questions??
Contact Information: Matthew Biliouris, 703-518-6394, matthewb@ncua.gov