Current IT Trends - PowerPoint PPT Presentation

About This Presentation
Title:

Current IT Trends

Description:

Current IT Trends & Issues including the New FFIEC Authentication Guidance. Saltmarsh, Cleaveland & Gund CPAs Annual Financial Institution Technology Funnel.

Slides: 26
Provided by: itma63

Transcript and Presenter's Notes

1
  • Current IT Trends & Issues including the New
    FFIEC Authentication Guidance
  • Saltmarsh, Cleaveland & Gund CPAs
  • Annual Financial Institution Technology Funnel
  • The Tampa Club,
  • Tampa, Florida
  • October 6, 2011

2
Presenters
  • David Fiedorek, Senior Examiner, Division of Risk Management
    Supervision, Tampa Field Office, FDIC
  • Annie Moore, CPA, MBA, CPCU, CISA, CFE, CIA, Information Technology
    Examination Analyst, Division of Risk Management Supervision, Tampa
    Field Office, FDIC
3
Today's Session Topics
  • Current Security Threats
  • Mobile Banking Guidance
  • Multi-Factor Authentication Guidance
  • Common Examination Findings
  • You Be the Regulator Challenge (!!)
  • Question and Answer Session

4
Top 10 most popular passwords
  1. 123456
  2. 12345
  3. 12345678
  4. Password
  5. iloveu
  6. Princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

From a list of 32 million passwords an unknown hacker stole from Rock You,
a company that makes software for social networking sites like Facebook
and MySpace (The New York Times, 1/20/10)
5
Current IT Opportunities? Threats?
  • Mobile Devices
  • Social Networking
  • Cloud Computing
  • Geo-location
  • Identity Theft
  • Social Engineering
  • And On and On..!!!

6
Community Bank Security Considerations
  • Perimeter Security (Firewall, IDS, IPS, DMZ)
  • Internal Security (IDS/IPS, Network Controls)
  • Mobile, Mobility, On-Demand (Wi-Fi Risks)
  • Custom Web Applications (Careful Maintenance)
  • Event Correlation
  • SANS List (Vulnerability Review)
  • Resource Availability
  • Assess, Prioritize, Remediate Vulnerabilities
  • User Education (Employees and Customers)

7
Mobile Banking Risks/Controls
  • Delivery Channel Types/Characteristics
    • SMS/text: unsecure, cannot be encrypted
      • OK for non-sensitive communication; watch for malicious texts and
        tweets
    • Browser: from WAP to sophisticated smart phones
      • Most popular; security/vulnerabilities akin to PC banking
    • Mobile Apps: customized software with a user-friendly interface
      • Needs secure vendor coding and testing
      • Can be corrupted by rogue malware installations
      • Customer education and secure app distribution
        • Only use reliable downloads
        • Timely updates/patch distribution to customers

8
Mobile Banking Risks/Controls
  • Banker concerns
    • Secure Customer Authentication/Authorization
      • Re-authenticate after non-use/exit (FIL-50-2011)
    • On-Device Data Security
      • Do not store data on the device, or encrypt any data that is stored
      • Device lost or stolen: GPS and wiping services
    • Device Malware/Viruses
      • Limited attacks to date, but a prime target
      • Monitor developments; customers should run AV software

9
Mobile Banking Risks/Controls
  • Other Banker concerns
    • Data Transmission Security
      • Devices search for and accept the strongest cell tower signal
      • Devices are backward compatible and may connect using a less
        secure standard
      • A rogue operator could trick/downgrade/hijack the session
      • Preclude customers from using public WLAN for mobile banking
    • Compliance/Legal/Reputation Risks
      • Consumer laws, regulations, and supervisory guidance apply
      • Involve the Compliance Officer in implementation to limit risks and
        ensure disclosure requirements are fully accessible on the mobile
        device
      • Ensure changes to policies/procedures address mobile banking
      • Monitor for legal and regulatory changes
      • Ensure appropriate staff training
      • Due diligence, risk assessment and control, vendor management,
        ongoing monitoring and reporting apply
      • Recent court cases: Ocean Bank/Peoples United Bank (May 2011);
        Comerica Bank (June 2011); Jack Henry, vendor for Ocean Bank

10
Cloud Computing
  • On-demand model for network access allowing users to tap into a shared
    pool of configurable computing resources (applications, networks,
    servers, storage, services) that can be quickly acquired and released
    with minimal management effort or service provider intervention
  • Public (TSP), Private (FI), and Hybrid (combination) models
  • Why consider?
    • OPEX/CAPEX cost alignment and containment
    • Facilitates consolidation and virtualization opportunities
    • Process reengineering/technology, procurement, administration change
    • Optimize, repurpose, realign network and computing resources
  • Recent IBM Global Risk Survey
    • 77% believe cloud computing makes privacy protection more difficult
    • 50% concerned about data breach or loss
    • 23% worried about weakened corporate security

11
Cloud Computing
  • Cloud Computing Concerns
    • Intellectual Property Protection, Regulatory Compliance,
      Accountability, Jurisdiction/Trans-Border Data Flow, Threat/Risk
      Assessments, Logging/Monitoring, Litigation/e-Discovery,
      Indemnification, Disaster/Breach Scenarios
  • Security Evolution: Is it Fast Enough?
    • Changing over time, but fast enough to keep up? Evolving from
      reactive, through adaptive (where regulators and the banking
      industry are now), to predictive phases (DoD and other high-value
      targets, such as infrastructure, that use the best controls and
      security practices)
  • Audit/Control Considerations for Cloud Service Providers?
    • Risk-based approach: specific environments/controls/best practices
      developed by larger leading banks
    • Promotes standardization/efficiency; outsourcers get the needed
      information quickly
    • Free download at www.sharedassessments.org

12
Multifactor Authentication News
  • Bank/Customer losses down, but cyber-attacks up in the last 18 months
    • Commercial account fraudulent takeover losses: 2009 63%, 2010 36%
    • Stopped transactions: 2009 20%, 2010 36%
  • Still need greater vigilance and better government/industry
    collaboration
  • Employees/contractors still pose threats

13
Multifactor Authentication News
  • Community Bank Usage
    • 113 responses to July/August 2011 Heit, Inc. survey
      • 83% - Consumer Account Transactions
      • 74% - Business Account Transactions
      • 37% - Key Employees Connecting to Remote Systems
  • Community bank accounts much more vulnerable
  • Consumer MFA most useful for password changes, high-risk and infrequent
    transaction types

14
FFIEC Authentication Guidance
  • Background
    • On October 12, 2005, the FFIEC agencies issued guidance entitled
      "Authentication in an Internet Banking Environment".
    • The Guidance provided a risk management framework for financial
      institutions offering Internet-based products and services to their
      customers, and required:
      • Effective authentication mechanisms
      • Periodic risk assessments for institutions to adjust their
        controls in response to changing internal/external threats

15
Recent Supplementary Guidance
  • On 6/29/11, the FFIEC released FIL-50-2011, "FFIEC Supplement to
    Authentication in an Internet Banking Environment".
  • The guidance outlines expectations regarding customer authentication,
    layered security, and other controls in the high-risk online world.
  • The FDIC expects institutions to upgrade their controls for high-risk
    online transactions through:
    • Yearly risk assessments
    • For consumer accounts, layered security controls
    • For business accounts, layered security controls consistent with the
      increased level of risk posed by business accounts, and
    • More active consumer awareness and education efforts.
  • Layered security controls should include processes to detect and
    respond to suspicious or anomalous activity and, for business
    accounts, administrative controls.
  • Certain types of device identification and challenge questions should
    no longer be considered effective controls.

16
Complying with updated Multi-Factor Authentication guidance: For Exams
beginning by Year End 2011
  • Banks should be working towards compliance by:
    • Coordinating with their IT service provider (if applicable)
    • Updating their IT risk assessment and analyzing potential gaps
      identified, and
    • Developing an updated Multi-Factor Authentication project plan with
      a timeline for implementation

17
Complying with updated Multi-Factor Authentication guidance
  • For exams beginning in 2012, regulators will:
    • Assess progress toward conformance, with agencies looking for a
      diligent, good-faith effort to comply within a reasonable timeframe
      for completion
    • Validate that banks reliant on their IT service provider are working
      with them where remediation is needed
    • Realistically, many financial institutions will not conform until
      later in 2012 (a shortened time frame compared to the original 2005
      MFA guidance)
    • Cite MRBA if acceptable efforts have not been made (reasonability
      test based on examiner judgment).

18
YOU BE THE REGULATOR CHALLENGE
  • First Neighborhood Bank of Anywhere opened in
    2001. A new bank President started 3 months ago
    and is presenting the following 2011 risk
    assessment and annual security reports to the
    Board.
  • Do you see any areas of concern?
  • Please raise your hand when you think you've
    found something wrong.
  • But first, just a little more background...

19
First Neighborhood Bank Heat Map

                              Risk Probability (Likelihood)
  Risk Impact (Severity)      Low        Medium     High
  High                                              9
  Medium                                 4
  Low                         1

The Board selected a risk appetite of medium (4)
20
First Neighborhood of Anywhere Bank 1st Annual Information Security
Report for 2010 (9/30/11)
  • Vendor program
  • Audit program
  • Business Continuity/Disaster Recovery
  • Information Security Program
  • Risk Assessment (overall residual risk level of medium met).
  • We have policies and procedures for all of the areas listed above and
    our auditors and regulators test our controls for us.
  • We don't need any additional resources right now.

21
Key Residual Risks
  • Risk: Risk assessment is inadequate
    Action Plan: Update our 2008 risk assessments (IT and BSA)
    Action Date: 11/30/11
  • Risk: BCP/DR plan may not be viable
    Action Plan: President/BCP/DR Coordinator will conduct another
    table-top test like 2 years ago
    Action Date: 6/30/12
  • Risk: Outsourced internal audit firm finds too many findings (picky,
    picky)
    Action Plan: Change firms again this year
    Action Date: Immediately
  • Risk: Neither member of the annual IT Steering Committee wants to be
    named CISO
    Action Plan: Hire a consultant to do a detailed cost/benefit analysis
    Action Date: 9/30/12
  • Risk: Staff isn't trained and we don't have a way to see what our 27
    or so remote access users do, but we trust them
    Action Plan: Have the outsourced network administrator monitor
    Action Date: Immediately
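To work the "You Be the Regulator" exercise on slides 19 through 21 in code, the following added example (not part of the presentation) scores risks on the 3x3 heat map, triages the Key Residual Risks against the Board's risk appetite of medium (4), and tests the report's claim that an overall residual risk of medium was met. The likelihood and impact ratings assigned to each residual risk are constructed assumptions for illustration, not ratings from the deck.

```python
# Added example (not from the presentation): scores risks on the 3x3 heat map
# from slide 19 and checks the slide-20 claim that an overall residual risk of
# medium (4) was met, using the Board's stated risk appetite of medium (4).
# The likelihood/impact ratings given to the slide-21 residual risks are
# constructed assumptions for illustration, not ratings from the deck.

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def score(likelihood, impact):
    """Heat map cell value: likelihood level times impact level (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def heat_map():
    """The 3x3 grid: rows are impact High..Low, columns likelihood Low..High."""
    return [[score(lk, im) for lk in ("Low", "Medium", "High")]
            for im in ("High", "Medium", "Low")]


# Constructed ratings (assumption): (risk description, likelihood, impact).
RESIDUAL_RISKS = [
    ("Risk assessment is inadequate (last done 2008)", "High", "High"),
    ("BCP/DR plan may not be viable", "Medium", "High"),
    ("Audit firm changed again this year", "Medium", "Medium"),
    ("No named CISO", "Medium", "High"),
    ("27 remote access users not monitored", "High", "High"),
]


def triage(risks, appetite=4):
    """Risks whose score exceeds the appetite, highest score first."""
    flagged = [(name, score(lk, im)) for name, lk, im in risks
               if score(lk, im) > appetite]
    return sorted(flagged, key=lambda r: r[1], reverse=True)


def overall_residual(risks):
    """Overall residual level is driven by the worst cell, not the average."""
    return max(score(lk, im) for _, lk, im in risks)


def appetite_met(risks, appetite=4):
    """True only if every residual risk sits at or below the appetite."""
    return overall_residual(risks) <= appetite


if __name__ == "__main__":
    for row in heat_map():
        print(row)
    for name, value in triage(RESIDUAL_RISKS):
        print(f"{value}: {name}")
    print("appetite met:", appetite_met(RESIDUAL_RISKS))
```

With these assumed ratings, four of the five residual risks land above the appetite, so the "medium met" statement on the annual report does not hold.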
22
Common Areas Noted in IT Examinations
  • IT Strategic Plan
  • ISO Role/Information Security Program Updates/Implementation
  • Risk Assessment/Audit Plan Linkage
  • Business Continuity/Disaster Recovery Plan Updating and Testing
  • Audit Policy/Schedule/Findings Tracking
  • Internal Control Testing
  • Vendor Management/Oversight
  • User Access Reviews
  • Penetration Tests: Internal/External
  • Data Privacy, Encryption

23
Topic Summary
  • Current Security Threats
  • Mobile Banking Guidance
  • Multi-Factor Authentication Guidance
  • Common Examination Findings

24
Need Additional Resources?
  • www.FDIC.gov
  • www.FFIEC.org
  • www.ISACA.org
  • www.NIST.org
  • www.Bankersonline.com
  • www.BankInfoSecurity.com

25
  • Questions?
  • Thank you!