
Jessica Dore, CISA
jessica.dore@rehmann.com
989.797.8391

Beth Behrend, CCBCA, CBAP
beth.behrend@rehmann.com
616.975.4100


Security is not convenient.

– J. Hey, c. 2003

“There are only two types of companies: those that have been hacked, and those that will be.”

— Robert Mueller, FBI Director, 2001-2013

Data breaches by category. Each cell gives the number of breaches, that category's share of the year's total, and the number of records exposed.

Category               2017                        2016                        2015
Banking / Financial     99 (7.4%)     2,910,117     52 (4.8%)        72,262     71 (9.1%)     5,063,044
Business               680 (50.8%)  159,365,480    495 (45.3%)    5,669,711    312 (39.9%)   16,191,017
Educational            116 (8.7%)     1,146,861     98 (9%)       1,048,342     58 (7.4%)       759,600
Government / Military   70 (5.2%)     5,838,098     72 (6.6%)    13,869,571     63 (8.1%)    34,222,763
Medical / Healthcare   374 (27.9%)    5,141,972    376 (34.4%)   15,942,053    277 (35.5%)  112,832,082

Source: ID Theft Resource Center

75% perpetrated by outsiders
25% involved internal actors
18% conducted by state-affiliated actors
3% featured multiple parties
51% involved organized criminal groups

Source: Verizon 2017 Data Breach Investigations Report

1. Hacking accounted for 62% of breaches.
2. More than 5 of 10 breaches included malware.
3. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
4. Social attacks comprised 43% of attacks.
5. Physical breaches account for 8% of attacks.

Source: Verizon 2017 Data Breach Investigations Report

• 7 out of 10 organizations say their security risk increased significantly in 2017.
• 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques.
• A third of all attacks are projected to utilize fileless techniques in 2018.
• Ransomware on decline while cryptomining malware booms.
• Cryptominers have impacted 55% of organizations globally.

Source: barkly.com

• Awareness of ransomware reached a tipping point.
• Few victims are actually paying ransoms.
• Cryptocurrency volatility is tough on the extortion racket.
• Cryptocurrency-mining malware provides a stealthier, more effective alternative to ransomware.

Most common passwords, ranked:

1. 123456
2. password
3. 12345678
4. Qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou

Phishing: False emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data.

Spearphishing: Same as phishing e-mails, but appearing to be from someone you know – VERY legitimate in appearance!

Smishing: SMS (text message) phishing – a link sent through text message which delivers a payload.

Whaling: Targets employees fraudulently, using actual executives’ names, to attempt wire fraud.

Baiting: Using the promise of an incentive to gather your information (e.g. gift cards; free movies; money).

“Malvertizing”: Legitimate-looking ads on legitimate sites (e.g. YouTube) that, once clicked on, deliver a payload.

Partner Network Compromise: Target (and one in West Michigan in early Oct ‘17!)

Social Engineering: Impersonation (phone/in-person)

DDoS: Distributed Denial of Service

And… don’t forget about physical security…

4 billion humans online by 2020 – twice that of today.

$6 trillion in cyber-crime damage costs by 2021.

15x the amount of ransomware impact of 2015.

• Weak and Stolen Credentials, a.k.a. Passwords
• Back Doors, Application Vulnerabilities
• Malware
• Poor Patch Management
• Social Engineering
• Too Many Permissions
• Insider Threats
• Physical Attacks
• Improper Configuration
• Weak Enforcement of Remote Login Policies

On May 25, 2018, all businesses collecting and retaining data of any individuals residing, visiting or conducting business in the European Union (EU) will be subject to new standards for data security and breach response when the EU General Data Protection Regulation (GDPR) goes into effect.

[Figure: May 2018 calendar]

• In the event of a data breach, businesses must notify all parties that could be affected within 72 hours after becoming aware of the breach.
• EU residents will have full rights to access and request erasure of data as they see fit – free of charge – unless there is significant reason for the business to retain that information.
• Increased jurisdiction will include any business that processes personal data of EU residents (including temporary residents and visitors) – not just businesses located within the EU.
• The policies surrounding consent have become much stricter and businesses can no longer assume a party’s consent – it must be expressly stated.

Has your institution gone through the process of determining if you need to be in compliance with GDPR?

A. Yes
B. No
C. Uncertain

• Data
• Perimeter
• Access
• Governance
• Vendor
• Mobile
• Human

Source: www.lifehack.org

• Keep patched and up to date
• Monitor network traffic for anomalies
• Monitor for encrypted traffic traveling over nonstandard ports
• Use two-factor authentication wherever possible
• Ensure malware protection software is in place
• Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer
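One way to act on the "encrypted traffic over nonstandard ports" and "remote administrative tools" items above, written as an added example for this page rather than taken from the presentation: it recognises a TLS ClientHello from the first bytes a client sends and flags it when the destination port is not one where TLS is expected, and separately flags the default ports of the named remote-administration tools. The port allowlist, the tool port numbers and the sample flows are all constructed assumptions to be tuned to your own environment.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ports where a TLS handshake is expected. Assumption: an illustrative
# allowlist; an institution tunes it to the services it actually runs.
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

# Default listening ports of remote-administration tools named on the slide.
# Assumption: these are the tools' documented defaults; both can be configured
# to use other ports, so this is a first-pass signal, not proof of use.
REMOTE_ADMIN_PORTS = {
    5938: "TeamViewer",
    5985: "WinRM (PowerShell remoting, HTTP)",
    5986: "WinRM (PowerShell remoting, HTTPS)",
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (content type 0x16
    = handshake, version 0x03 0x01..0x03, 2-byte length) whose first handshake
    message is a ClientHello (type 0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x01, 0x02, 0x03) and payload[5] == 0x01)


def find_anomalies(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, reason) for each flow worth an analyst's look."""
    alerts = []
    for f in flows:
        if is_tls_client_hello(f.payload) and f.dport not in EXPECTED_TLS_PORTS:
            alerts.append((f.src, f.dst, f.dport, "TLS handshake on nonstandard port"))
        if f.dport in REMOTE_ADMIN_PORTS:
            alerts.append((f.src, f.dst, f.dport,
                           f"remote admin tool port: {REMOTE_ADMIN_PORTS[f.dport]}"))
    return alerts


# Constructed sample flows: private-range sources, documentation-range destinations.
# Record layer advertises TLS 1.0 (0x0301); the ClientHello inside advertises 1.2 (0x0303).
CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303")
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "203.0.113.10", 443, CLIENT_HELLO),                     # ordinary HTTPS
    Flow("10.0.1.21", "198.51.100.7", 4444, CLIENT_HELLO),                    # TLS where none is expected
    Flow("10.0.1.22", "203.0.113.11", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # plain HTTP, no alert
    Flow("10.0.1.23", "198.51.100.8", 5938, b"\x00\x00\x00\x00"),             # TeamViewer default port (opaque bytes, constructed)
    Flow("10.0.1.24", "203.0.113.12", 8443, CLIENT_HELLO),                    # TLS on an allowed alternate port
]

if __name__ == "__main__":
    for src, dst, port, why in find_anomalies(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {why}")
```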

Is your institution regularly monitoring ATMs to ensure they are patched appropriately?

A. Yes
B. No
C. Uncertain

• Monitoring and Patching of ATMs
• Vendor Management
• Patch Management
• Business Continuity & Recovery Testing
• Board Oversight

Beneficial Ownership Rule: Fifth Pillar of Anti-Money Laundering

Effective May 11, 2018, new requirements were imposed on covered Financial Institutions under FinCEN’s Customer Due Diligence rules.

• Commonly referred to as the Beneficial Owners Rule
• Categorizes Beneficial Owners into two categories:
  o Control Prong
  o Ownership Prong
• Establishes requirements for verification of identity

By now, all covered financial institutions should have in place procedures for compliance with the Rule, which should be incorporated into the customer risk monitoring process.

Any reasonable suspicion that a customer is evading or attempting to evade beneficial ownership requirements should trigger an assessment of the advisability of opening an account or closing an existing account, as well as the possibility of filing a suspicious activity report.

A quick recap of the guidance provided by FinCEN:

Beneficial ownership threshold: more stringent written internal policies may be appropriate:
• Goal is transparency in beneficial ownership
• Should be risk-based

Consider this ownership structure:

[Figure: ownership chart] Bedrock Granite, Inc is owned 50% by Flintstone Quarry, LLC and 50% by Pebbles & BamBam, LLC. Flintstone Quarry, LLC: Fred owns 60%, Wilma owns 40%. Pebbles & BamBam, LLC: Wilma owns 35% (as labelled in the figure; the 16 2/3% indirect share computed in the text corresponds to a 33 1/3% holding), Barney owns 33 1/3%, Betty owns 33 1/3%.

For purposes of the Rule, Fred is a beneficial owner of Bedrock Granite because he owns 30% of its equity through his 60% ownership in Flintstone Quarry. Wilma is also a beneficial owner of Bedrock Granite because she indirectly owns 20% of its equity interest through her direct ownership of Flintstone Quarry, plus 16 2/3% ownership through her direct ownership of Pebbles & BamBam LLC, for a total indirect ownership interest of 36 2/3%. Neither Barney nor Betty meet the definition of beneficial owner as each indirectly owns only 16 2/3% of Bedrock Granite.
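The look-through arithmetic in the Bedrock Granite example, carried out for an arbitrary chain of holding entities, as an added example written for this page (it is not FinCEN's or the presenters' code). It multiplies shares down each chain of legal entities, sums a person's shares reached by different routes, applies the 25% Ownership Prong threshold, and refuses circular ownership rather than looping. It assumes Wilma holds 33 1/3% of Pebbles & BamBam, LLC, which is what the text's 16 2/3% indirect figure implies; the Control Prong is a separate, non-arithmetic determination and is not modelled.

```python
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed ownership graph for the Bedrock Granite example.
# graph[entity] -> {holder: share of entity's equity}. A holder that is itself
# a key of the graph is a legal entity and is looked through; any other holder
# is treated as a natural person.
# Assumption: Wilma holds 33 1/3% of Pebbles & BamBam, LLC (the text's 16 2/3%
# indirect share implies this; the figure label reads 35%).
OWNERSHIP: Dict[str, Dict[str, Fraction]] = {
    "Bedrock Granite, Inc": {
        "Flintstone Quarry, LLC": Fraction(1, 2),
        "Pebbles & BamBam, LLC": Fraction(1, 2),
    },
    "Flintstone Quarry, LLC": {"Fred": Fraction(3, 5), "Wilma": Fraction(2, 5)},
    "Pebbles & BamBam, LLC": {
        "Wilma": Fraction(1, 3), "Barney": Fraction(1, 3), "Betty": Fraction(1, 3),
    },
}

# Ownership Prong threshold under the CDD Rule: 25% or more of the equity.
THRESHOLD = Fraction(1, 4)


def natural_person_ownership(entity: str, graph: Dict[str, Dict[str, Fraction]],
                             path: Tuple[str, ...] = ()) -> Dict[str, Fraction]:
    """Total direct plus indirect equity in `entity` held by each natural person.

    Circular ownership cannot be resolved by simple multiplication, so it is
    reported as an error instead of being looped over silently.
    """
    if entity in path:
        raise ValueError(f"circular ownership through {entity}")
    totals: Dict[str, Fraction] = defaultdict(Fraction)
    for holder, share in graph.get(entity, {}).items():
        if holder in graph:  # intermediate legal entity: look through it
            for person, sub in natural_person_ownership(holder, graph, path + (entity,)).items():
                totals[person] += share * sub
        else:                # natural person: direct holding
            totals[holder] += share
    return dict(totals)


def ownership_prong_owners(entity: str, graph: Dict[str, Dict[str, Fraction]],
                           threshold: Fraction = THRESHOLD) -> List[str]:
    """Natural persons meeting the Ownership Prong for `entity` (Control Prong not modelled)."""
    shares = natural_person_ownership(entity, graph)
    return sorted(person for person, share in shares.items() if share >= threshold)


def as_percent(share: Fraction) -> str:
    """Render 11/30 as '36 2/3%', the way the Rule's examples are written."""
    pct = share * 100
    whole, rem = divmod(pct.numerator, pct.denominator)
    return f"{whole}%" if rem == 0 else f"{whole} {Fraction(rem, pct.denominator)}%"


if __name__ == "__main__":
    for person, share in natural_person_ownership("Bedrock Granite, Inc", OWNERSHIP).items():
        print(f"{person}: {as_percent(share)} of Bedrock Granite, Inc")
    print("Ownership Prong beneficial owners:",
          ownership_prong_owners("Bedrock Granite, Inc", OWNERSHIP))
```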

Identify each beneficial owner according to risk-based procedures containing the same elements included in the financial institution’s CIP.

No requirement that these be identical.

Must address the use of documentary and non-documentary methods.

The CDD Rule expressly allows for use of photocopies or other reproduction documents as documentary verification.

No requirement that these procedures be implemented retroactively. However:

• if the identified beneficial owner is an existing customer that was subject to the institution’s CIP, the institution may rely on information in its possession;
• information must be up-to-date, accurate, and the legal entity customer’s representative certifies or confirms the accuracy;
• beneficial ownership records should cross-reference the relevant CIP records; and
• there is an obligation to update information, triggered when the financial institution becomes aware of information during normal account monitoring.

Each time a loan is renewed or a certificate of deposit is rolled over, the institution is required to obtain information on the beneficial owners.

• For accounts established prior to May 11, 2018, certified beneficial ownership of legal entity customers must be obtained at the first renewal following that date
  o Verification at subsequent renewals

NOTE: This requirement is subject to 90-day exceptive relief as of May 16, 2018, which has been extended to September 8, 2018, to allow time for institutions that had not treated such rollovers or renewals as new accounts to implement appropriate procedures to meet the requirements.

Has your institution developed a procedure to identify and verify beneficial owners for existing accounts?

A. Yes, for all existing legal entity account holders
B. Yes, but only as required for loan renewal or CD rollover
C. No
D. Uncertain

• If a legal entity is the trustee of a trust that owns 25% or more of the equity interests of a legal entity, the beneficial owner for purposes of the Ownership/Equity Prong is the trustee
• If there are multiple trustees, the financial institution is expected to collect and verify the identity of at least one co-trustee
• Keep in mind that the financial institution is still required to identify and verify a natural person as the beneficial owner under the Control Prong

• Charities/non-profits: not limited to those entities that meet the definition under the Internal Revenue Code.
• Sole proprietorships/Unincorporated Associations
• Non-US governmental departments, agencies or political subdivisions

• Aggregating transactions for the legal entity and its beneficial owners
• Identification of beneficial owners on the Currency Transaction Report (CTR)

Website ADA Compliance

How does this impact financial institutions?

• Any business that exists to benefit the public, a local or state government or agency is subject to ADA regulations
• Potential lawsuits alleging non-compliance

Website Content Accessibility Guidelines (WCAG)

• Issued by the World Wide Web Consortium (W3C)
• Technical specifications to improve accessibility of web content, websites and web applications on desktop computers, laptops, tablets and mobile devices for people with a wide range of disabilities
• Most recent version: WCAG 2.1 W3C Recommendation, effective June 5, 2018

The four WCAG principles:

• Perceivable
• Operable
• Understandable
• Robust

Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
• Ensures content is available to view in multiple forms, and is easy to see or hear regardless of disability

Operable: User interface components and navigation must be operable.
• Ensures a user could easily navigate a website without running into limited functionality or time limits

Understandable: Information and the operation of the user interface must be understandable.
• Ensures all webpages are readable, predictable, and have the capability to correct user mistakes

Robust: Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies.
• Ensures the compatibility between the website and all current and future technologies someone may use to assist them

Has your institution performed a Website ADA Compliance assessment?

A. Yes
B. No
C. Uncertain

Perform an assessment of your website:
• Internal review by your audit and/or IT staff
• Third-party review

Establish procedures for ongoing monitoring:
• When any website updates are made
• When specific content is added, deleted or changed

Report results of reviews to the Audit Committee and/or Board of Directors.