Wednesday, August 12, 2015

FFIEC Cybersecurity Assessment Tool


The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool was released June 30, 2015. The Assessment is designed to help financial institutions and regulators determine the inherent risk exposure to a cybersecurity attack, and measure “Cybersecurity Maturity.” Designed for financial institutions of all sizes, the Assessment incorporates concepts and principles contained in the FFIEC IT Examination Handbook. Core documents include an overview for Chief Executive Officers and the Board of Directors, a User Guide, the Inherent Risk Assessment, and the Cybersecurity Maturity evaluation. Additional information and documentation are available at the following link: http://www.ffiec.gov/cyberassessmenttool.htm

 

There are two parts to the Assessment designed to help management evaluate inherent risk, measure security preparedness, and identify gaps in controls:

 

  • FFIEC Cyber Inherent Risk Profile – this document assists in determining your risk exposure to cybersecurity attack, based on the ‘risk that the institution’s activities, services, and products pose to the institution.’
     
  • FFIEC Cyber Mapped to FFIEC Handbook – this document assists in determining your current state of cybersecurity preparedness represented by maturity levels across five domains.  This document helps determine whether your institution has adequate controls to prevent and respond to a cybersecurity attack.

 

The Assessment is designed for use by institutions of all sizes, and provides a straightforward and adaptable approach. By reviewing the inherent risk and maturity levels across all of the domains, the FFIEC states that management can determine whether the bank’s maturity levels are appropriate in relation to its risks. If not, the bank may take action either to reduce the risk or increase the level of maturity.

 

While the use of the Assessment is optional for institutions, examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.  Examiners will begin using the Assessment in late 2015. Additional information can be found on the OCC website: www.occ.treas.gov

 

Solution

The severity and impact of cyber threats have changed the landscape in which financial institutions of all sizes and complexities operate.  Breaches of customer data, credit card information, employee and customer authentication credentials, etc., are becoming more commonplace.  It is critical that financial institutions maintain a formal process for managing cyber risks that informs management and boards of directors.  The Cybersecurity Assessment Tool is designed to support and enhance the following elements of an institution’s overall cybersecurity risk management program:

 

  • Identify, measure, mitigate and monitor risks
  • Develop risk management processes commensurate with your institution’s level of risk and complexity
  • Align IT strategy with business strategy and account for how risks will be managed both now and in the future
  • Create a governance process to ensure ongoing awareness and accountability

Monday, August 3, 2015

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations

Systems Affected


Microsoft Windows Systems, Adobe Flash Player, and Linux


Overview


Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple ongoing, and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.


Description



US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.


Impact



Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.


Solution



Phishing Mitigation and Response Recommendations


  • Implement perimeter blocks for known threat indicators:
    • Email server or email security gateway filters for email indicators
    • Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
    • DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
  • Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
  • Identify recipients and possible infected systems:
    • Search email server logs for applicable sender, subject, attachments, etc. (to identify users who may have deleted the email and were therefore not identified in the purge of mailboxes)
    • Search applicable web proxy, DNS, firewall or IDS logs for activity indicating that the malicious link was clicked.
    • Search applicable web proxy, DNS, firewall or IDS logs for activity to any command and control (C2) domains or IP addresses associated with the malware.
    • Review anti-virus (AV) logs for alerts associated with the malware.  AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
    • Scan systems for host-level indicators of the related malware (e.g., YARA signatures)


  • For systems that may be infected:
    • Capture live memory of potentially infected systems for analysis
    • Take forensic images of potentially infected systems for analysis
    • Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment)
  • Report incidents, with as much detail as possible, to the NCCIC.
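The log-search steps above, as an added example that is not part of the US-CERT alert: a Python script that runs a constructed list of indicator domains and IPs over constructed proxy and DNS log lines and reports which internal clients should be treated as possibly infected and isolated. The log formats, indicator values and client addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed indicator values for illustration only; real ones come from the alert's feed.
MALICIOUS_DOMAINS = {"compromised-site.example", "c2.example.net"}
MALICIOUS_IPS = {"203.0.113.45"}

# Constructed proxy log lines: epoch time, client IP, method, URL, HTTP status.
PROXY_LOG = """\
1438600000.101 10.1.2.30 GET http://compromised-site.example/update/flash.swf 200
1438600001.442 10.1.2.31 GET http://www.example.org/index.html 200
1438600055.900 10.1.2.30 POST http://203.0.113.45/gate.php 200
1438600099.003 10.1.2.42 GET http://c2.example.net/beacon 404
"""

# Constructed DNS query log lines: epoch time, client IP, queried name.
DNS_LOG = """\
1438599990 10.1.2.30 compromised-site.example
1438599995 10.1.2.55 mail.example.org
1438600098 10.1.2.42 c2.example.net.
"""

PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\d+$")
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def _host_of(url):
    """Extract the host (or literal IP) from a URL; empty string if unparseable."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def find_suspect_hosts(proxy_log, dns_log):
    """Return {client_ip: [(timestamp, indicator, log_source), ...]} for every
    client that fetched from, or resolved, a known-bad domain or IP."""
    hits = defaultdict(list)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than crash mid-triage
        ts, client, url = m.groups()
        host = _host_of(url)
        if host in MALICIOUS_DOMAINS or host in MALICIOUS_IPS:
            hits[client].append((ts, host, "proxy"))
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, name = m.groups()
        if name.lower().rstrip(".") in MALICIOUS_DOMAINS:   # tolerate trailing dot
            hits[client].append((ts, name.rstrip("."), "dns"))
    return dict(hits)
```

Clients that appear in the result are candidates for the memory capture, imaging and VLAN isolation steps above; a client absent from the result is not cleared, since the logs may simply not cover the relevant traffic.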


Educate Your Users


Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:


  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.  Be particularly wary of compressed or ZIP file attachments.
  • Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
  • Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.


Basic Cyber Hygiene


Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:


  • Privilege control (i.e., minimize administrative or superuser privileges)
  • Application whitelisting / software execution control (by file or location)
  • System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
  • Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
  • Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
  • Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards)


Further Information


For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.


References



ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modif...