Blog: Security and Compliance

 

Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet.  The update included a new appendix entitled Strengthening the Resilience of Outsourced Technology Services.  The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience.  To learn more, visit https://www.ffiec.gov/press/pr020615.htm  

 

On December 3rd, the Texas Bankers Association (TBA), Independent Bankers Association of Texas (IBAT), and SWACHA hosted a cybersecurity event for banking executives, board members, and senior management called, “Executive Leadership of Cybersecurity (ELOC)”. At the conference, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the availability of a free threat information sharing appliance that financial institutions can use to enter, store, and share threat information. The appliance is called Soltra Edge and the website says it “takes large amounts of complex threat information across communities, people and devices and analyzes, prioritizes, and routes it to users in real-time.” [more]

Here is some initial information:

  • The appliance is a free download that is distributed as a virtual machine. It runs CentOS and is accessed via a web interface. Setup appears fairly simple, especially for a customer that is already running VMware. The database stores information using Structured Threat Information eXpression (STIX) and information can be shared by setting up feeds using the Trusted Automated eXchange of Indicator Information (TAXII) protocol.
  • Making use of the appliance is not as easy as the setup. It is a brand new product that is trying to gain acceptance, so it is still under development and does not have all the features that they eventually want it to have.
    • The appliance is distributed with an empty database. The financial institution can load threat information using the web interface (manual data entry), import from a CSV file, import from a STIX file, or import from a TAXII feed.
    • Initially, most of community financial institutions will likely want to receive threat information from a TAXII feed rather than enter and store/share their own threat information. Each TAXII feed must be setup individually. Here are the ones we know about so far:
      • FS-ISAC has one available with a couple of caveats – 1) the financial institution will probably need to join FS-ISAC (for pricing information, visit https://www.fsisac.com/join) and 2) the last post on the Soltra forum indicated that this feed needs to be upgraded in order to work with Edge v.2. 
      • There is a free feed at hailataxii.com, but it is not yet clear who is providing the information or how useful it is.
    • So far, reporting seems VERY basic. Queries can be manually entered into the web interface, but that was the only reporting feature shown during a Soltra webinar. The Soltra forums have some discussion about integrating the appliance with some security information and event management (SIEM) systems such as Splunk, but that is still in development. Also, many community financial institutions do not currently have a SIEM system installed.
    • There are plans to import threat data directly from firewalls, IPS/IDS, etc., but that is also under development and reporting on that information would still be an issue.

 

 


 

On October 6, 2014, ISACA launched the Cybersecurity Fundamentals Certificate.  The Cybersecurity Fundamentals Certificate is aligned with the Skills Framework for the Information Age (SFIA) and the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. [more] It tests for foundational cybersecurity knowledge in five areas:

  1. Cybersecurity concepts
  2. Cybersecurity architecture principles
  3. Cybersecurity of networks, systems, applications and data
  4. The security implications of emerging technology
  5. Incident response

To see ISACA's press release visit http://www.isaca.org/About-ISACA/Press-room/News-Releases/2014/Pages/ISACA-Launches-New-Cybersecurity-Certificate.aspx


 

The Federal Financial Institutions Examination Council (FFIEC) today launched a web page dedicated to cybersecurity (http://www.ffiec.gov/cybersecurity.htm). The website is designed to be "a central repository for current and future FFIEC-related materials on cybersecurity." [more]

As a part of the Press Release announcing the launch of the cybersecurity web page, the FFIEC also noted the launch of the website "coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators, which will be completed during regularly scheduled examinations."  According to the press release, the focus of the pilot program will be on:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. Service Provider and Vendor Risk Management
  5. Cyber Incident Management and Resilience
The pilot program is expected to last about 4 weeks and include regulators from the FDIC, OCC, Federal Reserve, NCUA, and the States.

 

This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security. [more]

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the hills of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See in which the FFIEC introduced expectations of new examination procedures.

To read the full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here - http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf


 

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and car authorization systems and the continued distributed denial of service (DDoS) attacks. [more]

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


 

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions Microsoft will discontinue extended support for Windows XP effective April 8, 2014.  After this date, Microsoft will no longer provide secruity patches or support for the Windows XP Operating System.  To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf 

 

Crucial M500 SSDs support self-encrypting drive (SED) technology which allows BitLocker for Windows 8 to simply be used for encryption key management rather than software-based encryption.  Out of the box, the drive encrypts all written data and decrypts all read data - and functions like a non-SED drive until key management software like Windows 8 (and Server 2012) BitLocker is used. [more]

When you turn BitLocker on using Windows 8 and a compliant SSD like the M500, you don't have to wait for the whole disk to be rewritten and it's encrypted.  Thus, you can encrypt the whole drive in a couple of minutes or less.  As far as BitLocker and Windows is concerned, it functions just like traditional non-SED drives do regarding pre-boot passwords, recovery keys, etc. 

An interesting spec is Crucial states their SSDs are designed to support 72TB total bytes written (TBW) - which is equal to 40GB per day for 5 years.  It stands to reason that if you don't have to rewrite every byte of an SSD when you use BitLocker to encrypt or decrypt the whole drive, it should help the life expectancy of the drive. 

So, since the drive I/O specs include the hardware encryption overhead, you lose no performance whatsoever when you implement whole disk encryption using BitLocker for Windows 8 on these drives. 

A very basic description of Crucial M500 encryption can be found at

http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/An-introduction-to-the-encryption-features-of-the-M500/ta-p/128272 

More specs are available (since this is a Micron drive) from:

http://www.micron.com/~/media/Documents/Products/Data%20Sheet/SSD/m500_2_5_ssd.pdf