Pub. 6 2016-2017 Issue 5

14 O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S Is your bank prepared to respond to a situation like this? Do you have a plan? Security Incidents Before we get too far, let’s look at how NIST defines a security incident: “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security prac- tices.” (1) Examples of security incidents in- clude: • An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash. • Users are tricked into opening a “quar- terly report” sent via email that is actu- ally malware; running the tool has in- fected their computers and established connections with an external host. • An attacker obtains sensitive data and threatens that the details will be re- leased publicly if the organization does not pay a designated sum of money. • A user provides or exposes sensitive information to others through peer-to- peer or file sharing services. Criminal Minds Before putting together an incident response plan, you’ll want to consider different avenues (called attack vectors) someone could use to carry out an attack. Here are some common, though not exhaustive, vectors: • External/RemovableMedia: An attack executed from removable media or a peripheral device—for example, ma- licious code spreading onto a system from an infected USB flash drive. • Attrition: An attack that employs brute forcemethods to compromise, degrade, or destroy systems, networks, or ser- vices such as a DDoS attack. • Web: An attack executed fromawebsite or web-based application—for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware. • Email: An attack executed via an email message or attachment, commonly referred to as phishing. • Impersonation: An attack involving replacement of something benign with something malicious like a man in the middle attack or rogue wireless access point. • Improper Usage: Any incident result- ing from violation of an organization’s acceptable usage policies by an autho- rized user such as a user who installs file sharing software, leading to data loss. • Loss or Theft of Equipment: The loss or theft of a computing device or media. • Other: An attack that does not fit into any of the other categories. The Plan Now that you are aware of the threats out there and possible vectors an attack- er might take, it’s time to document and formalize your incident response plan. Every bank will go about this process in different ways, but at minimum, should include the following: • Identifywhat, if any, customer informa- tion or customer information systems have been accessed or misused; • Notify primary Federal regulator if there is unauthorized access to or use of sensitive customer information; • Notify law enforcement authorities and file a SAR when appropriate; • Take appropriate steps to contain and control the incident; • Notify customers when warranted. Assemble the Team! No matter the size of the bank or organization, you’ll want to gather an adequate and qualified team, usually dubbed a “computer incident response team” (CIRT), that can be activated in an incident response situation. The team’s primary objective will be to serve as leaders and coordinate instruction, the involvement of proper persons to handle the issue, and generally carry out the incident response plan. Test Your Plan Last, and arguably most important, perform incident response testing. How do you know your plan is effective if it’s never been tested? This is the practical, hands on portion that can be done sev- eral different ways from table top sce - nario exercises all the way to full blown simulations. The FDIC’s Cyber Challenge vignettes (https://www.fdic.gov/regu - lations/resources/director/technical/ cyber/cyber.html) are a helpful resource and starting place for testing ideas. The bank should schedule and perform at least one incident response test annually and report the results to the board. Respond to Incidents andCarryOn Now that you are aware, have a team, and a tested plan, you will be muchmore prepared to handle any incidents that come your way. Nothing to see here, carry on! n No matter the size of the bank or organization, you’ll want to gather an adequate and qualified team, usually dubbed a “computer incident response team” (CIRT), that can be activated in an incident response situation.