CYBERSECURITY
SMALL FIRMS CYBERSECURITY GUIDANCE
HOW SMALL FIRMS CAN BETTER PROTECT
THEIR BUSINESS
JULY 2014
SMALL FIRM CYBERSECURITY
DISCLAIMER
This document was prepared as an account of work within the private and public sector. Neither SIFMA nor any of its members, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by SIFMA.
EXECUTIVE SUMMARY
Small businesses are becoming increasingly dependent on devices, services and applications that connect to the internet, such as smartphones, email, social media, and cloud computing services, in an effort to increase efficiency and revenues. Through this dependence they become larger targets for cybercriminals looking to exploit technological vulnerabilities. Cybersecurity firm Symantec reports that in 2012, 31% of all cyber attacks targeted businesses with fewer than 250 employees, up from 18% in 2011.[1] Furthermore, in its 2013 Cost of Cyber Crime Study, research firm Ponemon Institute reported that smaller organizations incur a higher per capita cost than larger organizations ($1,564 and $371, respectively) due to cyber attacks.[2] The SEC and FINRA have also begun examinations of cybersecurity preparedness among broker-dealers. As a result, it is crucial for small financial firms to take proper cybersecurity measures - measures to protect all computing devices, networks, and information - to ensure their business data remains secure. This guide builds upon the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm's overall business model. The end goal is not compliance with a standard but to increase their cybersecurity and ensure the protection of their customers.
THREATS
CHEW (CRIMINAL - HACKTIVIST - ESPIONAGE - WAR)
Cybersecurity threats can vary in scale and motive. Understanding the likelihood of different cyber threats and their potential impacts should be the first step in helping firms understand what types of protections they need. Counter-terrorism expert Richard Clarke, who has worked as a Special Adviser to the President for Cyber Security, developed a simple way to classify the different "cyber threat actors" into four distinct categories: Crime, Hacktivism, Espionage and War (CHEW).[3]
Small firms are at greatest risk of a criminal cyber attack, which could take the form of data theft, fraud or extortion. Criminal organizations profit greatly from these attacks and are continually seeking new firms to exploit and developing methods of acquiring vital information. Hacktivism refers to actors seeking to make a political statement
[1] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
[2] http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf
[3] http://www.dtcc.com/~/media/Files/Downloads/Congressional%20Testimony/DTCC_Cyber-Security-Testimony_FINAL_6-01-12.ashx
through attacks that are generally disruptive in nature. These attacks often involve shutting down websites or
defacing insecure websites to convey their message and can pose reputational risks to a firm’s brand. Espionage
and War attacks are largely perpetrated with the support of nation states and aim to inflict serious financial or
physical harm to the intended target and may look at a small firm as a gateway to disrupting the larger financial
system or markets that they operate within.
In the case of a systemic attack or sector-wide disruption, the Financial Services Sector Coordinating Council (FSSCC) has created the Cyber Response Coordination Guide, which enumerates sector-wide procedures for addressing the technical aspects of an attack. SIFMA's Capital Markets Response Committee will address the business impacts and make recommendations for market open and close decisions.
For a small firm, criminal actors will pose the greatest threat. In most cases, however, prior to making security investments, we recommend contacting your local US Secret Service or FBI field office from a law enforcement standpoint, and the Office of Critical Infrastructure Protection at the US Department of the Treasury, for the latest information on the specific threats your firm may be facing.
C.H.E.W. - Motivations and Capabilities

CRIMINAL
Definition: Organized groups of criminals who hide in "cyber sanctuary" countries to launch broad based attacks against individuals and companies for financial gain.
Motivation:
• Money
• Information to sell (e.g. credit card numbers)
Capability:
• Large number of actors
• Basic to Advanced skills
• Present in nearly all countries

HACKTIVIST
Definition: Loosely organized collections of hackers launching targeted campaigns against specific entities or web sites and able to cause embarrassment and financial damage.
Motivation:
• Protest
• Revenge
• Demonstration of power
Capability:
• Large number of actors
• Tend to have limited skills
• Few with advanced skill sets and motivations

ESPIONAGE
Definition: Cyber espionage operations are largely carried out by nation-states and are extremely well-organized and well-funded. They use the stolen intellectual property to enhance their own economies.
Motivation:
• Acquiring secrets
• National security
• Economic benefit
Capability:
• Small but growing number of countries with capability
• Larger array of 'support'

WAR
Definition: This is when the motivations of a nation-state or a terrorist group turn from intellectual property theft towards damage and destruction.
Motivation:
• Destroy, degrade, deny
• Political motivation
Capability:
• Limited number of actors
• Potential non-state actors
• Expensive to maintain
COMPONENTS OF AN EFFECTIVE PROGRAM
STRATEGIC VIEW [4]
NIST has created an approach for firms of all sizes to improve their cyber protections. This framework was the result of a collaborative effort between NIST and leading industry professionals and companies, including SIFMA. The framework is specifically designed as a broad strategic overview of cybersecurity policies, written from a business context that allows both technical and non-technical individuals to discuss the topic. The Framework comprises five functional categories:
NIST Cybersecurity Framework

Function: Identify
- Identification of at-risk data (PII (personally identifiable information), accounts, transactions, etc.)
- Assess the threat to and vulnerability of existing infrastructure
- Understand all devices connected to the network and the network structure

Function: Protect
- Limit network access to authorized users and devices
- Educate all users on cybersecurity awareness and risk management
- Employ programs and services that secure data and networks (e.g. firewalls, file encryption, password protection, data backups)

Function: Detect
- Exercise network monitoring to detect threats in a timely manner
- Evaluate the threat and understand its potential impact
- Look for anomalies in the physical environment among users, including the presence of unauthorized users or devices

Function: Respond
- Contain and mitigate the event to prevent further damage
- Coordinate with stakeholders to execute a response plan and, once the event is detected, notify the proper authorities
- Evaluate the response effort to improve the response plan

Function: Recover
- Execute recovery systems to restore systems and data
- Update the response plan with lessons learned
- Resume business activities with internal and external stakeholders and manage public relations
This framework provides a holistic view of how small businesses can approach cybersecurity planning. We
encourage firms to use these guidelines and the suggested approach to begin the dialogue of how to assess and
improve their current cybersecurity protocols.
In order to cooperatively tackle the issue of cybersecurity across the financial industry, SIFMA strongly recommends participating in the Financial Services - Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC
provides financial services firms a platform to share up-to-date threat information and best practices to mitigate
these threats. As the cybersecurity threat to small businesses increases, cooperatives such as the FS-ISAC will
continue to play a large role in mitigating, informing, and preventing cyber attacks.
[4] http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
IMMEDIATE ACTION ITEMS
According to Verizon's 2013 Data Breach Investigations Report, 76% of network intrusions, as well as the top five methods of hacking, made use of weak or stolen credentials.[5] SIFMA has adapted from the NSA cybersecurity checklist and the SANS Institute "First Five" a list of eight low-cost actions that can be implemented with relative ease and limited technical experience to combat such intrusions.
While these recommendations are not exhaustive, in that they will not protect against all types of attacks and human error, they will provide small firms with adequate defense against the most common ones. For more detailed guidance on further security measures, we suggest using the SANS Institute's Top Twenty Critical Security Controls list or the NIST Small Business Information Security guide. Links to both are included in the Additional References section at the end of the guide.
Action Item Checklist

Username and Password Protection
Strictly enforce robust password security per NIST standards that include:
- Upper and lower case letters, numbers, and symbols
- A minimum of 8 characters, avoiding common words and dates
- Password is not used for any other credential
- Changing passwords regularly
- Deploy multi-factor authentication

Control Administrative and Privileged Access
Restrict administrative and privileged access to systems and data through preventative and detective controls to prevent unauthorized access to, or alteration of, systems and/or data.

Application Whitelisting
Allow only trusted software to execute on operating systems. Prevent the execution of all other software through the use of application whitelists.

Anti-Virus, Email and Website Filters
Updated anti-virus software, in addition to web security software, greatly reduces the risk of unintentional and intentional computer infection. Additionally, personal vigilance against suspicious emails and attachments greatly reduces cyber threats.

Secure Standard Operating Systems
Standardize on trusted operating systems that meet Common Criteria. Using unsupported or outdated operating systems, such as Windows XP, presents risks to the network and critical data.

Automated Patching Tools and Processes
Utilize automatic software updates and spot-check that updates are applied frequently to ensure software currency and reduce the risks associated with out-of-date, vulnerable software.

Back Up Data Regularly
Investing in and using cloud or physical external hard-drive backup systems provides an additional level of security for important data in the event that information is destroyed.

Mobile Device Security and Encryption of Data
Ensure that mobile devices are secured with passwords and that their data is encrypted in the event of loss.
[5] http://www.tripwire.com/state-of-security/security-data-protection/five-quick-wins-from-verizons-2013-data-breach-investigationsreport-2/
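As an added illustration of the password rules in the checklist above (this is example code written for this page, not code from the SIFMA guide), the following Python function checks a candidate password against each listed rule. The 90-day rotation interval, the small constructed list of common words and the SHA-256 comparison against the hashes of passwords used on other credentials are assumptions made for the example.

```python
import hashlib
import re
from typing import List, Set

# Constructed sample wordlist; a real check would load a large dictionary of common passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer", "trading"}

# Years 1900-2099, and 6-to-8-digit runs (with optional separators) that could be MMDDYY or MMDDYYYY dates.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{2}[/.\-]?\d{2}[/.\-]?\d{2,4}"),
]

# Assumed rotation interval; the guide only says passwords should be changed "regularly".
MAX_AGE_DAYS = 90


def credential_hash(password: str) -> str:
    """SHA-256 digest used to compare a candidate against passwords already used on other credentials
    (assumed source: hashes exported from the firm's password manager)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, other_credential_hashes: Set[str], age_days: int) -> List[str]:
    """Return every checklist rule the password violates; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    # Substring match so that 'Welcome2014!' is still rejected despite the added characters.
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if any(p.search(password) for p in DATE_PATTERNS):
        problems.append("contains a date or year")
    if credential_hash(password) in other_credential_hashes:
        problems.append("already used for another credential")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"not changed in the last {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    # Constructed sample: one password reused from another account, one strong one, one too short.
    reused = {credential_hash("Welcome2014!")}
    for candidate in ["Welcome2014!", "Xk7#mq!pLw", "Ab1!"]:
        print(candidate, "->", check_password(candidate, reused, 10) or "OK")
```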
TECHNICAL SOLUTIONS
Firms in most cases need third party solutions to enable an effective cybersecurity program. In order to enable the seven suggested actions above, we have listed below a few cybersecurity solutions within each category that firms should consider to jumpstart their search for the correct solution to fit their needs. It is important to note that third party vendors must be held to high standards, especially if they have access to sensitive information or are critical to business operations.
BUSINESS CYBERSECURITY SOLUTIONS [6]:

USERNAME AND PASSWORD PROTECTION
LastPass
Dashlane
Roboform
Keeper
Passpack
Common Key
Zoho (Vault)

CONTROL ADMINISTRATIVE PRIVILEGES
BeyondTrust (PowerBroker)
Cyber-Ark (PIM)
Dell SecureWorks (eDMZ)
HP Enterprise Security (ArcSight ESM, ArcSight Identity View)
Intellitactics (SecurityManager)
nCircle (CCM)
Security Compliance Corp (Access Auditor)
Symantec (CCS)
Tripwire (Enterprise, Log Center)
Xceedium (Xsuite)

APPLICATION WHITELISTING
Bit9
IBM (Tivoli Endpoint Manager {BigFix})
Lumension (Vulnerability Management)
Microsoft (System Center)
Tripwire (Enterprise, Log Center)

ANTI-VIRUS, EMAIL AND WEBSITE FILTERS
Bromium (vSentry)
Invincea (Enterprise)
Kaspersky (Administration Kit)
McAfee (ePolicy Orchestrator)
Microsoft (Forefront, System Center)
Sophos (Endpoint Protection)
Symantec (SEP)

SECURE STANDARD OPERATING SYSTEM
Tripwire (Enterprise)

NETWORK SECURITY ANALYSIS
Algosec (Firewall Analyzer & FireFlow)
Athena (FirePAC)
Firemon (Security Manager)
RedSeal Networks (Network Advisor)
SolarWinds (Network Configuration Manager)

VULNERABILITY SCANNING & MANAGEMENT
Dell SecureWorks (Managed Web App Firewall, Web Application Testing)
Qualys (Qualys Guard WAS)
NTO (NTO Spider)
WhiteHat Security (Sentinel)
Tenable (Nessus, Security Center)
nCircle (CCM, IP360)
Qualys (QualysGuard Policy Compliance Module)
Secunia (Corporate Software Inspector)

SECURE APPLICATION DEVELOPMENT
Cenzic (Hailstorm Enterprise)
Checkmarx (Checkmarx)
Coverity (Save)
HP (Fortify 360, Fortify on Demand, WebInspect)
IBM (Ounce Labs Core, Appscan)
Veracode (Static/Dynamic)

FORENSIC TOOLS
AccessData (AccessData FTK and PRTK)
ElcomSoft (ElcomSoft EFDD – Bitlocker,
Guidance Software (Encase Enterprise Edition)
Mandiant (Mandiant Platform)

BACKUP TOOLS
Acronis Backup & Recovery
Genie Backup Manager
Paragon Backup & Recovery
NTI Backup Now
Rebit
Acronis TrueImage
Norton Ghost
Paragon Hard Disk Manager Suite
ShadowProtect Desktop
NovaBACKUP

[6] Vendors sourced from the SANS Institute
TRAINING
There are a variety of service providers that offer comprehensive training in cybersecurity best practices. Recurring cybersecurity training helps ensure a uniform understanding of policies and practices within the company and limits human error. InfraGard is a cooperative between the FBI and private companies that operates over 80 chapters across the United States and offers free membership to businesses seeking to learn more about cybersecurity issues and training. Along with becoming a member of the FS-ISAC, it is recommended that the firm join this organization in order to gain access to threat alerts and regular briefings from law enforcement. Additional IT training is available through a variety of organizations and certification programs.
DHS/FEMA STATE CYBERSECURITY TRAINING PROGRAM
Cybersecurity for Everyone – Non-Technical Courses:
AWR 175 – Information Security for Everyone
AWR 174 – Cyber Ethics
AWR 168 – Cyber Law and White Collar Crime
Cybersecurity for Business Professionals – Business Managers Courses:
AWR 176 - Business Information Continuity
AWR 177 - Information Risk Management
AWR 169 - Cyber Incident Analysis and Response
For a complete list of courses visit:
http://teex.com/teex.cfm?pageid=NERRTCprog&area=NERRTC&templateid=1856
CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE (SEI) CERT
TRAINING
Risk Assessment Courses:
Introduction to the CERT Resilience Management Model
Practical Risk Management: Framework and Methods
CENTER FOR INFORMATION SECURITY AWARENESS (CFISA) COURSES
InfraGard Awareness Course / Information Security Awareness In The Workplace Course
ADDITIONAL TRAINING RESOURCES:
MS-ISAC – https://msisac.cisecurity.org/resources/videos/free-training.cfm
Stay Safe Online – http://staysafeonline.org/business-safe-online/train-your-employees
POINTS OF CONTACT
In the event of a security breach, it is important to alert the authorities and to have a business continuity or disaster recovery plan, including internal points of contact. File a report with local law enforcement so there is an official record of the incident. Furthermore, firms should report online crime or fraud to their local office of the United States Secret Service (USSS) or the FBI. In addition, make sure your primary regulator is aware as well.
Points of Contact

FBI Field Offices: www.fbi.gov/contact-us/field
USSS Field Offices: www.secretservice.gov/field_offices.shtml
CY-WATCH (FBI/USSS): Phone 855.292.3937
SIFMA Market Emergency: Phone 646.934.6406
FS-ISAC Security Operations Center: Phone 877.612.2622
Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC): Phone 703.235.8832
US Department of the Treasury Office of Critical Infrastructure Protection and Compliance Policy (OCIP): [email protected]
In addition, 47 states have enacted laws that outline who must be notified in the event of a security breach. The list
below indicates the reporting requirements per state.
National Conference of State Legislatures Security Breach Notification Laws
FEEDBACK
Please direct any questions or comments about this product to the Operations, Technology and Business Continuity team at SIFMA via Karl Schimmeck at [email protected].
ADDITIONAL RESOURCES
• Australian Department of Defense Strategies to Mitigate Targeted Cyber Intrusions
• FBI InfraGard Program
• FCC Cybersecurity for Small Businesses
• FCC Cybersecurity Planner
• FINRA Cybersecurity Targeted Examination Letter
• FINRA Cybersecurity Targeted Examination Letter Questions
• Financial Services-Information Sharing and Analysis Center
• FFIEC Cybersecurity Resource Center
• National Cyber Security Alliance
• NIST Computer Security Resource Center
• NIST Cybersecurity Framework
• NIST Small Business Corner
• NIST Small Business Information Security: The Fundamentals
• NSA/IDA Top 10 Information Assurance Mitigation Strategies
• On Guard Online
• SANS Top 20 Critical Security Controls
• Securities and Exchange Commission Office of Compliance Inspections and Examinations Cybersecurity
Initiative (SEC OCIE)
• US Chamber of Commerce Internet Security Essentials for Small Business
• US Computer Emergency Readiness Team (CERT) Home Network Security Guide
WWW.SIFMA.ORG