Pub. 13 2018-2019 Issue 2
WWW.NEBANKERS.ORG 20

Cyber insurance is designed to mitigate losses from a data breach involving sensitive customer information; however, some coverage may also include other cybercrime such as business interruptions or network damage.

Tech Talk — continued from page 19

process conducted to manage security incidents. Regulatory guidance requires incident response policies. However, many institutions never progress past the policy stage. With the risk environment at its current level, this is no longer an acceptable practice. Institutions must be capable of detecting intrusions and responding appropriately.

The Incident Response Process

The National Institute of Standards and Technology (NIST) has published a document titled “Computer Security Incident Handling Guide”. This guide describes a four-step process for incident response. The four steps are:

• Preparation
• Detection & Analysis
• Containment, Eradication and Recovery
• Post-Incident Activity

Many financial institutions may not be able to develop full incident response capabilities that cover all four steps. However, preparation, detection and basic analysis are tasks and skills that institutions must be capable of performing.

The first step, preparation, is critical because it determines the success of any intrusion response. Preparation includes the development of policies and procedures. Additionally, it is important to invest in appropriate training for on-site IT staff so that they are able to detect intrusions and perform basic analysis. On-site IT staff are best qualified for this because they operate in the environment on a daily basis and can recognize abnormal activity. Third-party IT providers can also be very valuable, provided they have dedicated staff trained in intrusion response.

Another key element of the preparation step is testing response capabilities. Testing should be conducted frequently and can include scenario and tabletop testing.
It is also important to test the actual technical response processes, including the use of any tools that will be relied on for detection and basic analysis. Any additional work in the preparation phase can make subsequent tasks, such as detection and analysis, much easier.

Network Visibility

The second step, detection & analysis, can quickly become complex. An institution must have the capabilities and resources to determine whether there has been an intrusion. This includes full-content packet captures, traffic data from all ingress and egress points in the network, and appropriate system logs from all devices, such as firewalls, routers, switches, virtualization hypervisors, servers, antivirus products and workstations. The goal is to aggregate and retain all of this data so that on-site IT staff have complete visibility into what is happening across all areas of the network at all times.

Not If - But When

The saying “It’s not if, but when” applies to intrusions today. Every business needs intrusion response capabilities now. Some may not know they have been intruded upon until law enforcement informs them. Smart businesses will have prepared their incident response ahead of time and will detect when Sad Panda intrudes.

Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your cybersecurity maturity.

Bryan is a member of Kutak Rock LLP’s banking practice group where he concentrates on bank regulatory matters.
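The Network Visibility section above says the detection step depends on retaining egress traffic data so that on-site staff can recognize abnormal activity. The following added example (not from the article or from CoNetrix) shows one basic analysis that such retained data makes possible: build a per-host baseline of known external destinations and typical outbound volume from earlier firewall connection records, then flag connections on a later day that deviate from it. The log format, field names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    ts: str        # timestamp
    src: str       # internal host
    dst: str       # external destination
    dport: int     # destination port
    bytes_out: int # bytes sent outbound on this connection


def parse_line(line: str) -> Conn:
    """Parse one constructed firewall record: 'ts src dst dport bytes_out'."""
    ts, src, dst, dport, bytes_out = line.split()
    return Conn(ts, src, dst, int(dport), int(bytes_out))


def build_baseline(lines):
    """Per internal host: set of destinations seen and mean bytes_out per connection."""
    seen, total, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        c = parse_line(line)
        seen[c.src].add(c.dst)
        total[c.src] += c.bytes_out
        count[c.src] += 1
    return {h: (seen[h], total[h] / count[h]) for h in seen}


def detect(baseline, lines, volume_factor=10):
    """Return (ts, host, reason, detail) for connections that deviate from the baseline.
    A 'new destination' is only a lead for staff to triage, not proof of intrusion."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        known, mean = baseline.get(c.src, (set(), 0))
        if c.dst not in known:
            alerts.append((c.ts, c.src, "new destination", c.dst))
        if mean and c.bytes_out > volume_factor * mean:
            alerts.append((c.ts, c.src, "volume", c.bytes_out))
    return alerts


# Constructed sample data: two days of egress records from the same firewall.
BASELINE_LOG = [
    "2019-01-07T09:00 10.0.1.5 203.0.113.10 443 1200",
    "2019-01-07T09:05 10.0.1.5 203.0.113.10 443 800",
    "2019-01-07T09:10 10.0.1.7 198.51.100.20 443 1000",
]
TODAY_LOG = [
    "2019-01-08T02:14 10.0.1.5 192.0.2.77 443 25000",   # new destination, 25x usual volume
    "2019-01-08T09:01 10.0.1.7 198.51.100.20 443 900",  # matches baseline
    "2019-01-08T09:30 10.0.1.9 203.0.113.10 443 500",   # host with no baseline at all
]
```

Running `detect(build_baseline(BASELINE_LOG), TODAY_LOG)` yields three alerts: a new destination and a volume spike for 10.0.1.5 at 02:14, and a new destination for 10.0.1.9, which has no retained history, so the volume check cannot apply to it.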