SlideShare a Scribd company logo

Securing Fintech: Threats, Challenges & Best Practices

Download as PPTX, PDF
Ulf Mattsson
Ulf Mattsson

Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry, and the policies and solutions your organization needs to have in place to protect against them. Viewers will learn: • Current trends in Cyber attacks • FFIEC Cyber Assessment Toolkit • NIST Cybersecurity Framework principles • Security Metrics • Oversight of third parties • How to measure cybersecurity preparedness • Automated approaches to integrate Security into DevOps About the Presenter: Ulf Mattsson is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM. Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention

1 of 64
Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com
Ulf Mattsson Inventor of more than 45 US Patents Industry Involvement: • PCI DDS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs • IFIP - International Federation for Information Processing • CSA - Cloud Security Alliance • ANSI - American National Standards Institute ANSI X9 Tokenization Work Group • NIST - National Institute of Standards and Technology NIST Big Data Working Group • User Groups Security: ISACA & ISSA Databases: IBM & Oracle 2
3 Evolving IT Risk – My ISACA Articles
4
New York State’s Cybersecurity Rules • The New York State Department of Financial Services (“DFS”) has been closely monitoring the evergrowing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors • Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data • Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes • The financial services industry is a significant target of cybersecurity threats https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23 NYCRR500.pdf 5
New York State’s Cybersecurity Rules • They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators • "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cyber-crimes," Governor Andrew Cuomo said in a statement • The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply • The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services http://www.reuters.com/article/cyber-new-york-idUSL1N1G11F2 6
7
Visibility Into Third Party Risk Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches. Source: SecurityScoreCard # Vulnerabilities Time 8
Verizon 2017 & 2016 Data Breach Investigations Reports (DBIR)
Verizon 2017 Data Breach Investigations Report – Credentials Issue Source: Verizon 2017 Data Breach Investigations Report 10
Verizon 2017 Data Breach Investigations Report – PII Issue Source: Verizon 2017 Data Breach Investigations Report PII 11
Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Motives Financial Espionage 12
Source: Verizon 2016 Data Breach Investigations Report 13 Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Breach Discovery
Source: Verizon 2017 Data Breach Investigations Report Decreases in card skimming and POS crime sprees influence the massive decrease in law enforcement and fraud detection Verizon 2017 Data Breach Investigations Report – Breach Discovery 14
Source: Verizon 2016 Data Breach Investigations Report 15Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Malware
Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Crime ware 16
Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Breaches & Actors 17
Leaked NSA Tools Infect and Control Computers
19
Incident Classification Patterns Across Confirmed Data Breaches Source: Verizon 2016 Data Breach Investigations Report Web Application Attacks 20
Worry Only About the Major Breach Patterns Source: Verizon 2016 Data Breach Investigations Report 21 Application Attacks
Security and Applications
Security Tools for DevOps Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Fuzz testing is essentially throwing lots of random garbage Vulnerability Analysis Runtime Application Self Protection (RASP) Interactive Application Self- Testing (IAST) 23
Security Metrics
Security Metrics from DevOps 25 # Vulnerabilities Time
Generating Key Security Metrics 26 # Vulnerabilities Time
The Board’s Perception of Cybersecurity Risks • How would you characterize the board’s perception of cybersecurity risks over the last one to two years? • Source: PWC – The Global State of Information Security Survey 2016 Increased Increased significantly High No change 27
Source: PWC – The Global State of Information Security Survey 2016 Cybersecurity is now a Persistent Business Risk • Cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent • Cybersecurity services market is expanding in the wake of increased incidents and heightened regulations, corporations and government agencies are scrambling to safeguard their data and networks—a push that is catalyzing growth in the market for cybersecurity solutions and technologies 28
Trends in Board Involvement in Cyber Security • Source: PWC – The Global State of Information Security Survey 2016 29
Questions the Board Will Ask Source: PWC – The Global State of Information Security Survey 2016 30
CEOs, CFOs, Business Risk Owners & CISOs questions 1."How much cyber risk do we have in dollars and cents?" 2."How much cyber insurance do we need?" 3."Why am I investing in this cyber security tool?" 4."How well are our crown jewel assets protected?" 5."How do I know that we’ve actually lowered our risk exposure?" 6. "As my business changes through M&A, adding new business applications and new cyber risks , how can I get the quickest view of the impact on my overall business risk?" 31 Source: PWC – The Global State of Information Security Survey 2016
Risk Management Are your security controls covering all sensitive data? Are your deployed security controls failing? Source: storm.innosec.com Are you prioritizing business asset risk? 32
Cyber Budgeting Source: storm.innosec.com Asset Regulatory Risk Residual Risk FTE Cost Tool Cost Total Cost CRM High Medium $ 20,000 0 $ 20,000 HR High Medium $ 100,000 20,000 $ 120,000 Feed High Low $ 1,000 0 $ 1,000 Crossbow Medium Medium $ 5,000 50,00 $ 10,000 eTrader Low Low $ 1,000 0 $ 1,000 IT Alert Low Low $ 1,000 0 $ 1,000 SAP Low Low $ 1,000 0 $ 1,000 Total $ 129,000 $ 25,000 $ 154,000 33
Asset Sensitivity, Risk, and Quarterly Findings 34
Audience Focused Dashboards CISO CEO and Board of Directors Senior Management How compliant are we? How much risk do we have? What work do we need to prioritize? 35
DCAP Data Centric Audit and Protection - Centrally managed security Data Centric Security Lifecycle & PCI DSS UEBA User behavior analytics helps businesses detect targeted attacks PCI DSS Protect stored cardholder data YearI 2004 I 2014 I 2015 PCI DSS 3.2 I 2016 PCI DSS Security in the development process 36
Security Skills Shortage 37
Cybercriminal Sweet Spot Source: calnet Cybercrime Trends and Targets 38
Problematic and Increasing Shortage of Cybersecurity Skills • 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 • 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015 • 18 percent year-over-year increase 39
Examples of Services That Can Fill The Gap Application Services • Application Hosting & Cloud Migration • IT Consulting & Information Architecture • Software Development & User Experience Design Security Services • Audit & Assessment Services • Application Security Consulting • Managed Vulnerability Scanning • Security Tools Implementation • Virtual CISO SecDevOps 40
Regulations
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a Formal U.S. Government Interagency Body It includes five banking regulators Source: WIKPEDIA 43 1. Federal Reserve Board of Governors (FRB), 2. Federal Deposit Insurance Corporation (FDIC), 3. National Credit Union Administration (NCUA), 4. Office of the Comptroller of the Currency (OCC), and 5. Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
FFIEC Cybersecurity Assessment Tool The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories: • Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains: • Cyber Risk Management and Oversight • Threat Intelligence and Collaboration • Cybersecurity Controls • External Dependency Management • Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 44
FFIEC Cybersecurity Assessment Tool – Part One Inherent Risk Profile Part one of the Assessment identifies the institution’s inherent risk: • Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services. • Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered. • Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered. • Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers. • External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 45
FFIEC Cybersecurity Assessment Tool – Risk Levels The following includes definitions of risk levels: • Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees. • Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services. • Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication. • Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication. • Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 46
FFIEC Cybersecurity Assessment Tool – Part Two Cybersecurity Maturity Maturity level within each of the following five domains: • Domain 1: Cyber Risk Management and Oversight • Domain 2: Threat Intelligence and Collaboration • Domain 3: Cybersecurity Controls • Domain 4: External Dependency Management • Domain 5: Cyber Incident Management and Resilience Domains, Assessment Factors, Components, and Declarative Statements Within each domain are assessment factors and contributing components. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 47
FFIEC Cybersecurity Assessment Tool – Maturity Levels Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf Definitions for each of the maturity levels The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level 48
FFIEC Cybersecurity Assessment Tool – 5 Domains: 1. Domain 1: Cyber Risk Management and Oversight 2. Domain 2: Threat Intelligence and Collaboration 3. Domain 3: Cybersecurity Controls 4. Domain 4: External Dependency Management 5. Domain 5: Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersec urity/FFIEC_CAT_App_B_Map_to_NI ST_CSF_June_2015_PDF4.pdf 49
Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf 50
FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results Source: https://www.ffiec.gov/pdf/cyb ersecurity/FFIEC_CAT_June_20 15_PDF2.pdf 51
FFIEC Cybersecurity Assessment Tools - Excel Templates
FFIEC Cybersecurity Assessment Tool - Excel Template The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment. The Assessment Summary worksheet calculates an Inherent Risk Score and reflects percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 53
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 55
FFIEC Cybersecurity Assessment Tool – FAIR International Standard Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool Factor Analysis of Information Risk (FAIR) 56
FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC FSSCC Automated Cybersecurity Assessment Tool FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an ”automated” tool: • No attempts were made to interpret or change any of the FFIEC’s stated expectations; and • Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool 57
FFIEC Applications and Data
FFIEC Cybersecurity Assessment Source: https://www.ffiec.go v/pdf/cybersecurity/ FFIEC_CAT_App_B_M ap_to_NIST_CSF_Jun e_2015_PDF4.pdf Risk Resources Controls 59
Examples of Services That Can Fill The Gap Application Services • Application Hosting & Cloud Migration • IT Consulting & Information Architecture • Software Development & User Experience Design Security Services • Audit & Assessment Services • Application Security Consulting • Managed Vulnerability Scanning • Security Tools Implementation • Virtual CISO SecDevOps 60
Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com
My Work with PCI DSS Standards Payment Card Industry Security Standards Council (PCI SSC) 1. PCI SSC Tokenization Guidelines Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 10. PCI SSC Tokenization Products Task Force 62
Not Knowing Where Sensitive Data Is Source: The State of Data Security Intelligence, Ponemon Institute, 2015 63
Data Security On Prem Operating System Security Controls & Agents OS File System Database Application Framework Application Source Code Application Data Network External Network Internal Network Application Server SecDevOps

Recommended

Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2
Semir Ibrahimovic
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and Cybersecurity
Olivier Busolini
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking Sector
Quick Heal Technologies Ltd.
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
Edureka!
 
AI and the Impact on Cybersecurity
AI and the Impact on CybersecurityAI and the Impact on Cybersecurity
AI and the Impact on Cybersecurity
Graham Mann
 

Recommended

Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2
Semir Ibrahimovic
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and Cybersecurity
Olivier Busolini
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking Sector
Quick Heal Technologies Ltd.
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
Edureka!
 
AI and the Impact on Cybersecurity
AI and the Impact on CybersecurityAI and the Impact on Cybersecurity
AI and the Impact on Cybersecurity
Graham Mann
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
Dr. Prashant Vats
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
SandeepK707540
 
HOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
Priyanshu Ratnakar
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
ChandanChandu928137
 
2022 Cybersecurity Predictions
2022 Cybersecurity Predictions2022 Cybersecurity Predictions
2022 Cybersecurity Predictions
Matthew Rosenquist
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
Alex Rudie
 
ChatGPT in Cybersecurity
ChatGPT in CybersecurityChatGPT in Cybersecurity
ChatGPT in Cybersecurity
Simplilearn
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Edureka!
 
Navigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation SlidesNavigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation Slides
Ivanti
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingDepartment of Defense
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
Guido Marchetti
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
Jason Murray
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
A. Shamel
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
Krishna Srikanth Manda
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Ulf Mattsson
 

More Related Content

What's hot

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
Dr. Prashant Vats
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
SandeepK707540
 
HOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
Priyanshu Ratnakar
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
ChandanChandu928137
 
2022 Cybersecurity Predictions
2022 Cybersecurity Predictions2022 Cybersecurity Predictions
2022 Cybersecurity Predictions
Matthew Rosenquist
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
Alex Rudie
 
ChatGPT in Cybersecurity
ChatGPT in CybersecurityChatGPT in Cybersecurity
ChatGPT in Cybersecurity
Simplilearn
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Edureka!
 
Navigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation SlidesNavigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation Slides
Ivanti
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingDepartment of Defense
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
Guido Marchetti
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
Jason Murray
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
A. Shamel
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
Krishna Srikanth Manda
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 

What's hot (20)

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
HOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
2022 Cybersecurity Predictions
2022 Cybersecurity Predictions2022 Cybersecurity Predictions
2022 Cybersecurity Predictions
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
 
ChatGPT in Cybersecurity
ChatGPT in CybersecurityChatGPT in Cybersecurity
ChatGPT in Cybersecurity
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
 
Navigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation SlidesNavigating Zero Trust Presentation Slides
Navigating Zero Trust Presentation Slides
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness Briefing
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 

Similar to Securing Fintech: Threats, Challenges & Best Practices

Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Ulf Mattsson
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
Ulf Mattsson
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
Ulf Mattsson
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
Joan Weber
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
Brian Matteson, CISSP CISA
 
Cybersecurity Day for Parliament
Cybersecurity Day for ParliamentCybersecurity Day for Parliament
Cybersecurity Day for Parliament
Oxford Martin Centre, OII, and Computer Science at the University of Oxford
 
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial SectorCapitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
CapitolTechU
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
Priyanka Aash
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
Hafid CHEBRAOUI
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
Cognizant
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public SectorScott Geye
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
Skoda Minotti
 
Federal Webinar: Best Practices and Tools for Reducing Insider Threats
Federal Webinar: Best Practices and Tools for Reducing Insider ThreatsFederal Webinar: Best Practices and Tools for Reducing Insider Threats
Federal Webinar: Best Practices and Tools for Reducing Insider Threats
SolarWinds
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
Ulf Mattsson
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
Precisely
 

Similar to Securing Fintech: Threats, Challenges & Best Practices (20)

Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
Cybersecurity Day for Parliament
Cybersecurity Day for ParliamentCybersecurity Day for Parliament
Cybersecurity Day for Parliament
 
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial SectorCapitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
Federal Webinar: Best Practices and Tools for Reducing Insider Threats
Federal Webinar: Best Practices and Tools for Reducing Insider ThreatsFederal Webinar: Best Practices and Tools for Reducing Insider Threats
Federal Webinar: Best Practices and Tools for Reducing Insider Threats
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 

More from Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
Book
BookBook
Book
Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
Ulf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
Ulf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
Ulf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
Ulf Mattsson
 

More from Ulf Mattsson (20)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Book
BookBook
Book
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 

Recently uploaded

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 

Securing Fintech: Threats, Challenges & Best Practices

  • 1. Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com
  • 2. Ulf Mattsson Inventor of more than 45 US Patents Industry Involvement: • PCI DDS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs • IFIP - International Federation for Information Processing • CSA - Cloud Security Alliance • ANSI - American National Standards Institute ANSI X9 Tokenization Work Group • NIST - National Institute of Standards and Technology NIST Big Data Working Group • User Groups Security: ISACA & ISSA Databases: IBM & Oracle 2
  • 3. 3 Evolving IT Risk – My ISACA Articles
  • 4. 4
  • 5. New York State’s Cybersecurity Rules • The New York State Department of Financial Services (“DFS”) has been closely monitoring the evergrowing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors • Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data • Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes • The financial services industry is a significant target of cybersecurity threats https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23 NYCRR500.pdf 5
  • 6. New York State’s Cybersecurity Rules • They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators • "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place" to protect businesses and clients "from the serious economic harm caused by these devastating cyber-crimes," Governor Andrew Cuomo said in a statement • The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply • The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services http://www.reuters.com/article/cyber-new-york-idUSL1N1G11F2 6
  • 7. 7
  • 8. Visibility Into Third Party Risk Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches. Source: SecurityScoreCard # Vulnerabilities Time 8
  • 9. Verizon 2017 & 2016 Data Breach Investigations Reports (DBIR)
  • 10. Verizon 2017 Data Breach Investigations Report – Credentials Issue Source: Verizon 2017 Data Breach Investigations Report 10
  • 11. Verizon 2017 Data Breach Investigations Report – PII Issue Source: Verizon 2017 Data Breach Investigations Report PII 11
  • 12. Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Motives Financial Espionage 12
  • 13. Source: Verizon 2016 Data Breach Investigations Report 13 Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Breach Discovery
  • 14. Source: Verizon 2017 Data Breach Investigations Report Decreases in card skimming and POS crime sprees influence the massive decrease in law enforcement and fraud detection Verizon 2017 Data Breach Investigations Report – Breach Discovery 14
  • 15. Source: Verizon 2016 Data Breach Investigations Report 15Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Malware
  • 16. Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Crime ware 16
  • 17. Source: Verizon 2017 Data Breach Investigations Report Verizon 2017 Data Breach Investigations Report – Breaches & Actors 17
  • 18. Leaked NSA Tools Infect and Control Computers
  • 19. 19
  • 20. Incident Classification Patterns Across Confirmed Data Breaches Source: Verizon 2016 Data Breach Investigations Report Web Application Attacks 20
  • 21. Worry Only About the Major Breach Patterns Source: Verizon 2016 Data Breach Investigations Report 21 Application Attacks
  • 23. Security Tools for DevOps Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Fuzz testing is essentially throwing lots of random garbage Vulnerability Analysis Runtime Application Self Protection (RASP) Interactive Application Self- Testing (IAST) 23
  • 25. Security Metrics from DevOps 25 # Vulnerabilities Time
  • 26. Generating Key Security Metrics 26 # Vulnerabilities Time
  • 27. The Board’s Perception of Cybersecurity Risks • How would you characterize the board’s perception of cybersecurity risks over the last one to two years? • Source: PWC – The Global State of Information Security Survey 2016 Increased Increased significantly High No change 27
  • 28. Source: PWC – The Global State of Information Security Survey 2016 Cybersecurity is now a Persistent Business Risk • Cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent • Cybersecurity services market is expanding in the wake of increased incidents and heightened regulations, corporations and government agencies are scrambling to safeguard their data and networks—a push that is catalyzing growth in the market for cybersecurity solutions and technologies 28
  • 29. Trends in Board Involvement in Cyber Security • Source: PWC – The Global State of Information Security Survey 2016 29
  • 30. Questions the Board Will Ask Source: PWC – The Global State of Information Security Survey 2016 30
  • 31. CEOs, CFOs, Business Risk Owners & CISOs questions 1."How much cyber risk do we have in dollars and cents?" 2."How much cyber insurance do we need?" 3."Why am I investing in this cyber security tool?" 4."How well are our crown jewel assets protected?" 5."How do I know that we’ve actually lowered our risk exposure?" 6. "As my business changes through M&A, adding new business applications and new cyber risks , how can I get the quickest view of the impact on my overall business risk?" 31 Source: PWC – The Global State of Information Security Survey 2016
  • 32. Risk Management Are your security controls covering all sensitive data? Are your deployed security controls failing? Source: storm.innosec.com Are you prioritizing business asset risk? 32
  • 33. Cyber Budgeting Source: storm.innosec.com Asset Regulatory Risk Residual Risk FTE Cost Tool Cost Total Cost CRM High Medium $ 20,000 0 $ 20,000 HR High Medium $ 100,000 20,000 $ 120,000 Feed High Low $ 1,000 0 $ 1,000 Crossbow Medium Medium $ 5,000 50,00 $ 10,000 eTrader Low Low $ 1,000 0 $ 1,000 IT Alert Low Low $ 1,000 0 $ 1,000 SAP Low Low $ 1,000 0 $ 1,000 Total $ 129,000 $ 25,000 $ 154,000 33
  • 34. Asset Sensitivity, Risk, and Quarterly Findings 34
  • 35. Audience Focused Dashboards CISO CEO and Board of Directors Senior Management How compliant are we? How much risk do we have? What work do we need to prioritize? 35
  • 36. DCAP Data Centric Audit and Protection - Centrally managed security Data Centric Security Lifecycle & PCI DSS UEBA User behavior analytics helps businesses detect targeted attacks PCI DSS Protect stored cardholder data YearI 2004 I 2014 I 2015 PCI DSS 3.2 I 2016 PCI DSS Security in the development process 36
  • 39. Problematic and Increasing Shortage of Cybersecurity Skills • 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 • 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015 • 18 percent year-over-year increase 39
  • 40. Examples of Services That Can Fill The Gap Application Services • Application Hosting & Cloud Migration • IT Consulting & Information Architecture • Software Development & User Experience Design Security Services • Audit & Assessment Services • Application Security Consulting • Managed Vulnerability Scanning • Security Tools Implementation • Virtual CISO SecDevOps 40
  • 43. FFIEC is a Formal U.S. Government Interagency Body It includes five banking regulators Source: WIKPEDIA 43 1. Federal Reserve Board of Governors (FRB), 2. Federal Deposit Insurance Corporation (FDIC), 3. National Credit Union Administration (NCUA), 4. Office of the Comptroller of the Currency (OCC), and 5. Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
  • 44. FFIEC Cybersecurity Assessment Tool The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories: • Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains: • Cyber Risk Management and Oversight • Threat Intelligence and Collaboration • Cybersecurity Controls • External Dependency Management • Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 44
  • 45. FFIEC Cybersecurity Assessment Tool – Part One Inherent Risk Profile Part one of the Assessment identifies the institution’s inherent risk: • Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services. • Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered. • Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered. • Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers. • External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 45
  • 46. FFIEC Cybersecurity Assessment Tool – Risk Levels The following includes definitions of risk levels: • Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees. • Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services. • Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication. • Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication. • Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 46
  • 47. FFIEC Cybersecurity Assessment Tool – Part Two Cybersecurity Maturity Maturity level within each of the following five domains: • Domain 1: Cyber Risk Management and Oversight • Domain 2: Threat Intelligence and Collaboration • Domain 3: Cybersecurity Controls • Domain 4: External Dependency Management • Domain 5: Cyber Incident Management and Resilience Domains, Assessment Factors, Components, and Declarative Statements Within each domain are assessment factors and contributing components. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 47
  • 48. FFIEC Cybersecurity Assessment Tool – Maturity Levels Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf Definitions for each of the maturity levels The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level 48
  • 49. FFIEC Cybersecurity Assessment Tool – 5 Domains: 1. Domain 1: Cyber Risk Management and Oversight 2. Domain 2: Threat Intelligence and Collaboration 3. Domain 3: Cybersecurity Controls 4. Domain 4: External Dependency Management 5. Domain 5: Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersec urity/FFIEC_CAT_App_B_Map_to_NI ST_CSF_June_2015_PDF4.pdf 49
  • 50. Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf 50
  • 51. FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results Source: https://www.ffiec.gov/pdf/cyb ersecurity/FFIEC_CAT_June_20 15_PDF2.pdf 51
  • 53. FFIEC Cybersecurity Assessment Tool - Excel Template The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment. The Assessment Summary worksheet calculates an Inherent Risk Score and reflects percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 53
  • 54. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
  • 55. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 55
  • 56. FFIEC Cybersecurity Assessment Tool – FAIR International Standard Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool Factor Analysis of Information Risk (FAIR) 56
  • 57. FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC FSSCC Automated Cybersecurity Assessment Tool FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an ”automated” tool: • No attempts were made to interpret or change any of the FFIEC’s stated expectations; and • Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool 57
  • 60. Examples of Services That Can Fill The Gap Application Services • Application Hosting & Cloud Migration • IT Consulting & Information Architecture • Software Development & User Experience Design Security Services • Audit & Assessment Services • Application Security Consulting • Managed Vulnerability Scanning • Security Tools Implementation • Virtual CISO SecDevOps 60
  • 61. Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com
  • 62. My Work with PCI DSS Standards Payment Card Industry Security Standards Council (PCI SSC) 1. PCI SSC Tokenization Guidelines Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 10. PCI SSC Tokenization Products Task Force 62
  • 63. Not Knowing Where Sensitive Data Is Source: The State of Data Security Intelligence, Ponemon Institute, 2015 63
  • 64. Data Security On Prem Operating System Security Controls & Agents OS File System Database Application Framework Application Source Code Application Data Network External Network Internal Network Application Server SecDevOps