Release #5: Regulatory Requirements and Cyber Defense

 

Basics

The financial sector is extensively regulated at international and national level. Industry standards such as PCI-DSS and SWIFT CSCF (Customer Security Controls Framework) play just as much a role as ISO 27001, EU-GDPR (General Data Protection Regulation), or national laws such as IT-SiG (IT-Sicherheitsgesetz), KWG (Kreditwesengesetz) in Germany (which is based on Basel I and Basel II and is specified with the MaRisk (Mindestanforderung an das Risikomanagement) and BAIT (Bankenaufsichtliche Anforderungen an die IT) requirements).

 No news so far and I risk that you my reader will fall asleep. But wake up, the point is, that this different requirements need to be put under one hat and they have to be useful on an operational level in a easy manner. This is the big task for the 2nd Line-of-Defense (2LoD) in this game.

Therefore I will briefly present a methodology to tame all the major and well-known regulations and the minimum measurements that should  be implemented at the 1st Line-of-Defense (1LoD) or 2nd Line-of-Defenes (2LoD). This part can only serve as a guide and is neither complete nor free from errors. Standards change over time and the tasks and goals of a CDC can be quite different, as well as your infrastrucuture. There is no way around reading the papers yourselve and define an individual implementation for your organisation.

 

 

Info Box The Three Lines of Defense Model
!

A common control concept is the "Three Lines of Defense" (TLoF, 3LoD). Simplified, the responsibilities in the TLoD model are divided as follows

  • 1LoD: the operational implementation of requirements of the 2LoD 
  • 2LoD is for example the Information Security Management (ISM) and Business Continuity Management (BCM) department, here the requirements for the company are defined, the basis are regulations, laws, regulations and technical requirements 
  • 3LoD, is the Corporate Audit department, here the implementation by the 1LoD of the requirements of the 2LoD are checked

 

Today, companies are increasingly called upon to strengthen transparency to create trust in their activities. The fulcrum is adequate risk management and reporting, which is also required by the German legislator and regulated by the KonTrag act. 

 


In order to be able to comply with all regulations, it is important that the Information Security Management (ISM) selects a Security Program Framework as the basis for its Information Security Management System (ISMS), that is internationally recognized and that many other standards can be mapped to. For example ISO 27001 or the NIST Cybersecurity Framework (CSF, with the phases Identify, Protect, Detect, Respond, Recover) is considered as a program framework. In my opinion ISO 27001 together with the NIST Special Publications (SP) 800-53 as a control framework is a good combination for companies doing international business, or optionally ISO with the BSI IT basic protection catalogues if your main business and organisational focus is in Germany. Don't make it overly complicated, it should make your life easier. The matrix of security controls, mapped to an ISMS porgram framework can then be used as input to the enterprise risk management system. Please don't mix it up with Information (or IT) Risk Management (IRM) which is just a tool for a part of information security and risk management.


 




 As soon as all requirements from SWIFT CSCF, PCI-DSS, BAIT, and GDPR have been mapped to the corresponding NIST (or whatever you like) controls and to ISO 27001, the ISMS can be set up and implemented. Regular testing (vulnerability scans, security compliance scans, penetration testing and such) should make sure you know the gap between ISMS policies and the real IT world, and that this gap is handled correctly and in time.

 A mapping many (if not all) all common control frameworks to the CIS controls can be found here: https://www.auditscripts.com/free-resources/critical-security-controls/

 




 

Even if these tasks have been well implemented by the 2LoD, a CDC will still recognize in detail the gaps in the operational implementation (1LoD) of the ISMS, and that is exactly what a CDC is there for. Psst, communication and a good relationship between the 1st and the 2nd line is the key for success here.

Ok, know we know our external and internal requirements, know how they fit to a security program framework and how to feet the ERM, this is reat to avoid issues during an audit but how do we make things happen in an organization? Correct! Policies! Let's dive deeper into the "house of policies" every decent organisation should have. 

 

Written policies, operating procedures, and processes

During an audit attention is always paid to whether a department and its tasks fit into the “written order” (wO) and policies of a company. It makes sense to set up the wO as a pyramid or "house of policies" , from the top of an abstract regulation from the management to the detailed procedure at the operational level. (The topic of procedures and processes will be examined in more detail in a dedicated blog on the CDC architecture.)

 


 

 

Example:

 

 

Document

Author

Legitimization

Structure, roles, responsibility of the ISMS organisation.

And a high-level security policy with a business alignment
to supoort the overall strategy of the company.

CISO

Signed and approved by the CEO and other members of the C-Level leadership team.

General requirements for state-of-the-art handling of security topics like logging, system hardening, and so on. Maybe based on ISO 27k or BSI IT base protection.

ISM department/team or the CISO together with the accountable owners of the corresonding business processes.

ligitimized by the high-level secrurity policy

Operational implementation of the security requirements from a level above.

Department which ownes the operational process, maybe with support of a security architect, the ISM team or the CISO.

 required by the organisational security ploicies for general security requirements.
 

At the operational level you should be free to define further levels down to processes, roles and such.

  

Risk management

Enterprise Risk Management (ERM) typically covers all areas of a company, like finance, supply chain, IT, HR, legal, and so on. Depending on the size and dependency of the IT, the risk identification and management can have a specialized process (Information Risk Management, IRM), this comes often hand in hand with Information Security Management (ISM) and Business Continuity Management (BCM). For information risk management, the CDC is the one-stop shop for getting information about technical vulnerabilities, cybersecurity incidents, and more. A well defined interface between the CDC and risk management team regarding the content and format of the risk data, as well as the frequency of reporting, make it very easy for both sides to fulfil their mandate. This significantly improves the risks identification of a company's operational functions and creates a communication channel to adress or escalate new risks or incorrect handling of already known risks. 
 
As a bank, one certainly does not get past the "minimum requirements for risk management" (MaRisk,  https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/2017/rs_1709_marisk_ba.html). The Federal Financial Supervisory Authority (BaFin) presents it in its Circular 09/2017 (BA) as follows: "This circular provides a flexible and practical framework for the design of the risk management of institutions on the basis of Section 25a (1) of the Banking Act (KWG). It also clarifies the requirements of Section 25a (3) of the KWG (Group Risk Management) and Section 25b of the KWG (outsourcing). If your company is working as an IT service provider for banks or if the CDC offers its services as a managed security service (MSS), MaRisk defined the requirements AT 4.3.2 Section 2 "... provide adequate written information on the risk situation at least quarterly." This should be reason enough to establish a close cooperation  betwenn RM and the 1LoD. Again, a good relationship and communication is the key to success. 
 

What needs to be monitored?

In a CDC, one question always arises at the beginning: What needs to be monitored?

At most companies, a "best practice" approach is enough to get started and get the first experiences. However, in a highly regulated environment with internal and external audits, this approach is doomed to failure because it is decoupled from risk management. If an auditer notices that you have implemented a right measure, out of the belly, he will not accept it and instead assume it was by luck.

The question about what to monitor can be answered by approaching the problem on two levels.

  1. What are the assets with the highest protection requirements? Risk management can help with the response. When asked why the limit was drawn at a certain level of protection and not elsewhere, one should have a plausible answer. For example, a company could have 4 levels of protection requirements and they only want to look at the systems and data of level 4 (very high) and 3 (high), then you should be sure that only here are the "crown jewels" (bank data, personal data, databases for access and monitoring systems, etc.) of the company. The basis for this is a clean, consistent and up-to-date information security and risk management and an IT infrastructure that reflects this through identity and access management as well as network separation, etc. 
  2. If you know what attack pattern to monitor, you need to clearly define why you want to detect certain attacks with your SIEM and why others not. This part is quite interesting, because here the seed (inital process) is sown for many - if not all - further processes in the CDC, but more on that later. You should make sure that you do not limit yourself unintentionally here. The following sources can serve as a basis for the development and use of SIEM use cases: 
    1. Mitre ATT&CK Matrix (https://attack.mitre.org/), here you can use the "Navigator" (https://mitre-attack.github.io/attack-navigator/enterprise/) to limit the TTPs (Tactics, Techniques and Procedures) to attacker groups in the financial world. 
    2. Insights from Threat Intelligence. If there are any particular threats to your business, they should also be included in the monitoring process. 
    3. Controls, e.g. from NIST SP 800-53 or BSI IT basic protection

Open flanks (incomplete preventive measures) in the network infrastructure, system architecture or application landscape. For example, if it is not possible to block certain TCP ports at the firewall, then detection by intrusion detection systems or web application firewalls should be implemented and the alarms should be sent to the CDC.

For the sake of completeness I want to shortly describe the three different ways to collect data which are a less distinctive than the method described above, but still helpful.

  • Input-driven: Collect everything you can get and see what can be made out of it. Contra: Collect too much, waste storage space and money. (SIEM solutions often have a license model based on GB of log data. Pro: Have many data for additional and manual investigations.
  • Output-driven: Know what alarms you want to generate and collect the needed data. Contra: Data may be missing for e-forensic. Pro: Safe storage and money.
  • Hybrid: Collect the data you need for detecting specific attacks (like the output-driven approach) and all log-data from critical or exposed systems. Contra: See decision process above for monitoring.

 

Regulations and their implementation in the CDC

In the upcoming blogs will describe the individual regulations and their significance for a CDC (shown as an example). 

For the IT of the banks, BaFin published the so-called BAIT with release 10/2017 (BA) in order to offer further details to MaRisk and the finance sector.

For the insurance industry, a complementary release (VAIT) was published exactly 1 year later.

In the case of a special audit (44er Sonderprüfung) by the BaFin (supervisor) and the Deutsche Bundesbank (part of the European System of Central Banks), at least the requirements of MaRisk and the common set of best practices are examined.

 

Now an institution can try to transfer the problem to a service provider and outsource critical processes. In this case the institution is still accountable for the correct execution of the outsourced process and has to establish the proper contracts with audit rights and has to proof an adequate service provider management. Service providers and their clients (i.e. a bank) should define their responsibilities and the instruments of service provider management precisely, so as not to experience an unpleasant surprise during an audit.

Beside regular onsite audits, the processes need to be connected and harmonized. Let's assume the outsourcer already has an internal incident response process in department A and another department B which is responsible for collecting logs and for the administration of the computer system but the detection process is outsourced to a Cyber Defense MSSP. In this case the outsourcer has to connect the internal  and external processes and train them.

Other important standards that should be adhered to are certainly ISO 27001, some NIST Special Publications (SPs) or the IT basic protection catalogues of the BSI. No matter what, but internationally respected or well-known standards are the way to go, and the auditor should see the storyline of your management system and IT architecture .

 

Ok, that's it basically. :-)


Best,

Thomas

Popular posts from this blog

Release #3: Terminology, Frameworks and Standards - Part 1

Image
I n my previous blog posting we defined our CDC, the function it provides and introduced some basic terms. Next we will look at catalogues and models that help defenders to understand the actions of attackers. The MITRE ATT&CK catalogue categorizes typical attack techniques and tactics and provides many additional information which is often very helpful in the daily life of a CDC architect or analyst. Info Box Tactics, Techniques and Procedure (TTPs) ! TTPs are an attacker's actions, regardless of the phase in the kill chain. This refers to tactics, techniques and procedures, not the underlying strategy.   MITRE ATT&CK™ Matrix The MITRE ATT&CK™ Framework describes itself on the web page (https://attack.mitre.org/) as follows: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for th
Read more

Facebook: Magnitude of the leaked data

Image
About 2 days ago bleepingcomputers reported about a leak of over 500.000.000 Facebook user records. Scratching the surface revealed that the data is available to nearly everyone. Here are some numbers to estimate the magnitute of the leak. 77 Gb of plaintext data from 105 countries world wide can be found on the Internet. Some indicators make clear that at least part of the data is from 2019, but only Facebook can make clear if there is also more current data included. The collections seem not to be from one web scraping session, but might be local web scraping campaigns in each country. Some file names are even in local languages. A world map with all countries (file size in MB).     Here are the top 20 based on file size in MB.   The data is of the following categories. name sex relationship status address employer email address (very seldom) year of birth (very seldom) telephone number (very seldom) some dates and IDs Note that citizens from various EU states are affected which is
Read more

Release #1: Cyber Defense in highly regulated Markets - Intro

T oday, in the middle of the 21st century terms like "Cyberwar" and "Cybercrime" are omnipresent in our society. Fortunately the Cyberwar is (yet) no real war between states; instead it is a mixture of sabotage, espionoage, psyops, manipulation of information and as well the theft of money(1)(2)(3). The relams of nation-state hackers and cyber crimnals and also tradional crimnals overlap because it is oportunistic ("Go where the money is.").(4)   Between the 80s and the 90s of the 20th century our current situation was mostly just in the heads of computer nerds and cyberpunk authors. Some of the computer freaks stepped over the border, people that were called "Hackers" pushed the technology and thinking beyond its intention and limits, found failures (bugs) in the systems and codes to get control over telephone and computer systems for fun and to learn how they work. In these days every bigger IT company had their own Unix-flavor with their own h
Read more