1 / 53

Conference of State Bank Supervisors IT Training STREAM Technology Lab Overview 23-June-2009

Conference of State Bank Supervisors IT Training STREAM Technology Lab Overview 23-June-2009. Federal Reserve Bank of Chicago S&R Technology Lab. Presented by Christopher Olson Federal Reserve Bank of Chicago Christopher.Olson@chi.frb.org. Agenda . What is Risk?

cargan
Download Presentation

Conference of State Bank Supervisors IT Training STREAM Technology Lab Overview 23-June-2009

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Conference of State Bank Supervisors IT Training STREAM Technology Lab Overview 23-June-2009 Federal Reserve Bank of Chicago S&R Technology Lab Presented by Christopher Olson Federal Reserve Bank of Chicago Christopher.Olson@chi.frb.org

  2. Agenda • What is Risk? • Bank Operations Simulation • Asset Liability Management Modeling • IT Topic: Virtualization • Instructor Subject Matter Experts • Technology Lab History and Build-out

  3. What is Risk? • Webster's dictionary: "the possibility of a loss". • Future event • Uncertainty of occurrence; probability • Probability is greater than 0 and less than 1 (or greater than 0% and less than 100%) • Uncertain outcome or impact • Favorable and unfavorable outcome

  4. Risks Are Interactive Market Legal Operational Reputational Liquidity Credit

  5. Operational Risk Defined “The risk of loss from inadequate or failed internal processes, people, and systems, or from external events.” – Basel, “Sound Practices for the Management & Supervision of Operational Risk” Translation: Everything that’s not credit and market risk.

  6. Operational Risks: People Processes Systems External Events Credit Market Liquidity Legal Reputational Operational Risks: People Processes Systems External Events Why focus on Operational Risk? Insufficient staff Unsafe work place Fraud Security breaches Business disruption Product flaws Customer unsuitability Improper practices Unsafe work place Processing errors Documentation errors

  7. Scandals Galore Kim Woo-choong Daewoo Nick Leeson Barings Ken Lay, Jeff Skilling, Andy Fastow, Lou Pai Enron Mark Swartz/Dennis Kozlowski Tyco

  8. Examiner Responsibilities Internal Control Activities You’re Doomed!

  9. Control Activities • Bank performance reviews in each business line • Physical and logical controls • Separation of duties • Conflicts of interest • Compensating controls • Approvals and authorizations • Verifications and reconciliations • Information processing

  10. Bank Operations Simulation Course

  11. BOpS Course Modules • Cash and Teller Operations • Check Operations • NSF Processing and Transaction Input • Proof and Transit • Back Office Routines • ACH Operations • Investment Operations • Loan Operations • Wire Transfer Operations

  12. BOpS Course Modules (continued) • System and Security Access • Accounts Payable • Fixed Assets • Correspondent Bank Account Reconciliation • Payment System Risk • Call Report Review • Daily Statement Review • Extensive Hands On Training!

  13. Bank Operations Simulation Course Provides core curriculum and training in bank operations. Target audience is all Safety and Soundness examiners who are looking for bank operations training!

  14. Other Application Classes BSA/ AML Hands On Lab Asset Liability Management Model Lab  We call this the “ALM” class

  15. ALM Course

  16. Course Background Effective IRR model reviews require a specialized set of examination tools • Regulatory Market Risk Knowledge - PALM (f.k.a. FIRRM) - ALM 1, ALM 2 • Understanding of financial instruments - Options Institute - PALM - ALM 1, ALM 2

  17. Course Background (continued) • Fundamental understanding of financial modeling • Vocabulary • Internal controls • Technical implementation options, risk, and limitations • Understanding of moderate simulation and valuation techniques supported or not supported by model vendors • Baker Group, ProfitStars, Compass, Sendero, Bancware

  18. ALM Model Vendor Usage—Member Banks 2004 FRS Board of Governors Survey • 68 IRR models or consultants represented • QRM • 17 banks with $1.4 trillion in total assets. • 15 QRM firms have total assets > $10 billion • Bancware • 27 banks with $613 billion in total assets • Sendero • 114 Banks with $413 billion in total assets • Plansmith / Intercept • 92 banks with $22 billion in total assets

  19. ALM Model Vendor Usage • IPS Sendero ALM is used at the largest number of FRS member institutions (114) • BancWare ALM4 and ALM5 are widely used at our largest institutions and many regional banks

  20. Course Objective ALM Model class provides examiner the ability to assess: • The appropriateness of the general model setup • The appropriateness of specific complex instrument setups • The accuracy and reasonableness of critical model assumptions • Whether critical assumptions have been correctly implemented in a model • Common model risk control weaknesses • The overall adequacy of model risk management practices

  21. IRR Identification and Management • Objectives: • Identify four primary sources of IRR Discuss the modeling process and the types of models most commonly used by banks • Learn what questions to ask your management team • Discuss supervisory expectations and best practices for strong IRR management

  22. Interest Rate Risk • Mismatch Risk • The risk that interest rates change and assets and liabilities re-price at different times • Yield Curve Risk • The risk of non-parallel shifts in the yield curve • Basis Risk • The risk that rates on instruments with the same or similar maturities will not move together as the general level of interest rates changes • Options Risk • The risk that changes in interest rates will cause asset or liability holders to exercise explicit or embedded options

  23. What Should IRR Models Do? • The IRR modeling process should: • produce reasonably accurate risk measures • capture all risks material to the institution • provide clear and useful information to senior management and board of directors

  24. What Should Drive the Model Decision? • Complexity of: • Bank and Organizational Structure • Products and Services • Positions Held • Markets • Cost versus Benefit • Materiality of Risk • Exposure to Risk Factors

  25. Information Technology Classes e-Banking IS Vulnerability Management Network Security Operating Systems Supervisory Themes

  26. IT Topic: Virtualization

  27. What is Virtualization • An application and its base operating system combined together in a single compact package

  28. What is Virtualization? • Resources are shared between the host systems according to demand • Resources: CPU, Memory, Network and Disk space

  29. What is Virtualization? • Virtualization works by allowing multiple operating systems to be installed on a single physical server • Hypervisor is software that makes each Virtual Machine appear as a standalone server Virtual Machine 1 Virtual Machine 2 Hypervisor (Software) • Enables CPU, Memory, Network and Disk sharing

  30. Two Attack Scenarios • External Attacker: A vulnerable VM is attacked from an outside attacker • Phase 1: Vulnerability • Phase 2: Exploitation • Phase 3: Extend Control • Internal Attacker: An attacker compromises the hypervisor (“hyperjacking”) • Hypervisor Rootkit • Off-Host Attack

  31. Attack Phase 1: Vulnerability Attacker is in control of VM 1 • VM 1 is un-patched and vulnerable • VM 2, 4, 5 and 6 are patched and compliant • VM 3 is running with a known vulnerability due to application requirements • VM 3 not externally available (private)

  32. Attack Phase 2: Exploitation Attacker is in control of VM 1 • External attacker launches attacks against other VMs • Port scans are not detected by the network monitoring device • No IP traffic traverses the physical NIC on the host

  33. Attack Phase 3: Extend Control • VM 1 and VM 3 are under the control of an external attacker • Attacker uses trusted production server VM 3 to probe for vulnerabilities in other hosts • Attacker discovers and exploits VM 6

  34. Two Attack Scenarios • External Attacker: A vulnerable VM is attacked from an outside attacker • Phase 1: Vulnerability • Phase 2: Exploitation • Phase 3: Extend Control • Internal Attacker: An attacker compromises the hypervisor (“hyperjacking”) • Hypervisor Rootkit • Off-Host Attack

  35. Hypervisor Rootkit HypervisorRootkit attacks VM 3 • Hypervisor root kit is inserted on the running hypervisor from a trusted guest • Attack vector is a known vulnerability on VM 3

  36. Attack from Outside of the VM • A direct attack on the hypervisor comes from an outside the VM • Attack vector is either from a network connection or from physical access (insider attack) Outside source attacks hypervisor

  37. Result: Hyperjacked Host Hyperjacked Host • All communication to the guest VM’s is compromised • Guest VMs have no way of knowing that the hypervisor is compromised • On-guest security tools have no way to “see” the compromise

  38. Lessons Learned from the Attack • A vulnerable VM leads to intra-host risk and potential compromise • The intra-host (“inside-out”) risk results from running public and private servers in the same environment • The risk of intra-host (“inside-out”) attacks increases • The financial institution must think through the security considerations of their architecture

  39. Implementation Principle #1 • The Bank must understand and document theirvirtualization solution • Use documentation from the Vendor • Leverage open initiatives (DISA, CISecurity.org, SANS) • Document physically and logically where Virtualization fits in the bank • The Financial Institution must allocate time for training, testing and documentation

  40. ImplementationPrinciple #2 • Ensure that changes are documented and implemented successfully • Patch Management • Help Desk and Configuration Management • Change Management is a necessity for incident response • Why? It helps to determine whether an authorize or unauthorized change led to the event/incident

  41. Implementation Principle #3 • Plan the Dive and Dive the Plan • Proper planning is essential • Perform a test in a laboratory environment • Define requirements and architect the supporting solution • Iterate • Remember Security, but focus on process

  42. 80 % Process, 20% Technology • Updated Management Processes • Patching of Offline Systems • Access to New Management Tools • Configuration Standards

  43. Updated Management Processes • Handling of virtual disks • State is saved as a file (VM disk Image) that can be copied • The VM disk Image can be analyzed—used by an attacker / rogue administrator • Treat the File (VM disk image) as a high-security object • DO NOT store the VM disk image on USB sticks, portable drives, desktops or other insecure places

  44. Patching of Offline Systems • Problem: Offline Virtual Machines (VMs) lag behind on updates • Patching, Anti-Virus and other tools are agent based • Agents don’t work when the VM disk image is offline • Offline images become security risks • Solution: Don’t let the VMs lag • Adopt tools that can update (patch, Anti-Virus, etc.) the VM while offline • Adopt tools that scan the VM when they boot

  45. Access to New Management Tools • Access Control Life Cycle—Physical Environment • How is server access currently managed • Request, Approve, Provision, Review (RAPR) • Access Control Life Cycle—Virtual • Enhance the physical management to include virtual tools

  46. Configuration Standards • Problem: • Easy VM disk image copying facilitates easy replication ofsecurity vulnerabilities • Mitigation: • Ask if the financial institution has adopted templates

  47. Case Study—Virtualization

  48. STREAM Technology Lab Classes • E-banking • Network Security • IS Vulnerability Management • Operating Systems • Supervisory Themes • Bank Operations Simulation • Asset Liability Management Modeling • Bank Secrecy Act / Anti-Money Laundering

  49. Course Attendance: 2000-2008 Course attendance continues to increase. 2007 and 2008 shows continued overall growth with near-capacity attendance in each of the three IT Application courses.

  50. Course Participant Affiliations Course participants have diverse affiliation from across the Federal Reserve System, FFIEC agencies, state regulators and international central banks.

More Related