Flagstar Bank: Elements of a Typical ISSP. What are the following in Flagstar Bank: Violations of Policy (a. Procedures for Reporting Violations; b. Penalties for Violations), Policy Review and Modificatio


Develop an effective enterprise information security policy (EISP) and issue-specific security policy (ISSP) for Flagstar bank as it recently encountered a PII data breach due to a vulnerable third-party file sharing application

Submitted by:

Jubaida Silvi, Kunika Saxena, Melissa Page, Rikta Chakladar

Last Updated Date:

09/30/2021

Table of Contents

Introduction

EISP of Flagstar

The background of Flagstar

The organizational structure

The structure of the information security office

The IT/IS infrastructure

1. Flagstar bank’s information security policies

2. Procedures

3. Programs

4. Control

5. Opening issues

The ISSP of Flagstar

Federal, state, or local cybersecurity or computer laws and regulations, industrial standards

Access Control; Telecommunications and Network Security; Information Security Governance & Risk Management; Software Development Security

Legal, Regulations, Investigations and Compliance

References

Appendix 1: Team Charter

Introduction

On January 22nd, the US-based bank and mortgage lender Flagstar Bank disclosed that it had suffered a data breach after the Clop ransomware gang compromised its Accellion file transfer server in January of this year. In December, cybercriminals affiliated with the Clop ransomware gang began exploiting vulnerabilities in Accellion FTA, a product organizations use to share sensitive files with people outside their organization. On January 22, 2021, Accellion informed Flagstar that its platform had a vulnerability and that Flagstar's data had been breached. Flagstar permanently discontinued use of the file-sharing system after being informed of the issue. Researchers found that the threat group that stole Flagstar’s information from Accellion FTA was not using the December zero-day vulnerability, which had been patched, but a new vulnerability discovered in January. After the data was stolen, Flagstar received a ransom note demanding payment in bitcoin, failing which the data would be released to the public.

Figure1- Example Accellion ransom note received by victims

Ransom demands associated with Accellion attacks have ranged as high as $10 million in bitcoin.

After Flagstar began notifying victims of the data breach, the Clop ransomware gang released screenshots of stolen data with a warning that it had stolen a lot more personal data.

The shared screenshots illustrate the types of sensitive customer and employee information stolen, including social security numbers, names, addresses, phone numbers, and tax records.

Figure2- Screenshots of Flagstar data shared on Clop ransomware site

The ransomware gang has shared only a few screenshots of the stolen data; since Flagstar is a bank and mortgage lender, it should be assumed that the threat actors stole further documents containing sensitive information.

Based on the numerous Accellion data leaks published by the Clop gang, the group is behind all of these attacks and will continue to publish stolen data as victims disclose their attacks.

Unfortunately, this means we will likely see further data breaches associated with Accellion FTA hacks soon.

Flagstar’s recent security breach was attributed to the exploitation of a vulnerability in FTA, a secure file-sharing product offered by Accellion, a partner of Flagstar. On Dec 23 of last year Accellion suffered a cyberattack, which it claimed to have remediated with a patch update; it notified its customers, added new fraud monitoring capabilities, and flagged attack anomalies. Accellion highlighted that FTA was 20-year-old software and said it had constantly encouraged its customers to upgrade to its newer software, which has a more robust security architecture.

EISP of Flagstar

The background of Flagstar

Flagstar is headquartered in Troy, Michigan, and has branches in Ohio, Indiana, and Wisconsin. Flagstar Bank offers home loans and commercial and retail banking services across all states through a network of wholesale brokers and 87 physical retail offices. It is an NYSE-listed bank with over 1.1 million borrowers.

Flagstar's business model is to maintain sustainable and predictable earnings, with minimal impact from a fluctuating interest-rate environment, through its mix of businesses. When interest rates are low, business units such as mortgage origination, mortgage subservicing, and warehouse lending compensate for narrower net-interest margins; when interest rates are high, units such as commercial and consumer lending provide the offset. The vision and STAR values highlighted below guide the bank in serving its customers and employees through a set of principles and values.

Figure 3- Vision and STAR values of Flagstar from their website

The organizational structure

Layers of administration - tellers, supervisors, managers, financial managers, branch managers, salespersons, IT technicians, security officers, CISO, CEO.

Departments - Financial Department, IT Department, R&D Department, Credit Department, Corporate Banking, Risk Management Department, Audit & Inspection.

The relationship to the IS/IT department - the different layers of administration work on different parts of the information systems and information technology. Managers at every level work with IT to increase sales and draw up plans, which they submit to higher-ups (the CEO) for company growth; such plans can include new equipment (computers, machines, and other technology needed for banking). The IS department is made up of employees such as IT technicians, security officers, and the CISO, all of whom are responsible for keeping security and firewall protections up to date to help prevent attacks.

The structure of the information security office:

Infosec team is a centrally located team.

CISO - chief information security officer - responsible for developing and implementing an information security program (this includes the procedures and policies designed to protect enterprise communications from internal and external threats)

Information security managers - responsible for developing and managing information systems cyber security, including disaster recovery, database protection and software development

Information security analysts - monitor their organization’s networks for security breaches and investigate a violation when one occurs.

Information security staff - this includes IT technicians, IS officers (monitor IT system for threats to security and establish protocols for identifying and containing/removing threats, keeping software for antivirus up to date).

The IT/IS infrastructure

The type of network (e.g., Internet, internal network, wireless) - Flagstar Bank's environment involves a dizzying array of components: employee laptops and desktops, software applications, customizable dashboards, and self-service kiosks. Flagstar also uses its mobile app to approve transactions and gain visibility into financial status, and it exports activity data directly into financial management software applications. The bank has hosting networks, networking and cabling linking offices around the world, Internet of Things (IoT) devices, sophisticated enterprise tools, and data centers.

The number of workstations - each branch has multiple workstations: around 3-4 for bank tellers, 1 or 2 for financial advisors/managers handling home and car loans, and the branch manager's office. Salespersons, IT technicians, and security officers each probably have a designated workstation at headquarters but also need a “mobile” workstation so they can work at any branch when needed. The CISO and CEO each have an office at headquarters.

The software platform (e.g., the operating system), major business applications, major database management systems, and vendors of the technologies and the systems.

IT/IS use

Flagstar uses a third-party company called Accellion. They operate a file-sharing platform used by Flagstar (and other companies) to store sensitive information on customers and employees, such as social security numbers, phone numbers, and addresses. This helps Flagstar by giving the responsibility of this information to someone else, so that when a breach occurs, they are not the party at fault. It also is an example of using outside resources to better the company.

Current information security services:

1. Flagstar bank’s information security policies

Password Security Policy: Password protection and security is one of the highest priorities for Flagstar Bank. This policy establishes a standard for the creation of strong passwords and the protection of those passwords.

Internet & Intranet Security Policy: Systems and procedures have been developed to ensure that the internet is used only for business purposes, in a secure manner, without endangering the security of Flagstar Bank's network.

Information Security (IS) Incident Management Policy: The incident management policy maintained by Flagstar Bank ensures that when an incident occurs, the bank can respond quickly and effectively.

Backup & Recovery Policy: In order to safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for the backup of all business data, related application systems, and operating system software on a scheduled basis and in a standardized manner across FB (Flagstar Bank).

Security Awareness Policies: All employees of FB, contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Data Security policies: FB uses encryption, firewalls and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorized access or improper use.

2. Procedures

Flagstar Bank built processes to identify cybersecurity threats and ensure that its data and customer privacy are well protected. These processes were built in partnership with Flagstar’s Chief Risk Officer, Chief Information Officer, business unit leaders, and enterprise risk management team. Flagstar’s Chief Information Security and Privacy Officer (CISO) regularly conducts a comprehensive evaluation and testing of the information security program, and the results are shared with the Board of Directors.

In addition, the cybersecurity team conducts quarterly simulated phishing exercises and social engineering tests to make sure that employees and contractors are following policies and adhering to the proper standards. The CISO also conducts cybersecurity training for many of FB’s community and nonprofit partners, and the bank has joined the American Bankers Association.

3. Programs

Flagstar offers many programs- personal banking, mortgage loans, auto loans, business banking, checking and savings accounts, money market accounts, personal loans.

4. Control

Physical control

Flagstar Bank maintains a restriction of physical access. They use CCTV cameras and alarm systems to provide complete oversight of the building and critical areas. Software and hardware are designed to work in combination with electronic door locks and authorization guidelines.

Access control: Access control means that only authorized people can access bank data, and only when they need the data for their work. Flagstar has set up a system to authenticate identity, using biometrics and photo IDs to verify who a person is. Access to electronic devices is likewise verified with fingerprint and face recognition.

5. Opening issues

General issues

The Banking industry has been exposed to a large number of cyber-attacks on their privacy and security such as frauds with online payments, ATM machines, electronic cards, net banking transactions, etc. These are the general issues that Flagstar bank has.

Specific issue: Recently Flagstar Bank faced a data breach in March 2021 in which hackers gained unauthorized access to customers' names, Social Security numbers, and home addresses.

The ISSP of Flagstar

1. Statement of Purpose

a. Scope and applicability

i. Flagstar’s key points of information security revolve around the values of identifying users/threats, protecting sensitive customer information, detecting threats, responding to threats and recovery of information breached.

b. Definition of technology addressed

i. Flagstar states on their website that they regularly run tests, such as simulated phishing exercises and social engineering tests, to make sure that employees and contractors are following proper procedures

c. Responsibilities

i. The CISO conducts comprehensive evaluations and tests of the information security systems to make sure everything is running as it should. The responsibilities of the security policy are to protect employees and also the consumers who use Flagstar Bank.

2. Authorized users

a. User access

i. While all employees are expected to use bank devices and handle consumer information securely, it is the CISO, Chief Risk Officer, Chief information officer, business unit leaders and enterprise risk management team that are included in the upper management. When an attack occurs, they are the people who would follow the policy guidelines up the chain of command to assess the threat and discontinue it.

ii. Not all employees have access to all information.

b. Fair and responsible use

i. All employees handle sensitive information. It is their job to make sure that information is kept secure by checking for proper identification, account information, etc.

ii. Personal work should not be done on organization equipment, limiting the sites that are explored on the systems handling sensitive information.

c. Protection of privacy

i. When creating an account with the bank, they ask for a lot of personal information, including but not limited to:

1. Name

2. Address

3. Date of Birth

4. Social Security Number

5. A form of picture ID to have on file

ii. They then assign you account numbers. Once you have an account number, you can create online accounts which give the user complete access to their information. IT IS IMPERATIVE THAT THOSE SITES ARE KEPT SAFE in order to keep hackers from gaining access to thousands of people’s personal information.

iii. The bank states they have three lines of defense to keep private information secure

1. First line of defense: This includes responsibilities such as identifying, managing, and mitigating risks associated with directly conducting business in the bank. The first line helps to implement and maintain processes and practices to ensure conformity with all applicable policies, laws, and regulations.

2. Second line of defense: This is made up of the bank’s independent risk management. These units assess, report, and escalate risks and issues independently of the first line of defense and provide additional support when managing risks.

3. Third line of defense: This consists of internal audit and loan review, whose responsibilities can include providing timely, relevant, independent, and objective enterprise-level perspectives regarding the effectiveness of governance, risk management, internal controls, and the quality of loan portfolios.

3. Prohibited uses

a. Disruptive use or misuse

i. This area includes using computers for personal work, use of cell phones while helping customers, trying to access information that is unauthorized, and sharing information with others who do not have authorization to access it.

ii. Employees may not collect or store personal information about others.

iii. Impersonating any person, business, entity, or IP address.

iv. Altering, damaging, or deleting any materials or content provided by Flagstar.

v. There is a full list on this web page (https://www.flagstar.com/legal-disclaimers/terms-of-use.html)

b. Criminal use

i. Allowing outside hackers into the systems, transferring money from accounts without permission from the account owner, allowing access to unauthorized users

c. Offensive or harassing materials

i. Sharing of sensitive information

d. Copyrighted, licensed, or other intellectual property

i. These can include the name “Flagstar”, the design of their website, any imaging or symbols they use to help identify the business

4. Systems management

a. Management of stored materials

i. All computers, routers, switches, wires, and any other equipment used are kept in a secure, safe place. The privacy statement discusses what information is collected and how it is used, and there are some things you can opt out of.

b. Employer monitoring

i. Each employee is required to complete security training and policy reviews annually. In 2020, 100% of employees completed this training.

c. Virus protection

i. As stated earlier, they run many tests on a regular basis to try and keep their networks as safe as possible

d. Physical security

i. Security guards are posted outside of banks, along with cameras. A lot of banks also have protective glass between consumers and tellers

e. Encryption

i. Information that could be harmful to the consumer is encrypted, especially when it is shared with other banks. Online accounts require a username and password to gain access, and two-step authentication has become more popular.

Federal, state, or local cybersecurity or computer laws and regulations, industrial standards

California Consumer Privacy Act (“CCPA”): CCPA is applicable for California residents. The CCPA provides consumers with specific rights regarding their personal information.

Federal Privacy Act (1974): Establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Gramm-Leach-Bliley (GLB) Act (1999): The act controls the ways financial institutions deal with the private information of individuals.

Consumer Financial Protection Bureau: The Consumer Financial Protection Bureau is a U.S. government agency that makes sure banks, lenders, and other financial companies treat customers fairly.


Federal and state laws and regulations that require all information to be kept private and secured.

Industry Standards

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is applicable for those organizations who accept credit card payments.

Access Control; Telecommunications and Network Security; Information Security Governance & Risk Management; Software Development Security

Software Development Security - applying development to security involves many processes, including developing, adding, and testing security features in applications to help prevent security vulnerabilities and threats.

This is important to the company because it is a constant work in progress to keep out hackers and attackers from private information of citizens and employees. Without the changing development of security measures, hackers could easily learn a system and access information. This is especially important in a bank setting, due to the information that could become available for attacks, such as bank accounts, fraud, theft of money in accounts, home addresses of customers, identity theft from social securities, and so much more.

Cryptography

Security Architecture and Design

Security Operations

Business Continuity & Disaster Recovery Planning

Legal, Regulations, Investigations and Compliance

There are many key roles involved in compliance and investigation of attacks when they happen. Some of those include having a responsible investigative authority, having a responsible investigator(s), and having legal counsel for when things go sideways.

Having responsible investigators is important because when attacks do happen, we want them taken seriously. This ensures that a thorough investigation is done so that changes can be made, software can be made stronger, and the risk of attack decreases. You also want to have an investigative authority (a person in charge) to oversee the investigation. This prepares the organization for future attacks and helps it learn better ways of handling such situations. A company that believes it will never be attacked is a vulnerable one. In Flagstar’s case, the information was stolen through the third-party vendor the bank used. Flagstar's next action should be to re-evaluate whether that vendor is “good enough” to keep, or whether it should restructure that part of its business plan. This is where legal counsel comes in. It is always a good idea for a large corporation to have good legal counsel for when things go wrong: if a vendor isn’t doing its job correctly and efficiently, legal counsel can help you get out of the contract after a security breach.

Physical (Environmental) Security

-This would involve security guards around the premises and inside the building for each branch

-It would also include security cameras in and around the building, including the drive through, ATM, each teller station, the bank vault, all entrances and exits, and the parking lot.

System-specific Security Policy of Flagstar - This will go under Systems management in the ISSP

Acceptable use policy

Information Reliability - All information acquired from the Internet must be considered suspect until confirmed by separate information from a reliable source. Users must not rely on the alleged identity of a correspondent through outside email or the Internet. The identity of a person or organization is confirmed through authoritative methods such as digital certificates granted by third party verification or digital signatures. More information can be obtained from the Enterprise IT Security Department.

Downloading Software - Users must not install software from the Internet unless specifically authorized to do so by the Information Systems or Enterprise IT Security Department. Users may download data files from the Internet, but must check these files for viruses before using them. Copyright laws must be respected when downloading files.

Sending Security Parameters - Users must not send any sensitive parameters such as credit card numbers, telephone calling card numbers, fixed passwords, or account numbers through the Internet unless the connection is encrypted end-to-end.

International Transfer Of Data - The movement of private or research information such as human resources records or sensitive research across international borders in some countries is illegal. Before transferring any private or sensitive research information across a border, users must check with the BSU General Counsel to ensure that laws are not violated.

Setting Up Extra Services - The establishment of any connection to the BSU network with a third party is forbidden unless the Enterprise IT Security Department has approved the controls associated with this connection. The establishment of electronic data interchange and other electronic business system arrangements is prohibited unless approved by both Enterprise IT Security Department and Information Systems Department.

Information Security Reports - All users in receipt of information about system vulnerabilities must forward this information to the Enterprise IT Security Department, which will determine what action is appropriate. Users must not redistribute system vulnerability information.

Network security policies

Connection Approval Required - BSU computers or networks may be connected to third-party computers or networks only after the Enterprise IT Security Department has determined that the combined systems will be in compliance with BSU security requirements. Real-time connections between two or more in-house BSU computer systems must not be established unless Information Security has determined that such connections will not jeopardize the information security of sensitive data.

Personal Computer Connections - Employees must not connect their own computers with BSU computers or networks without prior authorization from DIT. Personally- owned systems must not be used to process any BSU information unless the systems have been approved for use by Information Security.

New Installations - Employees and vendors working for BSU must not make arrangements for, or actually complete, the installation of voice or data lines with any carrier unless they have obtained written approval from the Director of the Office of Telecommunications.

Firewalls Required - All connections between BSU internal networks and the Internet or any other publicly accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be defined in an access control standard issued by the Enterprise IT Security Department (documentation available from the department).

Third party access control policy

Written Approval Required - Before third party users are permitted to reach BSU internal systems through real-time computer connections, specific written approval of the Enterprise IT Security Department Manager must be obtained. These third parties include information providers such as outsourcing organizations, business partners, contractors, and consultants working on special projects.

Access Restrictions - Third-party information system vendors must be given only in-bound connection privileges when the DIT Systems Manager determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish previously defined and approved tasks. Third-party vendor access that will last longer than one day must be approved by the Enterprise IT Security Department.

Only Public Information Posted - Unless the relevant information Owner has approved in advance, employees must not place anything other than BSU public information in a directory, on a server, or in any other location where unknown parties could readily access it.

Third Party Security Requirements - As a condition of gaining access to the BSU computer network, every third party must secure its own connected systems in a manner consistent with BSU requirements. BSU must reserve the right to audit the security measures in effect on third party-connected systems without prior warning. BSU also must reserve the right to immediately terminate network connections with all third-party systems not meeting such requirements.

Encryption Policy

Default Protection Not Provided - The Internet and other public networks are not protected from wiretapping by default. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities. Users who employ cellular or mobile phones must not store or discuss Sensitive (Confidential or Restricted) information unless they have taken steps to encrypt the information. Video conferences must not involve discussion of sensitive information unless encryption facilities are known to be enabled.

When To Use Encryption - Whenever confidential information is sent over a public computer network like the Internet, encryption methods authorized by the Enterprise IT Security Department must be used to protect it. Whenever confidential information is stored in a computer, this storage must be with similar authorized encryption methods. For more information about these circumstances, see the “Data Classification Quick Reference Table.”

Key Selection - Many encryption routines require that the user provide a seed or a key as input. Users must protect these security parameters from unauthorized disclosure, just as they would protect passwords from unauthorized disclosure. Rules for choosing strong seeds or keys must follow all rules for choosing strong passwords.

SQL injection prevention policies

Develop web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.

Utilize the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).

Do not use shared database accounts between different web sites or applications.

Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.

Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.
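As an added example (not code from Flagstar or from the policy's source), the following Python script shows the string-built query this policy forbids beside the parameterized, bound-parameter form it requires, together with a server-side allowlist check for a value the UI renders as a drop-down and error handling that records the database's message server-side but never returns it to the client. It uses an in-memory SQLite database; the `customers` table, its columns, the sample rows and the `ACCOUNT_TYPES` set are all constructed for illustration.

```python
import sqlite3

# Constructed sample data; names and SSNs are placeholders, not real records.
SAMPLE_ROWS = [("Alice Example", "000-00-0001"), ("Bob Example", "000-00-0002")]

# Values the drop-down is expected to submit (assumed for this example). The
# browser control is not a security control: the server must check what arrived.
ACCOUNT_TYPES = {"checking", "savings", "money_market"}

# Stand-in for the server-side log; a real application would use its logger.
SERVER_LOG = []


def make_db():
    """Create an in-memory database with the hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers (name, ssn) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """What the policy forbids: the input is spliced into the SQL text, so a quote
    in the input changes the query's structure instead of being matched as data."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """What the policy requires: a bound parameter. The query text is fixed and the
    value travels separately, so it can only ever be compared as a string."""
    cur = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in cur]


def validate_account_type(value):
    """Allowlist check for a field the UI renders as a drop-down."""
    if value not in ACCOUNT_TYPES:
        raise ValueError("unexpected account type")
    return value


def safe_lookup(conn, name):
    """Run the parameterized lookup; on a database error, record the details
    server-side and return a generic message so no driver text reaches the client."""
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"database error during lookup: {exc!r}")
        return {"ok": False, "error": "The request could not be completed."}


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input, not a real customer name
    print("string-built query returns:", lookup_vulnerable(db, probe))
    print("parameterized query returns:", lookup_parameterized(db, probe))
```

Run as a script, the string-built query returns every row because the quote in the input turns the `WHERE` clause into a tautology, while the parameterized query returns nothing because the same text is compared as a literal name. SQLite has no `GRANT`, so the least-privilege step from the policy (a read-only database role for the web application's account) is not shown here; on MySQL, PostgreSQL or SQL Server it is configured on the server, outside the application code.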

Remediation policy

Immediate action must be taken to address any confirmed SQL Injection flaws discovered:

Once a person responsible for coordinating remediation is identified, please respond to the notice so that Information Security and Policy can work directly with the coordinator to ensure full remediation

Coordinate an investigation of potentially vulnerable web pages and resources amongst developers or other stakeholders

A review of web, application, and database logs may reveal the point of vulnerability and source of attacks

Develop a plan to remediate any confirmed SQL Injection flaws and prevent future attacks
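For the log review step above, here is an added example (not code from Flagstar or from the policy's source) of how an investigator can triage web-server access logs for injection attempts: each line in combined log format is parsed, the request's query string is percent-decoded, a few coarse indicators are checked, and the findings are counted per source address so the reviewer can see which pages were targeted and where the attempts came from. The log lines, addresses and paths are constructed for this example, and the indicator patterns are a deliberately small triage set rather than a complete signature list.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines in combined format; the addresses are from
# the documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:13:55:36 +0000] "GET /search?q=mortgage HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2021:13:55:40 +0000] "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 231
203.0.113.9 - - [10/Mar/2021:13:55:41 +0000] "GET /account?id=42%20UNION%20SELECT%20ssn%20FROM%20customers-- HTTP/1.1" 200 9120
198.51.100.7 - - [10/Mar/2021:13:56:02 +0000] "POST /login HTTP/1.1" 302 0
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Coarse indicators checked against the decoded query string. They are a triage
# aid for the reviewer, not proof that an attack succeeded.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
]


def classify(decoded_query):
    """Return the names of every indicator that matches the decoded query string."""
    return [name for name, rx in INDICATORS if rx.search(decoded_query)]


def review_logs(log_text):
    """Parse each line, decode its query string and report lines with indicators.
    A 5xx status next to an indicator suggests the application surfaced a database
    error, which is exactly what the error-handling policy above aims to prevent."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a full review would count these separately
        parts = urlsplit(m.group("target"))
        decoded = unquote_plus(parts.query)  # percent-decoding reveals the payload
        hits = classify(decoded)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "path": parts.path,
                "status": int(m.group("status")),
                "indicators": hits,
                "query": decoded,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source address to show where attempts came from."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_logs(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['ip']} {f['path']} status={f['status']} {f['indicators']}")
    print("per-source counts:", summarize(found))
```

On the sample lines the two `/account` requests from 203.0.113.9 are flagged and the ordinary search and login requests are not; the `500` on the first flagged request is the detail worth chasing in the application and database logs, since it points at the page where untrusted input reached the database.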

References

https://www.flagstar.com/esg/company-overview/our-business-overview.html

https://www.bowiestate.edu/files/resources/information-security-public.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a

Application Security

https://www.vmware.com/topics/glossary/content/application-security

https://www.compliance.com/resources/tips-preparing-conducting-compliance-investigations/

Information Security

https://www.criminaljusticedegreeschools.com/careers/information-security-officer/#:~:text=Career%20Description%2C%20Duties%2C%20and%20Common,virus%20software%20to%20block%20threats.

https://www.flagstar.com/esg/governance/data-security-and-customer-privacy.html

https://www.flagstar.com/esg/governance/risk-management.html

https://www.flagstar.com/legal-disclaimers/terms-of-use.html

https://www.flagstar.com/legal-disclaimers/privacy-statement.html#2