September 1, 2002
- GAO reports "Federal Reserve Banks: Areas for Improvement in Computer Controls." http://www.gao.gov/new.items/d021018r.pdf
FYI - Software security widely used for Internet banking and e-commerce can be easily circumvented, and customer accounts at several of Sweden's largest banks remain at risk as a result, a computer expert said
FYI - Maryland Investments Club - Internet Investment Scheme - The Canada Deposit Insurance Corporation (CDIC) has issued a news release advising North American investors and depositors of an apparent Internet fraud scheme falsely involving CDIC. www.fdic.gov/news/news/financial/2002/FIL0297.html
FYI - Possible Attempted Fraud By Convicted Fugitive - The U.S. Marshals Service has again asked the Federal Deposit Insurance Corporation (FDIC) to alert all U.S. banks about the activities of fugitive John Ruffo, who was convicted in 1998 for his role in defrauding several banks of over $350 million and may now be attempting other fraud schemes. www.fdic.gov/news/news/financial/2002/FIL0296.html
COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review part two of three regarding controls to prevent and detect intrusions.
4) Attack Profile. Frequently systems are installed with more available components and services than are required for the performance of necessary functions. Banks maintaining unused features may unwittingly enable network penetration by increasing the potential vulnerabilities. To reduce the risk of intrusion, institutions should use the minimum number of system components and services to perform the necessary functions.
5) Modem Sweep. While access to a system is typically directed through a firewall, sometimes modems are attached to the system directly, perhaps without the knowledge of personnel responsible for security. Those modems can provide an uncontrolled and unmonitored area for attack. Modems that present such vulnerabilities should be identified and either eliminated, or monitored and controlled.
6) Intrusion Identification. Real-time identification of an attack is essential to minimize damage. Therefore, management should consider the use of real-time intrusion detection software. Generally, this software inspects for patterns or "signatures" that represent known intrusion techniques or unusual system activities. It may not be effective against new attack methods or modified attack patterns. The quality of the software and sophistication of an attack also may reduce the software's effectiveness. To identify intrusions that escape software detection, other practices may be necessary. For example, banks can perform visual examinations and observations of systems and logs for unexpected or unusual activities and behaviors as well as manual examinations of hardware. Since intrusion detection software itself is subject to compromise, banks should take steps to ensure the integrity of the software before it is used.
7) Firewalls. Firewalls are an important component of network security and can be effective in reducing the risk of a successful attack. The effectiveness of a firewall, however, is dependent on its design and implementation. Because misconfigurations, operating flaws, and the means of attack may render firewalls ineffective, management should consider additional security behind the firewall, such as intrusion identification
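As an added illustration of items 6 and 7 (this is example code, not part of the OCC bulletin or this newsletter), the Python script below checks the integrity of its signature set before using it, then matches constructed web-server log lines against known-intrusion signatures and one simple unusual-activity rule. The log lines, the two signatures, the rule names and the failed-login threshold are all made up for the example; one log line deliberately shows a slightly modified probe that the signature misses, which is the limitation the bulletin warns about.

```python
import hashlib
import json
import re
from collections import Counter

# Known-intrusion signatures (constructed for this example, not from the bulletin).
SIGNATURES = {
    "admin-cgi-probe": r'"GET /admin/config\.cgi',
    "traversal": r"\.\./\.\./",
}
FAILED_LOGIN_THRESHOLD = 3  # unusual-activity rule: this many 401s from one source

# Constructed web-server log lines in a common access-log layout.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2002:10:00:01] "GET /index.html HTTP/1.0" 200',
    '10.0.0.7 - - [01/Sep/2002:10:00:02] "GET /admin/config.cgi HTTP/1.0" 403',
    # Same probe with a slightly modified path: the signature above misses it.
    '10.0.0.7 - - [01/Sep/2002:10:00:03] "GET /admin/./config.cgi HTTP/1.0" 403',
    '10.0.0.9 - - [01/Sep/2002:10:00:04] "GET /login HTTP/1.0" 401',
    '10.0.0.9 - - [01/Sep/2002:10:00:05] "GET /login HTTP/1.0" 401',
    '10.0.0.9 - - [01/Sep/2002:10:00:06] "GET /login HTTP/1.0" 401',
]

def fingerprint(signatures):
    """SHA-256 over a canonical encoding of the rule set."""
    return hashlib.sha256(json.dumps(signatures, sort_keys=True).encode()).hexdigest()

# Recorded when the rules are installed; in practice stored apart from the rules.
BASELINE_DIGEST = fingerprint(SIGNATURES)

def verify_integrity(signatures, expected_digest):
    """True only if the rule set still matches the known-good baseline."""
    return fingerprint(signatures) == expected_digest

def scan(log_lines, signatures, expected_digest):
    """Return (rule, detail) alerts; refuse to run on a tampered rule set."""
    if not verify_integrity(signatures, expected_digest):
        raise RuntimeError("signature set failed integrity check; refusing to run")
    compiled = {name: re.compile(p) for name, p in signatures.items()}
    alerts, failures = [], Counter()
    for line in log_lines:
        alerts.extend((name, line) for name, rx in compiled.items() if rx.search(line))
        # Unusual-activity rule: catches behaviour no signature describes.
        src, _, rest = line.partition(" ")
        if rest.rstrip().endswith(" 401"):
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated-auth-failure", src))
    return alerts
```

Running `scan(SAMPLE_LOG, SIGNATURES, BASELINE_DIGEST)` yields one signature alert for the first probe and one unusual-activity alert for 10.0.0.9, while the modified probe on the third line goes unreported, which is why the bulletin recommends manual review of logs alongside the software.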
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
32. When a customer relationship ends, does the institution continue to apply the customer's opt-out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that