April 9, 2000
FYI - The FDIC's Electronic Banking examination procedures state that the bank is responsible to "Determine whether appropriate procedures exist for maintaining links with other web sites, including both external and internal sites (intranets or other private networks). (Management should monitor these linked sites regularly for continued appropriateness and accuracy of the site addresses.)"
FYI - One of the advantages of a web site audit is that we check links to ensure the appropriateness and accuracy of the linked sites. Our quarterly web site audit will satisfy the FDIC's regular monitoring requirement for your internal and external links. If Your Bank is not currently receiving quarterly audits, you may want to consider modifying your auditing schedule; you can do so by sending us an e-mail.
INTERNET SECURITY - INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate. The next step is to monitor the system for intrusions and unusual activities. Intrusion detection systems (IDSs) may be useful because they act as a burglar alarm, reporting potential intrusions to appropriate personnel. By analyzing the information generated by the systems being guarded, IDSs help determine if necessary safeguards are in place and are protecting the system as intended. In addition, they can be configured to automatically respond to intrusions.
Computer system components or applications can generate detailed, lengthy logs or audit trails that system administrators can manually review for unusual events. IDSs automate the review of logs and audit data, which increases the review's overall efficiency by reducing costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent, which is the component that actually collects the information. Second is a manager, which processes the information collected by the agents. Third is a console, which allows authorized information systems personnel to remotely install and upgrade agents, define intrusion detection scenarios across agents, and track intrusions as they occur. Depending on the complexity of the IDS, there can be multiple agent and manager components.
Generally, IDS products use three different methods to detect intrusions. First, they can look for identified attack signatures, which are streams or patterns of data previously identified as an attack. Second, they can look for system misuse such as unauthorized attempts to access files or disallowed traffic inside the firewall. Third, they can look for activities that are different from the user's or system's normal pattern. These "anomaly-based" products (which use artificial intelligence) are designed to detect subtle changes or new attack patterns, and then notify appropriate personnel that an intrusion may be occurring. Some anomaly-based products are created to update normal use patterns on a regular basis. Poorly designed anomaly-based products can trigger frequent false-positive responses.
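To make the three detection methods concrete, here is a small added example (not part of this newsletter or any vendor's product) that runs all three over constructed log lines: a signature check for a known attack pattern, a misuse check against a site policy, and an anomaly check against a per-user baseline. The log format, the policy, the baseline figures and the mean-plus-three-standard-deviations threshold are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
# Constructed log lines (not real data); format: "time src_ip user action target"
SAMPLE_LOG = """\
10:00:01 10.1.1.5 alice GET /index.html
10:00:02 10.1.1.5 alice GET /accounts/summary
10:00:03 10.1.1.9 bob GET /index.html
10:00:04 10.1.1.9 bob READ /etc/shadow
10:00:05 203.0.113.7 - GET /images/../../../etc/passwd
10:00:06 10.1.1.22 carol GET /index.html
10:00:07 10.1.1.22 carol GET /accounts/summary
10:00:08 10.1.1.22 carol GET /accounts/history
10:00:09 10.1.1.22 carol GET /accounts/transfer
"""
# 1. Signature-based: patterns previously identified as attacks (here, path traversal).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}
# 2. Misuse-based: assumed site policy says only root may READ files under /etc.
RESTRICTED_PREFIX, ALLOWED_READERS = "/etc/", {"root"}
# 3. Anomaly-based: per-user request counts from past "normal" windows (constructed);
#    a user is flagged when the current count exceeds mean + 3 standard deviations.
BASELINE = {"alice": [2, 3, 2, 3, 2], "bob": [2, 2, 3, 2, 3], "carol": [1, 2, 1, 2, 1]}
FIELDS = ("time", "src", "user", "action", "target")

def parse(log):
    """Split each well-formed log line into a dict; malformed lines are skipped."""
    return [dict(zip(FIELDS, parts)) for parts in
            (line.split() for line in log.splitlines()) if len(parts) == 5]

def detect(log):
    """Return (method, subject, detail) tuples, one per finding, in detection order."""
    events, alerts = parse(log), []
    for ev in events:
        for name, pat in SIGNATURES.items():          # signature check
            if pat.search(ev["target"]):
                alerts.append(("signature", ev["src"], name))
        if (ev["action"] == "READ" and ev["target"].startswith(RESTRICTED_PREFIX)
                and ev["user"] not in ALLOWED_READERS):  # misuse check
            alerts.append(("misuse", ev["user"], ev["target"]))
    counts = Counter(ev["user"] for ev in events if ev["user"] in BASELINE)
    for user, n in counts.items():                       # anomaly check
        threshold = mean(BASELINE[user]) + 3 * pstdev(BASELINE[user])
        if n > threshold:
            alerts.append(("anomaly", user, f"{n} requests, threshold {threshold:.1f}"))
    return alerts

if __name__ == "__main__":
    for method, subject, detail in detect(SAMPLE_LOG):
        print(f"{method:9} {subject:14} {detail}")
```

Note how the anomaly threshold depends entirely on the baseline: a baseline with little variance makes small deviations look suspicious, which is one source of the false positives mentioned above.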
Although IDSs may be an integral part of an institution's overall system security, they will not protect a system from previously unknown threats or vulnerabilities. They are not self-sufficient and do not compensate for weak authentication procedures (e.g., when an intruder already knows a password to access the system). Also, IDSs often have overlapping features with other security products, such as firewalls. IDSs provide additional protections by helping to determine if the firewall programs are working properly and by helping to detect internal abuses. Both firewalls and IDSs need to be properly configured and updated to combat new types of attacks. In addition, management should be aware that the state of these products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports, including text, charts, and graphs. The IDS reports can provide background information on the type of attack and recommend courses of action. When an intrusion is detected, the IDS can automatically begin to collect additional information on the attacker, which may be needed later for documentation purposes.
INTERNET COMPLIANCE - Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.