July 9, 2000
FYI - A study completed by a team of economists at the Office of the Comptroller of the Currency found that banks offering Internet services are typically more profitable than those that do not, with the exception of the smallest institutions.
FYI - The FDIC issued guidelines establishing standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLBA). The agencies are also seeking comment on the rescission of Year 2000 standards for safety and soundness. Comments are due by August 25, 2000.
FYI - The Federal Reserve Board requests comment on proposed revisions to Regulation E (Electronic Fund Transfers) to implement provisions of the Gramm-Leach-Bliley Act requiring disclosure of automated teller machine (ATM) fees. Comment is requested by August 18, 2000.
INTERNET SECURITY - In the FDIC paper "Security Risks Associated with the Internet," FDIC discusses the primary technical and procedural security measures necessary to properly govern access control and system security.
1) System Architecture and Design
Measures to address access control and system security start with the appropriate system architecture. Ideally, if an Internet connection is to be provided from within the institution, or a Web site established, the connection should be entirely separate from the core processing system. If the Web site is placed on its own server, there is no direct connection to the internal computer system. However, appropriate firewall technology may be necessary to protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers provides an added measure of protection, because requests could be segregated and routed to a particular server (such as a financial information server or a public information server). However, some systems may be considered so critical, they should be completely isolated from all other systems or networks. Security can also be enhanced by sending electronic transmissions from external sources to a machine that is not connected to the main operating system.
a) Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between two networks through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise.
The key to a firewall's ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for all permitted activities, as well as who may need to use them. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to be originating from an internal computer should be denied access. Alternatively, systems could be denied access based on their IP address, regardless of the origination point. Such requests could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.
b) Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each packet has headers which contain information for delivery, such as where the packet is from, where it is going, and what application it contains. The varying firewall techniques examine the headers and either permit or deny access to the system based on the firewall's rule configuration.
There are different types of firewalls that provide various levels of security. For instance, packet filters, sometimes implemented as screening routers, permit or deny access based solely on the stated source and/or destination IP address and the application (e.g., FTP). However, addresses and applications can be easily falsified, allowing attackers to enter systems. Other types of firewalls, such as circuit-level gateways and application gateways, actually have separate interfaces with the internal and external (Internet) networks, meaning no direct connection is established between the two networks. A relay program copies all data from one interface to another, in each direction. An even stronger firewall, a stateful inspection gateway, not only examines data packets for IP addresses, applications, and specific commands, but also provides security logging and alarm capabilities, in addition to historical comparisons with previous transmissions for deviations from normal context.
When evaluating the need for firewall technology, the potential costs of system or data compromise, including system failure due to attack, should be considered. For most financial institution applications, a strong firewall system is a necessity. All information into and out of the institution should pass through the firewall. The firewall should also be able to translate internal IP addresses to its own address, so that no inside addresses are exposed to the outside. The possibility always exists that security might be circumvented, so there must be procedures in place to detect attacks or system intrusions. Careful consideration should also be given to any data that is stored or placed on the server, especially sensitive or critically important data.
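A simplified illustration of the rules described above (deny everything not expressly permitted, reject external packets that claim an internal source, permit inbound but not outbound FTP, fail closed on a malformed header, log every denied packet, and, as a stateful inspection gateway would, admit replies only to sessions opened from inside). This is example code added here, not anything from the FDIC paper; the internal address range, the interface names and the packet fields are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample value: the institution's internal address range.
INTERNAL_NET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "external" or "internal"
    src: str         # source address stated in the header
    dst: str         # destination address stated in the header
    app: str         # application stated in the header, e.g. "http", "ftp"
    flags: str = ""  # "syn" marks a request to open a new connection

class Firewall:
    """Default-deny packet filter with anti-spoofing, direction-based
    application rules, session tracking and a log of denied packets."""

    def __init__(self):
        self.log = []
        self.sessions = set()  # (src, dst, app) of sessions opened from inside
        # Only what is expressly permitted, keyed by (arrival interface, app):
        # inbound FTP is permitted, outbound FTP is not (as in the text above),
        # and inside users may open outbound HTTP sessions.
        self.permitted = {("external", "ftp"), ("internal", "http")}

    def deny(self, pkt, reason):
        self.log.append(f"DENY {pkt.iface} {pkt.src}->{pkt.dst} {pkt.app}: {reason}")
        return False

    def check(self, pkt):
        try:
            src = ip_address(pkt.src)
            ip_address(pkt.dst)
        except ValueError as exc:  # unparseable header: fail closed
            return self.deny(pkt, f"malformed address ({exc})")
        # Anti-spoofing: traffic from outside may not claim an internal source.
        if pkt.iface == "external" and src in INTERNAL_NET:
            return self.deny(pkt, "spoofed internal source address")
        # Stateful rule: a reply to a session opened from inside is admitted.
        if pkt.iface == "external" and (pkt.dst, pkt.src, pkt.app) in self.sessions:
            return True
        if (pkt.iface, pkt.app) not in self.permitted:
            return self.deny(pkt, "not expressly permitted")
        if pkt.iface == "internal" and pkt.flags == "syn":
            self.sessions.add((pkt.src, pkt.dst, pkt.app))
        return True
```

The log the filter accumulates is the kind of record the routine log review described above would be applied to.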
INTERNET COMPLIANCE - Truth in Savings Act (Regulation DD)
Financial institutions that advertise deposit products and services online must verify that proper advertising disclosures are made in accordance with all provisions of Regulation DD. Institutions should note that the disclosure exemption for electronic media under the regulation does not specifically address commercial messages made through an institution's web site or other online banking system. Accordingly, adherence to all of the advertising disclosure requirements of the regulation is required.
Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to the regulation if the institution's deposit rates appear on third-party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication. According to the regulation, disclosures generally are required to be in writing and in a form that the consumer can keep.
IN CLOSING - The "Internet Banking News" is delivered to your computer every Monday morning, unless we have stated in a previous edition that we would not be publishing the newsletter because of holidays or vacations.
Sometimes your server could be down or your security system is not letting the e-mail through. Please send me an e-mail if you do not receive your copy of the "Internet Banking News."