FYI - Online Crime Costs
Rising - Online criminals are attacking corporate and government
networks more frequently, costing businesses an estimated $666
million in 2003, according to a survey of computer security
executives released today.
FYI - FDIC faulted for
weak security - The federal agency that insures U.S. bank deposits
suffers from network security holes that make it vulnerable to cyber
thieves and saboteurs, a report by congressional investigators
FYI - Group wants input
on vulnerability reporting guidelines - The Organization for
Internet Safety is soliciting comments on its guidelines for
reporting and responding to software security vulnerabilities.
FYI - GAO Technology
Assessment: Cybersecurity for Critical Infrastructure Protection.
FYI - GAO Information
Security: Agencies Face Challenges in Implementing Effective
Software Patch Management Processes.
FYI - Compliance costly - Keeping pace with ever-more-stringent
federal regulations has rocketed to the upper reaches of network
executives' concerns, according to the 10th annual Network World 500
FYI - Missing: A Laptop of DEA Informants- Federal investigators are
frantically trying to determine what happened to a missing laptop
computer that contains sensitive data on as many as 100 Drug
Enforcement Administration investigations around the country,
including a wealth of information about many of the agency's
Return to the top of the
COMPLIANCE - We continue our review of the FFIEC
interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
A. RISK DISCUSSION
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
Return to the top of the
INFORMATION SYSTEMS SECURITY
continue our series on the FFIEC interagency Information Security
CONTROLS TO PROTECT AGAINST MALICIOUS CODE
Typical controls to protect against malicious code use technology,
policies and procedures, and training. Prevention and detection of
malicious code typically involves anti-virus and other detection
products at gateways, mail servers, and workstations. Those products
generally scan messages for known signatures of a variety of
malicious code, or potentially dangerous behavioral characteristics.
Differences between products exist in detection capabilities and the
range of malicious code included in their signatures. Detection
products should not be relied upon to detect all malicious code.
Additionally, anti-virus and other products that rely on signatures
generally are ineffective when the malicious code is encrypted. For
example, VPNs, IPSec, and encrypted e-mail will all shield malicious
code from detection.
Signature-based anti-virus products scan for unique components of
certain known malicious code. Since new malicious code is created
daily, the signatures need to be updated continually. Different
vendors of anti-virus products update their signatures on different
frequencies. When an update appears, installing the update on all of
an institution's computers may involve automatically pushing the
update to the computers, or requesting users to manually obtain the
Heuristic anti - virus products generally execute code in a
protected area of the host to analyze and detect any hostile intent.
Heuristic products are meant to defend against previously unknown or
disguised malicious code.
Malicious code may be blocked at the firewall or gateway. For
example, a general strategy might be to block all executable e-mail
attachments, as well as any Active-X or Java applets. A more refined
strategy might block based on certain characteristics of known code.
Protection of servers involves examining input from users and only
accepting that input which is expected. This activity is called
filtering. If filtering is not employed, a Web site visitor, for
instance, could employ an attack that inserts code into a response
form, causing the server to perform certain actions. Those actions
could include changing or deleting data and initiating fund
Protection from malicious code also involves limiting the
capabilities of the servers and Web applications to only include
functions necessary to support operations. See "Systems Development,
Acquisition, and Maintenance."
Anti-virus tools and code blocking are not comprehensive solutions.
New malicious code could have different signatures, and bypass other
controls. Protection against newly developed malicious code
typically comes in the form of policies, procedures, and user
awareness and training. For example, policies could prohibit the
installation of software by unauthorized employees, and regular
reviews for unauthorized software could take place. System users
could be trained not to open unexpected messages, not to open any
executables, and not to allow or accept file transfers in P2P
communications. Additional protection may come from disconnecting
and isolating networks from each other or from the Internet in the
face of a fast-moving malicious code attack.
An additional detection control involves network and host intrusion
detection devices. Network intrusion detection devices can be tuned
to alert when known malicious code attacks occur. Host intrusion
detection can be tuned to alert when they recognize abnormal system
behavior, the presence of unexpected files, and changes to other
Return to the top of the
F. PERSONNEL SECURITY
4. Determine if the institution provides to its employees
appropriate security training covering the institution's policies
and procedures, on an appropriate frequency, and that institution
employees certify periodically as to their understanding and
awareness of the policy and procedures.
Return to the top of the
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
49. If the institution uses a Section 14 exception as
necessary to effect, administer, or enforce a transaction, is it :
a. required, or is one of the lawful or appropriate methods to
enforce the rights of the institution or other persons engaged in
carrying out the transaction or providing the product or service; [§14(b)(1)]
b. required, or is a usual, appropriate, or acceptable method
1. carry out the transaction or the product or service
business of which the transaction is a part, including recording,
servicing, or maintaining the consumer's account in the ordinary
course of business; [§14(b)(2)(i)]
2. administer or service benefits or claims; [§14(b)(2)(ii)]
3. confirm or provide a statement or other record of
the transaction or information on the status or value of the
financial service or financial product to the consumer or the
consumer's agent or broker; [§14(b)(2)(iii)]
4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
5. underwrite insurance or for reinsurance or for
certain other purposes related to a consumer's insurance; [§14(b)(2)(v)]
6. in connection with:
i. the authorization,
settlement, billing, processing, clearing, transferring,
reconciling, or collection of amounts charged, debited, or otherwise
paid by using a debit, credit, or other payment card, check, or
account number, or by other payment means; [§14(b)(2)(vi)(A)]
ii. the transfer of
receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
iii. the audit of debit,
credit, or other payment information? [§14(b)(2)(vi)(C)]