Comptroller of the Currency
Administrator of National Banks

E-Security Risk Mitigation:
A Supervisor's Perspective

Global Dialogue
World Bank Group
September 10, 2003

Hugh Kelly
Special Advisor for Global Banking
Office of the Comptroller of the Currency
What is Electronic Security?

• Any tool, technique, or process that protects a system's information assets from threats to confidentiality, integrity, or availability

E-security is composed of:
• Soft infrastructure – policies, procedures, processes & protocols that protect the system & data from compromise
• Hard infrastructure – hardware & software used to protect the system & data from threats to security from inside & outside
Why is E-Security Important?

• Greater reliance on technology increases potential for & likely impact of e-security threats
• By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets
• Growing global connectivity through distributed networks, broadband & wireless connections
• Most types of e-crimes are not new
• New dimensions of security threats due to networks & e-banking
Changing Nature of E-Threats

External:
• Speed & sophistication of cyber-attacks
• Hackers are smarter & better organized
• Blended threats & hybrid attacks
• Critical infrastructure reliance on Internet
• Cross-border nature of cyber-attacks

Internal:
• Security not well understood by Board & management, nor a high priority
• Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities
• Security holes in mobile & wireless networks
• Use of generic off-the-shelf software
• Just one naïve user with easy-to-guess password increases risk
World-Wide Cyber Attack Trends

[Chart: World-Wide Cyber Attack Trends, 1995–2002. Left axis: Network Intrusion Attempts** (0–120,000); right axis: Malicious Code Infection Attempts* (0–900M). Annotated milestones along the timeline: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]

* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404
Possible Effects of a Cyber Attack

• Denial-of-service
• Unauthorized use or misuse of computing systems
• Loss/alteration/compromise of data or software
• Monetary/financial loss
• Loss or endangerment of human life
• Loss of trust in computer/network system
• Loss of public confidence
Proactive & Multi-Layered Risk Mitigation Framework

• Need for broader adoption of proactive e-security risk mitigation processes
  • Help identify & manage threats
  • Meet business & customer expectations
  • Preserve public trust
• Caveat -- E-security framework must be multi-layered & dynamic
  • Changing risk profiles
  • People, processes & technology issues
E-Security Risk Control Program

• Need awareness at Boardroom level
  • Direct business impact
  • Linkage to standards demanded by regulators, shareholders & customers
• Apply Basel EBG e-banking risk management principles:
  • Active oversight by Board & management
  • Robust e-security risk control policy/program
  • Authentication & authorization
  • Data access controls, encryption & recovery
  • Intrusion detection, integrity checking & incident response procedures
• Consider operational risk impact
Supervisory Actions

• Need more focus globally on enhancing e-security supervision & examination
• Many individual bank supervisors are developing:
  • Modern e-security risk management standards for their banks
  • Integrated IT/safety & soundness examination procedures
  • Better incident reporting & analysis
  • Business continuity/disaster recovery plans (public/private sector scope)
Conclusion: What Can We Do Together?

• Enhance global supervisory cooperation on e-security issues
• Promote e-security risk management principles & best practices
• Information exchange on incidents, threat vulnerability assessments & risk mitigation needs
• Supervisory policy development, including examination approaches to cyber & IT risks
• Examiner training
• Public alerts & education