
Comptroller of the Currency, Administrator of National Banks

E-Security Risk Mitigation: A Supervisor's Perspective

Global Dialogue, World Bank Group

September 10, 2003

Hugh Kelly, Special Advisor for Global Banking

Office of the Comptroller of the Currency


What is Electronic Security?

Any tool, technique, or process that protects a system’s information assets from threats to confidentiality, integrity, or availability

E-security is composed of:
- Soft infrastructure: policies, procedures, processes & protocols that protect the system & data from compromise
- Hard infrastructure: hardware & software used to protect the system & data from threats to security from inside & outside


Why is E-Security Important?

- Greater reliance on technology increases potential for & likely impact of e-security threats
- By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets
- Growing global connectivity through distributed networks, broadband & wireless connections
- Most types of e-crimes are not new
- New dimensions of security threats due to networks & e-banking


Changing Nature of E-Threats

External:
- Speed & sophistication of cyber-attacks
- Hackers are smarter & better organized
- Blended threats & hybrid attacks
- Critical infrastructure reliance on Internet
- Cross-border nature of cyber-attacks

Internal:
- Security not well understood by Board & management, nor a high priority
- Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities
- Security holes in mobile & wireless networks
- Use of generic off-the-shelf software
- Just one naïve user with an easy-to-guess password increases risk

World-Wide Cyber Attack Trends

[Chart: two series plotted over 1995 to 2002. Left axis: Malicious Code Infection Attempts* (0 to 900M). Right axis: Network Intrusion Attempts** (0 to 120,000). Annotated events on the chart: Blended Threats (CodeRed, Nimda, Slammer); Denial of Service (Yahoo!, eBay); Mass Mailer Viruses (Love Letter/Melissa); Zombies; Polymorphic Viruses (Tequila).]

* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404


Possible Effects of a Cyber Attack

- Denial-of-service
- Unauthorized use or misuse of computing systems
- Loss/alteration/compromise of data or software
- Monetary/financial loss
- Loss or endangerment of human life
- Loss of trust in computer/network system
- Loss of public confidence


Proactive & Multi-Layered Risk Mitigation Framework

Need for broader adoption of proactive e-security risk mitigation processes:
- Help identify & manage threats
- Meet business & customer expectations
- Preserve public trust

Caveat: an e-security framework must be multi-layered & dynamic
- Changing risk profiles
- People, processes & technology issues


E-Security Risk Control Program

- Need awareness at Boardroom level
  - Direct business impact
  - Linkage to standards demanded by regulators, shareholders & customers
- Apply Basel EBG e-banking risk management principles:
  - Active oversight by Board & management
  - Robust e-security risk control policy/program
  - Authentication & authorization
  - Data access controls, encryption & recovery
  - Intrusion detection, integrity checking & incident response procedures
- Consider operational risk impact


Supervisory Actions

Need more focus globally on enhancing e-security supervision & examination

Many individual bank supervisors are developing:
- Modern e-security risk management standards for their banks
- Integrated IT/safety & soundness examination procedures
- Better incident reporting & analysis
- Business continuity/disaster recovery plans (public/private sector scope)


Conclusion: What Can We Do Together?

- Enhance global supervisory cooperation on e-security issues
- Promote e-security risk management principles & best practices
- Information exchange on incidents, threat vulnerability assessments & risk mitigation needs
- Supervisory policy development, including examination approaches to cyber & IT risks
- Examiner training
- Public alerts & education
