Comptroller of the Currency
Administrator of National Banks
E-Security Risk Mitigation: A Supervisor's Perspective
Global Dialogue, World Bank Group
September 10, 2003
Hugh Kelly, Special Advisor for Global Banking
Office of the Comptroller of the Currency
What is Electronic Security?
Any tool, technique, or process that protects a system’s information assets from threats to confidentiality, integrity, or availability
E-security is composed of:
- Soft infrastructure: policies, procedures, processes & protocols that protect the system & data from compromise
- Hard infrastructure: hardware & software used to protect the system & data from threats to security from inside & outside
Why is E-Security Important?
Greater reliance on technology increases potential for & likely impact of e-security threats
- By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets
- Growing global connectivity through distributed networks, broadband & wireless connections
Most types of e-crimes are not new
- New dimensions of security threats due to networks & e-banking
Changing Nature of E-Threats
External:
- Speed & sophistication of cyber-attacks
- Hackers are smarter & better organized
- Blended threats & hybrid attacks
- Critical infrastructure reliance on Internet
- Cross-border nature of cyber-attacks
Internal:
- Security not well understood by Board & management nor a high priority
- Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities
- Security holes in mobile & wireless networks
- Use of generic off-the-shelf software
- Just one naïve user with easy-to-guess password increases risk
World-Wide Cyber Attack Trends
[Chart, 1995 to 2002, with two series: Malicious Code Infection Attempts* (left axis, 0 to 900M) and Network Intrusion Attempts** (right axis, 0 to 120,000). Annotated milestones: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404
Possible Effects of a Cyber Attack
- Denial-of-service
- Unauthorized use or misuse of computing systems
- Loss/alteration/compromise of data or software
- Monetary/financial loss
- Loss or endangerment of human life
- Loss of trust in computer/network system
- Loss of public confidence
Proactive & Multi-Layered Risk Mitigation Framework
Need for broader adoption of proactive e-security risk mitigation processes
- Help identify & manage threats
- Meet business & customer expectations
- Preserve public trust
Caveat: the e-security framework must be multi-layered & dynamic
- Changing risk profiles
- People, processes & technology issues
E-Security Risk Control Program
Need awareness at Boardroom level
- Direct business impact
- Linkage to standards demanded by regulators, shareholders & customers
Apply Basel EBG e-banking risk management principles:
- Active oversight by Board & management
- Robust e-security risk control policy/program
- Authentication & authorization
- Data access controls, encryption & recovery
- Intrusion detection, integrity checking & incident response procedures
Consider operational risk impact
Supervisory Actions
Need more focus globally on enhancing e-security supervision & examination
Many individual bank supervisors are developing:
- Modern e-security risk management standards for their banks
- Integrated IT/safety & soundness examination procedures
- Better incident reporting & analysis
- Business continuity/disaster recovery plans (public/private sector scope)
Conclusion: What Can We Do Together?
Enhance global supervisory cooperation on e-security issues
- Promote e-security risk management principles & best practices
- Information exchange on incidents, threat vulnerability assessments & risk mitigation needs
- Supervisory policy development, including examination approaches to cyber & IT risks
- Examiner training
- Public alerts & education