Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September 10, 2003 Hugh Kelly Special Advisor for Global Banking Office of the Comptroller of the Currency


Page 1

Comptroller of the Currency, Administrator of National Banks

E-Security Risk Mitigation: A Supervisor’s Perspective

Global Dialogue, World Bank Group

September 10, 2003

Hugh Kelly, Special Advisor for Global Banking

Office of the Comptroller of the Currency

Page 2

What is Electronic Security?

Any tool, technique, or process that protects a system’s information assets from threats to confidentiality, integrity, or availability

E-security is composed of:

- Soft infrastructure – policies, procedures, processes & protocols that protect the system & data from compromise
- Hard infrastructure – hardware & software used to protect the system & data from threats to security from inside & outside

Page 3

Why is E-Security Important?

- Greater reliance on technology increases potential for & likely impact of e-security threats
- By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets
- Growing global connectivity through distributed networks, broadband & wireless connections
- Most types of e-crimes are not new
- New dimensions of security threats due to networks & e-banking

Page 4

Changing Nature of E-Threats

External:

- Speed & sophistication of cyber-attacks
- Hackers are smarter & better organized
- Blended threats & hybrid attacks
- Critical infrastructure reliance on Internet
- Cross-border nature of cyber-attacks

Internal:

- Security not well understood by Board & management nor a high priority
- Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities
- Security holes in mobile & wireless networks
- Use of generic off-the-shelf software
- Just one naïve user with easy-to-guess password increases risk

Page 5

World-Wide Cyber Attack Trends

[Chart: Malicious Code Infection Attempts* (left axis, 0 to 900M) and Network Intrusion Attempts** (right axis, 0 to 120,000), plotted by year from 1995 to 2002. Annotated milestones, in order: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]

* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;

** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404

Page 6

Possible Effects of a Cyber Attack

- Denial-of-service
- Unauthorized use or misuse of computing systems
- Loss/alteration/compromise of data or software
- Monetary/financial loss
- Loss or endangerment of human life
- Loss of trust in computer/network system
- Loss of public confidence

Page 7

Proactive & Multi-Layered Risk Mitigation Framework

Need for broader adoption of proactive e-security risk mitigation processes:

- Help identify & manage threats
- Meet business & customer expectations
- Preserve public trust

Caveat -- E-security framework must be multi-layered & dynamic:

- Changing risk profiles
- People, processes & technology issues

Page 8

E-Security Risk Control Program

Need awareness at Boardroom level:

- Direct business impact
- Linkage to standards demanded by regulators, shareholders & customers

Apply Basel EBG e-banking risk management principles:

- Active oversight by Board & management
- Robust e-security risk control policy/program
  - Authentication & authorization
  - Data access controls, encryption & recovery
  - Intrusion detection, integrity checking & incident response procedures

Consider operational risk impact

Page 9

Supervisory Actions

- Need more focus globally on enhancing e-security supervision & examination
- Many individual bank supervisors are developing:
  - Modern e-security risk management standards for their banks
  - Integrated IT/safety & soundness examination procedures
  - Better incident reporting & analysis
  - Business continuity/disaster recovery plans (public/private sector scope)

Page 10

Conclusion: What Can We Do Together?

- Enhance global supervisory cooperation on e-security issues
- Promote e-security risk management principles & best practices
- Information exchange on incidents, threat vulnerability assessments & risk mitigation needs
- Supervisory policy development, including examination approaches to cyber & IT risks
- Examiner training
- Public alerts & education