Nebraska Bankers Association

INFORMATION SYSTEM SECURITY: SECURITY RISKS ASSOCIATED WITH THE INTERNET

I.          INTRODUCTION

On December 18, 1997, the FDIC issued guidance (FIL-131-97) identifying many financial institution information system security risks associated with Internet use, whether in-house or outsourced, and describing several risk controls. The guidance, entitled Security Risks Associated with the Internet, does not make specific recommendations as to technical solutions, since risks and risk controls depend upon each institution’s individual system design and objectives. Because financial institutions could become prominent targets of malicious activity or suffer a security breach, the guidance provides that financial institution management recognize Internet banking risks, protect systems and data from compromise, implement appropriate controls and reevaluate such risks and controls on an ongoing basis.

The guidance serves to complement the FDIC’s safety and soundness examination procedures for electronic banking activities, which focus on non-technical functions, e.g., planning, administration, internal controls, and policies and procedures. Technical examinations are referred to FDIC information systems specialists and electronic banking subject matter experts.

II.        SECURITY RISKS

While the Internet in general is inherently insecure, current and developing technologies are utilized to facilitate secure electronic commerce transactions. Failure to review and address inherent risk factors increases the likelihood of system or data compromise. The FDIC identified five concerns as transactional and system security issues: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation and Access Control/System Design.

Data Privacy and Confidentiality. Unless protected, all data transfers, including e-mail, travel openly on the Internet and may be monitored or read by others. “Sniffer” programs can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to look for and collect certain types of data, e.g., credit card, deposit or loan account numbers or passwords. Data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems if proper security precautions are not taken.

Data Integrity. Those with specific knowledge and tools may be able to alter or modify data during a transmission. Data integrity could be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.

Authentication. There is a need to verify that a particular communication, transaction, or access request is legitimate, yet through “IP spoofing” one computer can claim to be another, or a user’s identity can be misrepresented. It is simple to send e-mail that appears to have come from someone else or to send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.

Non-repudiation. Non-repudiation involves proof of origin or delivery of data, to protect the sender against a false denial by the recipient that the data has been received, or to protect the recipient against a false denial by the sender that the data has been sent. Therefore, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions.

Access Control/System Design. A link between an institution’s internal network and the Internet may create additional access points into the internal operating system, which presents heightened risk to systems and data, requiring strong security measures to control access. Risks include the destruction, altering or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and resulting legal implications. Perpetrators include hackers, unscrupulous vendors, former or disgruntled employees or espionage agents.

Potential areas of vulnerability related to access control and system design include the following:

System Architecture and Design. The Internet can facilitate unchecked or undesired access to internal systems unless systems are appropriately designed and controlled, e.g., against IP spoofing. Improper access may also result from other technically permissible activities that are not properly restricted or secured. For example, application layer protocols are standard sets of rules determining how computers communicate across the Internet, and numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. HTTP facilitates the movement of text and images, FTP permits the transfer, copying and deleting of files between computers, and Telnet enables one computer to log in to another. FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture.

The open architecture of the Internet also makes system attacks easy, and compromised systems can be used to launch attacks against other systems. A denial of service attack, intended to bring down a server, system or application, may be accomplished by overwhelming a system with so many requests that it shuts down. An attack may also involve accessing and altering a Web site, e.g., changing advertised rates on CDs.

Security Scanning Products. There are software programs that run automated security scans against Web servers, firewalls and internal networks to identify weaknesses that may allow unauthorized system access or other attacks against the system. Although marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent.

Logical Access Controls. Controlling system access involves safeguarding user IDs and passwords. Passwords can be obtained through deceptive “spoofing” techniques such as redirecting users to false Web sites where passwords or user names are entered or creating shadow copies of Web sites where attackers can monitor all activities of a user. The unauthorized or unsuspected acquisition of data, e.g., passwords, user IDs, e-mail addresses, phone numbers, names and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone’s personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default or “cache” files can automatically retain images of such data received or sent over the Internet.

Security Flaws and Bugs/Active Content Languages. Software and hardware design vulnerabilities are usually widely publicized, and the identification of new bugs and flaws is constant and often serious enough to compromise system integrity. In addition, software marketed to the general public may not contain sufficient security controls for financial institution applications. Languages and technologies (e.g., Java, ActiveX) present security concerns, especially when dealing with network software or active content languages that allow computer programs to be attached to Web pages. Security flaws identified in Web browsers have included bugs that theoretically may allow the installation of programs on a Web server, which could then be used to back into the financial institution’s system. Such technologies, even where regarded as secure, must be managed properly.

Viruses/Malicious Programs. Viruses and other malicious programs are threats to systems or networks connected to the Internet. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access or initiating the transmission of data.

III.       CONCLUSION

Internet utilization presents numerous issues and risks that must be addressed, some of which are beyond an institution’s control. While Internet reliability and security improves, new tools and methods used by others to compromise data and systems may affect related aspects of an institution’s business. Therefore, comprehensive security controls must not only be implemented, but updated to guard against current and emerging threats. Security controls addressing risks presented in the FDIC guidance are included in its Appendix A, which is reproduced in whole following this article.

APPENDIX A

SECURITY MEASURES

PART ONE: Discusses the primary interrelated technologies, standards, and controls that presently exist to manage the risks of data privacy and confidentiality, data integrity, authentication, and non-repudiation.

I.          Encryption, Digital Signatures, and Certificate Authorities

Encryption techniques directly address the security issues surrounding data privacy, confidentiality, and data integrity. Encryption technology is also employed in digital signature processes, which address the issues of authentication and non-repudiation. Certificate authorities and digital certificates are emerging to address security concerns, particularly in the area of authentication. The function of and the need for encryption, digital signatures, certificate authorities, and digital certificates differ depending on the particular security issues presented by the bank's activities. The technologies, implementation standards, and the necessary legal infrastructure continue to evolve to address the security needs posed by the Internet and electronic commerce.

Encryption

Encryption, or cryptography, is a method of converting information to an unintelligible code. The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as “cryptographic keys.” These “keys” are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.

Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters. Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.

Symmetric and Asymmetric Key Systems

There are two types of cryptographic key systems, symmetric and asymmetric. With a symmetric key system (also known as secret key or private key systems), all parties have the same key. The keys can be used to encrypt and decrypt messages, and must be kept secret or the security is compromised. For the parties to get the same key, there has to be a way to securely distribute the key to each party. While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet. Asymmetric key systems can solve this problem.

In an asymmetric key system (also known as a public key system), two keys are used. One key is kept secret, and therefore is referred to as the “private key.” The other key is made widely available to anyone who wants it, and is referred to as the “public key.” The private and public keys are mathematically related so that information encrypted with the private key can only be decrypted by the corresponding public key. Similarly, information encrypted with the public key can only be decrypted by the corresponding private key. The private key, regardless of the key system utilized, is typically specific to a party or computer system. Therefore, the sender of a message can be authenticated as the private key holder by anyone decrypting the message with the public key. Importantly, it is mathematically impossible for the holder of any public key to use it to figure out what the private key is. The keys can be stored either on a computer or on a physically separate medium such as a smart card.

Regardless of the key system utilized, physical controls must exist to protect the confidentiality and access to the key(s). In addition, the key itself must be strong enough for the intended application. The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data. Stronger encryption may also be necessary to protect data that is in an open environment, such as on a Web server, for long time periods. Because the strength of the key is determined by its length, the longer the key, the harder it is for high-speed computers to break the code.

Digital Signatures

Digital signatures authenticate the identity of a sender, through the private, cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.

Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique, fixed-length character representation of the data). This process is known as “hashing,” and the algorithm as the hash function. The message digest is then encrypted with a private key, and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest with the sender’s public key, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation and the management of the cryptographic keys.
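The hash-then-sign exchange described above, worked through in Go as an added example (this code is not part of the FDIC guidance or the handbook). It assumes SHA-256 as the hash function and RSA PKCS#1 v1.5 as the private-key operation; the sample message and account numbers are constructed for the example. The three checks show what the recipient learns: a genuine message verifies, a message altered in transit fails, and a signature checked against some other party’s public key fails, which is the basis for binding the sender to the message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is the "message digest" step: the unencrypted message is run
// through a hash function (SHA-256 here) to produce a fixed-length value.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign hashes the message and signs the digest with the sender's private key
// (RSA PKCS#1 v1.5). This is the "message digest encrypted with a private key";
// the signature travels alongside the message.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(msg))
}

// Verify runs the received message through the same hash and checks the
// signature with the sender's public key. It returns true only when the
// message is unaltered and the signature was produced by the matching
// private key; the "decrypt the digest and compare" step happens inside
// rsa.VerifyPKCS1v15.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(msg), sig) == nil
}

// Outcome records the three checks the demonstration makes.
type Outcome struct {
	GenuineVerifies  bool // original message, sender's public key
	AlteredVerifies  bool // message changed in transit, same signature
	OtherKeyVerifies bool // original message, a different party's public key
}

// Demo signs a constructed sample message and exercises the verifier.
func Demo() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample message; the account numbers are not real.
	msg := []byte("Transfer 1,000.00 from account 0001 to account 0002")
	sig, err := Sign(sender, msg)
	if err != nil {
		return Outcome{}, err
	}
	// The same signature presented with a message altered in transit.
	altered := []byte("Transfer 9,000.00 from account 0001 to account 0002")
	return Outcome{
		GenuineVerifies:  Verify(&sender.PublicKey, msg, sig),
		AlteredVerifies:  Verify(&sender.PublicKey, altered, sig),
		OtherKeyVerifies: Verify(&other.PublicKey, msg, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Note that the signature alone gives integrity, authentication and non-repudiation but not confidentiality: the message is sent in the clear. As the paragraph says, privacy requires encrypting the message itself as a separate step.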

Certificate Authorities and Digital Certificates

Certificate authorities and digital certificates are emerging to further address the issues of authentication, non-repudiation, data privacy, and cryptographic key management. A certificate authority (CA) is a trusted third party that verifies the identity of a party to a transaction. To do this, the CA vouches for the identity of a party by attaching the CA’s digital signature to any messages, public keys, etc., which are transmitted. Obviously, the CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand. Digital certificates are messages that are signed with the CA’s private key. They identify the CA, the represented party, and could even include the represented party’s public key.

The responsibilities of CAs and their position among emerging technologies continue to develop. They are likely to play an important role in key management by issuing, retaining, or distributing public/private key pairs.

Implementation

The implementation and use of encryption technologies, digital signatures, certificate authorities, and digital certificates can vary. The technologies and methods can be used individually, or in combination with one another. Some techniques may merely encrypt data in transit from one location to another. While this keeps the data confidential during transmission, it offers little in regard to authentication and non-repudiation. Other techniques may utilize digital signatures, but still require the encrypted submission of sensitive information, like credit card numbers. Although protected during transmission, additional measures would need to be taken to ensure the sensitive information remains protected once received and stored.

The protection afforded by the above security measures will be governed by the capabilities of the technologies, the appropriateness of the technologies for the intended use, and the administration of the technologies utilized. Care should be taken to ensure the techniques utilized are sufficient to meet the required needs of the institution. All of the technical and implementation differences should be explored when determining the most appropriate package.

PART TWO: Discusses the primary technical and procedural security measures necessary to properly govern access control and system security.

I.          System Architecture and Design

Measures to address access control and system security start with the appropriate system architecture. Ideally, if an Internet connection is to be provided from within the institution, or a Web site established, the connection should be entirely separate from the core processing system. If the Web site is placed on its own server, there is no direct connection to the internal computer system. However, appropriate firewall technology may be necessary to protect Web servers and/or internal systems.

Placing a “screening router” between the firewall and other servers provides an added measure of protection, because requests could be segregated and routed to a particular server (such as a financial information server or a public information server). However, some systems may be considered so critical, they should be completely isolated from all other systems or networks. Security can also be enhanced by sending electronic transmissions from external sources to a machine that is not connected to the main operating system.

II.        Firewalls

Description, Configuration, and Placement

A firewall is a combination of hardware and software placed between two networks, through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise.

The key to a firewall’s ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for all permitted activities, as well as who may need to use them. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to be originating from an internal computer should be denied access. Alternatively, systems could be denied access based on their IP address, regardless of the origination point. Such requests could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.

Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.

Data Transmission and Types of Firewalls

Data traverses the Internet in units referred to as packets. Each packet has headers which contain information for delivery, such as where the packet is from, where it is going, and what application it contains. The varying firewall techniques examine the headers and either permit or deny access to the system based on the firewall's rule configuration.

There are different types of firewalls that provide various levels of security. For instance, packet filters, sometimes implemented as screening routers, permit or deny access based solely on the stated source and/or destination IP address and the application (e.g., FTP). However, addresses and applications can be easily falsified, allowing attackers to enter systems. Other types of firewalls, such as circuit-level gateways and application gateways, actually have separate interfaces with the internal and external (Internet) networks, meaning no direct connection is established between the two networks. A relay program copies all data from one interface to another, in each direction. An even stronger firewall, a stateful inspection gateway, not only examines data packets for IP addresses, applications, and specific commands, but also provides security logging and alarm capabilities, in addition to historical comparisons with previous transmissions for deviations from normal context.

Implementation

When evaluating the need for firewall technology, the potential costs of system or data compromise, including system failure due to attack, should be considered. For most financial institution applications, a strong firewall system is a necessity. All information into and out of the institution should pass through the firewall. The firewall should also be able to change IP addresses to the firewall IP address, so no inside addresses are passed to the outside. The possibility always exists that security might be circumvented, so there must be procedures in place to detect attacks or system intrusions. Careful consideration should also be given to any data that is stored or placed on the server, especially sensitive or critically important data.

III.       Product Certification and Security Scanning Products

Several organizations exist which independently assess and certify the adequacy of firewalls and other computer system related products. Typically, certified products have been tested for their ability to permit and sustain business functions while protecting against both common and evolving attacks.

Security scanning tools should be run frequently by system administrators to identify any new vulnerabilities or changes in the system. Ideally, the scan should be run both with and without the firewall in place so the firewall's protective capabilities can be fully evaluated. Identifying the susceptibility of the system without the firewall is useful for determining contingency procedures should the firewall ever go down. Some scanning tools have different versions with varying degrees of intrusion/attack attempts.

IV.       Logical Access Controls

If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alphanumeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others.

Other security measures should include the adoption of one-time passwords, or password aging measures that require periodic changes. Encryption technology can also be employed in the entry and transmission of passwords, PINs, user IDs, etc. Any password directories or databases should be properly protected as well.

Password guessing programs can be run against a system. Some can run through tens of thousands of password variations based on personal information, such as a user’s name or address. It is preferable to test for such vulnerabilities by running this type of program as a preventive measure, before an unauthorized party has the opportunity to do so. Incorporating a brief delay requirement after each incorrect login attempt can be very effective against these types of programs. In cases where a potential attacker is monitoring a network to collect passwords, a system utilizing one-time passwords would render any data collected useless.
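The two controls from the preceding paragraphs, a password selection check (length, alphanumeric mix, no resemblance to personal data) and a delay after each incorrect login attempt, implemented in Go as an added example that is not part of the FDIC guidance or the handbook. It assumes eight characters as the minimum (the upper end of the appendix’s “six to eight”), a case-insensitive substring test for “resemblance,” a salted SHA-256 of the stored password, and a delay that doubles with each consecutive failure; all of these are this example’s choices, and the user name and passwords are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// CheckPassword applies the selection rules: at least eight characters, both
// letters and digits, and no personal datum (of three or more characters)
// appearing inside the password in any letter case.
func CheckPassword(pw string, personal []string) error {
	if len(pw) < 8 {
		return errors.New("password shorter than 8 characters")
	}
	var hasLetter, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		return errors.New("password must mix letters and digits")
	}
	lower := strings.ToLower(pw)
	for _, p := range personal {
		p = strings.ToLower(p)
		if len(p) >= 3 && strings.Contains(lower, p) {
			return fmt.Errorf("password resembles personal data %q", p)
		}
	}
	return nil
}

type account struct {
	salt        [16]byte
	hash        [32]byte
	failures    int       // consecutive incorrect attempts
	lockedUntil time.Time // no attempt is considered before this instant
}

// Authenticator stores a salted hash per user (never the password itself)
// and imposes a growing delay after each incorrect attempt, which is what
// makes a guessing program's thousands of variations impractical.
type Authenticator struct {
	accounts  map[string]*account
	baseDelay time.Duration
}

func NewAuthenticator(baseDelay time.Duration) *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, baseDelay: baseDelay}
}

func hashPassword(salt [16]byte, pw string) [32]byte {
	return sha256.Sum256(append(salt[:], pw...))
}

// Register stores a fresh random salt and the salted hash for the user.
func (a *Authenticator) Register(user, pw string) error {
	acct := &account{}
	if _, err := rand.Read(acct.salt[:]); err != nil {
		return err
	}
	acct.hash = hashPassword(acct.salt, pw)
	a.accounts[user] = acct
	return nil
}

// Delay is the wait imposed after n consecutive failures: the base delay,
// doubling each time, capped at one hour.
func (a *Authenticator) Delay(failures int) time.Duration {
	d := a.baseDelay
	for i := 1; i < failures && d < time.Hour; i++ {
		d *= 2
	}
	if d > time.Hour {
		d = time.Hour
	}
	return d
}

// Attempt checks a login at time now. It returns whether the login succeeded
// and, if not, how long the caller must wait before another attempt will
// even be compared against the stored hash (zero on success).
func (a *Authenticator) Attempt(user, pw string, now time.Time) (bool, time.Duration) {
	acct, ok := a.accounts[user]
	if !ok {
		// Unknown IDs are refused with the same delay as a wrong password,
		// so the response does not reveal which user IDs exist.
		return false, a.baseDelay
	}
	if now.Before(acct.lockedUntil) {
		return false, acct.lockedUntil.Sub(now)
	}
	got := hashPassword(acct.salt, pw)
	if subtle.ConstantTimeCompare(got[:], acct.hash[:]) == 1 {
		acct.failures = 0
		return true, 0
	}
	acct.failures++
	d := a.Delay(acct.failures)
	acct.lockedUntil = now.Add(d)
	return false, d
}
```

Usage: call `CheckPassword(pw, []string{"Smith", "Lincoln"})` at enrollment, then `Register` and `Attempt`; a correct password submitted during the delay window is still refused, so a guessing program gains nothing by sending candidates faster. The delay is tracked per user ID here; a production system would also count failures per source address, since a program can spread guesses across many IDs.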

When additional measures are necessary to confirm that passwords or PINs are entered by the user, technologies such as tokens, smart cards, and biometrics can be useful. Utilizing these technologies adds another dimension to the security structure by requiring the user to possess something physical.

Tokens

Token technology relies on a separate physical device, which is retained by an individual, to verify the user’s identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer by means such as an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.

Smart Cards

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read-only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.

Biometrics

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.

V.        Security Flaws and Bugs

Because hardware and software continue to improve, the task of maintaining system performance and security is ongoing. Products are frequently issued which contain security flaws or other bugs, and then security patches and version upgrades are issued to correct the deficiencies. The most important action in this regard is to keep current on the latest software releases and security patches. This information is generally available from product developers and vendors. Also important is an understanding of the products and their security flaws, and how they may affect system performance. For example, if there is a time delay before a patch will be available to correct an identified problem, it may be necessary to invoke mitigating controls until the patch is issued.

Reference sources for the identification of software bugs exist, such as the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh, Pennsylvania. The CERT/CC, among other activities, issues advisories on security flaws in software products, and provides this information to the general public through subscription e-mail, Internet newsgroups (Usenet), and their Web site at www.cert.org. Many other resources are freely available on the Internet.

Active Content Languages

Active content languages have been the subject of a number of recent security discussions within the technology industry. While it is not their only application, these languages allow computer programs to be attached to Web pages. As such, more appealing and interactive Web pages can be created, but this function may also allow unauthorized programs to be automatically downloaded to a user’s computer. To date, few incidents have been reported of harm caused by such programs; however, active content programs could be malicious, designed to access or damage data or insert a virus.

Security problems may also arise from implementation, such as how the languages and the programs developed in them interact with other software, such as Web browsers. Typically, users can disable the acceptance of such programs in their Web browser, or configure the browser so they may choose which programs to accept and which to deny. It is important for users to understand how these languages function and the risks involved, so that they make educated decisions regarding their use. Security alerts concerning active content languages are usually well publicized and should receive prompt review by those utilizing the technology.

VI.       Viruses

Because potentially malicious programs can be downloaded directly onto a system from the Internet, virus protection measures beyond the traditional boot scanning techniques may be necessary to properly protect servers, systems, and workstations. Additional protection might include anti-virus products that remain resident, providing for scanning during downloads or the execution of any program. It is also important to ensure that all system users are educated in the risks posed to systems by viruses and other malicious programs, as well as the proper procedures for accessing information and avoiding such threats.


Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
402-474-1555