Full Text of OCC Guidance to Bankers and Examiners on Infrastructure Threats and Intrusion Risks

Source: OCC (2000-14)
Subject: Infrastructure Threats -- Intrusion Risks
Description: Message to Bankers and Examiners
Date: May 15, 2000
To: Chief Executive Officers of National Banks, Federal Branches and Agencies, Service Providers, Software Vendors, Department and Division Heads, and Examining Personnel.

PURPOSE AND SUMMARY

This bulletin provides guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. Intrusions can originate either inside or outside of the bank and can result in a range of damaging outcomes, including the theft of confidential information, unauthorized transfer of funds, and damage to an institution's reputation.

The prevalence and risk of computer intrusions are increasing as information systems become more connected and interdependent and as banks make greater use of Internet banking services and other remote access devices. Recent e-mail-based computer viruses and the distributed denial of service attacks earlier this year revealed that the security of all Internet-connected networks is increasingly intertwined. The number of reported intrusion incidents nearly tripled from 1998 to 1999, according to Carnegie Mellon University's CERT/CC. [Note 1: Carnegie Mellon's CERT/CC is part of a federally funded research and development center that helps organizations identify and recover from intrusions. It provides up-to-date information on vulnerabilities, specific attack techniques, and procedures for responding to these attacks.]

Management can reduce a bank's risk exposure by adopting and regularly reviewing its risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. This bulletin provides guidance in each of these critical areas and also highlights information-sharing mechanisms banks can use to keep abreast of current attack techniques and potential vulnerabilities. It supplements OCC Bulletin 99-9, "Infrastructure Threats from Cyber-Terrorists" (March 5, 1999), and other security-related OCC guidance listed in the reference section.

CONTENTS

Security Strategies and Plans
Intrusion Risk Assessment Plan
Controls to Prevent and Detect Intrusions
Intrusion Response Policies and Procedures
Information Sharing
Responsible Office
References

SECURITY STRATEGIES AND PLANS

Senior management and the board of directors are responsible for overseeing the development and implementation of their bank's security strategy and plan. Key elements to be included in those strategies and plans are an intrusion risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. These elements are needed for both internal and outsourced network management and operations and are consistent with the technology risk management process outlined in OCC Bulletin 98-3, "Technology Risk Management" (February 4, 1998); OCC Bulletin 98-38, "Technology Risk Management: PC Banking" (August 24, 1998); and the "Internet Banking" booklet of the Comptroller's Handbook (October 1999).

Intrusion Risk Assessment Plan

The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions. In assessing the risks, management should gather information from multiple sources, including (1) the value and sensitivity of the data and processes to be protected, (2) current and planned protection strategies, (3) potential threats, and (4) the vulnerabilities present in the network environment. [Note 2: The network environment should be interpreted broadly, including but not limited to internal and external connectivity, hardware and software and their configuration, contractors and employees involved in the operation of the network, and the current means used to mitigate risks.] Once information is collected, management should identify threats and the likelihood of those threats materializing, rank critical information assets and operations, and estimate potential damage.

The analysis should be used to develop an intrusion protection strategy and risk management plan. The intrusion protection strategy and risk management plan should be consistent with the bank's information security objectives. It also should balance the cost of implementing adequate security controls with the bank's risk tolerance and profile. The plan should be implemented within a reasonable time. Management should document this information, its analysis of the information, and decisions in forming the protection strategy and risk management plan. By documenting this information, management can better control the assessment process and facilitate future risk assessments.

Management should re-evaluate the strategy and plan when changes are made that could affect the potential for loss, when new vulnerabilities are uncovered, and when the nature and extent of threats change significantly. Changes to network security identified through assessments or other evaluations should be implemented promptly.

Controls to Prevent and Detect Intrusions

Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following:

Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics. [Note 3: Biometrics is a method of identifying a person's identity by analyzing a unique physical attribute.] The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan [Note 4: The lifespan of a password is the length of time the password allows access to the system. Generally speaking, shorter lifespans reduce the risk of password compromises.] for the systems being protected. Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This may include "social engineering," whereby intruders pose as authorized users to gain access to bank systems or customer records.

Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels for maintaining "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, from security-related web sites, and in the National Infrastructure Protection Center's bi-weekly CyberNotes. [Note 5: Available at http://www.fbi.gov/nipc/cybernotes.htm]

Software Integrity. Copies of software and integrity checkers [Note 6: An integrity checker uses logical analysis to identify whether a file has been changed.] are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and checking software. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file [Note 7: The signature file contains the information necessary to identify each virus.] to enable identification of new viruses.

Attack Profile. Frequently, systems are installed with more available components and services than are required for the performance of necessary functions. Banks maintaining unused features may unwittingly enable network penetration by increasing the potential vulnerabilities. To reduce the risk of intrusion, institutions should use the minimum number of system components and services to perform the necessary functions.

Modem Sweep. While access to a system is typically directed through a firewall, sometimes modems are attached to the system directly, perhaps without the knowledge of personnel responsible for security. Those modems can provide an uncontrolled and unmonitored area for attack. Modems that present such vulnerabilities should be identified and either eliminated, or monitored and controlled.

Intrusion Identification. Real-time identification of an attack is essential to minimize damage. Therefore, management should consider the use of real-time intrusion detection software. Generally, this software inspects for patterns or "signatures" that represent known intrusion techniques or unusual system activities. It may not be effective against new attack methods or modified attack patterns. The quality of the software and the sophistication of an attack also may reduce the software's effectiveness. To identify intrusions that escape software detection, other practices may be necessary. For example, banks can perform visual examinations and observations of systems and logs for unexpected or unusual activities and behaviors, as well as manual examinations of hardware.
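The integrity checker described under Software Integrity above, and the point made next that detection software's own integrity should be confirmed before it is used, as an added example that is not part of the bulletin: a baseline of SHA-256 file digests is sealed with an HMAC, a later run reports modified, added and removed files, and an altered checklist is refused rather than trusted. The key value, file paths and file contents are constructed for illustration; the bulletin's advice that the checklist and checker be stored away from the network is assumed to apply to the key as well.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical sealing key (constructed value). Like the checklist itself, it is
# assumed to be kept off the network in an access-limited location.
MANIFEST_KEY = b"constructed-example-key-stored-offline"


def file_digest(path):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the digest of every regular file under root, keyed by relative path."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return entries


def seal_manifest(entries):
    """Serialise the checklist and attach an HMAC so edits to the list itself are detectable."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_manifest(sealed):
    """Verify the HMAC before trusting the checklist; a modified list is refused outright."""
    expected = hmac.new(MANIFEST_KEY, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity checklist has been altered; do not trust it")
    return json.loads(sealed["body"])


def check_integrity(root, sealed):
    """Compare the live tree against the sealed baseline and report each deviation."""
    baseline = open_manifest(sealed)
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: seal a baseline, then alter, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin/ids", b"ids v1"), ("bin/fw", b"fw v1"), ("etc/rules", b"r1")):
            path = os.path.join(root, *name.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        sealed = seal_manifest(build_manifest(root))
        with open(os.path.join(root, "bin", "ids"), "ab") as f:
            f.write(b" + unauthorized change")  # detection binary modified
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new")  # file that was never in the baseline
        os.remove(os.path.join(root, "etc", "rules"))  # baseline file deleted
        return check_integrity(root, sealed)
```

Running check_integrity against a sealed baseline before each use of the detection software is the check the bulletin asks for; the demo shows all three deviation classes being reported.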
Since intrusion detection software itself is subject to compromise, banks should take steps to ensure the integrity of the software before it is used.

Firewalls. Firewalls are an important component of network security and can be effective in reducing the risk of a successful attack. The effectiveness of a firewall, however, is dependent on its design and implementation. Because misconfigurations, operating flaws, and the means of attack may render firewalls ineffective, management should consider additional security behind the firewall, such as intrusion identification and encryption.

Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure their data as well as their network. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of encryption should be proportional to the risk and impact if the data were revealed.

Employee and Contractor Background Checks. Management should ensure that information technology staff, contractors, and others who can make changes to information systems have passed background checks. Management also should periodically revalidate access lists and logon IDs.

Accurate and Complete Records of Users and Activities. Accurate and complete records of users and activities are essential for analysis, recovery, and development of additional security measures, as well as possible legal action. Information of primary importance includes the methods used to gain access, the extent of the intruder's access to systems and data, and the intruder's past and current activities. To ensure that adequate records exist, management should consider collecting information about users and user activities, systems, networks, file systems, and applications. Consideration should be given to protecting and securing this information by locating it in a physical location separate from the devices generating the records, writing the data to a tamperproof device, and encrypting the information both in transit and in storage. The OCC expects banks to limit the use of personally identifiable information collected in this manner for security purposes, and to otherwise comply with applicable law and regulations regarding the privacy of personally identifiable information.

Vendor Management. Banks rely on service providers, software vendors, and consultants to manage networks and operations. In outsourcing situations, management should ensure that contractual agreements are comprehensive and clear with regard to the vendor's responsibility for network security, including its monitoring and reporting obligations. Management should monitor the vendor's performance under the contract, as well as assess the vendor's financial condition at least annually.

Intrusion Response Policies and Procedures

Management should establish, document, and review the policies and procedures that guide the bank's response to information system intrusions. The review should take place at least annually, with more frequent reviews if the risk exposure warrants them. The OCC will assess the adequacy of policies and procedures that address the bank's handling of network intrusions in the context of the risks faced by the bank. Policies and procedures should address the following:

o The priority and sequence of actions to respond to an intrusion. Actions should address the containment and elimination of an intrusion and system restoration. Among other issues, containment actions include a determination of which business processes must remain operational, which systems may be disconnected as a precaution, and how to address authentication compromises (e.g., revealed passwords) across multiple systems.

o Gathering and retaining intrusion information, as discussed below.

o The employee's authority to act, whether by request or by pre-approval, and the process for escalating the intrusion response to progressively higher degrees of intensity and senior management involvement.

o Availability of necessary resources to respond to intrusions. Management should ensure that contact information is available for those who are responsible for responding to intrusions.

o System restoration tools and techniques, including the elimination of the intruder's means of entry and back doors, and the restoration of data and systems to the pre-intrusion state.

o Notification and reporting to operators of other affected systems, users, regulators, incident response organizations, and law enforcement. Guidelines for filing a Suspicious Activity Report for suspected computer related crimes are discussed below, and in OCC Advisory Letter 97-9, "Reporting Computer Related Crimes" (November 19, 1997).

o Periodic testing, as discussed below.

o Staff training resources and requirements.

Gathering and Retaining Intrusion Information. Particular care should be taken when gathering intrusion information. The OCC expects management to clearly assess the tradeoff between enabling an easier recovery by gathering information about an intruder and the risk that an intruder will inflict additional damage while that information is being gathered. Management should establish and communicate procedures and guidelines to employees through policies, procedures, and training. Intrusion evidence should be maintained in a fashion that enables recovery while facilitating subsequent actions by law enforcement. Legal chain of custody requirements must be considered. In general, legal chain of custody requirements address controlling and securing evidence from the time of the intrusion until it is turned over to law enforcement personnel.
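A tamper-evident form of the activity records called for under Accurate and Complete Records of Users and Activities above, which also supports the evidence-handling discussed here, as an added example that is not part of the bulletin: each record is bound to its predecessor with a keyed hash, so an edited or deleted record breaks the chain. The key, sample events and timestamps are constructed; because truncation of the newest records cannot be seen from the chain alone, the latest tag is also compared with a copy assumed to be anchored on the bulletin's separate, tamperproof store.

```python
import hashlib
import hmac
import json
import time

# Hypothetical verification key (constructed value). It is assumed to live with the
# record collector on a separate host, not on the devices generating the records.
RECORD_KEY = b"constructed-example-key-kept-on-collector"
GENESIS = "0" * 64  # predecessor tag of the very first record


def _tag(seq, ts, event, prev):
    """Keyed hash over the record fields and the previous record's tag."""
    payload = json.dumps([seq, ts, event, prev], sort_keys=True).encode()
    return hmac.new(RECORD_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain, event, ts=None):
    """Append an activity record bound to its predecessor."""
    ts = ts if ts is not None else int(time.time())
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "ts": ts, "event": event, "prev": prev,
                  "tag": _tag(seq, ts, event, prev)})
    return chain[-1]


def verify_chain(chain):
    """Return (True, length) if every link verifies, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(rec["tag"], _tag(rec["seq"], rec["ts"], rec["event"], rec["prev"])):
            return False, i
        prev = rec["tag"]
    return True, len(chain)


def matches_anchor(chain, anchored_tag):
    """Compare the newest tag with one anchored off-host; catches silent truncation."""
    latest = chain[-1]["tag"] if chain else GENESIS
    return hmac.compare_digest(latest, anchored_tag)


def demo():
    """Constructed user-activity records, then three tampering scenarios."""
    chain = []
    events = [
        {"user": "jdoe", "action": "logon", "host": "teller-07"},
        {"user": "jdoe", "action": "read", "object": "/accounts/1001"},
        {"user": "admin", "action": "privilege-change", "target": "jdoe"},
        {"user": "jdoe", "action": "logoff", "host": "teller-07"},
    ]
    for n, ev in enumerate(events):
        append_record(chain, ev, ts=958363200 + n)
    anchored = chain[-1]["tag"]  # copy that would be written to the tamperproof store
    results = {"intact": verify_chain(chain)}
    # Scenario 1: the privilege-change record is rewritten to look like an ordinary read.
    edited = json.loads(json.dumps(chain))
    edited[2]["event"]["action"] = "read"
    results["edited"] = verify_chain(edited)
    # Scenario 2: the same record is removed outright; the successor's seq/prev no longer fit.
    deleted = json.loads(json.dumps(chain))
    del deleted[2]
    results["deleted"] = verify_chain(deleted)
    # Scenario 3: the newest records are dropped; the chain still verifies, the anchor does not.
    results["truncated_verifies"] = verify_chain(chain[:2])[0]
    results["truncated_matches_anchor"] = matches_anchor(chain[:2], anchored)
    return results
```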
Chain of custody actions, and those actions that should be guarded against, should be identified and embodied in the bank's policies, procedures, and training.

Suspicious Activity Reporting. National banks are required to report intrusions and other computer crimes to the OCC and law enforcement by filing a Suspicious Activity Report (SAR) form and submitting it to the Financial Crimes Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This reporting obligation exists regardless of whether the institution has reported the intrusion to the information-sharing organizations discussed below. For purposes of the regulation and the SAR form instructions, an "intrusion" is defined as gaining access to the computer system of a financial institution to remove, steal, procure or otherwise affect information or funds of the institution or customers. It also includes actions that damage, disable, or otherwise affect critical systems of the institution. For example, distributed denial of service (DDoS) attacks should be reported on a SAR because they may temporarily disable critical systems of financial institutions.

Testing. Management should ensure that information system networks are tested regularly. The nature, extent, and frequency of tests should be proportionate to the risks of intrusions from external and internal sources. [Note 8: In accordance with OCC Bulletin 98-38, "Technology Risk Management: PC Banking" (August 24, 1998), management should ensure that an objective, qualified source conducts a penetration test of Internet banking systems at least once a year or more frequently when appropriate.] Management should select qualified and reputable individuals to perform the tests and ensure that tests do not inadvertently damage information systems or reveal confidential information to unauthorized individuals. Management should oversee the tests, review test results, and respond to deficiencies in a timely manner.

INFORMATION SHARING

Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.

The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, by e-mail at admin@fsisac.com, or through its Web site at http://www.fsisac.com.

The FBI operates the National Information Protection Center Infraguard outreach effort. Since Infraguard supports law enforcement efforts, Infraguard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information, and is distributed to other Infraguard members. Banks can contact the FBI through local FBI field offices or via e-mail at nipc@fbi.gov.

CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or by e-mail at cert@cert.org.

RESPONSIBLE OFFICE

Questions regarding this banking issuance should be directed to Clifford A. Wilke, director, Bank Technology Division, (202) 874-5920 or via e-mail: clifford.wilke@occ.treas.gov.

Clifford A. Wilke
Director
Bank Technology Division

Appendix -- References

The OCC issued Bulletin 99-9 (March 5, 1999) to identify and raise awareness of the threats and vulnerabilities created by cyber-terrorism to the financial services industry. It focused on a national bank's ability to protect the integrity, confidentiality, and availability of information technology resources. This document supplements Bulletin 99-9 and relevant parts of OCC Bulletin 98-38, "Technology Risk Management: PC Banking" (August 24, 1998). It also supplements OCC Bulletin 98-3, "Technology Risk Management" (February 4, 1998), which describes the application of the OCC's supervision by risk framework to the risks posed by technology. The objectives and procedures that examiners use to evaluate the quality of risk management and quantity of risk are addressed in the OCC's "Internet Banking" booklet (October 1999).

The FFIEC recently issued an Information Security Precautions Advisory (as transmitted by OCC Advisory Letter 99-12 on November 22, 1999). That advisory addressed the potential for information system intrusions during the Year 2000 rollover.

For additional information on information security policies and controls, see the following documents.

o Comptroller's Handbook -- "Internet Banking," October 1999
o OCC Alert 2000-1, February 11, 2000 -- "Internet Security: Distributed Denial of Service Attacks" (available at http://www.occ.treas.gov/ftp/alert/2000-1.doc)
o OCC Bulletin 99-9, March 5, 1999 -- "Infrastructure Threats from Cyber-Terrorists" (available at http://www.occ.treas.gov/ftp/bulletin/99-9.txt)
o OCC Advisory Letter 97-9, November 19, 1997 -- "Reporting Computer Related Crimes" (available at http://www.occ.treas.gov/ftp/advisory/97-9.txt)
o OCC Bulletin 98-3, February 4, 1998 -- "Technology Risk Management" (available at http://www.occ.treas.gov/ftp/bulletin/98-3.txt)
o OCC Bulletin 98-38, August 24, 1998 -- "Technology Risk Management: PC Banking" (available at http://www.occ.treas.gov/ftp/bulletin/98-38.txt)
o OCC Banking Circular 229, May 31, 1988 -- "Information Security"
o FFIEC AL 99-12, November 19, 1999 -- "Information Security Precautions Advisory" (available at http://www.occ.treas.gov/ftp/advisory/99-12.txt)
o FFIEC IS Examination Handbook (1996)
o FRB SR 97-32 (SUP), December 4, 1997 -- "Sound Practices Guidance for Information Security for Networks"
o FDIC FIL 99-68, July 17, 1999 -- "Risk Assessment Tools and Practices for Information System Security" (available at http://192.147.69.45/news/news/financial/1999/FIL9968a.HTML)
o Presidential Decision Directive 63, May 22, 1998 -- "Protecting America's Critical Infrastructures" (available at http://www.info-sec.com/ciao/63factsheet.html)
o 18 USC 1030, "Fraud and Related Activity in Connection with Computers" (available at http://www.usdoj.gov/criminal/cybercrime/1030_new.html)
o General Accounting Office, "Information Risk Assessment: Practices of Leading Organizations," November 1999 (available at http://www.gao.gov/AIndexFY99/abstracts/ai99139.htm)
o Carnegie Mellon Software Engineering Institute Security Improvement Module CMU/SEI-SIM-004, "Securing Desktop Workstations," February 1999 (available at http://www.cert.org/security-improvement/modules/m04.html)
o Carnegie Mellon Software Engineering Institute Security Improvement Module CMU-SIM-007, "Securing Network Servers," February 1999 (available at http://www.cert.org/security-improvement/modules/m07.html)
o Carnegie Mellon Software Engineering Institute Security Improvement Module CMU-SIM-005, "Preparing to Detect Signs of Intrusion," June 1998 (available at http://www.cert.org/security-improvement/modules/m05.html)
o Carnegie Mellon Software Engineering Institute Security Improvement Module CMU-SIM-001, "Detecting Signs of Intrusion," August 1997 (available at http://www.cert.org/security-improvement/modules/m01.html)
o Carnegie Mellon Software Engineering Institute Security Improvement Module CMU-SIM-006, "Responding to Intrusions," February 1999 (available at http://www.cert.org/security-improvement/modules/m06.html)
o Carnegie Mellon Software Engineering Institute Technical Report CMU/SEI-99-TR-028, "State of the Practice of Intrusion Detection Technologies," February 2000 (available at http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028abstract.html)
o Financial Services Information Sharing and Analysis Center (available at http://www.fsisac.com)
o Infraguard Outreach Effort (available at http://www.fbi.gov/nipc/outreachinfragd.htm)
o CERT/CC (available at http://www.cert.org)
