FDIC Issues Paper
on Risks Related to Internet Use
In response to the ever-increasing number of financial institutions
using the Internet, the FDIC has issued the attached paper identifying
many of the risks to an institution's information system security associated
with Internet use. The paper also describes several risk controls.
The Internet offers financial institutions a wide array of opportunities
to access resources and to deliver information, products and services.
However, the principal benefits of Internet access, namely its global
reach and open architecture, also present significant security risks.
The paper, Security Risks Associated with the Internet, offers
helpful information to financial institutions that are currently using
or are planning to use the Internet as an information resource or delivery
channel. The paper does not make specific recommendations as to which
technical solutions an institution should deploy. This will depend on
each institution's individual system design and objectives. However, bank
management must recognize the risks that the Internet presents and implement
appropriate controls. Further, given the dynamics of technology, risks
and controls should continue to be evaluated on an ongoing basis.
This paper is designed to complement the FDIC's safety and soundness
examination procedures for electronic banking activities. The safety and
soundness procedures focus on non-technical functions such as planning,
administration, internal controls, and policies and procedures. Technical
examinations of these systems are referred to FDIC information systems
specialists and electronic banking subject matter experts. The FDIC has
initiated a comprehensive training program for these specialists and is
developing technical examination work programs.
For further information, please contact your Division of Supervision
Regional Office or Examination Specialist Cynthia A. Bonnette at (202)
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained
through the FDIC's Public Information Center, 801 17th St., NW, Room 100,
Washington, DC 20434 (800-276-6003 or (703) 562-2200).
Security Risks Associated
with the Internet
Federal Deposit Insurance Corporation
Division of Supervision
SECURITY RISKS ASSOCIATED WITH THE INTERNET
This paper alerts financial institutions to the fundamental technological
risks presented by use of the Internet. Regardless of whether systems
are maintained in-house or services are outsourced, bank management is
responsible for protecting systems and data from compromise. This paper
is intended to provide foundational information to be considered by management,
but should not be relied upon to identify all potential risk factors.
Appendix A discusses applicable security measures.
Continuing advances in technology and its prominent role in commerce
are leading financial institutions toward the Internet in increasing numbers.
Uses of the Internet may include information-only, information transfer,
or fully transactional sites on the World Wide Web (Web), or the capability
to access the Internet may exist from within the institution. Regardless
of the use, numerous risks exist which must be addressed within the bank's
risk management program. Security breaches due to some of the following
factors may currently be rare, but as banks expand their role in electronic
commerce they could potentially become prominent targets of malicious
III. Security Risks
The Internet is inherently insecure. By design, it is an open network
which facilitates the flow of information between computers. Technologies
are being developed so the Internet may be used for secure electronic
commerce transactions, but failure to review and address the inherent
risk factors increases the likelihood of system or data compromise. Five
areas of concern relating to both transactional and system security issues,
as discussed below, are: Data Privacy and Confidentiality, Data Integrity,
Authentication, Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic
mail, travel openly over the Internet and can be monitored or read by
others. Given the volume of transmissions and the numerous paths available
for data travel, it is unlikely that a particular transmission would be
monitored at random. However, programs, such as "sniffer" programs, can
be set up at opportune locations on a network, like Web servers (i.e.,
computers that provide services to other computers on the Internet), to
simply look for and collect certain types of data. Data collected from
such programs can include account numbers (e.g., credit cards, deposits,
or loans) or passwords.
Due to the design of the Internet, data privacy and confidentiality
issues extend beyond data transfer and include any connected data storage
systems, including network drives. Any data stored on a Web server may
be susceptible to compromise if proper security precautions are not taken.
Potentially, the open architecture of the Internet can allow those with
specific knowledge and tools to alter or modify data during a transmission.
Data integrity could also be compromised within the data storage system
itself, both intentionally and unintentionally, if proper access controls
are not maintained. Steps must be taken to ensure that all data is maintained
in its original or intended form.
Essential in electronic commerce is the need to verify that a particular
communication, transaction, or access request is legitimate. To illustrate,
computer systems on the Internet are identified by an Internet protocol
(IP) address, much like a telephone is identified by a phone number. Through
a variety of techniques, generally known as "IP spoofing" (i.e., impersonating),
one computer can actually claim to be another. Likewise, user identity
can be misrepresented as well. In fact, it is relatively simple to send
e-mail which appears to have come from someone else, or even send it anonymously.
Therefore, authentication controls are necessary to establish the identities
of all parties to a communication.
Non-repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient that
the data has been received or to protect the recipient against false denial
by the sender that the data has been sent. To ensure that a transaction
is enforceable, steps must be taken to prohibit parties from disputing
the validity of, or refusing to acknowledge, legitimate communications
Access Control / System Design
Establishing a link between a bank's internal network and the Internet
can create a number of additional access points into the internal operating
system. Furthermore, because the Internet is global, unauthorized access
attempts might be initiated from anywhere in the world. These factors
present a heightened risk to systems and data, necessitating strong security
measures to control access. Because the security of any network is only
as strong as its weakest link, the functionality of all related systems
must be protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds; compromised
data confidentiality; denial of service (system failures); a damaged public
image; and resulting legal implications. Perpetrators may include hackers,
unscrupulous vendors, former or disgruntled employees, or even agents
The following topics represent potential areas of vulnerability related
to access control and system design.
System Architecture and Design
The Internet can facilitate unchecked and/or undesired access to internal
systems, unless systems are appropriately designed and controlled. Unwelcome
system access could be achieved through IP spoofing techniques, where
an intruder may impersonate a local or internal system and be granted
access without a password. If access to the system is based only on an
IP address, any user could gain access by masquerading as a legitimate,
authorized user by "spoofing" the user's address. Not only could any user
of that system gain access to the targeted system, but so could any system
that it trusts.
Improper access can also result from other technically permissible activities
that have not been properly restricted or secured. For example, application
layer protocols are the standard sets of rules that determine how computers
communicate across the Internet. Numerous application layer protocols,
each with different functions and a wide array of data exchange capabilities,
are utilized on the Internet. The most familiar, Hyper Text Transfer Protocol
(HTTP), facilitates the movement of text and images. But other types of
protocols, such as File Transfer Protocol (FTP), permit the transfer,
copying, and deleting of files between computers. Telnet protocol actually
enables one computer to log in to another. Protocols such as FTP and Telnet
exemplify activities which may be improper for a given system, even though
the activities are within the scope of the protocol architecture.
The open architecture of the Internet also makes it easy for system
attacks to be launched against systems from anywhere in the world. Systems
can even be accessed and then used to launch attacks against other systems.
A typical attack would be a denial of service attack, which is intended
to bring down a server, system, or application. This might be done by
overwhelming a system with so many requests that it shuts down. Or, an
attack could be as simple as accessing and altering a Web site, such as
changing advertised rates on certificates of deposit.
Security Scanning Products
A number of software programs exist which run automated security scans
against Web servers, firewalls, and internal networks. These programs
are generally very effective at identifying weaknesses that may allow
unauthorized system access or other attacks against the system. Although
these products are marketed as security tools to system administrators
and information systems personnel, they are available to anyone and may
be used with malicious intent. In some cases, the products are freely
available on the Internet.
Logical Access Controls
A primary concern in controlling system access is the safeguarding of
user IDs and passwords. The Internet presents numerous issues to consider
in this regard. Passwords can be obtained through deceptive "spoofing"
techniques such as redirecting users to false Web sites where passwords
or user names are entered, or creating shadow copies of Web sites where
attackers can monitor all activities of a user. Many "spoofing" techniques
are hard to identify and guard against, especially for an average user,
making authentication processes an important defense mechanism.
The unauthorized or unsuspected acquisition of data such as passwords,
user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate
an attempt at unauthorized access to a system or application. If passwords
and user IDs are a derivative of someone's personal information, malicious
parties could use the information in software programs specifically designed
to generate possible passwords. Default files on a computer, sometimes
called "cache" files, can automatically retain images of such data received
or sent over the Internet, making them a potential target for a system
Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an area
of concern. Security problems are often identified after the release of
a new product, and solutions to correct security flaws commonly contain
flaws themselves. Such vulnerabilities are usually widely publicized,
and the identification of new bugs is constant. These bugs and flaws are
often serious enough to compromise system integrity. Security flaws and
exploitation guidelines are also frequently available on hacker Web sites.
Furthermore, software marketed to the general public may not contain sufficient
security controls for financial institution applications.
Newly developed languages and technologies present similar security
concerns, especially when dealing with network software or active content
languages which allow computer programs to be attached to Web pages (e.g.,
Java, ActiveX). Security flaws identified in Web browsers (i.e., application
software used to navigate the Internet) have included bugs which, theoretically,
may allow the installation of programs on a Web server, which could then
be used to back into the bank's system. Even if new technologies are regarded
as secure, they must be managed properly. For example, if controls over
active content languages are inadequate, potentially hostile and malicious
programs could be automatically downloaded from the Internet and executed
on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or networks
that are connected to the Internet, because they may be downloaded directly.
Aside from causing destruction or damage to data, these programs could
open a communication link with an external network, allowing unauthorized
system access, or even initiating the transmission of data.
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will present
additional challenges to the bank, some will be beyond the bank's control.
The reliability of the Internet continues to improve, but situations including
delayed or misdirected transmissions and operating problems involving
Internet Service Providers (ISPs) could also have an effect on related
aspects of the bank's business.
The risks will not remain static. As technologies evolve, security controls
will improve; however, so will the tools and methods used by others to
compromise data and systems. Comprehensive security controls must not
only be implemented, but also updated to guard against current and emerging
threats. Security controls that address the risks presented in this letter
are discussed in Appendix A.
PART ONE: Discusses the primary interrelated technologies, standards,
and controls that presently exist to manage the risks of data privacy
and confidentiality, data integrity, authentication, and non-repudiation.
I. Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues surrounding
data privacy, confidentiality, and data integrity. Encryption technology
is also employed in digital signature processes, which address the issues
of authentication and non-repudiation. Certificate authorities and digital
certificates are emerging to address security concerns, particularly in
the area of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital certificates
differ depending on the particular security issues presented by the bank's
activities. The technologies, implementation standards, and the necessary
legal infrastructure continue to evolve to address the security needs
posed by the Internet and electronic commerce.
Encryption, or cryptography, is a method of converting information to
an unintelligible code. The process can then be reversed, returning the
information to an understandable form. The information is encrypted (encoded)
and decrypted (decoded) by what are commonly referred to as "cryptographic
keys." These "keys" are actually values, used by a mathematical algorithm
to transform the data. The effectiveness of encryption technology is determined
by the strength of the algorithm, the length of the key, and the appropriateness
of the encryption system selected.
Because encryption renders information unreadable to any party without
the ability to decrypt it, the information remains private and confidential,
whether being transmitted or stored on a system. Unauthorized parties
will see nothing but an unorganized assembly of characters. Furthermore,
encryption technology can provide assurance of data integrity as some
algorithms offer protection against forgery and tampering. The ability
of the technology to protect the information requires that the encryption
and decryption keys be properly managed by authorized parties.
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and asymmetric.
With a symmetric key system (also known as secret key or private key systems),
all parties have the same key. The keys can be used to encrypt and decrypt
messages, and must be kept secret or the security is compromised. For
the parties to get the same key, there has to be a way to securely distribute
the key to each party. While this can be done, the security controls necessary
make this system impractical for widespread and commercial use on an open
network like the Internet. Asymmetric key systems can solve this problem.
In an asymmetric key system (also known as a public key system), two
keys are used. One key is kept secret, and therefore is referred to as
the "private key." The other key is made widely available to anyone who
wants it, and is referred to as the "public key." The private and public
keys are mathematically related so that information encrypted with the
private key can only be decrypted by the corresponding public key. Similarly,
information encrypted with the public key can only be decrypted by the
corresponding private key. The private key, regardless of the key system
utilized, is typically specific to a party or computer system. Therefore,
the sender of a message can be authenticated as the private key holder
by anyone decrypting the message with a public key. Importantly, it is
mathematically impossible for the holder of any public key to use it to
figure out what the private key is. The keys can be stored either on a
computer or on a physically separate medium such as a smart card.
Regardless of the key system utilized, physical controls must exist
to protect the confidentiality and access to the key(s). In addition,
the key itself must be strong enough for the intended application. The
appropriate encryption key may vary depending on how sensitive the transmitted
or stored data is, with stronger keys utilized for highly confidential
or sensitive data. Stronger encryption may also be necessary to protect
data that is in an open environment, such as on a Web server, for long
time periods. Because the strength of the key is determined by its length,
the longer the key, the harder it is for high-speed computers to break
Digital signatures authenticate the identity of a sender, through the
private, cryptographic key. In addition, every digital signature is different
because it is derived from the content of the message itself. The combination
of identity authentication and singularly unique signatures results in
a transmission that cannot be repudiated.
Digital signatures can be applied to any data transmission, including
e-mail. To generate a digital signature, the original, unencrypted message
is run through a mathematical algorithm that generates what is known as
a message digest (a unique, character representation of the data). This
process is known as the "hash." The message digest is then encrypted with
a private key, and sent along with the message. The recipient receives
both the message and the encrypted message digest. The recipient decrypts
the message digest, and then runs the message through the hash function
again. If the resulting message digest matches the one sent with the message,
the message has not been altered and data integrity is verified. Because
the message digest was encrypted with a private key, the sender can be
identified and bound to the specific message. The digital signature cannot
be reused, because it is unique to the message. In the above example,
data privacy and confidentiality could also be achieved by encrypting
the message itself. The strength and security of a digital signature system
is determined by its implementation, and the management of the cryptographic
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to further
address the issues of authentication, non-repudiation, data privacy, and
cryptographic key management. A certificate authority (CA) is a trusted
third party that verifies the identity of a party to a transaction. To
do this, the CA vouches for the identity of a party by attaching the CA's
digital signature to any messages, public keys, etc., which are transmitted.
Obviously, the CA must be trusted by the parties involved, and identities
must have been proven to the CA beforehand. Digital certificates are messages
that are signed with the CA's private key. They identify the CA, the represented
party, and could even include the represented party's public key.
The responsibilities of CAs and their position among emerging technologies
continue to develop. They are likely to play an important role in key
management by issuing, retaining, or distributing public/private key pairs.
The implementation and use of encryption technologies, digital signatures,
certificate authorities, and digital certificates can vary. The technologies
and methods can be used individually, or in combination with one another.
Some techniques may merely encrypt data in transit from one location to
another. While this keeps the data confidential during transmission, it
offers little in regard to authentication and non-repudiation. Other techniques
may utilize digital signatures, but still require the encrypted submission
of sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to ensure
the sensitive information remains protected once received and stored.
The protection afforded by the above security measures will be governed
by the capabilities of the technologies, the appropriateness of the technologies
for the intended use, and the administration of the technologies utilized.
Care should be taken to ensure the techniques utilized are sufficient
to meet the required needs of the institution. All of the technical and
implementation differences should be explored when determining the most
PART TWO: Discusses the primary technical and procedural security
measures necessary to properly govern access control and system security.
I. System Architecture and Design
Measures to address access control and system security start with the
appropriate system architecture. Ideally, if an Internet connection is
to be provided from within the institution, or a Web site established,
the connection should be entirely separate from the core processing system.
If the Web site is placed on its own server, there is no direct connection
to the internal computer system. However, appropriate firewall technology
may be necessary to protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers
provides an added measure of protection, because requests could be segregated
and routed to a particular server (such as a financial information server
or a public information server). However, some systems may be considered
so critical, they should be completely isolated from all other systems
or networks. Security can also be enhanced by sending electronic transmissions
from external sources to a machine that is not connected to the main operating
Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between
two networks which all traffic, regardless of the direction, must pass
through. When employed properly, it is a primary security measure in governing
access control and protecting the internal system from compromise.
The key to a firewall's ability to protect the network is its configuration
and its location within the system. Firewall products do not afford adequate
security protection as purchased. They must be set up, or configured,
to permit or deny the appropriate traffic. To provide the most security,
the underlying rule should be to deny all traffic unless expressly permitted.
This requires system administrators to review and evaluate the need for
all permitted activities, as well as who may need to use them. For example,
to protect against Internet protocol (IP) spoofing, data arriving from
an outside network that claims to be originating from an internal computer
should be denied access. Alternatively, systems could be denied access
based on their IP address, regardless of the origination point. Such requests
could then be evaluated based on what information was requested and where
in the internal system it was requested from. For instance, incoming FTP
requests may be permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to perform
business operations and the need for security. Due to the intricate details
of firewall programming, the configuration should be reassessed after
every system change or software update. Even if the system or application
base does not change, the threats to the system do. Evolving risks and
threats should be routinely monitored and considered to ensure the firewall
remains an adequate security measure. If the firewall system should ever
fail, the default should deny all access rather than permit the information
flow to continue. Ideally, firewalls should be installed at any point
where a computer system comes into contact with another network. The firewall
system should also include alerting mechanisms to identify and record
successful and attempted attacks and intrusions. In addition, detection
mechanisms and procedures should include the generation and routine review
of security logs.
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each packet
has headers which contain information for delivery, such as where the
packet is from, where it is going, and what application it contains. The
varying firewall techniques examine the headers and either permit or deny
access to the system based on the firewall's rule configuration.
There are different types of firewalls that provide various levels of
security. For instance, packet filters, sometimes implemented as screening
routers, permit or deny access based solely on the stated source and/or
destination IP address and the application (e.g., FTP). However, addresses
and applications can be easily falsified, allowing attackers to enter
systems. Other types of firewalls, such as circuit-level gateways and
application gateways, actually have separate interfaces with the internal
and external (Internet) networks, meaning no direct connection is established
between the two networks. A relay program copies all data from one interface
to another, in each direction. An even stronger firewall, a stateful inspection
gateway, not only examines data packets for IP addresses, applications,
and specific commands, but also provides security logging and alarm capabilities,
in addition to historical comparisons with previous transmissions for
deviations from normal context.
When evaluating the need for firewall technology, the potential costs
of system or data compromise, including system failure due to attack,
should be considered. For most financial institution applications, a strong
firewall system is a necessity. All information into and out of the institution
should pass through the firewall. The firewall should also be able to
change IP addresses to the firewall IP address, so no inside addresses
are passed to the outside. The possibility always exists that security
might be circumvented, so there must be procedures in place to detect
attacks or system intrusions. Careful consideration should also be given
to any data that is stored or placed on the server, especially sensitive
or critically important data.
III. Product Certification and Security Scanning Products
Several organizations exist which independently assess and certify the
adequacy of firewalls and other computer system related products. Typically,
certified products have been tested for their ability to permit and sustain
business functions while protecting against both common and evolving attacks.
Security scanning tools should be run frequently by system administrators
to identify any new vulnerabilities or changes in the system. Ideally,
the scan should be run both with and without the firewall in place so
the firewall's protective capabilities can be fully evaluated. Identifying
the susceptibility of the system without the firewall is useful for determining
contingency procedures should the firewall ever go down. Some scanning
tools have different versions with varying degrees of intrusion/attack
IV. Logical Access Controls
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong passwords
consist of at least six to eight alpha numeric characters, with no resemblance
to any personal data. PINs should also be unique, with no resemblance
to personal data. Neither passwords nor PINs should ever be reduced to
writing or shared with others.
Other security measures should include the adoption of one-time passwords,
or password aging measures that require periodic changes. Encryption technology
can also be employed in the entry and transmission of passwords, PINs,
user IDs, etc. Any password
Directories or databases should be
properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal information,
such as a user's name or address. It is preferable to test for such vulnerabilities
by running this type of program as a preventive measure, before an unauthorized
party has the opportunity to do so. Incorporating a brief delay requirement
after each incorrect login attempt can be very effective against these
types of programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords would
render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart cards,
and biometrics can be useful. Utilizing these technologies adds another
dimension to the security structure by requiring the user to possess something
Token technology relies on a separate physical device, which is retained
by an individual, to verify the user's identity. The token resembles a
small hand-held card or calculator and is used to generate passwords.
The device is usually synchronized with security software in the host
computer such as an internal clock or an identical time based mathematical
algorithm. Tokens are well suited for one-time password generation and
access control. A separate PIN is typically required to activate the token.
Smart cards resemble credit cards or other traditional magnetic stripe
cards, but contain an embedded computer chip. The chip includes a processor,
operating system, and both read only memory (ROM) and random access memory
(RAM). They can be used to generate one-time passwords when prompted by
a host computer, or to carry cryptographic keys. A smart card reader is
required for their use.
Biometrics involves identification and verification of an individual
based on some physical characteristic, such as fingerprint analysis, hand
geometry, or retina scanning. This technology is advancing rapidly, and
offers an alternative means to authenticate a user.
V. Security Flaws and Bugs
Because hardware and software continue to improve, the task of maintaining
system performance and security is ongoing. Products are frequently issued
which contain security flaws or other bugs, and then security patches
and version upgrades are issued to correct the deficiencies. The most
important action in this regard is to keep current on the latest software
releases and security patches. This information is generally available
from product developers and vendors. Also important is an understanding
of the products and their security flaws, and how they may affect system
performance. For example, if there is a time delay before a patch will
be available to correct an identified problem, it may be necessary to
invoke mitigating controls until the patch is issued.
Reference sources for the identification of software bugs exist, such
as the Computer Emergency Response Team Coordination Center (CERT/CC)
at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh,
Pennsylvania. The CERT/CC, among other activities, issues advisories on
security flaws in software products, and provides this information to
the general public through subscription e-mail, Internet newsgroups (Usenet),
and their Web site at www.cert.org. Many other resources are freely available
on the Internet.
Active Content Languages
Active content languages have been the subject of a number of recent
security discussions within the technology industry. While it is not their
only application, these languages allow computer programs to be attached
to Web pages. As such, more appealing and interactive Web pages can be
created, but this function may also allow unauthorized programs to be
automatically downloaded to a user's computer. To date, few incidents
have been reported of harm caused by such programs; however, active content
programs could be malicious, designed to access or damage data or insert
Security problems may result from an implementation standpoint, such
as how the languages and developed programs interact with other software,
such as Web browsers. Typically, users can disable the acceptance of such
programs on their Web browser. Or, users can configure their browser so
they may choose which programs to accept and which to deny. It is important
for users to understand how these languages function and the risks involved,
so that they make educated decisions regarding their use. Security alerts
concerning active content languages are usually well publicized and should
receive prompt reviews by those utilizing the technology.
Because potentially malicious programs can be downloaded directly onto
a system from the Internet, virus protection measures beyond the traditional
boot scanning techniques may be necessary to properly protect servers,
systems, and workstations. Additional protection might include anti-virus
products that remain resident, providing for scanning during downloads
or the execution of any program. It is also important to ensure that all
system users are educated in the risks posed to systems by viruses and
other malicious programs, as well as the proper procedures for accessing
information and avoiding such threats.