Information Assurance Sites for Tracking IT Security Vulnerabilities and Threats

The FFIEC agencies adopted joint guidelines establishing Standards for Safeguarding Customer Information that went into effect on July 1, 2001. The guidelines, which implement section 501(b) of the GLBA, require financial institutions to establish information security programs that, among other things, protect against any anticipated threats or hazards to the security or integrity of customer records or information, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer. The guidelines supplement implementation of information security procedures designed to safeguard a financial institution's information systems. These programs should include monitoring information assurance warnings concerning viruses, cyber attacks, software and equipment vulnerabilities, and other threats.

There are a variety of sites that provide security alerts as well as mitigation information. Financial institutions should identify sites that provide information and alerts appropriate to their needs. Below are Internet links to three government/nonprofit sites that provide detailed information about system and product vulnerabilities, mitigation procedures, and links to vendor information.

Simple Network Management Protocol Vulnerabilities

These sites are useful in reviewing recently published information on potentially serious vulnerabilities in the Simple Network Management Protocol (SNMP), a software protocol widely used in internal networks and the Internet. The protocol is also used in products and services provided by the telecommunications industry. Financial institutions should be aware that these vulnerabilities may be exploited to gain unauthorized access to information systems or to cause denial-of-service attacks resulting in network disruptions. We recommend that information security personnel review these or other credible sites and take appropriate steps to implement the mitigation procedures to protect the integrity of information systems and safeguard customer information. Financial institutions should also contact their information technology service providers and software vendors directly to ascertain that they are assessing SNMP vulnerabilities in their products and taking steps to mitigate risks.

Federal Computer Incident Response Center (FedCIRC) Advisory on Simple Network Management Protocols (SNMP) Vulnerabilities
http://www2.fedcirc.gov/advisories/FA-2002-03.html

CERT Coordination Center Advisory on Simple Network Management Protocols (SNMP) Vulnerabilities
http://www.cert.org/advisories/CA-2002-03.html

System Administration, Networking, and Security Institute (SANS)
http://www.sans.org

 


Maintained by the FFIEC. All suggestions regarding this site may be forwarded via e-mail to ffiec-suggest@frb.gov.
Last update: 08/16/2005 10:54 AM