Information Assurance Sites for Tracking IT Security Vulnerabilities and Threats
The FFIEC agencies adopted joint guidelines establishing Standards for Safeguarding Customer Information that went into effect on July 1, 2001. The guidelines, which implement section 501(b) of the GLBA, require financial institutions to establish information security programs, that among other things, protect against any anticipated threats or hazards to the security or integrity of customer records or information, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer. The guidelines supplement implementation of information security procedures designed to safeguard a financial institution's information systems. These programs should include monitoring information assurance warnings concerning viruses, cyber attacks, software and equipment vulnerabilities, and other threats.
There are a variety of sites that provide security alerts as well as mitigation information. Financial institutions should identify sites that provide information and alerts appropriate to their needs. Below are Internet links to three government/nonprofit sites that provide detailed information about system and product vulnerabilities, mitigation procedures, and links to vendor information.
Simple Network Management Protocol Vulnerabilities
These sites are useful in reviewing recently published information on potentially serious vulnerabilities in the Simple Network Management Protocol (SNMP), a software protocol widely used in internal networks and the Internet. The protocol also is used in products and services provided by the telecommunications industry. Financial institutions should be aware that these vulnerabilities may be exploited to gain unauthorized access to information systems or to cause denial of service attacks resulting in network disruptions. We recommend that information security personnel review these or other credible sites and take appropriate steps to implement the mitigation procedures to protect the integrity of information systems and safeguard customer information. Financial institutions also should contact their information technology service providers and software vendors directly to ascertain that they are assessing SNMP vulnerabilities in their products and taking steps to mitigate risks.
Federal Computer Incident Response Center (FedCIRC)
Advisory on Simple Network Management Protocols (SNMP) Vulnerabilities
CERT Coordination Center Advisory on Simple Network
Management Protocols (SNMP) Vulnerabilities
System Administration, Networking, and Security Institute