The Digital Insider: Backdoor Trojans

New security paper that should be appearing shortly on the World Bank e-security/e-finance web pages.

e-security/e-finance main web page:
http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/9f941053fd4293dc852569510022c5a0/77768cb67681ae7c85256d09005807df?OpenDocument

publications web page (where the above reference should be appearing shortly):
http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications

Other papers from the above web page:

Electronic Safety and Soundness: Securing Finance in a New Age
Thomas Glaessner, Tom Kellermann, and Valerie McNevin (October 2003)
This monograph focuses on the sustainable development of e-finance and e-commerce. It raises awareness of the risks involved and offers recommendations on how to mitigate these cyber-risks so that the shift to electronic financial services is conducted in a safe and sound manner. This paper and its technical annexes identify and discuss four key pillars that are necessary to foster a secure electronic environment and a sustainable global financial sector.

Phishing in the Digital Streams: The Growing Threat of Cyber Social Engineering to the Financial Sector
Tom Kellermann, CISM and Yumi Nishiyama (October 2003)
Phishing is a form of social engineering that is increasingly threatening the financial sector. Fake or spoofed bank websites, illegitimate emails, malicious code and other such deceptive methods are used to lure sensitive information (such as bank account information) away from users. Criminals then use this stolen information to conduct financial theft.

Blended Electronic Security Threats: Code Red, Klez, Slammer, and Bugbear
Tom Kellermann and Yumi Nishiyama (June 2003)
Blended threats (e.g. worms) exploit vulnerabilities in software code, allowing them to circumvent perimeter defenses like firewalls, intrusion detection systems, virus scanners and encryption. According to CERT, 4,000 such vulnerabilities were found last year. This report depicts some of the most prolific worms of the information age.

Electronic Security: Risk Mitigation in Financial Transactions
Thomas Glaessner, Tom Kellermann, and Valerie McNevin (June 2002)
This is the new and improved version of this paper. A new Pillar 8 on layered security has been added, along with major improvements within the sections on Insurance, Regulatory and Supervision, and Annex I. We took over five months of comments and criticisms from around the world to finalize this third version. It builds on a previous series of papers (see Claessens, Glaessner, and Klingebiel, 2001, 2002) that identified electronic security as a key component of the delivery of e-finance benefits. This paper and its technical annexes identify and discuss seven key pillars necessary to the fostering of a secure electronic environment. Hence, it is intended for those formulating broad policies in the area of electronic security and those working with financial services providers (e.g., executives and management). The detailed annexes of this paper are especially relevant for chief information and security officers responsible for establishing layered security. First, the paper provides definitions of electronic finance and electronic security and explains why these issues deserve attention. Next, it presents a picture of the burgeoning global electronic security industry. Then, it develops a risk-management framework for understanding the trade-offs and risks inherent in the electronic security infrastructure. It also provides examples of trade-offs that may arise with respect to technological innovation, privacy, quality of service, and security in the design of an electronic security policy framework. Finally, it outlines issues in seven interrelated areas that often need attention in the building of an adequate electronic security infrastructure. These are (i) the legal framework and enforcement; (ii) electronic security of payment systems; (iii) supervision and prevention challenges; (iv) the role of private insurance as an essential monitoring mechanism; (v) certification, standards, and the roles of the public and private sectors; (vi) improving the accuracy of information about electronic security incidents and creating better arrangements for sharing this information; and (vii) improving overall education about these issues as a key to enhancing prevention.

Mobile Risk Management: E-Finance in the Wireless Environment
Tom Kellermann (May 2002)
This paper documents the risks to electronic security (identity theft, hacking, etc.) that wireless technologies may present in the context of the delivery of financial services.

E-Finance in Emerging Markets: Is Leapfrogging Possible?
Stijn Claessens, Thomas Glaessner, Daniela Klingebiel (June 2001)
E-Finance can lead to much lower costs and greater competition in financial services. For countries with underdeveloped financial systems, e-finance offers an opportunity to leapfrog.

Electronic Finance: Reshaping the Financial Landscape Around the World
Stijn Claessens, Thomas Glaessner, Daniela Klingebiel (July 2000)
Financial Sector Discussion Paper No. 4 (July 2000). The authors analyze the changes that have occurred in the financial products and services industry and their implications for public policies relating to areas such as safety and soundness and systemic considerations; competition policy; consumer protection and education; and global public policy.

Also key readings:
http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Key+Readings

URLs from above:

International Strategy for Cyberspace Security
American Bar Association (ABA) (August 2003)
By setting forth the categories of infrastructure to be protected, the key legal parameters and international initiatives, information on best resources and practices, guidance on the development of a complete security program, and implementation and technical considerations, this book is intended to articulate an international strategy for cyberspace security.

Risk Management Principles for Electronic Banking
The Basel Committee on Banking Supervision (July 2003)
The Basel Committee on Banking Supervision identifies 14 risk management principles to improve upon the banking industry's electronic banking risk oversight policies and processes.

HIPAA Security Standards
Department of Health and Human Services (February 2003)
HIPAA (Health Insurance Portability and Accountability Act) security standards, to take effect 4/21/2005. Sections pertain to the security of digital records.

The National Strategy to Secure Cyberspace
U.S. Government (February 2003)
The White House's national strategy to secure this critical infrastructure.

Common Sense Guide for Home Users
Internet Security Alliance (February 2003)
Explains why and how intruders break into home computers. Outlines ways to prevent intruders from entering a home computer.

Additional Actions Needed to Better Prepare Critical Financial Market Participants
U.S. General Accounting Office (February 2003)
GAO study on the effects of wide-scale disasters on the financial market. The GAO examined: 1) effects of 9/11 on facilities and telecom; 2) physical and information security plans; 3) regulatory efforts to improve both preparedness and market oversight to reduce risks.

Critical Infrastructure Protection: Efforts of the Financial Services Sector to Address Cyber Threats
U.S. General Accounting Office (GAO) (January 2003)
"Since 1998, the federal government has taken steps to protect the nation's critical infrastructures, including developing partnerships between the public and private sectors. These cyber and physical public and private infrastructures, which include the financial services sector, are essential to national security, economic security, and/or public health and safety."

Technology Risk Management Guidelines for Financial Institutions
Monetary Authority of Singapore (January 2003)
The purpose of this document is to make financial institutions aware of the myriad dimensions of technology risks, and the actions they should take to improve information technology security and protect their information assets.

FFIEC's Information Systems IT Examination Handbook
Federal Financial Institutions Examination Council (FFIEC) (December 2002)
Examiners may use this booklet when evaluating the financial institution's risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

The National Security Agency's (NSA) Guide to Securing Microsoft Windows XP
R. Bickel, M. Cook, J. Haney, M. Kerr (DISA), CT01 T. Parker (USN), H. Parkes (October 2002)
A guide to educating consumers about Windows XP Professional recommended security settings.

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
