FDIC: Best Practices Against Spyware
July 23rd, 2005
The Federal Deposit Insurance Corp. (FDIC) has sent a letter to all banks listing best practices for securing their institutions against spyware. The simple recommendations are surprisingly informative and are a good resource to pass on to friends and family.
The letter states the following best practices:
1. Restricting users from downloading software, especially software not previously approved by the bank. This would prevent users from unwittingly downloading spyware.
2. Ensuring that user settings are set to prompt the user whenever a Web site tries to install a new program or ActiveX control. If possible, configure the browser to reject ActiveX controls to lessen the likelihood that spyware could be installed on computers through normal Internet browsing.
3. Maintaining software patches. Several spyware programs take advantage of reported vulnerabilities that, if patched, would limit the spyware's effectiveness.
4. Installing and maintaining current versions of anti-virus and anti-spyware programs.
5. Expanding the risk-assessment process to consider threats from spyware. This ensures that the financial institution considers all risks to private customer information and takes appropriate steps to mitigate those risks.
6. Expanding security and Internet use policies to include risks associated with spyware and acceptable user behavior (e.g., prohibiting Internet downloads and visits to inappropriate Web sites). In addition, management should take steps to enforce these policies and reprimand staff who fail to comply with them.
7. Expanding user awareness sessions to include the risks associated with spyware. Users will then become cognizant of the behavior they should adopt to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network.
8. Installing and configuring firewalls to monitor both inbound and outbound traffic. If possible, block outbound ports that are not necessary for business functions. Financial institutions should assess the need for employee access to instant messaging as well as peer-to-peer services, and prevent access when a legitimate business need is not present.
9. Implementing tools to scan e-mail for spam and either block the e-mail or designate it as spam. E-mail scanning can limit the likelihood that users could unknowingly infect their computers by viewing or reading e-mail that contains spyware.
10. Implementing tools to restrict or prevent pop-up windows. This limits the likelihood that spyware will be downloaded through pop-up windows, either automatically or through user error.
11. Following industry trends and developments regarding spyware and its prevention. Awareness enables the financial institution to adjust its practices as new spyware threats and prevention methods emerge.
12. Reviewing the list of trusted root certificates on a regular basis. Some spyware installs its own trusted certificates, allowing it to intercept secure Internet communications or the execution of malicious code. Organizations that audit their trusted root certificates are more likely to identify certificates installed by unknown or untrusted sources. After researching the validity of these certificates, the financial institution can remove the ones that are installed by spyware.
13. Analyzing firewall logs to determine whether a significant number of customers are connecting to Internet banking Web sites using the same Internet address. If research determines that the Internet address belongs to a service that intercepts Internet communications, consider blocking access to the Internet banking site from that address.
14. Educating customers about the risks associated with spyware and encouraging them to implement steps to prevent and detect it on their own computers. In addition, advise customers of the risks of using public computers to connect to online banking Web sites.
15. Investigating the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers.
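The firewall-log check in the list (many distinct customers reaching the Internet banking site from one source address) is easy to automate. The script below is an added example, not part of the FDIC letter or this post; the log line format and the sample lines are constructed for illustration, and the threshold of three customers per address is an assumed starting point. It parses the log, counts distinct customer IDs per source address for allowed connections to the banking host, and reports addresses above the threshold. Malformed lines and denied connections are skipped rather than counted.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format, not a real firewall's output):
# "<timestamp> ALLOW|DENY <src_ip>:<src_port> -> <dst_host>:<dst_port> [user=<customer_id>]"
SAMPLE_LOG = """\
2005-07-20T09:01:02 ALLOW 198.51.100.7:51234 -> ebank.example.com:443 user=cust1001
2005-07-20T09:01:15 ALLOW 198.51.100.7:51240 -> ebank.example.com:443 user=cust1002
2005-07-20T09:02:40 ALLOW 198.51.100.7:51301 -> ebank.example.com:443 user=cust1003
2005-07-20T09:03:05 ALLOW 198.51.100.7:51377 -> ebank.example.com:443 user=cust1004
2005-07-20T09:03:09 ALLOW 198.51.100.7:51390 -> ebank.example.com:443 user=cust1001
2005-07-20T09:04:11 ALLOW 203.0.113.22:40001 -> ebank.example.com:443 user=cust2001
2005-07-20T09:05:59 ALLOW 203.0.113.22:40019 -> ebank.example.com:443 user=cust2001
2005-07-20T09:06:30 ALLOW 192.0.2.15:33000 -> ebank.example.com:443 user=cust3001
2005-07-20T09:07:00 DENY 192.0.2.99:1337 -> ebank.example.com:22
this line is malformed and must be skipped
"""

# One regex for the assumed line format; the user= field is optional because
# denied or unauthenticated connections carry no customer ID.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)"
    r"(?:\s+user=(?P<user>\S+))?\s*$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def customers_per_source(log_text, banking_host):
    """Map each source IP to the set of distinct customer IDs that connected
    to banking_host through it. Only allowed, authenticated connections count."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["user"] is None:
            continue
        if rec["dst"] != banking_host:
            continue
        seen[rec["src"]].add(rec["user"])
    return seen


def flag_shared_addresses(log_text, banking_host, min_customers=3):
    """Return [(src_ip, distinct_customer_count), ...] for addresses used by at
    least min_customers different customers, highest count first."""
    per_src = customers_per_source(log_text, banking_host)
    hits = [(ip, len(users)) for ip, users in per_src.items()
            if len(users) >= min_customers]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return hits


if __name__ == "__main__":
    for ip, n in flag_shared_addresses(SAMPLE_LOG, "ebank.example.com"):
        print(f"{ip}: {n} distinct customers; research this address before deciding to block it")
```

As the letter says, a flagged address is a lead for research, not a verdict: a corporate NAT gateway or an ISP proxy will also show many customers behind one address, so the count should be checked against WHOIS data and the address owner before any block is applied.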
You can read the entire publication here.
Entry Filed under: Web Application Security