Tuesday, March 11, 2008

Data Leaks: The Silent Attacker

Data leaks are becoming an increasingly serious security concern with the unprecedented rise in the number of communication mediums. Most data leaks are unintentional rather than deliberate, but they can nevertheless cause irreparable damage to a company's clientele, reputation, or compliance with confidentiality requirements.

Despite the widespread implementation of security devices such as firewalls and data encryption, data theft is still a relatively common phenomenon. There are many causes of security breaches: one third of data leakages in the previous year occurred because of virus attacks and another third through fraud committed by insiders with access to high-security data. Leaks can also inadvertently occur when, for example, an employee decides to take work home for the weekend and uses unprotected mail systems such as Yahoo! to access sensitive work information. HTTP and FTP links can also act as avenues through which your information can leave your premises without your knowledge.

There are a few strategic ways in which you can monitor your data to check for fraudulent or unintentionally subversive activities:

  • Know where your confidential information is located. It is critical to know the locations of confidential information in your organization. Always ensure that you close access to these when a project is complete or when the files are no longer being actively used. This is also particularly a concern with removable storage, such as disks and pen drives.
  • Keep track of how and where confidential data is transferred. Data often travels from person to person via electronic mail and other mediums. It's imperative to keep track of where sensitive data is being transferred and to monitor the channels of communication being used by those who have access to confidential data.
  • Create standardized data security policies. Data leaks are not just a security concern, they can have an overall impact on your business and the quality of your work ethic. Standardized regulations or data distribution policies can help you guard your sensitive information so that it cannot fall into the wrong hands.

Many solutions are targeted toward incident response, but effective measures of prevention also need to be implemented to prevent incidents from occurring. All companies should consider acquiring more stringent methods of safeguarding their data and implement Security Awareness Training for employees to prevent unwarranted or deliberate leaks of information. For some companies, Data Leak Prevention resources are critical. For example, companies under compliance regulations or who regularly work with proprietary client-confidential data, companies that frequently outsource work, or companies with projects being conducted on offshore premises should definitely consider a professional data security package.

Data leaks do not always occur through technology breaches. Always use caution when giving out information about yourself, your clients or your employees over the telephone. Spammers or phishers often penetrate the defenses of their targets by posing as representatives of an organization such as a bank or government office. Managing your intellectual property takes considerable effort and constant monitoring. Never think that your company is too small or your information too irrelevant to be at significant risk of potential pharming or phishing attacks.

Prevention systems need to follow the three key strategies listed below in order to be completely effective. If one or more of these steps is not taken to ensure the protection of your data, you could find yourself the target of various forms of security breaches that could compromise your compliance to regulations or your business as a whole.

  1. Discovery

    The discovery of sensitive data and its extant locations is the first key process in identifying your data security needs. This includes internal databases and possible avenues through which such information may be released or distributed. Even legitimate channels of distribution such as internal mail servers and intranets should be identified as carriers of sensitive data which are subject to breaches. Only when these mediums are identified can you efficiently create data protection policies and regulations and implement them successfully.

  2. Monitoring

    Once mediums carrying confidential data are identified and the relevant policies have been implemented successfully, it is imperative that such channels be monitored around the clock. Professionally developed data leak prevention tools not only monitor your data, but also create reports so that you are kept constantly updated on the status of your information and its locations.

  3. Protection

    Always ensure that your data leak prevention policies are mapped to the rest of your business processes. Automated regulation policies can monitor and control your databases and run real-time checks on your information to ensure that it is secure and to inform you of any breaches as soon as they occur. DLP tools can make you confident that your data is protected at all times, both when it is in use and also while it is stored.

One vendor in particular stands out. Websense provides data leak prevention solutions that can help you manage your databases and the fluidity of your information networks by enabling you to manage your information and the channels through which it is distributed. Websense can assist you in many ways, protecting your data and ensuring that you are the one in charge of who has access to your information:

  • Websense uses state-of-the-art technology, such as third-generation fingerprinting and agentless situational awareness and discovery of data networks, to minimize and preempt threats of data leakage.
  • Customizable policies and templates can be adapted to suit your needs, and tools such as those that audit your business processes and monitor your proprietary data (such as source code) may be implemented to significantly reduce risks.
  • Protect and control your data with policy regulations, incident management and enterprise solutions that fit into your existing infrastructure.

Many providers of professional security data leak prevention systems offer free risk assessments. You might consider such a program to gauge the risks that your intellectual property and sensitive information are exposed to every day. By implementing data leak prevention tools, you can protect your data from external as well as internal leakage and ensure that your business processes run more smoothly.

Wednesday, January 30, 2008

Why Using Non-Conventional Security Awareness Training is Crucial!


By Gale Yocom

Copyright 2008


Financial institutions can look forward to more in-depth examinations this year, since the FDIC issued FIL-105-207, which updated the IT Examination Officer's Questionnaire. The FDIC wants to make sure that insured depository institutions have security programs that guarantee the confidentiality of customer information, in addition to anticipating and protecting against security threats and unauthorized access to customer information. To ensure that these issues are addressed, the questionnaire has five sections: Risk Assessment, Operations Security & Risk Management, Audit/Independent Review Program, Disaster Recovery/Business Continuity Management, and Vendor Management/Service Provider Oversight. Parts 1 and 4, namely Risk Management and Disaster Recovery, are much the same as in the 2005 questionnaire, with some minor changes. The other sections have a number of significant changes; one of the most important is that the 2007 questionnaire includes an entirely new section that focuses on questions about Vendor Management. One topic in the FIL is of particular concern, because most institutions do not have standard security awareness training programs in place.

Training Awareness Using Non-Conventional Methods

With so many new complex threats going beyond the standard pharming, phishing and vishing attacks, assaults are now focusing on the end user, or client-side, exploits. These attacks are exploiting and affecting mail readers, Internet browsers and third-party applications such as Adobe Reader. Because of these more sophisticated attacks, it is more important than ever to educate users and employees about these risks, which can be achieved by making sure IT managers have compliant training sessions in place. What we at Covetrix discovered is that most security awareness training programs are simply not enough. They are usually done annually or only when the employee is initially hired. Even with extensive training, the material is often forgotten in just a matter of weeks, usually because of a lack of interest or because of the way the material is presented. After a while, employees almost get the feeling of someone crying wolf when it comes to phishing, pharming and vishing attacks, which for future reference we will refer to as social engineering. Training programs must be adapted so that the perceived level of importance remains high. We believe that by providing non-conventional, educational and real-world examples, a financial institution will not only be able to educate employees with increased absorption, but employees will also be able to understand how these scams work, and so spot a scam and quickly catch it before it impinges on the customer's privacy.

Tracking Employee Review is Critical to Retention


As our clients are eager to improve their security levels, we believe it is vitally important to build strong teams, teams that can provide a quick response to potential threats, keeping security risks from causing havoc in the financial institution. At Covetrix, we see a need to track employee reviews of the security training material. The reason? It has been proven that, more often than not, an individual may watch security awareness training videos, read e-mail messages, or review computer use handbooks with the best of intentions, yet their retention and absorption of the security knowledge is often limited. Covetrix has designed IT training videos that keep interest high and retention longer. The way they work is that the video pauses and asks the viewer questions about the previously viewed content before continuing. This information is also reported to IT staff for compliance during examinations. Trained individuals must be ready and prepared to make quick decisions so that nothing threatens the security of the financial institution. Yet even with willing participants, individuals are sometimes overwhelmed with too much information. Even after ensuring that videos are watched and viewers are questioned about their understanding of the content, we need the information to stick. To ensure that training stays in the minds of users and employees, new ways of presenting the information must be adopted, which means it is necessary to implement non-conventional techniques.


How Non-Conventional Methods Work


In the event of identity theft scams, placing untrained people in security roles is not going to keep security risks away! What will keep them away is giving individuals the proper training, continually expanding on knowledge through effective training programs. As a well-qualified technology expert and experienced security specialist, I have found it very obvious that when individuals are properly trained, they retain and absorb information more readily. And based on my years of experience, one of the best ways to help retain and absorb information is through non-conventional strategies. What do I mean by non-conventional strategies? In most training programs, the user is given a list of directives, which may include things like the following:

1. Don't open bad mail

2. Don't go to a bad website

3. Report all phishing emails

The problem stems from the user's actual understanding of this information. Our videos use non-conventional training by actually showing a user exactly what a bad mail is, how such mails are created, or how a hacker creates a phishing site and attacks their institution. Combined with the employee's review of the information, non-conventional training transfers knowledge in a far more effective manner.

The Outcome

As a result of implementing these innovative awareness training video strategies, we have seen a high level of success during our third party penetration testing and audits. Equally important are the individuals who are able to understand and retain information more efficiently. It's very clear that even the most effective training program requires periodic testing to ensure that the training program is serving the ever-changing needs of the financial institution. And just as technological challenges continue to change and grow, so too must training programs grow and change as well. With non-conventional training strategies, financial institutions have a far better chance of keeping customers safe from scams and unauthorized access to private information.

About the Author

Mr. Gale Yocom is a recognized technology expert and President of the Dallas-based security specialist company Covetrix. For the past ten years his company has provided full-service networking and security solutions to government entities, financial institutions, and commercial businesses across the U.S. Performing security audits, assessments and implementation of security measures on ISP networks, he brings a wealth of knowledge and information to Internet security. Mr. Yocom is known for effectively uncovering weaknesses in large institutions' security practices and has impressively strengthened the security posture of many financial institutions. Mr. Yocom can be reached by contacting him at gale@covetrix.com or by visiting him on the web at www.covetrix.com


Wednesday, January 09, 2008

Security Awareness Training Video

One of our sales directors said this to our customer in a meeting:
If you have related stories you would like to share please let us know; one organization’s experience is someone else’s prevention.

I thought that was a great idea. Send me your stories to share with others so that maybe we can all learn something from someone else's tribulations.

The first training video from Covetrix is making progress; we decided the topic would be Incident Response Plan to Pharming and Phishing Attacks. I hope you guys enjoy it.


GY


Friday, January 04, 2008

Examples from Community Banks

This is an email from the IT Dept of a community bank in Arkansas
From:
Sent: Friday, January 04, 2008 11:49 AM
To:
Subject: Phishing

I just received a phone call from a person who stated that she was a representative from Experian. She said that she needed to update their records. She was given my first name from the teller who transferred the call to me and from my greeting. She asked me for my last name and if I was in charge of my location. She asked for my title, how long I have been with the bank, the last name of the teller who transferred her, and what her position in the bank is. I did not give her any of this information.

I asked her why Experian needed to verify bank information. She told me that she just needed to verify and update the bank's information for the New Year. I told her that I needed to know why she needed to verify my information and information about the bank when she works for Experian. I told her that Experian should have all of the information that they need. She asked if there was anyone else she could speak to who could verify information about the bank.

I told her that I would transfer her to Marketing and she asked for the Marketing person’s name. I gave her the first name. Then she asked for her last name, and if she was in charge of Marketing or just worked in Marketing. I told her that I would not give her that information. But, I would be happy to transfer her. When I began to transfer the call, she hung up.

Please use caution when giving out information about the bank and the Associates. Anonymity in these situations is crucial. It is important to ask questions, so do not be afraid to. Please be aware of the signs of a phishing phone call. If you get one please transfer the call to your Manager or HR.

Thursday, January 03, 2008

Sophisticated Attacks on Community Financial Institutions Increasing!

By Gale Yocom

Copyright 2007


In today's high-tech world, maintaining the privacy and protection of customers' and employees' information grows more and more difficult, particularly for many financial institutions. These days scammers are getting bolder and more brazen in their ability to get personal information from banking customers as they aggressively target the smaller, locally owned community financial institutions. In fact, a recent customer reported that a complex, malicious, and targeted attack took place on their institution's customers and employees. A well-recognized phishing activity trends website reported that financial institutions saw a continuing rise in phishing activities, with 92.5% of attacks targeted at financial institutions. On average, a phishing site stays online for 3.8 days. The relevance of the number of days online is that the longer a site remains online, the more opportunity the scammer has to gather personal information. It is imperative that we are prepared for this type of incident and the response that is needed.

Phishing and Pharming Attacks

There was a time when only the larger financial institutions such as Wells Fargo bank were targeted for phishing and pharming scams, but that's no longer the case. The increase in phishing attacks on community financial institutions stems from the fact that smaller financial institutions are simply more profitable and are usually less protected from fraudulent activities. As mentioned above, one of our local community financial institutions was hit with a complex and sophisticated vishing/pharming/phishing telephone scam that focused on customers as well as on the bank's employees. Fortunately, we have been preparing our client for years for these types of attacks, and therefore they were on the alert, so the attack caused minimum disruption. Sharp customers and employees recognized that the e-mail messages were a scam because of poor grammar and content in addition to the salutation being addressed to "member" or some other non-descript person. A genuine message from a financial institution always addresses the customer by their full name. Furthermore, the scams did not provide a means for contacting the institution if there were any questions, but instead told the customers and employees in the e-mail message not to reply. No legitimate institution would ever tell you not to reply. But even with preparation and after years of working in the Internet security arena, we were surprised at the combination of attack vectors used.

Combination of Attack Vectors

The scammers used a variety of strategies, starting with a mass email and pharming scam as an attempt to steal personal information using a do-it-yourself phishing kit. The initial attack was then followed up with telephone calls to certain area codes from spoofed numbers, using a technique called vishing. Besides using pharming, phishing, and vishing tactics aimed at stealing valuable information such as credit card numbers, social security numbers, IDs and passwords, the attackers didn't stop there. The scammers also included spear phishing, an email spoofing fraud that targets financial institution employees in an attempt to gain unauthorized access to confidential data. Because of the bank's watchful eye, they caught it in time, but these types of attacks are getting bolder and more commonplace and require a great deal more vigilance in keeping personal information away from scammers.

Why Customers Are Fooled

Approximately 19% of recipients respond to Spear-Phishing, which today is one of the most menacing threats to Internet users. Unfortunately, users do not clearly understand the importance of checking for authenticity, which should include specific indications that the site they are being sent to is secure. As a busy society, we are so focused on getting the job done quickly and efficiently, we often don't check for important clues, which is why many users receiving messages or paying bills online don't watch out for the clues that indicate whether an e-mail message or site is fraudulent.

An Incident Response Plan

As these scams are on the rise in financial institutions, the consequences will be minimal if a financial institution is prepared, and in today's world they have to be. In the event of phishing and pharming scams, staff members in a financial institution should know how to deal with this type of situation effectively. To ensure the customer's safety and privacy, an incident response plan should be in place, and examiners require one to be in place. The plan should include an organized approach to how the problem is going to be handled as well as a clearly laid-out plan to address the situation.

The following should be considered in regard to an Incident Response Plan:

  • Start by assessing the situation so that you know exactly what your bank is dealing with; once an incident has occurred, it is usually up to the CEO and CIO to handle the overall incident response along with members of a CSIRT.
  • Fight the attacker:
    • Educate the end user.
    • Redirect pharming clicks to an education page (most attacks are pulling images from your site).
    • Attempt to shut down the phishing site yourself.
    • If needed, have a competent vendor respond to the situation for counter attack; this helps identify who will take down the website as well as which agencies to contact.
    • Exploit the phishing website.
    • Communicate with customers:
      • Post bulletins on the website to ensure customers are aware of the situation.
      • Have employees assure customers that security controls are in place for the institution.
    • Contact authorities such as the Secret Service and FBI; in addition, contact financial service vendors for support on abnormal activity on customer accounts.
    • Feed bogus information to the pharmed sites.
    • Review abnormal activities on customer accounts and bogus accounts.
    • Implement third-party monitoring companies.

This is not intended to be a complete incident response plan, but to trigger the thought process on items to be covered.
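The "redirect pharming clicks to an education page" item above rests on a detail the list mentions only in passing: most phishing pages pull images from the bank's real web server, so every victim's browser makes a request whose Referer header names the phishing page. The following added example (not part of the original post, and not a Covetrix tool) shows the defender's side of that: it parses combined-format web server access logs, flags image requests whose Referer host is not one of the bank's own, and provides the decision an image handler or rewrite rule would use to serve the education page instead. The log lines, the examplebank.test hostnames and the OWN_HOSTS set are constructed for illustration.

```python
"""Spot phishing pages that hot-link the bank's images, from web server access logs.

Added example, not from the original post. Log lines and hostnames are constructed;
names in the .test TLD stand in for a bank's real web hosts.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts that legitimately embed our images (assumption: the bank's own web sites).
OWN_HOSTS = {"www.examplebank.test", "examplebank.test"}
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two browsers rendering a look-alike login page that pulls the real
# logo and header from the bank's server, plus three benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jan/2008:09:12:01 -0600] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://www.examplebank.test/login" "Mozilla/4.0"
198.51.100.7 - - [03/Jan/2008:09:12:05 -0600] "GET /images/logo.gif HTTP/1.1" 200 4120 "http://examplebank-verify.test/secure/login.php" "Mozilla/4.0"
198.51.100.8 - - [03/Jan/2008:09:12:09 -0600] "GET /images/header.jpg HTTP/1.1" 200 9001 "http://examplebank-verify.test/secure/login.php" "Mozilla/4.0"
192.0.2.44 - - [03/Jan/2008:09:13:00 -0600] "GET /images/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
192.0.2.45 - - [03/Jan/2008:09:14:00 -0600] "GET /index.html HTTP/1.1" 200 1200 "http://www.search.test/?q=bank" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of the Referer URL; None when the header was absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def is_foreign_image_hit(rec, own_hosts=OWN_HOSTS):
    """True when one of our image files was requested from a page we do not host.

    Browsers send the page URL as Referer when fetching embedded images, so a
    third-party page that hot-links our logo shows up here. Requests with no
    Referer are not flagged: many proxies and privacy tools strip the header.
    """
    if not rec["path"].lower().endswith(IMAGE_SUFFIXES):
        return False
    host = referer_host(rec["referer"])
    return host is not None and host not in own_hosts


def find_hotlinking_sites(log_text, own_hosts=OWN_HOSTS):
    """Count image requests per foreign referring host; these are candidate phishing pages."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_foreign_image_hit(rec, own_hosts):
            hits[referer_host(rec["referer"])] += 1
    return dict(hits)


def should_serve_education_page(referer, own_hosts=OWN_HOSTS):
    """Decision for an image handler or rewrite rule: send the customer-education page only
    for a known foreign referer, so direct and Referer-less requests still get the image."""
    host = referer_host(referer)
    return host is not None and host not in own_hosts


if __name__ == "__main__":
    for host, n in find_hotlinking_sites(SAMPLE_LOG).items():
        print(f"{host}: {n} image requests from a page we do not host; review as a possible phishing site")
```

A host that shows up repeatedly here is a candidate for the takedown and customer-communication steps above, not proof by itself: a legitimate partner site or a search engine cache can embed the logo too, so someone should look at the referring page before the education-page redirect is switched on for that host.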

Preventative Actions

At one time or another your institution will be affected by a fraud scam; therefore, being prepared with a good response plan for employees, providing customer education, and having the resources (either in-house or outsourced) to handle the problem efficiently and effectively are the most effective preventive actions. Prevention, of course, is primary insofar as keeping phishing and pharming scams at bay, and therefore, as a preventive measure, customers who use online banking at any financial institution should be warned to use caution when opening any type of email with links that appear to come from their financial institution. Even if the message looks legitimate, prudence is always best. Educate customers to be proactive rather than reactive. Alert customers not to click any links that come in emails, especially if they appear somewhat suspicious. In addition, if the customer has any doubt about the e-mail message, alert the customer to call their financial institution directly to determine whether it could potentially be a phishing or pharming scam.

Provide customers with security awareness training by developing a web page about information disclosure, and set up a closely monitored email address at your institution where customers can report suspicious activity.

About the Author

Mr. Gale Yocom is a recognized technology expert and President of the Dallas-based security specialist company Covetrix. For the past ten years his company has provided full-service networking and security solutions to government entities, financial institutions, and commercial businesses across the U.S. Performing security audits, penetration testing and implementation of security controls, he brings a wealth of knowledge and information to Internet security. Mr. Yocom is known for effectively uncovering weaknesses in institutions' security practices and has impressively strengthened the security posture of many financial institutions. Mr. Yocom can be reached by contacting him at gale(at)covetrix.com or by visiting him on the web at www.covetrix.com

Wednesday, November 30, 2005

IPSec Vulnerability


Multiple Vulnerabilities Found by PROTOS IPSec Test Suite


Introduction


Numerous vulnerabilities have been reported in various Internet Key Exchange version 1 (IKEv1) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner.


What is Affected?


Potentially any configuration of IPsec that uses Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, or with integrity protection being provided by a higher layer protocol. Some configurations using AH to provide integrity protection are also vulnerable.


Impact


Successful exploitation of the vulnerability on the Cisco MDS Series may result in the restart of the IKE process. All other Cisco MDS device operations will continue normally. Successful exploitation of the vulnerabilities on all other Cisco devices may result in the restart of the device. The device will return to normal operation without any intervention required.


Vulnerable Products
Cisco IOS versions based on 12.2SXD, 12.3T, 12.4 and 12.4T
Cisco PIX Firewall versions up to but not including 6.3(5)
Cisco PIX Firewall/ASA versions up to but not including 7.0.1.4
Cisco Firewall Services Module (FWSM) versions up to but not including 2.3(3)
Cisco VPN 3000 Series Concentrators versions up to but not including 4.1(7)H and 4.7(2)B
Cisco MDS Series SanOS versions up to but not including 2.1(2)


Details

IPsec consists of several separate protocols; these include:
* Authentication Header (AH): provides authenticity guarantees for packets by attaching a strong cryptographic checksum to each packet.

* Encapsulating Security Payload (ESP): provides confidentiality guarantees for packets by encrypting them with encryption algorithms. ESP also provides optional authentication services for packets.

* Internet Key Exchange (IKE): provides ways to securely negotiate shared keys.

AH and ESP have two modes of use: transport mode and tunnel mode. With ESP in tunnel mode, an IP packet (called the inner packet) is encrypted in its entirety and is used to form the payload of a new packet (called the outer packet); ESP typically uses CBC-mode encryption to provide confidentiality. However, without some form of integrity protection, CBC-mode encrypted data is vulnerable to modification by an active attacker.

By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet. The modified inner packet is subsequently processed by the IP software on the receiving security gateway or the endpoint host; the inner packet, in cleartext form, may be redirected or certain error messages may be produced and communicated by ICMP. Because of the design of ICMP, these messages directly reveal cleartext segments of the header and payload of the inner packet. If these messages can be intercepted by an attacker, then plaintext data is revealed. Attacks exploiting these vulnerabilities rely on the following:

* Exploitation of the well-known bit-flipping weakness of CBC-mode encryption.

* Lack of integrity protection for inner packets.

* Interaction between IPsec processing and IP processing on security gateways and end hosts.

These attacks can be fully automated so as to recover the entire contents of multiple IPsec-protected inner packets. In more detail, the three identified attacks on ESP in tunnel mode work as follows:


Destination Address Rewriting


* An attacker modifies the destination IP address of the encrypted (inner) packet by bit-flipping in the payload of the outer packet.

* The security gateway decrypts the outer payload to recover the (modified) inner packet.

* The gateway then routes the inner packet according to its (modified) destination IP address.

If successful, the "plaintext" inner datagram arrives at a host of the attacker's choice.



IP Options

* An attacker modifies the header length of the encrypted (inner) packet by bit-flipping in the payload of the outer packet.

* The security gateway decrypts the outer payload to recover the (modified) inner packet.

* The gateway then performs IP options processing on the inner packet because of the modified header length, with the first part of the inner payload being interpreted as options bytes.

* With some probability, options processing will result in the generation of an ICMP "parameter problem" message.

* The ICMP message is routed to the now modified source address of the inner packet.

* An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner packet.


Protocol Field

* An attacker modifies the protocol field and source address field of the encrypted (inner) packet by bit-flipping in the payload of the outer packet.

* The security gateway decrypts the outer payload to recover the (modified) inner packet.

* The gateway forwards the inner packet to the intended recipient.

* The intended recipient inspects the protocol field of the inner packet and generates an ICMP "protocol unreachable" message.

* The ICMP message is routed to the now modified source address of the inner packet.

* An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner packet.


Summary

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.

IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer; IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

Three attacks that apply to certain configurations of IPsec have been identified. These configurations use Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, or with integrity protection being provided by a higher layer protocol. Some configurations using AH to provide integrity protection are also vulnerable. In these configurations, an attacker can modify sections of the IPsec packet, causing either the clear text inner packet to be redirected or a network host to generate an error message. In the latter case, these errors are relayed via the Internet Control Message Protocol (ICMP); because of the design of ICMP, these messages directly reveal segments of the header and payload of the inner datagram in clear text. An attacker who can intercept the ICMP messages can then retrieve plaintext data. The attacks have been implemented and demonstrated to work under realistic conditions.


Solution

The attacks are probabilistic in nature and may need to be iterated many times in a first phase in order to be successful. Once this first phase is complete, the results can be reused to efficiently recover the contents of further inner packets. Naturally, the attacker must be able to intercept traffic passing between the security gateways in order to mount the attacks. For the second and third attacks to be successful, the attacker must be able to intercept the relevant ICMP messages. Variants of these attacks in which the destination of the ICMP messages can be controlled by the attacker are also possible. Any of the following methods can be used to rectify this issue:

1. Configure ESP to use both confidentiality and integrity protection. This is the recommended solution.

2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully: for example, the configuration where AH in transport mode is applied end-to-end and tunneled inside ESP is still vulnerable.

3. Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.
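To make concrete why the first method closes the hole, here is an added Go example (not code from Cisco's advisory or from the OUSPG test suite) that models a confidentiality-only ESP security association next to one that also carries an integrity check value. The keys, IV and 32-byte "inner packet" are constructed sample values; a real association takes its keys from IKE and uses a fresh IV for every packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed sample keys, IV and inner packet; a real SA takes keys from IKE and a fresh IV per packet.
var (
	encKey      = []byte("0123456789abcdef")                 // AES-128 key
	authKey     = []byte("fedcba9876543210")                 // ICV (HMAC) key
	fixedIV     = []byte("esp-sample-iv-16")                 // sent in clear at the start of the payload
	innerPacket = []byte("inner-ip-header!inner-ip-payload") // two AES blocks: "header", then payload
	block, _    = aes.NewCipher(encKey)
)

// computeICV is the integrity check value an integrity-protected SA appends: a truncated HMAC over the payload.
func computeICV(payload []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(payload)
	return m.Sum(nil)[:16]
}

// encryptESP returns the payload as sent on the wire (IV followed by the CBC ciphertext) and its ICV.
func encryptESP(plain []byte) (payload, icv []byte) {
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, plain)
	payload = append(append([]byte{}, fixedIV...), ct...)
	return payload, computeICV(payload)
}

// decryptConfidentialityOnly is the vulnerable configuration: whatever bits arrive are decrypted and forwarded,
// so a single bit changed in transit lands on the corresponding bit of the recovered inner packet.
func decryptConfidentialityOnly(payload []byte) []byte {
	plain := make([]byte, len(payload)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, payload[:aes.BlockSize]).CryptBlocks(plain, payload[aes.BlockSize:])
	return plain
}

// decryptWithIntegrity is the recommended configuration: ESP with both confidentiality and integrity protection.
func decryptWithIntegrity(payload, icv []byte) ([]byte, bool) {
	if !hmac.Equal(computeICV(payload), icv) {
		return nil, false // dropped before decryption, so the altered inner packet never reaches a host
	}
	return decryptConfidentialityOnly(payload), true
}
```

Exercising the two paths from a Go test with one payload byte altered shows the difference: the confidentiality-only path returns the inner packet with exactly one bit changed, while the integrity-protected path returns ok == false and forwards nothing, so no ICMP error is ever provoked.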

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

For more information on this Security Advisory please use the following links:

Cisco Users: http://www.cisco.com/en/US/customer/products/products_security_advisory09186a0080572f55.shtml

Non-Cisco Users: http://www.cisco.com/en/US/products/products_security_advisory09186a0080572f55.shtml

In partnering with Cisco, Covetrix has performed many of these upgrades and has determined that some new configuration is necessary to move from the older versions of software to the patched versions. Please don't hesitate to give us a call for assistance at 1-877-780-1132, option 3.

For more information go to http://www.covetrix.com/index.jsp.

Friday, October 07, 2005

Pharming Capitalizes on Phishing's Success

Pharming, so named because scammers plant seeds and then harvest their crops, is a scam that redirects internet traffic to a computer designed to steal passwords and other personal information. This scam is so sneaky that victims don't even know they've been hit until the bills start arriving about a month later.

Experts quoted by the Sacramento Bee (3/24/05) consider pharming just one more in a fast-growing trend of internet crime, one that is closely related to another scam called phishing.

Phishing usually starts with an email that looks like it came from a trusted business, often a bank or other online financial institution. The email usually warns users that their account has been compromised and urges them to follow a link in the email to a site to provide personal information, such as username, bank account, and other identification numbers. These websites are fake; the computer hosting them is recording all the information.

Like phishing, pharming also steals personal information, but instead of using fake emails to lure users to visit malicious websites, pharming changes information in the Domain Name System (DNS). A DNS server works like a big phonebook for the internet. Here's how it works. Let's say someone enters an address such as www.msn.com.

The computer contacts the nearest DNS server and gets directions on how to find MSN on the internet. There are hundreds of official DNS servers around the world. Pharmers change the entry in a DNS server either by hacking into the system or by infecting it with a virus. Traffic is then redirected to a fake website or to a computer that records every keystroke made by the user. Several large pharming attacks have been discovered, including ones aimed at traffic going to google.com and amazon.com earlier this year.

According to the article in the Sacramento Bee, the largest pharming attack to date was directed toward Britain in December 2004. In that attack, traffic to a bank website was rerouted through a server that recorded every keystroke entered by the bank's customers. The pharmers were able to capture passwords, bank account information, user names, and other information that would allow them to steal people's identities and money.

For more information go to www.covetrix.com

Voice Over Internet Protocol (VoIP) Security Risk Guidance

The ability to utilize data networks for more than internet access is making its way into many financial institutions, enterprise businesses, and government agencies nationwide. Covetrix security consultants are eagerly waiting to assist your organization with the process!

The benefits of Voice Over Internet Protocol (VoIP), lower cost and increased functionality, may complicate the Risk Assessment Process. Establishing a secure VoIP and data network is a complex process that requires great effort and expertise from knowledgeable security consultants.

The Federal Deposit Insurance Corporation (FDIC) is providing guidance to financial institutions on the security risks associated with implementing VoIP. The same risks that can harm or infect Internet data networks can interfere with VoIP and cause significant operational risks to financial institutions. Exposure to viruses, worms, Trojans, and hijacking is a risk that must be addressed to eliminate the possibility of privacy loss.

When an organization decides to invest in VoIP technology, the associated risks should be evaluated as part of their periodic risk assessment and discussed in status reports submitted to the board of directors. Implementation of VoIP is much more complex than utilizing data-only networks.

The National Institute of Standards and Technology (NIST) published information security standards for financial institutions to implement in conjunction with their VoIP deployments. For a complete list of VoIP recommendations and FDIC standards, access the complete Financial Institution Letter at FIL-69-2005.

For the complete FIL go to http://www.covetrix.com/security/portal/updates/VoIP.jsp