A memo sent Wednesday from the CEO of the Office of Thrift Supervision urges financial institutions and their technology service providers (TSPs) to “perform periodic risk assessments of their information security programs with respect to the prevention and detection of security incidents.” The memo was sent in response to the breach of data from RSA related to the company’s SecurID token product, which is used by numerous financial institutions and government agencies as an authentication factor on secure networks. The memo goes on to say,
Most security-related incidents occur because of the lack or failures of basic controls that allow attackers to gain entry into a target environment through phishing, spear-phishing, drive-by malware injection, and other techniques. Once attackers have entered an environment, they typically use sophisticated tools and techniques to gain access to sensitive data or systems. Successful attacks often compromise sensitive customer information or create fraud. The increasing sophistication of the tools and techniques attackers use often includes stealth or other means that make their detection more difficult.
Reference is made in the memo to another memo dated March 28 from the National Security Agency giving a series of recommendations for parties to follow in response to the SecurID breach. Links follow.
OTS Memo 4/20/11: http://www.ots.treas.gov/_files/25383.pdf
NSA Memo 3/28/11: http://www.ots.treas.gov/_files/4830106.pdf