Our Ref:

B1/15C
B9/29C

8 September 2003

The Chief Executive

All Authorized Institutions

Dear Sir / Madam,

Recent Outbreak of Computer Viruses

The HKMA has been reviewing the recent outbreak of a number of highly infectious computer viruses and worms, such as W32.Blaster.Worm, W32.Welchia.Worm and W32.Sobig.F@mm, which have reportedly infected millions of computers and affected certain banks locally and overseas. The purpose of this letter is to recommend some precautionary measures that will help to reduce the risk of your institution being affected.

Discussions on these attacks have been held with banks, some of which have experience in dealing with these viruses and worms. There seems to be a general consensus that an institution could be infected through the following channels or control weaknesses:

  1. direct connection of the institution's computing devices (including servers, desk-top computers and mobile computing devices) to the internet through dial-up modems;

  2. connection of employees' infected home computers to the institution's corporate network;

  3. virus infection through the network connections with external service providers, counter-parties, contractors or overseas offices;

  4. improperly configured corporate firewalls;

  5. delays in applying patches to fix high-risk system vulnerabilities; or

  6. infrequent updates of anti-virus software.

Although most AIs have established virus control and prevention procedures, we would like to remind you to review the procedures of your institution to ensure that they are effective in preventing similar attacks. In particular, the following precautionary measures are recommended for your consideration:

  1. enhance, and enforce where necessary, your desk-top computing policy to ensure that, unless prior approval has been obtained and adequate security measures[1] have been implemented, employees should not be allowed to have:

    • any direct connection of your institution's computing devices within the corporate network to the internet through dial-up modems; and

    • their home computers connected to your institution's corporate network;

  2. confine your critical production systems and corporate network on dedicated network segments, and use appropriate devices such as firewalls and routers to separate them from other segments (e.g. connections to the internet, extranet connections with external parties and market data feeds);

  3. perform a detailed review of all corporate firewalls to ensure that they are properly configured, and all network and system services on each firewall are justified and documented. Unnecessary communication ports and services on the firewalls should be closed. AIs should, on an on-going basis, conduct frequent reviews and updates of the firewall configurations to enhance protection against newly identified vulnerabilities and system weaknesses;

  4. remove unused software components, which might be exploited by viruses or worms, from major computing devices. AIs should establish clear procedures to ensure that the necessary patches and security updates developed from time to time by relevant vendors are identified, assessed, tested and applied to the systems in a timely manner. Newly deployed computing devices should be installed with the latest and tested security patches and deployed with appropriate security configurations;

  5. establish procedures and responsibilities for preventing, detecting and handling computer virus attacks. These cover installation and regular updates of anti-virus software provided by reputable vendors, frequent virus scanning of all computing devices, and contingency procedures for recovering from virus infections;

  6. review your email services to ensure that they are adequately configured to block, quarantine, or remove emails that contain file attachments commonly used to spread viruses; and

  7. provide continuous security and computer virus awareness education to all of your staff.

AIs should also have regard to the module of the Supervisory Policy Manual "General Principles for Technology Risk Management" issued in June 2003 for further guidance when strengthening their network security and monitoring controls. In the meantime, the HKMA is working with the banking industry, the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team (HKCERT) to consider setting up a process to provide AIs with early alerts on computer viruses.

I hope you will find the above useful. If you have any questions on this letter, please feel free to contact Mr. Shu-Pui Li at 28781826 or Mr. Raymond Suen at 28781817.


Yours faithfully,

Raymond Li
Executive Director (Banking Development)

[1] The security measures include installation of a personal firewall and anti-virus software on mobile computing devices (e.g. notebook computers) and employees' home computers if these devices need to be connected to your institution's corporate network.