By Mike Fenton, CEO Redscan Cyber Security Ltd
The impending publication of new security controls by The Society for Worldwide Interbank Financial Telecommunications (SWIFT) may be viewed cynically across an industry already heavily inundated with regulation, yet the banking sector cannot afford to take this newly introduced set of standards lightly if it is to keep up the fight against evolving cyber-threats.
Enforced from January 2018, the SWIFT Security Program is a set of over 20 controls designed to reinforce the security of the global banking system by helping SWIFT members secure their networks, control access to systems, and detect and respond to a wide range of attack vectors.
Taking the latest threats seriously
More automated and interconnected than ever, today’s banks face the challenge of defending themselves across a growing attack surface. With an increasing number of entry points for hackers to target and a heavy reliance on third-party systems which can too easily introduce vulnerabilities, it’s important that standards are frequently challenged to ensure that they remain effective.
Organisations that fail to take cyber threats seriously not only face financial damage but reputational damage too. To expose its members to wider scrutiny, SWIFT is making the compliance status of each of its member banks available to other members and will report non-compliant organisations to governing industry regulators.
Addressing key security challenges
Despite the benefits, implementation of SWIFT’s standards does present banks with a number of key challenges. 2018 is not far away. This, coupled with the requirement for each member to provide detailed self-attestation against mandatory controls from the second quarter of next year, does not give organisations much time to start preparing and implementing appropriate controls. Institutions that currently lack the resources and security expertise to assess, detect and respond to threats are likely to encounter difficulties.
In preparing for the SWIFT standards, all banks need to establish where the greatest risks across their infrastructure lie so that they can start prioritising remediation and allocating budgets and resources accordingly. While the full draft security program standards are yet to be published, the initial controls outlined suggest that organisations need to be mindful of improving not just technological defences but physical controls, formal risk processes, and employee awareness too.
To illustrate the need for wide-ranging security controls, the hackers that carried out the heist on the Bangladesh Central Bank employed a variety of techniques to infiltrate the network and trigger a series of bogus currency transfer requests. This involved hijacking high-privilege accounts and using malware to prevent the printing of transaction records.
Early planning needed
Due to resource and time pressures, fundamental security tasks, such as keeping hardware systems patched through regular maintenance, restricting user privileges and conducting background checks on new employees, can often fall to the bottom of the priority list. These easy-to-implement procedures are a great way for banks to start quickly remediating key vulnerabilities and are therefore likely to form a central part of the SWIFT requirements.
To address more complex SWIFT demands, such as integrity and authentication checks, organisations need to commence the process of testing network infrastructure as soon as possible. Vulnerabilities across complex, interconnected banking systems can take time to resolve, so by preparing early, banks give themselves the best possible chance of achieving compliance.
The commissioning of internal and external penetration testing is an excellent way for organisations to reveal vulnerabilities across systems, services and applications. For the best results, testing should include a variety of automated and manual assessments to uncover vulnerabilities that off-the-shelf tools are unable to detect.
For a wider, more comprehensive assessment, a simulated cyber-attack known as a red team engagement is as close as an organisation can get to fully understanding how prepared it is to defend against a real-world incident. Designed to accurately reproduce the steps and methodologies that an attacker would take, a red team operation is typically conducted over a number of months, encompassing detailed surveillance and espionage as well as testing the organisation’s ability to detect evasive hacking practices.
A red team engagement can assess an organisation’s ability to detect highly personalised spear-phishing and vishing attacks, as well as challenge physical controls by dispatching intruders to breach assets such as server rooms and data centres.
The importance of early threat detection
While identifying and addressing key vulnerabilities is critical, the determination and persistence of hackers means that systems can still be breached. For this reason, it’s no surprise that network logging and monitoring, as well as cyber incident response planning, will form a key part of SWIFT’s security controls.
The importance of proactive monitoring is demonstrated by the failure of the Bangladesh Central Bank to detect numerous fraudulent inter-bank messaging requests totalling US$1bn. In this example, it was not security policy that detected what would have been one of the largest cyber bank heists in history, but a spelling mistake that led to an automatic transaction being checked by staff and halted.
Now’s the time to act
The threat landscape is changing on an almost daily basis. Just like the adversary, banks need to keep planning and adapting if they are to defend against the latest sophisticated threats. By choosing to regularly assess their security posture, banks will not only be in a much better position to meet the forthcoming SWIFT standards, they’ll also significantly reduce their cyber risk and help to boost much-needed confidence across markets.