SWIFT, the global financial messaging system, disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February’s high-profile $81 million heist at Bangladesh Bank. IT security experts from Tripwire, Lieberman Software, MIRACL, Imperva and ESET comments on the attacks:
Tim Erlin, Director, Security and IT Risk Strategist at Tripwire:
“Basic security best practices work, and failing to implement them consistently will increase the risk to your organization. They are considered best practices with good reason.
Attackers will always take the path of least resistance, so starting with the basics is important, but it’s not enough to combat today’s threats. Any SWIFT user should take note of the recommendations and work to exceed them.
Unfortunately, without regulatory authority over members, it will be difficult for SWIFT to push meaningful change to security practices. Driving these kinds of changes through the lessons of repeated compromises is the most expensive and painful way to get the job done.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Banks are one of the few verticals that are constantly improving security. Of course, that doesn’t mean they do it equally well. Since they are such a ripe target for any financially motivated attacker, banks are forever caught in an arms race with the bad guys. And like any other organization they are dealing with fallible end users, platforms unknown to be vulnerable until they become compromised, and limited resources. After all, the banks’ cyber defence team is only getting a small portion of the budget since it’s a cost center, and their enemies are getting literally all the budget since breaking into the banks is the bad guy’s whole business model.
The only option banks have is to mitigate the effects of attacks because there is no way to make them stop. As long as there is money in the bank the bad guys will keep coming for it.
If I’m a CIO watching the pounding banks are taking despite their significant efforts and knowing my company may be next on the bad guy’s list, then I should be making a serious assessment of my own readiness to mount a real cyber defence and incident response.”
Brian Spector, CEO at MIRACL:
“Verifying people’s identities is the only way to securely enable the multitude of digital transactions taking place on SWIFT systems worldwide. All too often, bad actors orchestrate attacks of this magnitude by stealing employee credentials – usually just a username and password. Attackers know that when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems, gaining access to financial controls and making away with some eye-watering thefts.
But hackers don’t just follow the money – they can also go after the huge treasure troves of sensitive data within financial systems which can then be put up for sale on the dark web. The solution is two-fold: banks must insist on robust, multi-factor authentication to be used in all financial transactions. We also need to eliminate today’s outdated security infrastructure, including passwords, root keys and stored credentials, which enable hackers to carry out data theft and identity fraud on a massive scale.”
Amichai Shulman, CTO and Co-Founder at Imperva:
“Banks have been targets of all kinds of crime and fraud essentially forever because of the old cliché “that’s where the money is”. Cybercrime is an industry that is maturing and has found parts of the financial infrastructure to be a soft target. Banks constantly improve their security posture focusing their attention on specific issues at any point in time.
Attackers, by their nature, move faster to find the soft spots not yet handled by defenders or new soft spots introduced with new systems and new technologies. What banks need to do is what any cyber security target needs to do. Identify what systems and data are the most valuable, understand what an attacker might stand to gain from compromising them, and put in place security controls that mitigate the threat.”
Mark James, Security Specialist at ESET:
“Unfortunately, security nearly always costs money to implement. One of the problems with the computer eco sphere is that technology changes at such a fast pace. If you don’t keep up to date on the latest types of hardware or operating systems then when the time comes where you are actually forced to upgrade, the costs are so much higher as you quite often have to upgrade complete units or devices as compatibility changes and causes problems.
In this modern day economic climate, companies are always looking to save money, it’s a fact. The choice may be as simple as “save money or stop trading”. Making cuts and holding off essential upgrades will all have an impact on keeping security at its required standards.
Education and money are the only two ways to combat these kinds of attacks on banks. Staff and users need to be aware of what they can do to help protect the company, it’s no longer the just the job of the IT department to keep you safe, it’s everyone’s job. Attacks can happen from any possible point of entry and at any time so keeping systems up to date and ensuring money is spent on out of date hardware needs to happen. If they want to stop the hackers using old and often known attack methods moving away from vulnerable hardware or software must happen.
The most important security practises for security in financial institutions are:
– Keeping your operating systems, applications and especially hardware and firmware up to date.
– Ensuring no default passwords are still being used along with regular reviews of your security measures will help to keep you safe.
– Using a good multi-layered internet security product on endpoints and servers will also help with the day-to-day protection.
– Ensure your staff are educated on current threat types and the methods they employ.”