SWIFT Banking System Breach

A report by Retuers revealed that SWIFT, the financial global messaging system, has disclosed new hacking attacks on its member banks following on from February’s high-profile $81 million heist at Bangladesh Bank. Following the new disclosures SWIFT have pressured their member banks to comply with new security procedures, suggesting that cyber thieves may have specifically targeted banks with lax security procedures for SWIFT-enabled transfers. IT security experts from VASCO, Balabit, FireMon and HPE Security – Data Security commented below.

Shane Stevens, Data Security Director of Omni-Channel Identity and Trust Solutions at VASCO: 

“With so many attack vectors, it was just a matter of time before SWIFT became a focal point for cybercriminals with their financial understanding of the sector’s common reactive-ness mentality, or in other words, ‘let us see what gets hacked, and then we will react tactically to address it.’  Now there are 3 areas that required stronger oversight and assessment.  Authentication & anti-fraud framework, Authorization controls and Transaction analytics & monitoring.  SWIFT got a wake-up call finally for its decision to stay with passwords, albeit stronger ones, when there are far more effective means of authentication available and the 30-year old technology of passwords has long been been proven easy to defeat.  Many now realize that the most signification protection starts upfront with simple and intelligent authentication controls across the user access points.  By getting this in place, you create an iron wall of stronger protection that then allows an organization to further optimize other areas of underdeveloped cyber security controls.”

István Szabó, PhD, Product Manager at Balabit:

“Even if banks upgrade and improve their current security tools and procedures as recommended by SWIFT, it is important to highlight that these attacks are not primarily machine based and current security tools won’t spot them, as the attackers have already gained foothold behind the defense perimeters.  As the account they’ve used for such actions might already possess the highest level of privileges, the bad actors can often do whatever they want and cover up their tracks with ease. Privileged users are the main target of these kind of attacks. Such sophisticated attacks require more sophisticated methods to discover and stop them. To counter such a dangerous yet hard-to-notice threat, a solution that’s capable of seeing the unseen is required.

“The better method is for participating organizations to monitor their privileged users, build user specific profiles and apply behavior analytics on top of that. Profiles can be obtained from mouse movements, keystroke habits, command usage regularity, users IP / port and protocol in a transparent way if using a proxy based monitoring technology. The habits of every individual user are unique indicators and impossible to copy. These profiles provide a baseline of normal behavior for individual users, and algorithms can detect anomalies in real time when someone is performing a harmful action, giving security teams a chance to cope with the threat.

“This approach adds an additional layer complementing the existing security infrastructure and focusing on threats that were undetected and unmatched, allowing full visibility over the privileged user activities of internal or external (3rd party) staff members and authorized users. It gives organizations faster response and forensic capabilities, it highlights gaps in IT security, and it provides a clean and simple indication on suspicious anomalies.

Dawid Kowalski, Technical Director EMEA at FireMon:

“Recent events related to Bangladesh Bank exposed weak points of risk management. A low risk score was associated to the SWIFT network because it was known to be closed to external parties, therefore presumably protected from attacks. This was proven not to be the case and exposes a bigger problem when it comes to the need for and intelligent security management platform.

Latest revelations show that for at least one of the attacks on banks, there was lack of firewall management, not to mention any security posture assessments or event correlation. To improve security, banks and other organisations have to increase importance of cyber-security risks by measuring real-time security concerns, integrate management of multiple security solutions like firewalls, IPS, AV, end-point security, etc. under the single umbrella of a security intelligence platform.

There is also a need to correlate events automatically in real-time as part of rapid event triage coming from multiple sources, including mail systems, database systems and other infrastructure and end-point oriented security solutions.

One of the biggest challenges these days is not a lack of solutions, but spread of data across different data silos. Often this leads to security experts responsible for end-point solutions failing to discuss alarms with firewall experts. SIEM solutions tried to address some of these aspects, but the lack of capability to process unstructured data and the fact that they have a limited set of supported data format proves the need for real-time automated security analytics and threat hunting.”

George Rice, Senior Director, Payments at HPE Security – Data Security:

“Here is yet another example of the ever-increasing challenge of preventing unauthorised access to repositories of sensitive data. Strict network access controls and perimeter security are essential tools for securing data environments, but have proven inadequate in preventing sophisticated criminals from gaining access to valuable business and customer data. Consequently, these strategies must be combined with field-level security approaches, such as Format-Preserving Encryption and tokenisation in order to truly protect sensitive data from loss. In doing so, sensitive data such as log-in credentials, transactional records, PCI and PII data may be protected in a way that maintains usability for the business but removes their value to unauthorised users that may gain access to data environments.”