What Businesses Can Learn from the SWIFT Cyber Attack

Like bacteria that mutate in order to thrive against powerful antibiotics, threats in today's cyber-environment are constantly changing to exploit new vulnerabilities. But just as antibiotics must evolve, our systems for protecting digital security - at personal, commercial and government levels - must change with the times and be equally active, robust, and innovative.

The latest reminder is the recent reports that cyber criminals stole $81 million in funds from the central bank of Bangladesh, as well as from a bank in Ecuador and in at least one other country. The brazen theft is a painful lesson showing that the bad guys never sleep, and what was once "good enough" in terms of digital security is no longer so. To perpetrate this film noir-worthy heist, digital thieves snuck into what was thought to be the most secure financial messaging system in the world, known as SWIFT, a Belgian co-operative owned by member banks and used by 11,000 financial institutions globally.

The attack on the SWIFT banking network did not showcase a new type of computer attack, but it did reveal a shrewd scheme combining several existing attack methods in a devious, sophisticated, and unique way. SWIFT said the thieves stole legitimate operator credentials allowing them to send seemingly authentic messages that were used to conduct fraudulent transfers. Then they installed malicious software on bank computers that allowed them to manipulate printers and hide traces of the fraudulent messages.

"The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both," said SWIFT in a statement.

Protecting SWIFT and its members, or any similarly interconnected eco-system, today requires a collaborative, multi-faceted approach that must be managed like a serious business challenge, not simply a technological issue.

First, social engineering of human foibles by the bad actors must be fought with social engineering by the good guys. Previous attacks on payment networks have often involved so-called "spear-phishing" attacks, in which criminals lure people into opening fake emails and clicking on links that download malicious software onto the user's computer, allowing fraudsters to steal credentials as users log on to systems.

In addition to the malware, the cybercriminals deployed hacking tools, including key-logger software that monitors and records keystrokes, to steal Bangladesh Bank's credentials for the SWIFT system.

Ongoing education, both within and outside of the technology organization, about the latest spear-phishing techniques will help drive awareness and reduce fraud. Mobile devices and other connected devices in the Internet of Things are new points of vulnerability and must be locked down. The bank thieves also took advantage of a weak link in the security chain: a lowly PDF reader used to generate reports of payment confirmations. A regular portfolio review approach focused on security across the entire business will help identify emerging threats, gaps, and mitigation strategies.

We also need to understand that the security perimeter is no longer the walls of the castle, no matter how fortified the castle. The new perimeter is identity. It's that point where the user - the millions of users - is accessing any given system on the edge of the network. Companies must be sure that users are who they say they are, and that the information and services they can access exactly matches their role.

Usernames and passwords are no longer sufficient for sensitive communications. Augmenting basic identity with advanced authentication protocols such as multi-factor authentication can help ensure identity authenticity, helping smaller banks upgrade their security in a relatively easy and cost-effective manner.

Some data and services may also need greater security than others. For example, a simple password may be sufficient for a consumer to access balance information in an online banking scenario. But fund transfers initiated by bank employees should require additional identity verification in order to complete the transaction.

And importantly, we also need to increase the monitoring and analysis of privileged user accounts. The increasing interconnectedness of our commercial, financial, and even government systems means that more users than ever before are being granted privileged access to run those various systems.

Privileged access should be granted for only as long as necessary, and the activity of privileged accounts must be monitored closely at all times, especially since much cyber crime is perpetrated by insiders. Fraud detection software can recognize anomalous behavior from these accounts, such as attempts to escalate privileges or changes in behavioral patterns. And if privileged access is compromised, account access histories will help you better understand what happened and why.
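The three controls just described (time-boxed privileged grants, anomaly detection on privileged activity, and an access history for investigation) as an added illustration in Python; this is example code, not part of the original article or any SWIFT tooling. The log format, account names, targets, grant window and baseline hours are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of privileged-account activity, one event per line:
# "<ISO timestamp> <account> <action> <target>". The log shape, account
# names and targets are assumptions for this illustration, not SWIFT data.
ACTIVITY_LOG = """\
2016-02-04T09:05:00 ops_admin login workstation-07
2016-02-04T09:07:12 ops_admin read payment_confirmations.pdf
2016-02-04T10:15:00 auditor login workstation-02
2016-02-04T22:41:03 ops_admin login workstation-07
2016-02-04T22:42:30 ops_admin escalate_privilege messaging_db
2016-02-04T22:43:05 ops_admin modify print_queue
2016-02-04T22:44:10 ops_admin delete confirmation_log
"""

# Privileged access is granted for a bounded window only: account -> (start, ttl).
GRANTS = {"ops_admin": (datetime(2016, 2, 4, 8, 0), timedelta(hours=10))}
BASELINE_HOURS = range(8, 19)   # 08:00-18:59, the account's normal working pattern
SENSITIVE = {"escalate_privilege", "modify", "delete"}

def parse(log):
    """Yield (timestamp, account, action, target) for each event line."""
    for line in log.splitlines():
        ts, account, action, target = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), account, action, target

def grant_active(account, ts):
    """True if the account holds a privileged grant that covers this moment."""
    grant = GRANTS.get(account)
    return grant is not None and grant[0] <= ts <= grant[0] + grant[1]

def review(log):
    """Return (account, reason, action, target) for every anomalous event."""
    findings = []
    for ts, account, action, target in parse(log):
        if action == "escalate_privilege":
            findings.append((account, "privilege escalation attempt", action, target))
        if action in SENSITIVE and not grant_active(account, ts):
            findings.append((account, "sensitive action outside grant window", action, target))
        if ts.hour not in BASELINE_HOURS:
            findings.append((account, "activity outside baseline hours", action, target))
    return findings

def access_history(log, account):
    """Chronological trail for one account: the record an investigator starts from."""
    return sorted((ts, action, target) for ts, acct, action, target in parse(log) if acct == account)

if __name__ == "__main__":
    for finding in review(ACTIVITY_LOG):
        print("ALERT", *finding)
```

Running the block flags the late-night escalation, the modify and delete actions that occur after the 10-hour grant has lapsed, and every event outside the baseline hours, while the auditor's daytime login produces nothing.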

The SWIFT attacks are significant not just because a large amount of money was stolen, but because the attackers used a combination of well-known methods to compromise a financial system operating in the central nervous system of the global economy. Businesses must learn from this and carefully examine their own practices. We need to ask ourselves if we are going beyond "good enough" security to stay vigilant in maintaining the health and security of our systems. And we need to fight fire with fire by using a proven combination of well-known security antidotes to contain and prevent the spread of another SWIFT attack. Otherwise, the Bangladesh caper will only have more sequels.