http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C
I found this article from this morning pretty interesting. SWIFT, which basically allows financial transactions between banks worldwide, declared that there were new cyber attacks on its member banks. They said that attacks have ramped up since the Bangladesh Bank lost $81 million back in February’s cyber attack. The attackers are specifically targeting banks that lack proper security for “SWIFT-enabled transfers.” It seems like SWIFT is having trouble with their member banks complying with security procedures. The biggest issue stated in this article is that SWIFT does not have “regulatory authority over its members.” So they cannot FORCE these banks to comply with proper security controls. SWIFT is threatening to disclose security lapses for these banks, which I don’t see how it helps. Before these banks were capable of using the SWIFT transaction system, SWIFT should have sent their own IT auditors to make sure these banks had the proper IT security and controls in place. Otherwise, we will see problems like this where banks or companies in general, especially in developing countries, aren’t taking IT security seriously.
Mauchel Barthelemy says
Ahmed,
This is a classic example of one of this week’s readings where an organization fails to apply its due diligence to properly vet business partners. As stated in SANS’ article, “Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment,” “IT security is not only about aligning an organization with the most sophisticated IT Security tools, but also must legally and ethically investigate how secure vendors and business partners are. In order to efficiently accomplish so, open source tools such as search engines, Shodan, Search Diggity, and Recon-ng can provide a company security profile without directly accessing target firms,” stated SANS’ Susanne Young. This is a lesson that SWIFT will need to learn the hard way, but it can be prevented in the future if it applies the principle explained above.
Anthony Clayton Fecondo says
I think SWIFT definitely needs to enforce best practices for use of their product. Although SWIFT has no regulatory authority over the companies it does business with, it can make business agreements that are contingent upon the banks implementing SWIFT’s technology in a secure manner. I think this is especially important for SWIFT, as the negative publicity that the compromised banks receive will also affect SWIFT’s reputation. If SWIFT becomes less reputable, banks in business with SWIFT and potential clients might take their business elsewhere. Definitely something SWIFT needs to address ASAP.