The Billion-Dollar Bank Job (nytimes.com)
163 points by ohaikbai on May 11, 2018 | hide | past | favorite | 34 comments



I have investigated multiple cyber incidents pertaining to SWIFT transfers, including malware and insider collaboration. The ground reality at most institutions is that their infrastructure is poorly designed and insecure by default. In one of the banks I visited, the SWIFT AGS was on the same VLAN as the rest of the network, including admin and receptionist PCs. No EDR, basic AV, no application-aware firewalls, no network baselining, improperly configured AD events, a 2-month log retention period, lack of standardized OS golden images, and pirated operating systems cracked using executables downloaded from the internet. Worse, the AGS was managed through a PC accessible via TeamViewer protected by a weak password. You may consider this an isolated case, but on the ground, most banks only focus on CBS and security takes a backseat, until something happens.


You could be describing the security of any organization. I've seen the same sort of mess at well funded government organizations that should (and do) know better.

It's interesting that those cable cars in Switzerland get more frequent and in-depth inspections.


You don't know how right you are about infrastructure in businesses. I've seen the inside of hundreds of companies over the years... everything from 5-man law firms to Fortune 500, and it was a rarity to see good infrastructure.

It's a management problem, but it's also a problem because the people responsible aren't doing a good job convincing management. Which is why I think engineers/sysadmins/devs who have the ambition should start getting MBAs and going for the CTO/CIO position... which is the main executive position (if it even exists) failing.

It's also why I'm working on my data science degree now. Execs don't like you, they don't trust you, and they generally don't listen well... but they love numbers and pretty graphs!


I mean, can you actually convince execs it's a good idea, no matter how charismatic you are? As a citizen, an engineer, and a consumer I think software and infrastructure security needs to be taken much more seriously due to how much breaches hurt people.

But if I was an executive or shareholder? Why would I care? We've seen time and time again how data breaches are just a blip in the stock price, the government doesn't punish anyone for negligence, and if someone manages to take serious money from you the government will go after them on your behalf. Security is expensive, and the odds of you having a breach that actually hurts you for more than a short period seem astronomically low.

We have more businesses saying they are shutting down or leaving the EU market over the fact that they can't take user data without permission than we have shutting down because they leaked all their users' data or let hackers in through complete negligence of any modern security practices.


> I mean, can you actually convince execs it's a good idea, no matter how charismatic you are? As a citizen, an engineer, and a consumer I think software and infrastructure security needs to be taken much more seriously due to how much breaches hurt people.

On SWIFT, yes, you can, thanks to their own reply to the Bangladesh incident: a reasonably thorough set of security guidelines called CSP/CSCF (Customer Security Programme/Customer Security Controls Framework), compliance with which is now mandatory. Network isolation, 2-factor authentication, secure VDI for access, physical access controls, log retention, it's all in there. It's the perfect chance to get money and people from management and sanitize the situation.

Actually if in May 2018 you don't already have a running project and resources for compliance, you should be quite worried.


Interesting - I got as far as here before hitting login

https://www2.swift.com/uhbonline/books/a2z/customer_security...

Is there an openly published version of this? It would be interesting to see what best practice looked like.


I found an openly accessible link which gives you at least an overview of each of the security controls. Everything else is behind a login prompt, sorry.

https://www.swift.com/myswift/customer-security-programme-cs...


Well the pressure allows for new models to emerge. It's like a never ending war. The front lines keep moving back and forth between those who put themselves before others and those who don't.

The thing to remember is one side cannot fully ever take out the other.


Completely agree about the management part. Unfortunately, for them, security is not tangible and the capex to implement security tech gives them no revenues in return. Additional opex to maintain it only increases their skepticism about whether it is worthwhile at all. I remember, for one client, I recommended SIEM with threat intel integration (a free one, AlienVault OTX) and asked them to implement it. It went on the back burner because they never felt the need to dedicate 2 FTEs, one small server cluster and operational time for this. Also, since it was not regulated at that time, they never even bothered. Fast forward 3 years, they had WannaCry and had no clue which machine was patient zero, thanks to ill-managed logs, or what to even do about it. 500 man-hours and ~1000 encrypted workstations (spread across 150 branches) later, they implemented it as part of their "proactive" defense strategy.


I'm responsible for a SWIFT installation and the stuff you quote is outright horrifying. I am not formally in charge of security - we have dedicated teams of professionals for that - but it's been a past occupation of mine so I strive to stay on top of things, and literally cannot imagine the work attitude leading to the situations you describe.

I actually run my local firewall in addition to the network one (to which I have no access) and am toying with a WAF I'm adding to the picture, gradually tightening the ruleset.

Just one question: AGS = SAG? I've never seen it written like that.


Mea culpa, it indeed is SAG. We typically refer to it as the Alliance Gateway Server during investigations.


Then you get situations where the cabled network security is incredibly restricted but the wifi network works off the same 10 digit code for years.

Folks then have to log off the restricted network and onto the wifi to run simple processes that require data that is inaccessible through the cabled network.

The potential for abuse by an intruder is obvious.


Wow. And I'm assuming you cannot name names, for the benefit of society, because lawyers.


If only there was a stringent regulatory audit across the financial sector that focused on cyber security as a substance, then you would see that 7 out of 10[1] financial institutions lack even the most basic defenses / ignore the basic sanity measures / or have poorly configured point solutions as their best defense against any cyber attack. A member of my team came across an institution that hosted the PII data for a country on a third-party cloud accessible via a poorly written API. Since regulatory laws were pretty lax, they (the institution) simply shrugged it off. The recommendations and remediation measures (wonder if there were any) get lost in the ocean of PPT files.

[1] From my own experience as an IR + Red team guy.


There is such regulation. It's supposedly enforced by the FFIEC.


Agreed, but it is US only. Banks in the Middle East and in South East Asia are in pretty bad shape because of lax regulators.


- Hackers gain access to Bangladesh's Central Bank computer network.

- Over months they quietly observe user activity and credentials, incrementally escalating their privileges until they gain access to a connected SWIFT server.

- The attackers wait for the optimal weekend, which included a national holiday, so that central bankers would be least available and able to communicate.

- On that weekend the attackers send a series of wires from Bangladesh, to NY, to the Philippines, totalling near $1b.

- The attackers cover their tracks by deleting digital records on the Bangladeshi systems and interfering with their printers.

- When the money arrives in the Philippines it is laundered through a complex system of casinos involving Macau and North Korea.

- In the end "only" $81m was stolen, rather than $1b, because one of the wires referenced an organization with the word "Jupiter" in its name, which by dumb luck happened to be a word on an international blacklist due to a completely unrelated company with a similar name that broke Iran sanctions, triggering an investigation.

The main weakness seems to be that the Philippines does not enforce proper KYC/AML and is therefore a haven for laundering - otherwise it would be difficult to get the money to an actual human, even if SWIFT was coerced into sending invalid transactions.


> one of the wires referenced an organization with the word "Jupiter" in its name, which by dumb luck happened to be a word on an international blacklist

Really makes you think about what you should name your company! Imagine trying to start a Venmo competitor called "Jupiter Pay" and discovering mid-launch that all your payments are delayed due to an opaque process. Sounds a lot like the problems people have when they share a name with some terrorist and try to board a plane.
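An added illustration (not from the article or any commenter) of why a single listed word holds up unrelated payments: a constructed, deliberately simplified screening check comparing token-level matching against whole-entity matching. The watchlist entries are invented for the example and do not represent any real sanctions list.

```python
"""Constructed sanctions-screening example showing how the word "Jupiter"
on a watchlist can flag an unrelated beneficiary.  Not SWIFT's or any
bank's real screening logic; the watchlist below is invented."""
import re
from dataclasses import dataclass

# Invented watchlist: one full entity name plus one bare word that an
# over-broad list might carry (assumption for the example).
WATCHLIST_ENTITIES = {"jupiter shipping co"}
WATCHLIST_WORDS = {"jupiter"}


@dataclass
class Hit:
    field: str     # which wire field triggered the hit
    matched: str   # the token or entity name that matched
    kind: str      # "word" or "entity"


def _norm(text: str) -> list[str]:
    """Lowercase, strip punctuation, split into tokens."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def screen_word_level(wire: dict) -> list[Hit]:
    """Flag the wire if ANY token in a free-text field is a watchlist word.
    This is the over-broad behaviour that would delay a hypothetical
    'Jupiter Pay' alongside the intended target."""
    hits = []
    for field in ("beneficiary", "remittance_info"):
        for tok in _norm(wire[field]):
            if tok in WATCHLIST_WORDS:
                hits.append(Hit(field, tok, "word"))
    return hits


def screen_entity_level(wire: dict) -> list[Hit]:
    """Flag only when the normalised beneficiary equals a listed entity.
    Far fewer false positives, but an exact match misses deliberate
    misspellings, so real programmes layer fuzzy matching and analyst
    review on top rather than choosing one or the other."""
    name = " ".join(_norm(wire["beneficiary"]))
    if name in WATCHLIST_ENTITIES:
        return [Hit("beneficiary", name, "entity")]
    return []
```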


Or, for the reverse use case, you could start a company with a blacklisted name and get it whitelisted for your use case. Use that company for money laundering and flags might be skipped over and attributed to the company name.


And check the spelling ;-).

Another article at the time mentioned a mis-spelling of "Foundation" casually noticed by a Deutsche Bank employer:

https://www.theguardian.com/business/2016/mar/10/spelling-mi...

Besides the "Jupiter" name-collision:

https://www.reuters.com/investigates/special-report/cyber-he...


Thank you for this


I've read a few articles on this story, and this one was pretty good, until it got to the North Korea attribution. Funny how FireEye is always around getting paid while pointing the finger at the same group of belligerents... but sorry no specifics, NDA and all that. (But of course the NDA doesn’t prevent the NYT from broadcasting FireEye’s conclusion.)

FireEye's incentive is to deliver attribution, a "bad guy" for the breached victim to shift the blame to. That's why major companies and governments hire them after a breach; because they want answers, not necessarily the truth. If FireEye said "sorry, we're not sure who did this," business would not go so well for them.

Trouble is, attribution is hard, and must be qualified by a degree of certainty. FireEye should be willing to say "we don't know" sometimes, because that is often the truth! But monetary incentives obstruct their ability and/or willingness to do so.

It's easy to find evidence when you don't know exactly what you're looking for, everything could mean anything, and you’ll get paid for finding something.


We saw this exact thing not too long ago with CrowdStrike and the DNC. One thing that still baffles me is why did the DNC choose a for-profit consultant over the United States Government. I guess when it's a private company that you are paying you can control the narrative.

When your job is to hammer nails everything starts looking like a nail.


The United States government came to the same conclusion that CrowdStrike did [0]. And the USG presumably is able to get over the "attribution is hard" problem with HUMINT and SIGINT sources that FireEye and CrowdStrike do not have.

[0] https://www.dni.gov/files/documents/ICA_2017_01.pdf


> One thing that still baffles me is why did the DNC choose a for profit consultant over the United States Government

I think it's really obvious why a political party would want an independent conclusion other than a government conclusion, but that's me. In the end it was the same result.


CrowdStrike is filled with former Govt employees (FBI, NSA).

So you get all of the training and techniques of top FBI / NSA hackers without all of the pesky "rules" associated with using them.


Well, they might have simply wanted a report that came out before the election.


>One thing that still baffles me is why did the DNC choose a for profit consultant over the United States Government.

This is brilliant thinking, the DNC should have given the FBI more material to leak to Giuliani. Then Comey could have based his October surprise on something in the DNC servers, instead of having to obfuscate the fact that the emails he was basing his 're-opening' of the case on weren't anything new. Oddly enough, he had no problem concealing the fact that the other candidate was the current subject of a counter-intelligence investigation opened when the ambassador of Australia formally notified the US that the Trump campaign claimed to be cooperating with a hostile foreign power.

A contradiction your comment creates and you don't actually engage is the fact that the Crowdstrike report and the IC report on election interference both support each other. If you claim the DNC was trying to control the narrative, it's only necessary to hire outside expertise if you're trying to challenge the credibility of different experts. If the experts are already going to be saying the same thing as you, there's no need to pay an outsider to parrot it.


Without getting into questions about motive, I can think of a good reason to choose CrowdStrike over the FBI. If you hire CrowdStrike, you can choose what happens with the findings. If you let the FBI do it, they're going to do as they choose with the findings.


Perspective: I have worked as a consultant for South Asian mobile phone carriers, in backbone network engineering.

Network security and IT security are incredibly lax and weak in Pakistan, India and Bangladesh. It's an afterthought at best.

The people who are best qualified to implement real network+endpoint security are not working for $21,000/year salaries in Dhaka, but have emigrated to the USA/Canada/UK.


It is the sad truth, unfortunately.


This is nothing compared to what the white-collar criminals at the top levels of Wells Fargo managed to expropriate from their customers.


Do any folks here know which companies actually have adequate security measures in place as an example? I have heard of a couple that went all out on security, but who has an amount you would consider reasonable for their size and situation?


I thought the story would be about an actual billion dollar bank job, not a potential billion dollar bank job.

https://en.wikipedia.org/wiki/Moldovan_bank_fraud_scandal

