A short time ago the news got out that the Bangladeshi Federal Reserve bank lost $81 million to a successful hacking attempt.
The fact that these huge sums of money can be transferred without multiple levels of verification is a discussion all on its own, but in this case I’d like to talk about the heist and draw on its simplicity.
Examining the Hacker News article, it’s apparent that a second-hand networking switch was used to protect the system connected to the SWIFT network, the network that controls payments between accounts all over the world. There was no firewall…
I can’t get my head around the fact that this piece of equipment somehow got introduced to a network one would assume to be among the most heavily monitored and closely guarded in the world. I dread to think of the scrutiny the teams responsible for the change must be under right now.
But the thought that scares me most is that this equipment may not exist on any asset register: the CISO and other upper management were unaware of its existence and only learned of it when it became apparent there was a breach.
The sad truth is that throughout my career (and this predates my involvement in information security) I have witnessed hundreds of similar situations. Admittedly none had such a drastic impact as the attack on the SWIFT network, but they still posed considerable risk from both a business and an IS perspective.
It is essential to remember that most of the time the employee is not the only one at fault. The majority of these incidents arise from a lack of understanding of process or impact. Staff need a firm understanding of both to be effective at helping the business curtail the introduction of anything that leads to elevated risk.
There are a few things we can take away from this breach. First, an understanding at all levels of the business of the impact any action may have further down the line. This is probably the most difficult, as it requires buy-in from the top down and unfortunately there’s no COTS solution. Employee workshops, infosec inductions and ongoing training and monitoring are all key here.
Second, make sure asset registers are kept up to date and challenge them every once in a while. I do have my preferred tools for asset and inventory scanning; however, in the hope of remaining vendor neutral I won’t mention any by name. There are some fantastic automated solutions out there which can be dropped on a network to enumerate everything on the wire with very little input from the user. They add very little overhead and, if properly planned, shouldn’t be overly costly. I’ve seen these types of assurance activities worked into even the most modest of budgets; they also require little or no outside intervention, as everything can be done with existing talent.
Third, take the view that at some point processes and procedures will not be followed, and plan your controls and response around that. A good layered approach to monitoring and log collection should alert on any change in network topology, at the very least making the IS function aware.
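Putting the second and third takeaways together in code, as an added example that is not from the original post: a neighbour table is compared against the asset register, flagging anything on the wire that nobody registered and any registered asset that was not seen. The register, the `ip neigh` lines and the team names below are constructed for the example; a real deployment would feed it from the CMDB and from switch or router neighbour tables.

```python
import re
from dataclasses import dataclass

# Constructed asset register for the example: MAC address -> (hostname, owning team).
ASSET_REGISTER = {
    "00:11:22:aa:bb:01": ("swift-gw-01", "payments-infra"),
    "00:11:22:aa:bb:02": ("swift-fw-01", "network-security"),
    "00:11:22:aa:bb:03": ("syslog-01", "secops"),
}

# Constructed neighbour table in `ip neigh` format; the fourth entry is a
# device nobody registered, the fifth never answered and carries no MAC.
NEIGHBOUR_TABLE = """\
10.20.0.2 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.20.0.3 dev eth0 lladdr 00:11:22:aa:bb:02 REACHABLE
10.20.0.4 dev eth0 lladdr 00:11:22:aa:bb:03 STALE
10.20.0.9 dev eth0 lladdr 0c:29:ef:00:00:07 REACHABLE
10.20.0.10 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")

@dataclass(frozen=True)
class UnknownDevice:
    ip: str
    mac: str
    dev: str

def _observed(neigh_output: str):
    """Yield (ip, dev, mac) for every line that carries a hardware address."""
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m["ip"], m["dev"], m["mac"].lower()  # normalise case before lookup

def find_unregistered(neigh_output: str, register: dict) -> list:
    """Devices seen on the wire whose MAC is absent from the asset register."""
    return [UnknownDevice(ip, mac, dev) for ip, dev, mac in _observed(neigh_output)
            if mac not in register]

def find_silent_assets(neigh_output: str, register: dict) -> list:
    """Registered MACs not seen at all: an offline host, or a register that has drifted."""
    seen = {mac for _, _, mac in _observed(neigh_output)}
    return sorted(mac for mac in register if mac not in seen)

if __name__ == "__main__":
    for d in find_unregistered(NEIGHBOUR_TABLE, ASSET_REGISTER):
        print(f"ALERT unregistered device {d.mac} at {d.ip} on {d.dev}")
```

Run on a schedule against every monitored segment, the first list is the alert the third takeaway asks for and the second is the prompt to challenge the register.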
Lastly, I am a strong believer in penetration testing to identify this type of low-hanging fruit. Had an outside consultancy been tasked with identifying vulnerable or weak components of the SWIFT network, this would likely have been flagged up.