SWIFT CSP: Compliance is not security!

- (Cyber)security audit -

| What is SWIFT CSP?

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative society under Belgian law, founded in 1973 to provide standards for data exchange between financial institutions. It is owned by its members, which include some of the world's largest banks.

Today, SWIFT operates a global interbank messaging network used by financial institutions (banks, trading rooms, large corporations). Because the messages carried by this network are extremely sensitive, and because the threats against SWIFT and its customers keep growing, SWIFT introduced the Customer Security Programme (CSP) in 2017. The CSP imposes on customers a set of security controls, some mandatory and some advisory, covering the security of the IT infrastructure that connects them to SWIFT.

In 2016, before the CSP existed, attackers compromised the Bangladesh Central Bank, a member of the SWIFT network, and used its access to issue fraudulent transfer orders. They were initially aiming to steal $1 billion, but one of the orders aroused the suspicion of Deutsche Bank, which limited the loss to $81 million.

For SWIFT, the enforcement of security measures across its users is crucial as the compromise of a single customer can lead to chain reactions across the network.

| CSP Issues

These control points must be the subject of an annual self-assessment by the customer, coupled with an audit that can be conducted by an external service provider such as Synetis.

Depending on each user's needs, SWIFT offers several types of connectivity, which involve the customer's own network to a greater or lesser degree (from a simple VPN connection to the SWIFT network, up to hosting of the SWIFT components by SWIFT itself).

Take the case of a bank: it can host a SWIFT zone on its own network, which links its back office (the systems that manage the bank's day-to-day operations) to the rest of the world.

In this case, the CSP imposes numerous measures (19 mandatory controls, 13 advisory) which are mainly aimed at:

  • Reducing the attack surface and the number of vulnerabilities: this requires strong network segmentation, a strict restriction of Internet flows, patching and hardening of systems, and authentication means separate from those of the corporate network (the SWIFT zone must not rely on the corporate directory).
  • Managing identities and separating privileges: because an entity's SWIFT zone is highly sensitive, the identities and access rights of the operators of the zone must be strictly managed (including personnel vetting procedures), and strong (multi-factor) authentication must be in place.
  • Detecting abnormal behaviour on systems: traceability of all actions, at the system level as well as the business level, is the starting point of the monitoring required by the CSP. In addition, integrity checking of software and of database records is required, and the response to an incident must be planned and written down in advance.

These protective measures, which are ultimately no more than current best practice in information systems security, aim to prevent and/or detect the actions of an attacker whose primary goal is to create or manipulate banking transactions fraudulently.

In practice, for operational teams, the recommendation guides published by the French National Cybersecurity Agency (ANSSI), which we encourage you to apply regardless of the information system concerned, are a very good source for the practical implementation of these measures.

Among the advisory (not mandatory) measures is an internal penetration test carried out by an external provider. This confirms whether the measures put in place actually prevent an intrusion, rather than merely looking compliant.

Experience has shown Synetis' auditors that, although the "SWIFT zones" themselves receive particular attention through the security measures required by the CSP, the network equipment and the administration channels sitting between the internal network and the SWIFT zone are sometimes insufficiently segregated. As a result, an attacker who has gained a foothold on the company's "ordinary" network can take control of the SWIFT zone from there. A SWIFT zone that looked compliant on paper is thus compromised in a few days because of weaknesses on the network it is connected to.
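The partitioning failures described above (administrative access into the zone from the ordinary corporate network, direct Internet egress from the zone, and a zone that authenticates against the corporate directory) can be caught before a penetration tester does by auditing the firewall rule set that sits between the two networks. The following script is an added example, not code from the original article or from Synetis: the address plan, the rule format, the port lists and the sample rules are all assumptions, chosen only to illustrate the checks that correspond to the CSP principles listed earlier (segmentation, restriction of Internet flows, separate authentication means).

```python
"""
Added example (not from the original article or from Synetis): audit a
firewall rule set against the partitioning principles the CSP asks for.
The address plan, rule format, port lists and sample rules are assumptions.
IPv4 only, to keep the example short.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption, not a real deployment).
CORPORATE = ipaddress.ip_network("10.0.0.0/8")         # ordinary corporate network
SWIFT_ZONE = ipaddress.ip_network("172.16.50.0/24")    # SWIFT secure zone
ADMIN_NETS = [ipaddress.ip_network("172.16.60.0/28")]  # dedicated operator/admin hosts
ANY = ipaddress.ip_network("0.0.0.0/0")

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
AUTH_PORTS = {88, 389, 636}           # Kerberos, LDAP, LDAPS: corporate directory traffic


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None  # None means "any port"
    action: str        # "allow" or "deny"


def load_rules(text: str) -> list[Rule]:
    """Parse one rule per line: name src dst dport|any allow|deny ('#' starts a comment)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, src, dst, dport, action = line.split()
        rules.append(Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if dport == "any" else int(dport), action))
    return rules


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, issue) pairs for allow rules that weaken the partitioning."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        from_zone = r.src.overlaps(SWIFT_ZONE)
        to_zone = r.dst.overlaps(SWIFT_ZONE)
        from_admin = any(r.src.subnet_of(n) for n in ADMIN_NETS)
        admin_port = r.dport is None or r.dport in ADMIN_PORTS
        auth_port = r.dport is None or r.dport in AUTH_PORTS

        # 1. Administrative access into the zone only from the dedicated admin hosts.
        if to_zone and not from_zone and admin_port and not from_admin:
            findings.append((r.name, f"admin access to SWIFT zone from {r.src}"))
        # 2. No direct Internet egress from the zone (any public destination).
        if from_zone and (r.dst == ANY or not r.dst.is_private):
            findings.append((r.name, f"Internet egress from SWIFT zone to {r.dst}"))
        # 3. The zone must not authenticate against the corporate directory.
        if from_zone and r.dst.overlaps(CORPORATE) and auth_port:
            findings.append((r.name, f"SWIFT zone relies on corporate directory at {r.dst}"))
    return findings


# Constructed rule set for the example (assumption, not a real configuration).
SAMPLE_RULES = """
# name                src               dst               dport  action
admin-to-swift-ssh    172.16.60.0/28    172.16.50.0/24    22     allow
backoffice-to-swift   10.0.2.0/24       172.16.50.0/24    8443   allow  # legitimate business flow
corp-to-swift-rdp     10.0.0.0/8        172.16.50.0/24    3389   allow  # whole corporate network
swift-egress-https    172.16.50.0/24    0.0.0.0/0         443    allow  # direct Internet access
swift-to-corp-ldaps   172.16.50.0/24    10.0.1.10/32      636    allow  # shared directory
default-deny          0.0.0.0/0         0.0.0.0/0         any    deny
"""


if __name__ == "__main__":
    for name, issue in audit(load_rules(SAMPLE_RULES)):
        print(f"{name}: {issue}")
```

Run against the constructed rule set, the audit flags `corp-to-swift-rdp`, `swift-egress-https` and `swift-to-corp-ldaps`, and accepts the SSH rule from the dedicated admin subnet and the back-office business flow. A real audit would export the rules from the firewall and the routers in front of the zone (the very equipment the paragraph above points at), and would also cover the out-of-band management interfaces of that equipment, which are often reachable from the corporate network even when the data path is correctly filtered.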

This shows that the principles behind the CSP should be applied to every information system that is connected, in one way or another, to the SWIFT zone, not only to the zone itself.

Synetis, with its experience in the banking sector, can help you establish your compliance with the CSP. In addition, the full expertise of our audit team, in particular through penetration testing, is available to validate the measures implemented on your SWIFT environment as well as on all the networks that access it.


| Sources 

  • Post published: 7 April 2020
  • Author/Publisher: MLebouec, Cybersecurity Consultant | Synetis.