A series of cyber-attacks involving the SWIFT banking network have come to light in recent years. The first public report of these attacks came from the Bangladesh Central Bank, and we have also seen attacks at State Bank of Mauritius, Cosmos Bank (India) and City Union Bank (India).
To strengthen security, Indian regulator Reserve Bank of India (RBI) issued several communications in this regard, and even imposed penalties on 36 banks in March for non-compliance on SWIFT operations. SWIFT also came forward with a revised Customer Security Programme (CSP), wherein it has released a security baseline for the entire community that must be implemented by all users on its local SWIFT infrastructure.
The controls in the CSP revolve around three objectives:
- Secure your environment
- Know and limit access
- Detect and respond
There are several actions that banks should take to strengthen their SWIFT infrastructure and operations, including:
- Isolate the general IT environment from SWIFT Infrastructure.
- Disable USB, email and internet from SWIFT workstations.
- Restrict the gateway operating hours to the bank's business requirement, and integrate the gateway with the SIEM so that activity outside those hours is monitored and reported as an anomaly.
- Patch the servers and endpoints regularly.
- Monitor user logon activity through the SIEM and report any anomaly it detects.
- Regularly review the existing RMA (Relationship Management Application) and remove the obsolete RMAs.
- RBI has asked all banks to integrate SWIFT with the CBS (Core Banking Solution) for both financial and non-financial messages. However, many banks have not implemented STP (Straight Through Processing) for non-financial messages. Banks should therefore integrate SWIFT with the SIEM, and any message created directly in SWIFT (rather than originating from the CBS) should be reported immediately.
- Regularly reconcile the NOSTRO account.
- If a bank uses a middleware application between SWIFT and the CBS, it should perform online reconciliation, using a reconciliation tool, of the messages generated in the middleware against those in SWIFT.
- Ensure SoD (Segregation of Duties) in letter and spirit.
- Monitor the activities of privileged users in the SWIFT system using any Privileged Identity Management tool.
- Carry out vulnerability assessments periodically.
- Implement multi-factor authentication in both CBS and SWIFT.
- Logs from the SWIFT infrastructure should be sent to the SIEM, and the SOC should monitor the integrity of both the software and the database.
- Create, publish and test an incident response procedure and conduct a tabletop exercise frequently.
- Lastly, security awareness should be mandatorily imparted to all users, as security is a shared responsibility.
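To show what the SIEM-side checks in the list above (gateway operating hours, messages created directly in SWIFT instead of via CBS STP, and CBS-to-SWIFT reconciliation) look like in practice, here is an added example that is not part of the original article or of any SWIFT or bank product. The audit record format, field names, the 09:00 to 18:00 window and the sample records are all constructed assumptions.

```python
# Added example (not from the article): a small SIEM-style check over constructed
# SWIFT gateway audit records. The JSON fields below are an assumption, not the
# real Alliance log format; adapt the parser to whatever your gateway emits.
import json
from datetime import time

# Assumed business window: the gateway should only send between 09:00 and 18:00.
GATEWAY_WINDOW = (time(9, 0), time(18, 0))

# Constructed sample records, one per outbound message. 'source' records whether the
# message arrived through the CBS STP interface or was keyed directly in the SWIFT GUI.
SAMPLE_EVENTS = [
    '{"ref": "TXN001", "type": "MT103", "source": "CBS_STP", "sent": "10:15"}',
    '{"ref": "TXN002", "type": "MT103", "source": "SWIFT_GUI", "sent": "11:40"}',
    '{"ref": "TXN003", "type": "MT199", "source": "CBS_STP", "sent": "23:05"}',
    '{"ref": "TXN004", "type": "MT103", "source": "CBS_STP", "sent": "14:00"}',
]

# Constructed list of references the CBS says it handed to SWIFT (reconciliation input).
CBS_OUTBOUND_REFS = {"TXN001", "TXN003", "TXN004"}


def parse_time(hhmm):
    """Turn an 'HH:MM' string from the record into a datetime.time."""
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


def detect_anomalies(events, cbs_refs, window=GATEWAY_WINDOW):
    """Return (ref, reason) pairs for records that breach one of the controls."""
    findings = []
    seen = set()
    for line in events:
        ev = json.loads(line)
        seen.add(ev["ref"])
        # Control: every message should originate from the CBS via STP.
        if ev["source"] != "CBS_STP":
            findings.append((ev["ref"], "created directly in SWIFT, bypassing CBS STP"))
        # Control: the gateway should be idle outside the business window.
        if not (window[0] <= parse_time(ev["sent"]) <= window[1]):
            findings.append((ev["ref"], "sent outside gateway business window"))
        # Control: every SWIFT message must reconcile to a CBS record.
        if ev["ref"] not in cbs_refs:
            findings.append((ev["ref"], "no matching CBS record (reconciliation break)"))
    # The reverse reconciliation break: CBS handed it over, gateway never saw it.
    for ref in sorted(cbs_refs - seen):
        findings.append((ref, "in CBS but never seen at SWIFT gateway"))
    return findings


if __name__ == "__main__":
    for ref, reason in detect_anomalies(SAMPLE_EVENTS, CBS_OUTBOUND_REFS):
        print(f"ALERT {ref}: {reason}")
```

In a real deployment the same three checks would run as SIEM correlation rules fed by the gateway and CBS logs, with each finding raised to the SOC as the article prescribes.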