
Customer Security Programme ACSDA Cyber Security Workshop


Presentation Transcript


  1. Customer Security Programme, ACSDA Cyber Security Workshop • Dan Moran, SWIFT Solution & Security Architecture

  2. Customer Security Work Session

  3. CSP | An Overview
  Customer Security Programme (CSP): launched in May 2016, the CSP supports all customer segments in reinforcing the security of their local SWIFT-related infrastructure.
  • You: Secure and Protect (SWIFT Tools; Security Controls Framework)
  • Your Community: Share and Prepare (Intelligence Sharing; SWIFT ISAC Portal)
  • Your Counterparts: Prevent and Detect (Transaction Pattern Detection – RMA, DVR and ‘In Flight’ Sender Payment Controls)

  4. CSP | Modus Operandi
  • Attackers are well-organised and sophisticated
  • There is no evidence that SWIFT’s network, core messaging services or OPCs have been compromised
  • All IOC details are published on the SWIFT ISAC portal
  Step 1: Attackers compromise the customer's environment
  • Malware injected by e-mail phishing, USB device, rogue URL or insider
  • Long reconnaissance period monitoring the bank’s back office processes
  Step 2: Attackers obtain valid operator credentials
  • Keylogging / screenshot malware looking for valid account ID and password credentials
  Step 3: Attackers submit fraudulent messages
  • Attacker impersonates the operator / approver and submits fraudulent payment instructions
  • May happen outside normal bank working hours / over a public holiday
  Step 4: Attackers hide the evidence
  • Gain time by deleting or manipulating records / logs used in reconciliation, or by wiping the Master Boot Record

  5. CSP | A case study

  6. CSP | Evolution of the Threat Landscape
  Evolving Cyber Threat Landscape
  • Industry reliance on the cloud
  • Overhead of constantly patching critical software vulnerabilities
  • 'Arms race' as new technologies mature – AI and machine learning
  • (Ab)use of new technology
  Evolving Attack Vectors
  • Rise in intense DDoS attacks
  • Rise in ransomware
  • Evolving zero-day APTs
  • Advanced ‘undetectable’ malware
  • Larger data breaches
  • (Possible) targeting of critical infrastructure
  The Weakest Link
  • Endless (spear) phishing
  • Rise in insider threats – the enemy within
  • Deep skills shortage
  Geo-Political Tensions
  • Geo-political tensions, macro-economic trade instability and ongoing conflicts
  • Nation states have used cyberattacks as a way to counter aggression from geopolitical rivals
  New Regulation
  • GDPR, with fines for PII breaches
  • CPMI-IOSCO Cyber Resilience for FMIs
  • ECB Cyber Resilience Oversight Expectations for FMIs

  7. CSP | Secure and Protect – Customer Security Controls Framework v1
  27 Security Controls, 3 Objectives, 8 Principles
  • Applicable to all customers and to the whole end-to-end transaction chain beyond the SWIFT local infrastructure
  • Mapped against recognised international standards – NIST, PCI-DSS and ISO 27002
  • 16 controls are mandatory, 11 are advisory

  8. CSP | Security Controls – Mandatory and advisory 1/3
  Advisory controls are notated with an "A" after the control number (for example, "2.4A")

  9. CSP | Security Controls – Mandatory and advisory 2/3

  10. CSP | Security Controls – Mandatory and advisory 3/3

  11. CSP | Customer Security Controls Framework v2019
  29 Security Controls, 3 Objectives, 8 Principles
  • 19 controls are mandatory – 3 advisory controls promoted:
    • 2.6 Secure Operator Sessions
    • 2.7 Yearly Vulnerability Scanning
    • 5.4 Physical and Logical Password Storage
  • 10 controls are advisory – 2 new advisory controls:
    • 1.3A Virtualisation Platform Protection
    • 2.10A Application Hardening
  • Full compliance against mandatory controls by end 2019

  12. CSP Update | Customer Security Controls Framework v2019
  • Raise the bar – new advisory controls: 1.3A Virtualisation Platform Protection; 2.10A Application Hardening
  • Raise the bar – advisory controls promoted to mandatory

  13. CSP | Evolution of the Controls Framework (CSCF)
  With the release of CSCF v2020 we will formally require that all attestations be further substantiated by an internal or external assessment.
  2020: Independent assessment to substantiate the attestation of compliance by 31 December 2020

  14. CSP | Compliance with security controls
  All customers need to self-attest that they fully comply with all mandatory security controls by 31 December 2018. Self-attestations need to be renewed every 12 months.

  15. CSP | Regulatory Reporting
  To encourage community transparency, SWIFT will report the status of users that fail to complete their self-attestation to their local supervisors. From Q1 2019, and every six months thereafter, SWIFT will report to local supervisors the status of users that have failed to self-attest compliance with all the mandatory security controls.

  16. CSP | Attestation Consultation
  • Users should consider consulting counterparty attestation data and integrating it into their risk management and business decision-making processes.
  • Using the KYC-SA, customers can share their attestation data with their counterparties and request data from others.
  • Customers remain in control of their attestation data: they can grant or deny requests for it.

  17. CSP | Quality Assurance
  SWIFT has identified a set of risk indicators to track the overall effectiveness and quality of the Customer Security Controls Framework and associated activities (i.e., attestation, compliance, consultation). If the risk indicators (either individually or collectively) suggest an underlying problem, SWIFT will evaluate the information, engage the community or segment, make a formal recommendation, and execute the appropriate corrective actions.
  • Each risk indicator has specific measurements to track the indicator. Additionally, the QA process will examine compound risk across multiple indicators.
  • Risk thresholds will not be defined at this time.
  • Additional insights will be captured through surveys and engagement with users, community groups, vendors, auditors and consulting firms, and other stakeholders.

  18. Your Counterparts
  SWIFT is helping its customers to improve the prevention and detection of fraud in operational processes.
  • You: Secure and Protect (SWIFT Tools; Customer Security Controls Framework)
  • Your Counterparts: Prevent and Detect (Relationship Management Application; Daily Validation Reports; Payment Controls)
  • Your Community: Share and Prepare (Intelligence Sharing; SWIFT ISAC Portal)

  19. Module 1 – Reporting: Daily Validation Reports; activity and risk reporting; inbound and outbound; group and/or entity reporting
  Module 2 – Alerting: real-time alerting/blocking; outbound; subscriber-controlled rules

  20. Module 2 Rule types
  • Business Calendars: identify payments that are sent on non-business days or outside normal business hours
  • Profiling / Learning: identify and protect against payment behaviour that is uncharacteristic, based upon past learned behaviour
  • Threshold: protect against individual and aggregated payment behaviour that is a potential fraud risk or falls outside of business policy
  • Badly Formed Messages: identify and stop messages where preceded by repetitive NACKs to the same recipient
  • Suspicious Accounts: verify end customer account numbers against an institution black list of account numbers believed to be high risk
  • New Institutions: identify payments involving individual institutional participants or chains that have not been seen previously, based upon historical message flows

  21. Module 2 Monitoring capabilities
  (Diagram of a payment chain – Originator, Intermediary, Beneficiary, Counterparty – with per-country and per-currency limits; not reproduced in the transcript.)
  Flexible parameters including:
  • Business hours and days
  • Currency whitelists / blacklists, single and aggregate payment limits
  • Country whitelists / blacklists, single and aggregate payment limits
  • Country and currency threshold combinations
  • Single and group institution limits
  • New payment flows
  • Suspicious accounts
  • Uncharacteristic behaviours
  • Across the complete payment chain
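The rule types on slides 20 and 21 are easier to reason about as code. The script below is an added example written for this transcript, not SWIFT Payment Controls code: it implements one toy version of each rule (business calendar, single and aggregate threshold, learned profile, country blacklist, suspicious accounts, new counterparties, and a message that follows a run of NACKs to the same recipient) and runs them over a constructed day of traffic. All BICs, account numbers, thresholds and the 3x "uncharacteristic" factor are constructed assumptions, and the rules are evaluated in submission order so that aggregate and NACK state is built up the way a real-time screen would see it.

```python
"""Toy transaction-screening rules modelled on the Module 2 rule types.

Added example, not SWIFT Payment Controls code. Every BIC, account number,
threshold and payment below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Payment:
    ref: str
    sent: datetime            # time the instruction was submitted
    amount: float
    currency: str
    originator: str           # sending institution (constructed BIC)
    beneficiary_inst: str     # beneficiary institution (constructed BIC)
    beneficiary_acct: str
    country: str              # beneficiary country code
    acked: bool = True        # False if the network NACKed this message


@dataclass(frozen=True)
class Policy:
    business_hours: tuple = (8, 18)                   # local hours, [start, end)
    single_limit: float = 2_000_000.0
    daily_aggregate_limit: float = 5_000_000.0
    country_blacklist: frozenset = frozenset({"XX"})  # constructed country code
    suspicious_accounts: frozenset = frozenset({"ACC:1234"})
    known_counterparties: frozenset = frozenset({"BANKBBBB", "BANKCCCC"})
    nack_streak_limit: int = 3
    profile_factor: float = 3.0      # amount > factor x historical max = uncharacteristic


def learn_profile(history):
    """Profiling/Learning: per-originator maximum amount seen in past traffic."""
    profile = {}
    for p in history:
        profile[p.originator] = max(profile.get(p.originator, 0.0), p.amount)
    return profile


def screen(payments, policy, profile):
    """Return {ref: [rule names]} for payments breaking a rule; unlisted ones pass."""
    alerts = defaultdict(list)
    daily_totals = defaultdict(float)   # (originator, date) -> aggregate sent so far
    nack_streak = defaultdict(int)      # beneficiary_inst -> consecutive NACKs so far
    for p in sorted(payments, key=lambda x: x.sent):
        hits = alerts[p.ref]
        # Business calendars: weekend or outside business hours
        start, end = policy.business_hours
        if p.sent.weekday() >= 5 or not start <= p.sent.hour < end:
            hits.append("out-of-hours")
        # Threshold: single payment, then per-originator daily aggregate
        if p.amount > policy.single_limit:
            hits.append("single-limit")
        key = (p.originator, p.sent.date())
        daily_totals[key] += p.amount
        if daily_totals[key] > policy.daily_aggregate_limit:
            hits.append("aggregate-limit")
        # Profiling/Learning: far above anything this originator sent before
        baseline = profile.get(p.originator)
        if baseline is not None and p.amount > policy.profile_factor * baseline:
            hits.append("uncharacteristic-amount")
        # Country blacklist, suspicious accounts, new institutions
        if p.country in policy.country_blacklist:
            hits.append("blacklisted-country")
        if p.beneficiary_acct in policy.suspicious_accounts:
            hits.append("suspicious-account")
        if p.beneficiary_inst not in policy.known_counterparties:
            hits.append("new-counterparty")
        # Badly formed messages: this message follows a run of NACKs to the same recipient
        if nack_streak[p.beneficiary_inst] >= policy.nack_streak_limit:
            hits.append("repeated-nack")
        nack_streak[p.beneficiary_inst] = 0 if p.acked else nack_streak[p.beneficiary_inst] + 1
    return {ref: hits for ref, hits in alerts.items() if hits}


def _pay(ref, when, amount, inst, acct, country, acked=True):
    return Payment(ref, datetime.fromisoformat(when), amount, "USD",
                   "BANKAAAA", inst, acct, country, acked)


# Constructed history: BANKAAAA normally sends at most 400k per payment.
HISTORY = [_pay("H1", "2019-02-20 10:00", 100_000, "BANKBBBB", "GB00NORMAL", "GB"),
           _pay("H2", "2019-02-21 11:00", 250_000, "BANKBBBB", "GB00NORMAL", "GB"),
           _pay("H3", "2019-02-22 12:00", 400_000, "BANKCCCC", "CA00NORMAL", "CA")]

# Constructed traffic: 2019-03-05 is a Tuesday, 2019-03-09 a Saturday.
TODAY = [
    _pay("P1", "2019-03-05 10:00", 300_000, "BANKBBBB", "GB00NORMAL", "GB"),
    _pay("P2", "2019-03-05 11:00", 100_000, "BANKCCCC", "CA00NORMAL", "CA", acked=False),
    _pay("P3", "2019-03-05 11:05", 100_000, "BANKCCCC", "CA00NORMAL", "CA", acked=False),
    _pay("P4", "2019-03-05 11:10", 100_000, "BANKCCCC", "CA00NORMAL", "CA", acked=False),
    _pay("P5", "2019-03-05 11:15", 100_000, "BANKCCCC", "CA00NORMAL", "CA"),
    _pay("P6", "2019-03-06 09:00", 2_500_000, "BANKBBBB", "GB00NORMAL", "GB"),
    _pay("P7", "2019-03-06 14:00", 3_000_000, "BANKBBBB", "GB00NORMAL", "GB"),
    _pay("P8", "2019-03-09 02:15", 1_500_000, "BANKZZZZ", "ACC:1234", "XX"),
]


def demo():
    """Screen the constructed day against the default policy and learned profile."""
    return screen(TODAY, Policy(), learn_profile(HISTORY))


if __name__ == "__main__":
    for ref, rules in sorted(demo().items()):
        print(ref, "->", ", ".join(rules))
```

P1 passes every rule; P5 is flagged only because the three messages before it to the same recipient were NACKed; P7 trips the daily aggregate because P6 already consumed half of it; and the weekend payment P8 trips five rules at once, which is the kind of compound signal the slide's "across the complete payment chain" point is about. In a real deployment the learned baseline would be richer than a single maximum (currency, counterparty and time-of-day profiles), and a "blocking" mode would hold rather than merely annotate the message.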

  22. Your Community
  SWIFT has deepened its cyber security forensics capabilities, providing unique intelligence on customer security-related events. This information is disseminated to the community in an anonymised manner.
  • You: Secure and Protect (SWIFT Tools; Customer Security Controls Framework)
  • Your Counterparts: Prevent and Detect (Transaction Pattern Detection – RMA, DVR and Payment Controls)
  • Your Community: Share and Prepare (Intelligence Sharing; SWIFT ISAC Portal)

  23. CSP | From Customer Incident Handling to Information Sharing
  User identifies suspicious activity → User informs SWIFT, or SWIFT receives an auto-alert → SWIFT undertakes forensic analysis, with the User → User fixes its environment → SWIFT publishes anonymised threat intelligence to the community (SWIFT Community, ISACs / CERTs, LEAs / Regulators)

  24. CSP | SWIFT ISAC Portal
  • A 2nd release of the SWIFT ISAC global information sharing portal was issued in February
  • This will enable the automated exchange of cyber-threat information using industry standard formats (STIX/TAXII) and allow access for non-SWIFT customers
  • The SWIFT ISAC continues to share threat intelligence with the community, including indicators of compromise such as file hashes and details about malware samples observed. When possible, the modus operandi used by attackers is described and machine-digestible files are provided (YARA rules, OpenIOC, etc.)
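The file-hash indicators mentioned on this slide arrive, once STIX/TAXII exchange is in place, as STIX indicator objects whose `pattern` is a comparison expression such as `[file:hashes.'SHA-256' = '...']`. The script below is an added example for this transcript, not code from the SWIFT ISAC portal: it pulls the hash comparisons out of a STIX 2.1 bundle, skips indicators marked `revoked`, and hashes a set of local files with only the algorithms the feed actually uses. The bundle, its indicator ids and the "files" are all constructed in the script (the digests are computed from the constructed bytes so the run is self-consistent), and it only understands single file-hash comparisons, not the full STIX pattern grammar.

```python
"""Match local file hashes against hash indicators carried in a STIX 2.1 bundle.

Added example, not the SWIFT ISAC portal's code. The bundle, the indicator ids
and the "files" are constructed here so the script runs offline.
"""
import hashlib
import json
import re

# One STIX comparison such as [file:hashes.'SHA-256' = '9f86...'] or [file:hashes.MD5 = '...'].
# Only file-hash comparisons are handled; other pattern forms are ignored.
HASH_RE = re.compile(r"file:hashes\.'?(SHA-256|SHA-1|MD5)'?\s*=\s*'([0-9a-fA-F]+)'")
ALGOS = {"SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5"}   # STIX name -> hashlib name


def extract_hash_indicators(bundle):
    """Return {(algo, lowercase digest): indicator id} for every live hash indicator."""
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue   # revoked indicators must not keep producing matches
        for algo, digest in HASH_RE.findall(obj.get("pattern", "")):
            found[(algo, digest.lower())] = obj["id"]
    return found


def scan(files, indicators):
    """Return {filename: indicator id} for files whose hash matches an indicator."""
    needed = {algo for algo, _ in indicators}   # only hash with algorithms the feed uses
    hits = {}
    for name, data in files.items():
        for algo in needed:
            digest = hashlib.new(ALGOS[algo], data).hexdigest()
            if (algo, digest) in indicators:
                hits[name] = indicators[(algo, digest)]
                break
    return hits


# Constructed "files": one benign, one matching a SHA-256 indicator, one matching an MD5 one.
FILES = {
    "ops/report.pdf": b"%PDF-1.4 constructed benign document",
    "tmp/updater.exe": b"MZ constructed malicious sample A",
    "tmp/loader.dll": b"MZ constructed malicious sample B",
}

# Constructed bundle. Ids are placeholders in STIX's 'indicator--<uuid>' form; the third
# indicator is revoked and points at the benign file, so it must not produce a hit.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']"
                    % hashlib.sha256(FILES["tmp/updater.exe"]).hexdigest()},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "pattern_type": "stix",
         "pattern": "[file:hashes.MD5 = '%s']"
                    % hashlib.md5(FILES["tmp/loader.dll"]).hexdigest().upper()},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[file:hashes.'SHA-256' = '%s']"
                    % hashlib.sha256(FILES["ops/report.pdf"]).hexdigest()},
    ],
}


def demo():
    """Round-trip the bundle through JSON text (as received over TAXII) and scan the files."""
    bundle = json.loads(json.dumps(BUNDLE))
    return scan(FILES, extract_hash_indicators(bundle))


if __name__ == "__main__":
    for name, indicator_id in sorted(demo().items()):
        print(f"{name}: matches {indicator_id}")
```

Two details matter operationally: digests are normalised to lower case before lookup because feeds are inconsistent about case, and revoked indicators are dropped at parse time rather than at match time so a stale hash never raises an alert. The same loop can be pointed at a directory of files by replacing the constructed `FILES` dictionary with file reads.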

  25. CSP | Supporting the Community – Where can I go if I need help?
  • CSP pages: visit the CSP pages on swift.com for programme news and updates
  • MySWIFT: a self-service portal containing “how-to” videos, guidance on frequently asked questions and Knowledge Base tips
  • SWIFT ISAC Portal: consult the portal for information related to security threats
  • User Handbook: SWIFT Customer Security Controls Policy; SWIFT Customer Security Controls Framework; KYC-SA Registry Baseline; KYC-SA Registry User Guide
  • Knowledge Base: KYC-SA Quick-Start User Guide (Tip 5021858); how-to videos: Tip 5021825 KYC-SA Role Families; Tip 5021826 KYC-SA Administration; Tip 5021827 KYC-SA Data Contribution; Tip 5021828 KYC-SA Data Consumption

  26. CSP | Supporting the Community – Need more help?
  • SWIFTSmart: the SWIFTSmart e-learning training platform includes a portfolio of modules, including in-depth modules on each of the mandatory security controls
  • SWIFT Customer Support: SWIFT Customer Support teams are on hand 24/7 to answer specific queries if you don’t find the information resources you are looking for
  • Directory of Cyber Security Service Providers: if you need practical, on-the-ground implementation support, you can consult the Directory of Cyber Security Service Providers on SWIFT.com to help find a third-party project partner that may be suitable for your needs
  • SWIFT Services: to support best practices in infrastructure implementation and management, SWIFT offers services such as the SWIFT infrastructure security review, security bootcamps, SWIFT Admin. and Operation certifications, and recurring support contracts such as Alliance Managed Operations, Local support and Premium custom support

  27. CSP | Call to action for SWIFT users
  1. Ensure that you fully comply with all the mandatory security controls and re-attest by 31 December 2018 at the latest.
  2. Engage in SWIFT ISAC, sign up for notifications, and contact us immediately if you suspect a breach of your SWIFT-related infrastructure.
  3. Ensure mandatory security updates of SWIFT software are installed.
  4. Request access to your counterparties’ attestations and grant access to your institution’s attestation (where appropriate). Consider your institution’s counterparty risk frameworks to utilise counterparty attestation data.
  5. Consider SWIFT’s anti-fraud tools (Payment Controls, Daily Validation Reports, RMA clean-ups, etc.).

  28. What is the local community experience?

  29. We asked User Group Chairpersons to take a survey on CSP
  “For your local market, what has been the reaction / perception of the local Regulator(s) / Supervisor(s) to the CSP Programme? Give positive / negative comments”
  • Local regulator(s) is strongly supportive and has already initiated rules / policies / initiatives to ensure early compliance with CSP
  • Local regulator(s) is supportive and actively encouraging local participants to comply with CSP
  • Local regulator(s) is positive about CSP, either publicly or in person
  • Local regulator(s) is agnostic / non-judgemental and has not really commented on CSP
  • Local regulator(s) is sceptical or negative, e.g. has a similar 'competing' scheme and CSP confuses the picture and diverts resources

  30. Local regulators' involvement

  31. NMG/UG survey results – general comments (n=93 comments)
  (Chart: 73% / 27% split of comments; not reproduced in the transcript.)
  Positive comment examples:
  • Raised awareness with senior management
  • Strong community awareness
  • Clear controls, definition guidance and support from SWIFT
  • Alignment with existing ISO / NIST control frameworks
  • Some overseers using CSP as a role-model example
  • Established strong ties with the local community
  • Strong alignment with local regulation
  • Strong community / industry support
  Areas needing attention, examples:
  • Need support for local languages
  • Lack of skilled resources
  • Competing projects and priorities
  • Budget issues
  • Differing interpretation / overly complex controls
  • Insufficient implementation time
  • No regulatory oversight for Corporates
  • Conflict with internal policies

  32. Customer Security Program - Sibos 2018
