All security vendors need to issue prescriptive guidance to their users, detailing the precise steps they must take to lock down the software or hardware against attackers. And that includes the bank-owned cooperative SWIFT, says networking expert Doug Gourlay, corporate vice president at security startup Skyport Systems.
Gourlay has been reviewing the security recommendations that Brussels-based SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, has been offering to its 11,000 users.
"Their security guidance is accurate, but weak - it's broad brush stroke," he says. "It's that: 'Hey, use security. Zone. Put firewalls in. Segment this.' It's not an actionable security document, and it frankly doesn't get into the levels of security best practices that are necessary against the threat landscape that they face today."
Indeed, banks are getting targeted by attackers who are conversant in wielding malware and injecting legitimate-looking, money-moving messages into the SWIFT network, resulting in the theft of $81 million from Bangladesh Bank (see Vietnamese Bank Blocks $1 Million SWIFT Heist).
Meanwhile, SWIFT continues to assert that its software and network remain secure and that it is incumbent upon users to better secure themselves. At the same time, however, "their name is getting dragged through the mud, because their application is the one being compromised," Gourlay says.
Target the Lowest Common Denominator
The cooperative must do more to help users, he says, noting that big banks are typically better prepared, but many regional and some international banks always struggle to bring sufficient resources and expertise to bear. "So it's incumbent upon the vendor to be able to teach and inform - to the lowest common denominator - what is the level of security capabilities, infrastructure, best practices, people, process, technology and so on, that has to be applied to secure their application."
In this interview with Information Security Media Group, Gourlay discusses:
- Why more vendors - including Microsoft - now offer detailed, prescriptive security advice to customers.
- Examples of the security capabilities that all SWIFT users should put in place, ranging from hardware validation and backups to digital forensics and physical access controls.
- Why SWIFT will likely create a security standard - akin to the Payment Card Industry's Data Security Specification - backed by auditors, with which users must comply.
Gourlay is corporate vice president at Skyport Systems. He was previously vice president of systems engineering at Arista Networks and vice president of data center solutions at Cisco. He also served as an infantry officer in the U.S. Army.