Earlier this week forensic experts confirmed a second instance of sophisticated attacks on banks using the Society for the Worldwide Interbank Financial Telecommunication (or SWIFT) financial messaging system.
SWIFT allows its customer firms to quickly, accurately, and securely send and receive information such as money transfer instructions worldwide. SWIFT was quick to advise its customers that neither the SWIFT network nor SWIFT messaging systems and software had been compromised in either incident. The first incident resulted in the theft of $81 million from a bank in Bangladesh. That bank was also found to be using $10 secondhand switches without firewalls to connect to SWIFT systems. The second attack involved an unnamed commercial bank in Vietnam at some point during the last several months.
The point here is that the entire worldwide financial messaging network was essentially brought to a halt because of weak links in the member banks accessing the system – not the system itself. The bad guys find and exploit the weak link to get at what they want – in this case, a great deal of money. According to Verizon, nearly nine out of ten breaches have a financial or espionage motive. What do you have that criminals might be after?
The next question is: what does this have to do with my business, beyond the potential impact on the banking system? Two specific areas come to mind: the attackers’ game plan and the interconnected nature of today’s business.
First, while the malware (also tied to the Sony breach) used to accomplish these attacks was extremely sophisticated, the attackers’ game plan is nothing new. The same scenario is played out daily in the small business environment here in Phoenix. It goes something like this:
1. The bad guy gains access to the (poorly protected) systems of your business or one of your business partners, probably through a phishing attack (such as clicking a link in a hijacked email), and delivers a malware payload.
2. Once inside your network, the attacker lurks around and obtains legitimate credentials to access the desired systems (such as HR, payroll, banking and financial sites).
3. Information is then exfiltrated from your systems and sent to the attackers.
4. Attackers submit fraudulent messages, impersonating the people whose credentials they compromised, to obtain what they want.
5. Attackers then hide evidence by removing traces of their activity.
The difference for a small business is that such an attack may result in a devastating loss.
One such case my firm assisted in investigating followed the scenario above and resulted in a fraudulent wire of $300,000 – money the target company was to use for payroll the following day. The company did not know of the attack until its bank advised it of the overdraft. In that case, the company’s accountant was taking his (minimally protected) laptop home and letting his children use it for “homework.” The laptop was compromised when it accessed a hijacked website, and it was then plugged back into the company’s network the next day.
The weak link in this matter was the company and its lack of proper controls for securing the laptop and its use outside the office, which ultimately resulted in the compromised credentials. Why would a computer used to access sensitive banking materials be allowed to leave the office and be used for kids’ homework assignments? You might then ask: are there business partners, vendors and/or employees who connect to your business systems and lack common-sense controls? How do you know for sure?
In light of the points illustrated above, what should you do to improve your overall security? Here are a few suggestions to get you on the right track:
- Carefully examine who has access to your company systems and what levels of permission they have. Everyone with access to sensitive systems and information should be scrutinized periodically.
- Restrict access to sensitive information and systems from the general user population. Does the accountant’s computer used for wire transfers really need to share files with everyone on the network? Doubtful. Protect what is sensitive and grant access only on a need-to-know basis.
- Invite a professional third party to review and assess your systems and internal controls to look for blind spots and weaknesses.
- Review the systems that you are connected with (cloud services, online storage, etc.) and explore their information security policies and protections. What promises are they making to you? Pick your partners carefully.
- Look at your obligations for connecting to other business partners’ systems. What promises are you making? Are you really fulfilling your responsibilities? You don’t want to be the weak link in their system.
The recent attacks discovered on the SWIFT financial system revealed weaknesses that criminals were able to exploit, resulting in significant losses. The attacks also show a typical game plan for an attack. If one of the most secure systems in the world can be jeopardized by the poor practices of some of its member institutions, couldn’t the same happen in your business network?
Take a moment to explore who you are connected with and what steps they are taking to protect you. Also take a look at who you are connected to and see what your obligations are to them. Understanding the interconnectivity of your network will improve your security.
Chuck Matthews is chairman and CEO of Scottsdale-based WGM.