Customer Security Programme (CSP) Denis Kruger SWIFT Head Sub-Sahara Africa April 2017 v17.



CSP | Modus Operandi

Common starting point has been a security breach in a customer’s local environment
In all cases, SWIFT’s network and core messaging services have not been compromised
Attackers are well-organised and sophisticated

Step 1: Attackers compromise customer's environment
- Attackers compromise the bank’s local environment by introducing malware either directly at the bank or remotely, e.g. e-mail phishing campaigns, via a USB stick or rogue internet URLs
- Attack can be started from either a malicious insider or an external attacker, or both

Step 2: Attackers obtain valid operator credentials
- Attackers are looking for valid account ID and password credentials from staff who have legitimate access to payment infrastructure
- Once they obtain them, they have the ‘keys’ to the system
- At this stage they very often watch and wait to familiarise themselves with how banks’ back office process and systems work

Step 3: Attackers submit fraudulent messages
- Once an attacker has valid credentials and enough knowledge on how to access and use the applications, they can log in, impersonate the operators from whom they stole the credentials, and submit fraudulent payments – all without raising suspicion
- Sometimes happens outside the normal bank working hours

Step 4: Attackers hide the evidence
- Numerous methods have been used, e.g. tampering with the reconciliation process; deleting or manipulating records / logs either remotely or using malware
- This wins time to make sure the transfer of funds happens without detection

CSP will reinforce and evolve the security of global banking, in the face of ever-increasing cyber threat, consolidating and building upon existing SWIFT and industry efforts.

Within the scope of CSP:
- Define new security guidelines and audit frameworks - We will introduce new audit frameworks and certification processes to help you ensure that your internal procedures meet key security and operational baselines
- Enhance SWIFT-related tools - We are strengthening the security requirements for customer-managed software. We will also continue our efforts to harden our own products with further tools and monitoring capabilities
- Information Sharing - We are supporting greater levels of information sharing across the global community. This means a greater exchange of cyber threat information between customers and SWIFT, and we’ll be keeping you informed of any preventive and detective measures that will help safeguard the community

CSP will be limited to customer infrastructure and operations related to SWIFT, both SWIFT products and services as well as third party software products.

Scope includes cyber security incidents, either actual or planned, that could result in:
- Compromise of SWIFT infrastructure, products, services or SDC
- Fraudulent SWIFT messages being carried over the SWIFT network, or other networks
- Breach of confidential information, e.g. disclosure of SWIFT message payloads

Scope also includes messages generated by back-office applications

CSP | Framework

Customer Security Programme
- While all SWIFT customers are individually responsible for the security of their own environments, a concerted, industry-wide effort is required to strengthen end-point security
- On May 27th, 2016 SWIFT announced its Customer Security Programme that supports customers in reinforcing the security of their SWIFT-related infrastructure
- CSP focuses on mutually reinforcing strategic initiatives, and related enablers

CSP | You > Security Guidelines and Assurance

Security Guidelines and Assurance Framework
Enhance security guidelines. Develop security requirements and related assurance compliance framework to strengthen the secure management of SWIFT messages at customer sites. Some guidelines will become mandatory

Actions to Date
- In July 2016, we published an expanded security guidance document for Alliance Products, outlining minimum controls recommended for customer implementation, including 2FA, segregation of networks, segregation of duties and RMA management practices

Next Steps
- Further enhancement of guidance documents for Customer Managed Interfaces and Alliance Lite2
- Following customer validation via NMG. A first version will be published in Q1 2017 and come into play through self-attestation in Q2 2017

CSP | You > Security Guidelines and Assurance

Security Controls: CSP Security Controls Framework
3 Objectives, 8 Principles, 27 Controls

Secure Your Environment
1. Restrict Internet access
2. Segregate critical systems from general IT environment
3. Reduce attack surface and vulnerabilities
4. Physically secure the environment

Know and Limit Access
5. Prevent compromise of credentials
6. Manage identities and segregate privileges

Detect and Respond
7. Detect anomalous activity to system or transaction records
8. Plan for incident response and information sharing

- Applicable to all customers and to the whole end-to-end transaction chain beyond the SWIFT local infrastructure
- Mapped against recognised international standards
- 16 controls are mandatory and 11 are advisory
- Documentation and collateral available since end of October 2016


CSP | You > Security Guidelines and Assurance

Assurance Framework

Self-Attestation (Self Attest)
- Where customer positively asserts that it meets the security requirements
- First- and second-line of defence – provided by senior management
- All customers with an interface
- All customers with a small local footprint

Self-Inspection (Self Inspect)
- Where customer’s Internal Audit asserts that the customer meets the security requirements
- Third-line of defence - provided by Internal Audit function
- Risk based sample of customers with a small local footprint

Third-Party Inspection (Third-Party Inspect)
- For an external party that provides independent validation that the customer meets the security requirements
- All traffic concentrators (extended SIP), executed by SWIFT
- Risk based sample of customers with an interface, executed by third-party auditors

CSP | You > Security Guidelines and Assurance

[Figure: CSP timeline chart]
Periods: Q2 2016, Q3 2016, Q4 2016, H1 2017, H2 2017, 2018
Chart labels, in extracted order: Milestones; Collateral; V0 for Validation; V1 Mandatory; Alliance R7.2; Community Engagement; Bilateral Consultation; Validation; Self Assessment; Self Attestation; Pilot; Inspections; Inspections; Pilot
Enforcement: Enforcement of Mandatory Software Updates; Reinforcement of Cyber-Incident Reporting to SWIFT; Enforcement of Controls

CSP | You > SWIFT Tools

Further strengthen security requirements for interfaces, tools and software (including those from third-parties) to better protect local environments and continue efforts to harden SWIFT-provided products

Actions to Date
- Release 7.1.14 Release 7.1.20 and 7.0.70 with stronger default password management, enhanced integrity checking and in-built 2FA for Alliance Access clients who do not have existing 2FA implementations
- Bilateral engagement with vendors on third-party certification for interface providers
- Release 7.0.50 for Alliance Gateway and SWIFTNet Link introducing enhanced integrity monitoring capabilities

Next Steps
- Planning of security enhancements for AMH 3.6 Q2 2017, Access 7.2 Q2 2017
- Focus on enforcement of mandatory updates

CSP | Your Counterparts > Transaction Pattern Detection

Extend the use of existing tools for fraud detection and prevention, to explore the extension of future 'opt-in' fraud prevention services and to share and develop market practice for fraud detection through the SWIFT community

Actions to Date
- Launch of global RMA campaign to promote use of existing tools as a first line of defence against unwanted or unexpected message flows
- ‘Daily Validation Reports’ designed to help customers identify possible security concerns in their daily transaction flows

Next Steps
- Development of market practice for correspondent banking fraud and stopping/cancelling payments, with the SWIFT community

CSP | Your Community > Intelligence Sharing

Deepen our cyber security forensics capabilities so that we can create unique intelligence on SWIFT-related events and disseminate anonymised information to the community

Actions to Date
- Established a Customer Security Intelligence (CSI) forensics team that has built a detailed inventory of malware…
- Contribution of intelligence to existing organisations and published anonymised threat intelligence to the community
- Launched Security Notification Service
- Engagement in industry forums and on a bilateral basis with customers, at CISO and COO level
- Building a comprehensive CISO network

Next Steps
- Establish ‘SWIFT Intelligence Sharing and Analysis Centre (ISAC)’ to share information and best practice with the SWIFT community as well as the cyber intelligence community

CSP | Your Community > Third-Party Providers

- Structural enhancement of customer security requires the extensive support of third-party providers, e.g. security software and hardware, consulting and training, implementation services, providers of fraud detection solutions, service bureaus and auditors
- Foster a secure ecosystem through partner programmes, organisation of industry events where such providers can engage with our customers, and certification programmes

Next Steps
- Engage through industry events, African Regional Conference, Business and Technical Forums, Innotribe, the SWIFT Institute and Sibos

CSP | Your Community > Customer Engagement and Communications

- General awareness sessions
- Security Controls / Assurance sessions
- Deep-dive workshops
- Premium Plus events
- Industry Forums and SWIFT events
- CISO registration

Communications
- Press releases
- Customer and vendor letters
- CSP Home Page – FAQs, presentations, webinars, training materials

CSP | Your Community > Customer Engagement and Communications

Customer Training Courses
Columns: Training Course Category; # Courses Available Tue 4 Oct; # Additional Courses Available by end 2016

x30 SWIFTSmart eLearning Courses
- Introduction Courses: 4 courses, -
- Security Best Practices Courses: 5 courses
- Security on Alliance Access Courses
- Operating RMA Courses: 7 courses

x30 How to Videos
- Managing PKI: "on Premises" Infrastructure: 17 courses
- Managing PKI: Cloud Infrastructure: 9 courses
- Managing RMA

CSP | Your Community > Customer Engagement and Communications

Actions for Customers

You
- Secure your local environment
- Sign up to our Security Notification Service
- Stay up to date with SWIFT’s latest security updates
- Get ready to adopt our new security requirements

Your Community
- Inform SWIFT if you suspect that you have been compromised
- Provide contact details of your company’s CISO for incident escalation

Your Counterparts
- ‘Clean-up’ your RMA relationships
- Put in place fraud detection measures

At the same time we noticed this did not only happen within our own training place but in the industry at large. A changing world and workforce. Different behaviour and expectations.

CSP | Open Discussion

Questions and open discussion

GTB-BPC meeting at Sibos – 26 September 2016