SWIFT- The Way the World moves Value. Part 3
SWIFT’s CSP Requirements
As discussed earlier, the Customer Security Program was introduced and mandated for all the consumers of the SWIFT services in order to maintain and ensure a minimum guaranteed security to avoid fraudulent transactions.
The customers should consider the requirements of SWIFT with the highest priority. Failure to comply is usually reported to the regulators on an annual basis. Every member should go through different steps such as assessment, defining, documentation, implementation, and attestation to demonstrate the compliance of their local SWIFT infrastructure, processes, and technologies with the SWIFT controls mentioned below.
Swift Customer Security Controls
SWIFT CSP controls are designed to enhance the security posture of SWIFT environments operated by members. To raise the security standard of SWIFT to international standards such as NIST, PCI-DSS and ISO 27002, the authorities presented twenty-seven controls. These are divided into 3 categories as follows.
- Securing the environment
- Understanding and restricting the access
- Detecting and responding towards the threat
Each of these divisions is again divided into several mandatory and advisory controls. After assessing each of these controls, the users must self-attest the compliance of their local SWIFT environments against the Customer Security Controls Framework.
The Requirements
1. SWIFT Environment protection
The CSP guidelines mandate all the SWIFT related systems, data and services to be separated from the general IT environment of the organization. This is done to protect the SWIFT environment from the potential compromises and threats faced by the general IT infrastructure. This secure zone comprises a collection of systems that work under the same access control policy. The following are the requirements at a high level.
- The operator PCs and the components (defined in the CSCF) within the secure zone should either have no access to the internet or have access whitelisted to a select few mission-critical destinations.
- Communication between the components of the secure zone and outside the secure zone should be encrypted.
- All communication through the boundary firewall should be logged.
- All access to the components within the secure zone should be controlled through ACLs.
- Access to the Internet and the general IT services should be governed through a jump server.
- The operator PCs should have only the bare minimum software installed to conduct day to day business.
2. Operating system privileged account control
CSP guidelines mandate the operators and other users to have the bare minimum access level required to conduct business. This is mandated to prevent inadvertent or deliberate execution of malicious programs by the operators. The privileged user events should be logged in order to maintain an audit trail in case of an incident.
During emergencies, individual accounts having administrator-level privileges, or accounts able to elevate to administrative access, can also be used. To make incidents easier to track, SWIFT requires administrative access and usage to be logged. Outside such emergencies, access must be through an account with minimum privilege.
3. Virtualization Platform Protection
For CSP-2019, the virtualization platform protection is added as an advisory control group. This specific control mandates the virtual assets hosting the SWIFT components within the secure zone to comply with international standards such as NIST, CIS, etc.
4. Internal data flow security
Another requirement of SWIFT’s CSP is to safeguard the internal data flow to minimize information leakage. It also mandates that the cryptographic protocol and key size be in line with international banking standards, so that the encrypted traffic cannot be decrypted in transit using readily available exploits. This can be done by using a single secure browser application having a multi-factor authentication system.
5. Security updates
One of the major requirements is to keep the software and hardware on operator workstations and inside the secure zone up to date. The mandatory software updates and security updates should be carried out promptly, and periodic checks should be conducted to keep the services from being exploited through known vulnerabilities. The user should frequently conduct a security risk assessment process to check for security updates and patches.
6. System hardening
System hardening is very important to maintain a good operational state for messaging interfaces. System operations that are not required must be disabled to harden the services, environment, and features, and a minimum-security baseline must be maintained in compliance with international standards. The following requirements must be met to achieve this:
- Restrict the usage of normal or default passwords
- Unnecessary user accounts should be removed
- Irrelevant protocols, ports, and services should be restricted
- Delete unnecessary software
- Disable USB ports
- Vulnerable default configurations should be adjusted
- Limit the access to brokers by enabling message broker administration security
7. Back-office data flow security
Another major requirement is to create a secure mechanism between the messaging interface and back-office applications to assure the integrity, mutual authentication, and confidentiality of the data flows between SWIFT infrastructure and applications.
8. External Transmission Data Protection
In case SWIFT related data is being transmitted for some reason to another system outside the organization’s designated secure zone, SWIFT advises that the communication be encrypted using any of the encryption algorithms with a key size mandated for international banking standards.
9. Operator session confidentiality and integrity
SWIFT mandates all the interactive sessions to be encrypted. An inactivity timeout should be set to a minimum timeframe, after which the session to the SAA is forcefully expired. If the operator PC is idle for a minimum period of time, the system should be locked, requiring the operator to re-type the password.
10. Vulnerability Scanning
SWIFT mandates frequent and regular vulnerability scanning of the assets within the SWIFT secure zone and the operator PCs, along with a mechanism to patch open vulnerabilities. The automated scans should be done using a reputed tool.
11. Critical Activity Outsourcing
If the organization has outsourced any part of its SWIFT activity, SWIFT advises performing a risk assessment on the third party at the start of the engagement and reviewing the SLA/contracts regularly.
12. Transaction Business Controls
SWIFT also advises the partners to have appropriate Know Your Customer procedures in place for the creation and maintenance of Relationship Management Application relationships, and these should be reviewed at least annually. It also mandates controls to monitor, flag or block any transaction initiated or approved outside business hours.
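A sketch of the out-of-hours control described above, as an added example rather than code from SWIFT or the original article. The business hours, working days, fixed UTC offset, record fields and sample transactions are all assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed site policy (illustrative values, not from SWIFT guidance).
SITE_TZ = timezone(timedelta(hours=5, minutes=30))  # fixed local UTC offset
OPEN, CLOSE = time(9, 0), time(18, 0)               # local business hours
WORKING_DAYS = {0, 1, 2, 3, 4}                      # Monday=0 .. Friday=4

# Constructed sample records; timestamps are ISO 8601 in UTC.
SAMPLE_TXNS = [
    {"ref": "T1", "initiated": "2024-03-04T05:00:00+00:00",
     "approved": "2024-03-04T06:10:00+00:00"},   # Monday, inside hours
    {"ref": "T2", "initiated": "2024-03-04T11:45:00+00:00",
     "approved": "2024-03-04T13:05:00+00:00"},   # approved after close
    {"ref": "T3", "initiated": "2024-03-09T06:00:00+00:00",
     "approved": "2024-03-09T06:30:00+00:00"},   # Saturday
]


def in_business_hours(ts_utc):
    """True if the UTC timestamp falls on a working day within local hours."""
    local = datetime.fromisoformat(ts_utc).astimezone(SITE_TZ)
    return local.weekday() in WORKING_DAYS and OPEN <= local.time() < CLOSE


def flag_out_of_hours(txns):
    """Return (ref, [events]) for every transaction that was initiated or
    approved outside business hours. Both events are checked separately,
    because an in-hours initiation can still be approved after close."""
    flagged = []
    for txn in txns:
        events = [e for e in ("initiated", "approved")
                  if not in_business_hours(txn[e])]
        if events:
            flagged.append((txn["ref"], events))
    return flagged


if __name__ == "__main__":
    for ref, events in flag_out_of_hours(SAMPLE_TXNS):
        print(f"ALERT {ref}: outside business hours at {', '.join(events)}")
```

The conversion to local time happens before the comparison, so a record stored in UTC is judged against the hours the operators actually work.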
13. Application Hardening
SWIFT advises all the applications operating within the bounds of the secure zone to be hardened to a minimum-security baseline/vendor guidelines/regulatory guideline.
14. Physical Security
SWIFT mandates partners to have strict physical security in place for the housing of the environment hosting the SWIFT components. This includes stringent access controls to the premises, control of access to removable disks/devices, fire suppression and electricity backup, and proper CC monitoring of the premises. Also, all access should be logged and monitored.
15. Password policy
SWIFT escalated the password policy to current industry standards by enforcing certain criteria:
- Password expiry
- Complexity, length, composition, and other restrictions of password
- Password reuse
- Blocking after failed authentication attempts
16. Multi-factor authentication
One of the prime requirements of SWIFT is multi-factor authentication, which provides additional security to sensitive components of the SWIFT infrastructure. SWIFT mandates MFA to be implemented either at the operator PCs and the PCs responsible for managing the security and network components within the secure zone, or at the individual applications, or at the jump server. Also, no shared account should be used.
17. Logical access control
SWIFT mandates that access to the applications and the secure zone be provided on a need-to-know basis. Only the operators and application administrators should have access to the SWIFT application (through whitelisting and specific credentials). For those who have access, the privileges should be provided based on the least privilege principle. All processes, especially financial transactions and critical configuration changes, should go through the 4-Eyes process.
18. Token Management
SWIFT mandates the distribution, access and destruction of all tokens, PEDs, etc. to be access controlled, logged and audited.
19. Personnel Vetting Process
All the operators and administrators of SWIFT related assets should be vetted and assessed periodically.
20. Physical and Logical Password Storage
SWIFT mandates the privileged passwords in physical form to be stored in a safe to which access is limited to as few personnel as possible, and every entry and withdrawal of a credential should be logged in a physical log book recording who, what, which and when.
Also, the credentials stored in the logical vault should be encrypted, and logical access to the vault should be provided only to those who require it.
21. Malware Protection
SWIFT mandates all the endpoints to be monitored by a reputed anti-malware solution/endpoint security solution. The administrative operations of the solution are to be disabled for the users of that endpoint, and the endpoints must be continuously monitored. Any deviation from the acceptable configuration, and any action taken against malware, should be alerted.
22. Software Integrity
SWIFT mandates an integrity check on the software installed on all operator PCs and the servers within the secure zone, to be done at least once a day in addition to every time a system starts up.
23. Database Integrity
SWIFT mandates integrity checks on the databases of services hosted inside the secure zone, at the record level, ensuring there are no gaps in sequential transaction numbering.
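One way to check sequential numbering at the record level, shown as an added example that is not from SWIFT or the original article. The row layout (session id, sequence number, reference) and the sample rows are assumptions constructed for illustration, not a SWIFT database schema.

```python
from collections import Counter, defaultdict

# Constructed sample rows: (session_id, sequence_number, reference).
SAMPLE_ROWS = [
    ("S0001", 1, "REF-A1"),
    ("S0001", 2, "REF-A2"),
    ("S0001", 4, "REF-A4"),    # sequence number 3 is missing
    ("S0001", 4, "REF-A4b"),   # sequence number 4 appears twice
    ("S0002", 10, "REF-B10"),
    ("S0002", 11, "REF-B11"),
    ("S0002", 12, "REF-B12"),
]


def find_sequence_anomalies(rows, expected_first=None):
    """Report gaps and duplicates in each session's sequence numbers.

    expected_first optionally maps session_id -> first number that should
    exist. Without it, records deleted from the start of a session cannot
    be detected, because the lowest surviving number looks like the start.
    Gaps are returned as inclusive (first_missing, last_missing) ranges.
    """
    expected_first = expected_first or {}
    per_session = defaultdict(Counter)
    for session_id, seq, _ref in rows:
        per_session[session_id][seq] += 1

    findings = {}
    for session_id, counts in per_session.items():
        ordered = sorted(counts)
        # Begin one below the first number we expect to see.
        prev = expected_first.get(session_id, ordered[0]) - 1
        gaps = []
        for seq in ordered:
            if seq > prev + 1:
                gaps.append((prev + 1, seq - 1))
            prev = max(prev, seq)
        duplicates = [s for s in ordered if counts[s] > 1]
        if gaps or duplicates:
            findings[session_id] = {"gaps": gaps, "duplicates": duplicates}
    return findings


if __name__ == "__main__":
    for session, result in find_sequence_anomalies(SAMPLE_ROWS).items():
        print(session, result)
```

Records removed from the end of a session are likewise invisible to this check unless the last expected number is known from an independent source.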
24. Logging and monitoring
SWIFT enforces a logging and monitoring system to track unusual and illicit activities in the SWIFT infrastructure within the secure zone. SWIFT mandates logging of all events of the operator PCs, the application, the communication interface and the messaging interface. Logs should include, but are not limited to, command-line history for privileged operating system accounts, messaging and communication interface application and operating system logs, and firewall and database logs.
It also mandates a defined monitoring and alerting process based on the information collected from the logs. Appropriate alerts are to be configured for any suspicious security events.
25. Intrusion Detection
In addition to the basic set of controls, SWIFT also advises incorporating an IDS solution and mechanism at the network level, the host level, or both, to provide an additional layer of security and to enforce Data Loss Prevention.
26. Cyber incident response planning
For effective cyber incident response and reporting, the system should require updated contact details and escalation timers. On an annual basis, a proper review should be conducted and tested to ensure secure recovery of critical business operations. Also, if any cyber-attack takes place:
- Protocol to notify proper external and internal stakeholders
- Should employ skilled professionals to troubleshoot the problem
- Promptly notify the SWIFT Customer Support Centre
- Notify the users after resolving the problem
- Restrict the chances of future attacks by analyzing post-incident problems
- Should document the incident
27. Security Training and Awareness
SWIFT mandates all its operators and IT admins to undergo mandatory security awareness training incorporating high-level information of the various threat vectors, mechanisms and chronology of the attacks.
28. Penetration Testing
SWIFT also advises organizations to perform scenario-based penetration testing on modules of programs interacting with the SWIFT environment, with the outcome documented for remediation planning.
29. Scenario Risk Assessment
SWIFT advises a Scenario-based Risk assessment and planning to be conducted against the components to identify how an adversary can make a fraudulent transaction and also to identify new threat vectors. The outcome is used to plan for mitigation, incident identification and strategize contingency.