day1 - cyber threats - any silver bullet

Cyber threats: Any silver bullet? SWIFT Benelux Forum 22 April 2015 Jacques Hagelstein, Deputy CSO, SWIFT

Upload: swift

Post on 16-Jul-2015


TRANSCRIPT

Page 1: Day1 - Cyber threats - Any silver bullet

Cyber threats: Any silver bullet?

SWIFT Benelux Forum

22 April 2015

Jacques Hagelstein, Deputy CSO, SWIFT

Page 2: Day1 - Cyber threats - Any silver bullet

Cyber threats: the world is moving

• Amateur → Industrialised

• Targeting the public → Targeted at a particular entity

• Limited resources → Advanced skills and large resources

• Loners → Organised groups → State-sponsored

Cyber threats: Any silver bullet? – SWIFT Benelux Forum – April 2015 2

SCADA Attacks

DDoS >100Gbps

Citadel

State-Sponsored

Botnets

Snowden Allegations

Duqu

Malware Black Market

APT

Flame

Gauss

Stuxnet

Water Holing

Spear Phishing

Blackhole

Page 3: Day1 - Cyber threats - Any silver bullet


Technology?

NG-FW

IDP WAF

HSM

SIEM

PKI IPSec

IAM

A/V

People?

Rehearsing

Vetting

Awareness

Certifying

Training

SDLC

PenTesting

Monitoring

Red Teaming

Cyber

Governance

Recovery Intelligence

Management

Cyber

Consultants

Auditing

SOC

MSS

Any silver bullet?

BCP

3rd parties

Processes?

Page 4: Day1 - Cyber threats - Any silver bullet


You need all of it

… and more

Page 5: Day1 - Cyber threats - Any silver bullet

An FNAO view of Cyber

• DON’T UNDERESTIMATE IT, or detect attacks that would defeat your prevention

• PREPARE FOR THE WORST, or be ready to contain the detected attacks

• COMPLICATE ITS LIFE, or prevent cyber attacks

• KNOW YOUR ENEMY, or understand your exposure

Learn

Prevent

Plan

Manage


FNAO

FNAO = Failure is Not An Option

Page 6: Day1 - Cyber threats - Any silver bullet

Know your enemy

Key take-away:

You better know what you protect and against what


• Risk management process

• Data classification and security requirements

• Risk assessments

• Intrusion tests

• Threat landscape

• Liaison

• PIMR, etc

Learn

Prevent

Plan

Manage

FNAO

Page 7: Day1 - Cyber threats - Any silver bullet


Who is my enemy … and what is he after?

Networks

Systems

Data

People

Buildings

Application

Internal

Threats

External Threats

Hackers

Organised

crime

Service

providers

States

Terrorism

Customers


Page 8: Day1 - Cyber threats - Any silver bullet

Know your enemy … and yourself

• Set up a repeatable risk assessment process

– Based on assets criticality rating

– Record and track risks in a Risk Registry

– Pay special attention to "worst-case risks"

• Document your cyber exposure

– Regularly review changes in threats, business, technology

  • Threat intelligence sources = open sources, public sector, industry groups, private companies

– Analyse hackers’ Modus Operandi – would it have worked against you?

• Exploit internal knowledge

– Trends in Risk Registry

– Post-incident analysis

– Abuse scenarios

– Red team, etc


Page 9: Day1 - Cyber threats - Any silver bullet

Complicate the life of your enemy

Key take-away:

Many attacks can still be countered with appropriate technology


• Firewalls

• Anti-virus

• Vulnerability mgt

• IDP

• Reverse proxies

• Integrity checks

• WAF

• VPN

• DMZ

• Etc

Learn

Prevent

Plan

Manage

FNAO

Page 10: Day1 - Cyber threats - Any silver bullet

Complicate the life of your enemy

• It’s about more than your infrastructure - Do not overlook

– Your software development activities: security requirements, security training, code review, pentest, static code analysis, etc

  • Do not secure applications after the fact but from the start

  • Design for security

– Your hardware, software and service providers

  • Their security practices

  • The delivery cycle

– Your staff: vetting, training, awareness, 4-eyes procedures, social engineering tests, etc

  • One of the best returns on investment

• Invest to close the main gaps revealed by “Know your enemy”


Page 11: Day1 - Cyber threats - Any silver bullet

Design for security - SWIFTNet


Diagram labels: Customer, SNL, Back office, Customer network, HSM (shown for each of the two customers), SWIFT Op. Center, SWIFT Offices

• Two independent encryptions

• Optional third encryption

• Three independent authentications

• Private network providers available

• SWIFT-provided equipment for customers to secure their connection

• SWIFT in the middle of customer-to-customer messaging – proxying and validating

• Strong isolation of our Operating Centers

Page 12: Day1 - Cyber threats - Any silver bullet

Do not under-estimate your enemy

Key take-away:

You cannot assume any longer that all attacks will be prevented


• nIDS

• NBA

• Network logs

• System logs

• Application logs

• SIEM

• Correlation rules

• Business rules

• Etc

Learn

Prevent

Plan

Manage

FNAO

Page 13: Day1 - Cyber threats - Any silver bullet

Do not under-estimate your enemy

• Big change from the past - More detection is needed

– Without sacrificing prevention

• Invest to close the main gaps revealed by “Know your enemy”

– Especially where prevention reaches its limits

– Use the Modus Operandi that you analysed

– Build upon internal knowledge

– Example: we run brainstorms with application and security experts to imagine all forms of attacks and how to prevent and detect them

• Go beyond the tools

– You need people to understand the events

– Test and practice


Page 14: Day1 - Cyber threats - Any silver bullet

Plan for the worst

Key take-away:

To remedy a severe attack needs serious preparation


• Incident response framework

o Skills

o Processes

o Tools

• Simulations

Learn

Prevent

Plan

Manage

FNAO

Page 15: Day1 - Cyber threats - Any silver bullet

Plan for the worst

• Have people, policies, processes, tools ready

• Think of all dimensions

– Investigations

  • Do you capture the right data: secure logs, network recorders

  • Do you have the right organisation, tools and skills

  • Do you need forensic evidence

– Technical recovery vs Business recovery (customers)

– Decision chain

  • To stop the malware or to first observe it

– Internal and external communication

– Law enforcement engagement

– Etc

• Don’t forget

– To test and practice

– That you may need external help – prepare for it


Page 16: Day1 - Cyber threats - Any silver bullet

Is there a silver bullet?


Know your enemy

Complicate its life

Do not under-estimate it

Prepare for the worst

FNAO

OVER AND OVER

Many attacks can still be countered

Do not assume that all attacks will be countered

To remedy a severe attack needs serious preparation

You better know what you protect and against what

Page 17: Day1 - Cyber threats - Any silver bullet


Thank you