@securiTay – Taylor has better security than some banks transferring millions using SWIFT
Recently there has been what is likely the beginning of a wave of break-ins and financial exfiltrations via the SWIFT Alliance. Reports vary a bit, but between vendor/operator mistakes, weak security controls, lack of integrated forensics, and some not-so-best practices we have ended up witnessing the theft of over $80 million. (It could have been over $950 million but for the successful identification of typos by some astute bank operators.)
I spent some time going through the SWIFT Alliance’s publication ‘Security Guidance for Alliance’ published on 18 March 2016 (current version is 29 April 2016) to understand what their baseline security recommendations and architecture are and then thought about how I would re-implement them to protect against some of the more malicious threats we are seeing today.
TL;DR: the document is a fairly comprehensive approach to securing SWIFT against the types of attacks that were prevalent a decade ago. Times have changed; their model does not seem to have adapted to the threat landscape we are facing today. If you operate a SWIFT infrastructure or just find armchair quarterbacking and 20/20 hindsight to be fun to read – please continue! I’ll do my best to make this entertaining and hopefully informative.
a rather simple pictorial of a jump server logically segmenting admins from assets
I read two interesting articles on securing critical IT systems recently – rather diametrically opposed viewpoints on the role of the jump server (or jump box, as some people refer to it) in securing the critical IT assets of an organization.
The first article was from 2013 by Roger Grimes discussing how to harden and secure your jump server. It’s a good read and provides some advice worth implementing.
The second article, taking the contrarian view, was by Rajat Bhargava and ran on O’Reilly’s TechRadar. In all fairness, Rajat’s article discusses using jump servers in the cloud and argues they are less relevant – there are some merits to his arguments, but I think he misses a few key points – one specifically highlighted in the notable Code Spaces hack, or ‘corporate murder’.
Four Reasons I disagree with Mr. Bhargava… (although on most things I am very well aligned with his assertions!)
In the last 7 years our ability to secure switches and routers has not improved – yet the threat landscape has evolved considerably
I was having a fun discussion with a co-worker this week about how to secure network infrastructure. The challenge is that if someone were to gain access to a switch, router, firewall, or other important transit device, they could pretty easily execute a man-in-the-middle attack, or wreak complete havoc on an organization. We saw a great example of this with the City of San Francisco back when Gavin Newsom was the mayor and Terry Childs, a former Cisco SE, decided to show, with great fanfare and aplomb, what power he wielded.
In 2008 he changed the passwords on the network equipment and then deleted the configuration stored on non-volatile flash. The password recovery procedure requires a reboot of the device – thus recovering the password deletes the run-time configuration, effectively rendering the device inoperative. We can assume that the City of San Francisco did not have a configuration repository separate from what the network admins had access to, or any keystroke logging via a jump server (a few simple things that would have prevented this situation).
Seven years later, today, the password recovery procedure on the switches and routers has not changed. Any networking admin or person with reasonable access and skills can hijack and destroy a network. Vendors have done little to nothing to improve the security and operational manageability of the systems we all depend on. A case in point: Ars Technica reported this week that “Attackers are hijacking critical networking gear from Cisco.” I read through this article a few times and it basically occurred to me to say, “duh… of course they are – vendors have been incredibly lazy regarding security.”