October is National Cyber Security Awareness Month in the U.S. — it’s a time to share information, guidance, and tools to improve privacy, safety, and security in the digital age. In that spirit, I want to follow up on a blog post I wrote recently called “Securing High-Value Apps in Financial Services IT“. In that post, I introduced SWIFT’s Customer Security Programme (CSP) that was created to support customers in the fight against cyber fraud.
Here, I will focus on the core concepts from the SWIFT CSP framework and explain how Citrix can provide support for many of the requirements. If you are attending SIBOS in Toronto, I invite you to join me in Theatre 2 on October 19 at 10 a.m. where I will discuss how financial institutions around the world are using Citrix to protect their access to the SWIFT network.
With a compliance deadline of December 31, 2017, the CSP establishes a common set of security controls designed to help financial institutions secure their local environments and to foster a more secure financial ecosystem. The framework is split into three sections. In SWIFT’s documentation, Citrix is identified specifically as a common and recommended mode to access the secure zone that is segmented away from general IT and back office applications.
Operators connect from their general-purpose operator PC to the secure zone via a jump server located within the secure zone, using a Citrix-type solution or Microsoft Terminal Server.
How else can Citrix help address the CSP security controls?
Citrix provides the jump server architecture using XenApp. NetScaler reduces the attack surface by providing end-to-end encryption and exposing only TLS port 443 outside of the secure zone. This creates an isolated and secured enclave with controlled access.
The first concept is to Protect Your Environment. Segmentation between the user’s local SWIFT infrastructure and its larger enterprise network reduces the attack surface and has been shown to be an effective way to defend against cyberattacks, which commonly involve compromise of the general enterprise IT environment. Attackers seek to:
- Compromise credentials of the local and system administrators of the enterprise Active Directory, thereby gaining access to all log-in credentials stored in the directory.
- Compromise supporting IT infrastructure (for example, scanning server, patching server), located in the general IT environment, to steal system credentials and subsequently access the local SWIFT infrastructure.
- Fool an operator into clicking a malicious link in an e-mail, unknowingly downloading malware that compromises the local PC.
SWIFT recommends that additional security controls be implemented for remote access, such as virtual desktop infrastructure and dedicated channels for connectivity (for example, dedicated jump servers for remote users, and leased lines).
The second concept is to Know and Limit Access. Attackers often use the privileges of a compromised account to move laterally within an environment and progress an attack. Implementing multi-factor authentication provides an additional layer of protection against common authentication attacks (for example, shoulder surfing, password re-use, or weak passwords) and further account compromise. Citrix adopts a zero-trust model in which context-aware security policies can block malicious users before they enter the network. Here are a few tips for how you can better implement a limited access model:
- Before providing access to the SWIFT GUI/Client, confirm where the user is connecting from and/or the state of the device being used. Based on these factors, decide whether to prevent access, limit it to certain resources, or apply a more restrictive set of policies.
- NetScaler integrates with existing Identity Providers for multifactor authentication and enhances the authentication process by changing the question from “Who is there?” to “Who is there, where are you coming from and which device are you using?”
- NetScaler’s SmartAccess and SmartControl features fortify the authorization process. Using granular policies, define what users are allowed to do, what resources they have access to, and which network privileges they are assigned before they reach the application.
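The decision flow described in the three tips above (where is the user coming from, what is the device state, and which tier of access follows) can be expressed as an ordered policy evaluation. The following is an added example, not Citrix or SWIFT code; the network ranges, posture fields, resource names and session restrictions are assumptions chosen for illustration.

```python
# Added example (not Citrix or SWIFT code): context-aware access decision
# for an operator reaching the SWIFT jump-server enclave. Network ranges,
# posture fields and resource names are assumptions chosen for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OPERATOR_LAN = ip_network("10.10.0.0/16")   # assumed on-site operator LAN
VPN_POOL = ip_network("10.200.0.0/24")      # assumed remote-access VPN pool

@dataclass
class AccessContext:
    user: str
    source_ip: str
    mfa_passed: bool
    managed_device: bool  # enrolled, disk-encrypted corporate device
    av_current: bool      # endpoint protection up to date
    os_patched: bool

@dataclass
class AccessDecision:
    action: str                      # "deny", "restricted" or "full"
    resources: list = field(default_factory=list)
    restrictions: list = field(default_factory=list)
    reason: str = ""

def evaluate_access(ctx: AccessContext) -> AccessDecision:
    """Hard requirements (MFA, known source) first; device posture picks the tier."""
    src = ip_address(ctx.source_ip)
    if not ctx.mfa_passed:
        return AccessDecision("deny", reason="MFA not completed")
    if src not in OPERATOR_LAN and src not in VPN_POOL:
        return AccessDecision("deny", reason="unknown source network")
    posture_ok = ctx.managed_device and ctx.av_current and ctx.os_patched
    if src in OPERATOR_LAN and posture_ok:
        return AccessDecision("full", ["swift-gui", "swift-admin-console"],
                              ["session-recording"], "trusted network, compliant device")
    if posture_ok:  # compliant device, but arriving over the VPN
        return AccessDecision("restricted", ["swift-gui"],
                              ["no-clipboard", "no-client-drive-mapping", "session-recording"],
                              "remote access: reduced resource set")
    # Unmanaged or non-compliant device: read-only, locked-down, recorded session
    return AccessDecision("restricted", ["swift-gui-readonly"],
                          ["no-clipboard", "no-client-drive-mapping", "no-printing",
                           "session-recording"], "device posture check failed")
```

Note that the checks are ordered so that a missing second factor or an unknown source network is rejected before device posture is even consulted.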
The final concept is to Detect and Respond. The goal is to record security events and detect anomalous actions and operations within the local SWIFT environment. Citrix offers a number of user and administrative logging capabilities, including:
- Identifying anomalies in credentials or access to funds transfer systems (e.g., excessive logins, accessing the system at unusual times). All SWIFT sessions can be recorded with Session Recording and be available for audit when required.
- Logging Citrix farm administrative activities separately into an administrative logging database. Citrix Director monitoring records all login attempts to the Citrix platform as well as historical session information.
- Using PVS non-persistent XenApp hosting also means that if an application anomaly is detected, simply rebooting the affected XenApp host resets the application to its known good state.
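The two anomaly patterns named in the first item above (excessive logins and access at unusual times) can be checked with a few lines of detection logic run over logon events. The following is an added example and not the output format of Citrix Director or Session Recording; the log line layout, the sample lines and the thresholds are constructed for illustration.

```python
# Added example (not Citrix Director or Session Recording output): anomaly
# checks over constructed operator logon events for a SWIFT secure zone.
# The log format and the thresholds are assumptions made for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                    # failed logons per user ...
FAILURE_WINDOW = timedelta(minutes=10)   # ... within this window raise an alert
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 UTC on weekdays is normal

# Constructed sample lines: "<ISO timestamp> user=<id> event=<LOGON|LOGON_FAILED> src=<ip>"
SAMPLE_LOG = """\
2017-10-03T08:02:11Z user=alice event=LOGON src=10.10.5.7
2017-10-03T09:15:40Z user=bob event=LOGON_FAILED src=10.10.6.2
2017-10-03T09:15:52Z user=bob event=LOGON_FAILED src=10.10.6.2
2017-10-03T09:16:05Z user=bob event=LOGON_FAILED src=10.10.6.2
2017-10-03T09:16:19Z user=bob event=LOGON_FAILED src=10.10.6.2
2017-10-03T09:16:31Z user=bob event=LOGON_FAILED src=10.10.6.2
2017-10-03T09:16:44Z user=bob event=LOGON src=10.10.6.2
2017-10-07T02:41:09Z user=alice event=LOGON src=10.200.0.9
"""

def parse_line(line):
    """Split one log line into (timestamp, user, event, source)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["user"], kv["event"], kv["src"]

def detect_anomalies(log_text):
    """Return (kind, user, timestamp) alerts for failure bursts and off-hours logons."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, event, src = parse_line(line)
        if event == "LOGON_FAILED":
            q = recent_failures[user]
            q.append(when)
            while q and when - q[0] > FAILURE_WINDOW:   # drop failures outside window
                q.popleft()
            if len(q) == FAILURE_THRESHOLD:              # fire once per burst
                alerts.append(("excessive_failures", user, when))
        elif event == "LOGON":
            if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
                alerts.append(("off_hours_logon", user, when))
    return alerts
```

On the sample above this yields one burst alert for bob (fifth failure within a minute) and one off-hours alert for alice (a Saturday 02:41 logon); a production version would feed the same checks from the session records kept for audit.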
Financial services organizations have apps and data that are a constant target for hackers and thieves. And while no security control is foolproof, we must continuously adapt and raise the bar for defense – as the threat landscape grows more sophisticated and innovative. We must focus on prevention but plan for containing the blast radius of a breach through virtualization, isolation, segmentation, and containerization.
To learn more visit http://www.citrix.com/solutions/financial-services/swift.html.