Bangladeshi Bank Hack – Firewalls, Fat Fingers and ‘Fandation’

The malware that attacked the Bangladeshi central bank via the SWIFT payment platform reportedly exploited a poorly configured network switch, leaving its firewall unguarded.

The bank’s naïve approach to managing this firewall was made worse by the use of second-hand routers to connect their internal systems to the global financial networks. Clearly the bank skimped on network security and security software, allowing the hackers to steal $81m, but what other lessons can be learnt?

Fortunately for the bank, a spelling mistake in one of the transfer orders, ‘foundation’ misspelt as ‘fandation’, alerted staff to the hack, and this sharp-eyed human intervention resulted in the rest of the transactions, amounting to almost one billion dollars, being cancelled. Whilst a functioning firewall would have made the hack attempt more difficult, would it have kept the network safe from further cyber threats?

Firewalls aren’t enough for complex, modern day hacks

A number of organizations still think that a firewall or anti-virus is enough to protect their enterprise network. Hackers are becoming more devious and their methods counter-intuitive. Organizations must address the security issue at a much deeper level, looking at their systems’ structural designs rather than relying only on generic network security components like firewalls, which are no longer enough to keep hackers at bay. Complete security must start with good structural code quality.

Of course, whenever an organization has weaknesses in its software, those openings are likely to be exploited by attackers. This is especially pertinent if the organization holds sensitive files or financial information. Network security helps deter cyber-criminals, but it too becomes exposed if there are flaws in the underlying software code.

This is clear from the number of hacks which occur because of SQL Injection, one of the most basic and preventable code vulnerabilities. Making an application fundamentally secure means addressing the software vulnerabilities in its codebase.
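To make the point about SQL Injection concrete, here is an added example (not code from the article or from the bank's systems) showing a query built by string concatenation beside its parameterized form. The table, beneficiary names and the `find_orders_*` function names are constructed for illustration; the database is an in-memory SQLite instance so the example runs offline.

```python
import sqlite3

# Constructed sample data: a tiny table of outgoing payment orders.
SAMPLE_ORDERS = [
    ("TX-001", "Alpha Foundation", 20_000_000),
    ("TX-002", "Beta Charity", 1_500_000),
    ("TX-003", "Gamma Trust", 900_000),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (ref TEXT PRIMARY KEY, beneficiary TEXT, amount_usd INTEGER)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def find_orders_vulnerable(conn: sqlite3.Connection, beneficiary: str) -> list:
    """DEFECT (shown deliberately): the untrusted value is pasted into the SQL text,
    so quote characters in the input change the meaning of the WHERE clause."""
    sql = f"SELECT ref FROM orders WHERE beneficiary = '{beneficiary}' ORDER BY ref"
    return [row[0] for row in conn.execute(sql)]


def find_orders_safe(conn: sqlite3.Connection, beneficiary: str) -> list:
    """Parameterized query: the value travels separately from the SQL text and is
    only ever compared as data, never parsed as part of the statement."""
    sql = "SELECT ref FROM orders WHERE beneficiary = ? ORDER BY ref"
    return [row[0] for row in conn.execute(sql, (beneficiary,))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same either way.
    print(find_orders_vulnerable(db, "Alpha Foundation"))  # ['TX-001']
    print(find_orders_safe(db, "Alpha Foundation"))        # ['TX-001']
    # A classic injection string turns the concatenated query into
    # "... WHERE beneficiary = '' OR '1'='1'" and leaks every row;
    # the parameterized query matches nothing because no beneficiary
    # is literally named that.
    probe = "' OR '1'='1"
    print(find_orders_vulnerable(db, probe))  # ['TX-001', 'TX-002', 'TX-003']
    print(find_orders_safe(db, probe))        # []
```

The fix is not input filtering bolted on in front of the vulnerable function; it is using the driver's placeholder mechanism so that the query structure is fixed at development time, which is exactly the "address it in the codebase" point the article makes.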

Secure software development practices must be incorporated from the start in order to minimize risks. When software is created with a solid architectural design that emphasizes critical health factors such as reliability, resiliency and robustness, it becomes much harder to penetrate or for hackers to find cracks in the foundation. Poor software design by contrast provides vulnerabilities that, especially within complex systems, offer a way for attackers to penetrate core systems without even being detected.

Security must be designed and built into every application as it is coded and then vigorously verified. Later stage security audits or adding of firewalls does not suffice and can lead to a false sense of security. The code quality verification process should ideally be carried out continuously, across every release of an application and it is with this systematic approach that organizations can stay secure, protect their data, and meet customer requirements and quality standards.

Structural designs offer a much more complete security defense

Addressing security concerns at the code level means being able to analyze and measure the quality of critical applications developed in-house as well as those outsourced to trusted partners. This tells the organization whether exploitable vulnerabilities exist, whether malicious or unintentional. It goes beyond measuring whether the application's functions perform as intended, which is the role of the more common functional testing.

Structural code testing, which measures how well the code is written, underpins the security of the system overall and has additional benefits such as improving coding efficiency. After all, applications which are slow or unstable are attractive to hackers, as they are more easily breached and more seamlessly conceal malware.

Software must be architected to overcome this and be structured for continuous improvement. Only certain procedures should be able to touch data with the highest classifications, and all software should be regularly checked to make sure it adheres to that data classification architecture. Doing this makes it extremely difficult for someone to write a piece of code that can access critical data, and would have served as a much better line of defense in the Bangladeshi bank SWIFT hack.

Following industry standards ensures strong foundations

Failing to build structural code that meets industry standards, such as those espoused by CISQ (the Consortium for IT Software Quality), can result in insecure applications. Such standards are important because around half of security problems stem from design flaws which cannot be found by a simple code review or code quality testing. It is structural analysis, of the type CISQ recommends, which truly evaluates how components communicate and helps protect against code-related security vulnerabilities.

Following coding best practices, and using tools such as static code analysis, helps developers reduce critical mistakes at the application layer and gives them a clearer picture of security hotspots. Organizations looking to protect themselves, and not risk suffering the same fate as the Bangladeshi bank, must not let poor structural quality, insufficient security practices or overlooked vulnerabilities affect their future.
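The two ideas above, restricting which procedures may touch the most sensitive data and checking that rule continuously with static analysis, can be combined into one small structural check. The following is an added example, not code from the article or from CISQ; it uses Python's standard `ast` module to walk source files and report any call to a "restricted" data accessor made from a function that is not on an allowlist. The accessor names (`load_signing_key`, `read_swift_credentials`), the allowlisted callers, the module names and the two sample source files are all hypothetical values constructed for the demonstration.

```python
import ast

# Hypothetical policy (an assumption for this example, not from the article):
# functions that hand back data of the highest classification, and the only
# fully qualified callers permitted to invoke them.
RESTRICTED_ACCESSORS = {"load_signing_key", "read_swift_credentials"}
ALLOWED_CALLERS = {"payments.signer.sign_message", "payments.auth.open_session"}


class _AccessVisitor(ast.NodeVisitor):
    """Track the enclosing class/function names so each call site can be
    reported with a fully qualified caller name."""

    def __init__(self, module: str):
        self.module = module
        self.scope = []        # names of enclosing classes/functions
        self.violations = []   # (line, caller, accessor)

    def _caller(self) -> str:
        if not self.scope:
            return f"{self.module}.<module>"
        return ".".join([self.module] + self.scope)

    def _visit_scoped(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_FunctionDef = _visit_scoped
    visit_AsyncFunctionDef = _visit_scoped
    visit_ClassDef = _visit_scoped

    def visit_Call(self, node):
        func = node.func
        # Handle both bare calls `f()` and attribute calls `obj.f()`.
        if isinstance(func, ast.Name):
            name = func.id
        elif isinstance(func, ast.Attribute):
            name = func.attr
        else:
            name = None
        if name in RESTRICTED_ACCESSORS and self._caller() not in ALLOWED_CALLERS:
            self.violations.append((node.lineno, self._caller(), name))
        self.generic_visit(node)


def find_policy_violations(source: str, module: str) -> list:
    """Return every (line, caller, accessor) where restricted data is reached
    from a caller the classification architecture does not permit."""
    visitor = _AccessVisitor(module)
    visitor.visit(ast.parse(source))
    return visitor.violations


def check_codebase(modules: dict) -> list:
    """Run the check over a {module_name: source_text} mapping, as a CI step
    would on every release; returns (module, line, caller, accessor) tuples."""
    found = []
    for module, source in modules.items():
        for line, caller, accessor in find_policy_violations(source, module):
            found.append((module, line, caller, accessor))
    return found


# Constructed sample sources: one compliant module, one that violates the policy.
SAMPLE_SIGNER = """\
def sign_message(msg):
    key = load_signing_key()
    return msg, key
"""

SAMPLE_REPORT = """\
def export_daily_report(rows):
    creds = read_swift_credentials()
    return len(rows)
"""

if __name__ == "__main__":
    for hit in check_codebase({"payments.signer": SAMPLE_SIGNER,
                               "payments.reporting": SAMPLE_REPORT}):
        print("POLICY VIOLATION: %s:%d %s calls %s" % hit)
```

Run as part of the build, a non-empty result fails the release, which turns the "regularly checked" requirement into an automated gate rather than a periodic audit. The check is deliberately name-based and conservative: it will flag any call that looks like a restricted accessor, and a real deployment would resolve imports to avoid both false positives and aliasing that hides a call.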

Every organization should take security defenses seriously. With the number of high profile breaches increasing, and cyber-attackers becoming more daring and skillful, relying on a firewall is not an effective solution compared to comprehensively building software from a secure starting point. This really does build the foundation of a strong, secure platform that can stand the tests of time and increasingly ingenious cyber-criminals.
