Infosec newbie looking for entry level training? So is SWIFT International payments clearing-house SWIFT wants extra hands to keep its stable doors closed. In a job ad that inexplicably fails to mention the hundreds of millions of dollars missing, in a variety of currencies because of astonishingly-lax security, it seeks an information security trainee. As previously documented, SWIFT' …
According to SWIFT the compromises were in the customer-bank networks connecting to SWIFT, not in their network itself, and I've read nothing to suggest that this is wrong. What evidence does El Reg have to suggest that SWIFT themselves were hacked - or do they just make an easy target for sloppy reporting?
I thought the same based on reading only some of the early articles on the heists. However the Reg article linked to in this one does go some way towards implying that SWIFT were a bit backwards in improving their security - e.g. a lack of 2FA and monitoring s/w. Plus the CEO now coming out with an "action plan" to deploy additional countermeasures. Doesn't speak volumes about SWIFT being proactive in their approach to security, tbh.
But financial centres don't like change - firstly, it costs money, and secondly it probably adds risk, so they only change when it is demonstrably needed.
SWIFT consisted of the Alliance software suite in conjunction with an Oracle database running on an Operating System. The hack consisted of changing two bytes in a running DLL process on this unnameable Operating System. The hackers also diverted confirmatory msgs to the printer that would have alerted staff to the hack.
SWIFT's security advice may well have been outdated, but it was just that - advice. Quite honestly any bank that's so clueless about IT security that it has to rely on advice from the organisation it's connecting to, rather than make its own decisions on how to protect itself from fraud, shouldn't be in the business of handling other people's money anyway.
Entry-level role, as in we'll pick your brains, then fire you and pretend we did the work. Actually the job interview is where management soaks up most of the knowledge (seriously). As far as responsibilities go, they left off the most relevant one, have the trainee try and break security at SWIFT and see just how far he gets before detecting the intrusion, assuming they do manage to detect the intrusion. All the rest of the itemized 'security monitoring' is just so much arse-covering.
'work experience with scripting languages' .. for jazus' sake .. wanted: carpenter with work experience in joining together pieces of wood.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
