National Digital Library of Theses and Dissertations in Taiwan

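Graduate student: Wang, Wen-yuan (汪文淵)
Thesis title: A Study on the Issues of SWIFT Customer Security Controls Framework
Advisor: Chu, Huei-Chung (朱惠中)
Oral examination committee: Wu, Ruey-Chyi (吳瑞琦); Chu, Huei-Chung (朱惠中); Chang Chien, Ya-Wen (張簡雅文)
Oral examination date: 2019-06-26
Degree: Master's
Institution: Huafan University (華梵大學)
Department: Master's Program, Department of Information Management
Discipline: Computer Science
Field: General Computer Science
Thesis type: Academic thesis
Year of publication: 2019
Academic year of graduation: 107
Language: Chinese
Number of pages: 110
Keywords (translated from Chinese): SWIFT; Cybersecurity Controls Framework; Cybersecurity Framework; Exploratory Research
Keywords (English): SWIFT; CSCF; CSF; Exploratory Research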
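The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is currently the provider of the infrastructure for international wire transfer services. After the US$81 million cyber heist at Bangladesh's central bank shocked the world in 2016, SWIFT launched the SWIFT Customer Security Programme to address the cyber threats facing its cross-border payment messaging system; "customers" here means organizations that use the SWIFT messaging system, such as financial institutions. The programme provides a Customer Security Controls Framework (CSCF), which SWIFT requires all customers to implement on the SWIFT messaging infrastructure they build on their own premises.
However, after implementation began in 2017, a case of funds being fraudulently transferred through the SWIFT messaging system still occurred at Malaysia's central bank in early 2018. Whether this happened because the Malaysian central bank had not faithfully implemented SWIFT's requirements, or because the SWIFT CSCF still has areas that could be strengthened, merits further investigation. The main users of the SWIFT messaging system are in the financial sector, where information is relatively closed and first-hand data is hard to obtain, and past research on the information security of the SWIFT messaging system is scarce. This study therefore conducts exploratory research into whether the SWIFT CSCF can still be strengthened, collecting the information that is currently publicly available and examining it through literature analysis.
This study uses the Cybersecurity Framework (CSF) of the US National Institute of Standards and Technology to develop a target profile for customer-side SWIFT messaging infrastructure as the baseline for comparison, and compares it against the SWIFT CSCF as the current profile in order to identify where the SWIFT CSCF can be strengthened. The comparison yields four preliminary findings of areas where the SWIFT CSCF is not fully comprehensive, and the study proposes directions for improvement, with the aim of reducing the risk of further fraudulent-transfer incidents involving the SWIFT messaging system.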

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is the infrastructure provider for the current global international wire transfer service. After the Bangladesh central bank's $81 million cyber heist shocked the world in 2016, SWIFT launched the Customer Security Programme (CSP) to enhance the security of all customers' local SWIFT infrastructure. Under the CSP, SWIFT completed the Customer Security Controls Framework (CSCF) and required all its customers to implement it. However, although the SWIFT CSCF has been implemented since 2017, the Malaysian central bank still had a case in early 2018 in which the SWIFT messaging system was used to steal funds. Whether the Malaysian central bank failed to comply with the requirements of the SWIFT CSCF, or whether the SWIFT CSCF still has a few problems to solve, deserves further exploration.
This study is exploratory research: it examines whether the SWIFT CSCF can still be reinforced by collecting the information that is currently publicly available and applying literature analysis. The Cybersecurity Framework of the National Institute of Standards and Technology is used to develop a target profile of the customer-side SWIFT messaging infrastructure as the comparative baseline, with the SWIFT CSCF as the current profile. Comparing the current profile with the target profile shows where the SWIFT CSCF can be reinforced. The comparison preliminarily identifies four incomplete aspects of the SWIFT CSCF, and suggestions for improvement are put forward in order to reduce the risk of theft cases recurring in the SWIFT messaging system.

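Table of Contents

1. Introduction
1.1 Research background
1.2 Research motivation
1.3 Research questions and objectives
1.4 Research scope, structure, and methods
2. Literature review
2.1 SWIFT international financial messaging service
2.1.1 Overview of the SWIFT organization
2.1.2 SWIFT core service platform: SWIFTNet
2.1.3 Basic architecture of the SWIFT messaging system
2.2 SWIFT's response to cyber threats
2.2.1 Background to the development of the SWIFT Customer Security Controls Framework
2.2.2 SWIFT Customer Security Programme
2.2.3 SWIFT Customer Security Controls Framework
2.3 NIST's response to cyber threats
2.3.1 Background to the development of the NIST Cybersecurity Framework
2.3.2 NIST Cybersecurity Framework
2.3.3 Basic concepts of the three main components of the NIST CSF
2.3.4 Using the NIST CSF to establish a cybersecurity program
3. Research methods
3.1 Exploratory research
3.2 Literature analysis
3.3 Research process
3.4 Method for exploring problems in the SWIFT CSCF
4. Research results
4.1 Generating the expected cybersecurity outcomes for the SWIFT messaging system
4.2 Expected cybersecurity outcomes for the SWIFT messaging system
4.3 Results of comparing the SWIFT CSCF with the target profile
4.3.1 Discussion of the scope covered by the SWIFT CSCF and the NIST CSF
4.3.2 Discussion of subcategory differences between the SWIFT CSCF and the target profile
4.4 Analysis of results and recommendations
4.4.1 The SWIFT CSCF does not fully cover the five functions of the NIST CSF
4.4.2 Risk of fraudulent transfers when review and release are not performed in the SWIFT messaging system
4.4.3 With so many SWIFT customers worldwide, controls are difficult to implement consistently
4.4.4 The traditional concept of security incident reporting is insufficient to meet the needs of CIP
5. Conclusion
5.1 Research conclusions
5.2 Research limitations and directions for future research
References
Appendix 1: List of the NIST Cybersecurity Framework Core (original text)
Appendix 2: Table of cybersecurity outcomes for the customer-side SWIFT messaging system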