Nastiness at NASDAQ

Did you catch the article in the February 5, 2010 Wall Street Journal about hacker intrusions at NASDAQ? It is by Devlin Barrett and is titled “Hackers Penetrate Nasdaq Computers.” The initial penetration of NASDAQ’s networks and systems is believed to date back to 2010. And it appears, though the article does not say so, that the compromised state of NASDAQ’s IT infrastructure and systems was disclosed only now because of the involvement of the Secret Service and the FBI.

From my particular perspective, the most disturbing aspect of the incident, as reported, is that neither NASDAQ staff nor law enforcement apparently know what the intruders did or did not do. From an outsider’s perspective, the instrumentation within the systems appears to have been inadequate, so that they do not know exactly who is navigating around their systems and networks, or what those intruders are doing during their wanderings. Without instrumentation to collect the data, there is (obviously) no data available to populate logs, which in turn could be aggregated and correlated by a SIEM (Security Information and Event Management) system. And without such analysis there are no warnings of unauthorized activity, and hence no basis for detecting it, responding to it, and correcting the vulnerabilities that allowed it.
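As an added example (my own illustration, not code from the article, from NASDAQ, or from this blog's author), here is what that chain looks like at the application layer: a handler instrumented to emit a structured audit event for every access, and a small correlation pass of the kind a SIEM rule would run over those events. The handler, the authorization table, the user names, the thresholds and the log lines are all constructed for illustration; nothing here describes a real system.

```python
"""Application-layer audit instrumentation plus a small correlation pass.

Added example: the handler, role table and log lines below are constructed
for illustration and are not any real organisation's systems or data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# ---- 1. Instrumentation: the application emits structured audit events ----

AUDIT_SINK = []  # in-memory stand-in for a log forwarder feeding the SIEM


def audited(action):
    """Decorate a handler so every call records who, what, which resource, outcome."""
    def wrap(fn):
        def inner(user, resource, *args, **kwargs):
            outcome = "ok"
            try:
                return fn(user, resource, *args, **kwargs)
            except PermissionError:
                outcome = "denied"   # a refused attempt is still worth logging
                raise
            finally:
                AUDIT_SINK.append(json.dumps({
                    "ts": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "user": user, "action": action,
                    "resource": resource, "outcome": outcome}))
        return inner
    return wrap


# Hypothetical authorization table: user -> top-level areas they may touch.
AUTHORIZED = {"alice": {"listings"}, "bob": {"listings", "directors-desk"},
              "svc_batch": {"listings"}}


def area_of(resource):
    """First path segment of a resource, e.g. '/listings/acme' -> 'listings'."""
    return resource.strip("/").split("/", 1)[0]


@audited("read")
def read_document(user, resource):
    """Toy handler: enforce the table, return a placeholder document body."""
    if area_of(resource) not in AUTHORIZED.get(user, set()):
        raise PermissionError(f"{user} may not read {resource}")
    return f"<contents of {resource}>"


def last_event():
    """Most recently emitted audit event, decoded."""
    return json.loads(AUDIT_SINK[-1])


# ---- 2. Correlation: what a SIEM rule would do with those events ----

WINDOW_SECONDS = 300    # sliding window per user (constructed value)
DISTINCT_THRESHOLD = 4  # distinct resources read in the window => enumeration


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return alerts for (a) access outside a user's authorized areas, even when
    the application reported 'ok', and (b) one user touching many distinct
    resources within a short window."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, resource)
    already_flagged = set()       # one enumeration alert per user per run
    for line in lines:
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        user, resource = ev["user"], ev["resource"]
        if area_of(resource) not in AUTHORIZED.get(user, set()):
            alerts.append({"rule": "unauthorized_area", "user": user,
                           "ts": ev["ts"], "resource": resource,
                           "outcome": ev["outcome"]})
        q = recent[user]
        q.append((ts, resource))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()            # drop events that fell out of the window
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and user not in already_flagged:
            already_flagged.add(user)
            alerts.append({"rule": "enumeration", "user": user, "ts": ev["ts"],
                           "resource": sorted(distinct), "outcome": None})
    return alerts


# Constructed sample log (not real data): one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2010-02-05T09:00:01Z", "user": "alice", "action": "read", "resource": "/listings/acme", "outcome": "ok"}
{"ts": "2010-02-05T09:00:10Z", "user": "bob", "action": "read", "resource": "/directors-desk/board-1", "outcome": "ok"}
{"ts": "2010-02-05T09:01:00Z", "user": "alice", "action": "read", "resource": "/directors-desk/board-1", "outcome": "denied"}
{"ts": "2010-02-05T09:02:00Z", "user": "svc_batch", "action": "read", "resource": "/listings/acme", "outcome": "ok"}
{"ts": "2010-02-05T09:02:05Z", "user": "svc_batch", "action": "read", "resource": "/directors-desk/board-1", "outcome": "ok"}
{"ts": "2010-02-05T09:02:07Z", "user": "svc_batch", "action": "read", "resource": "/directors-desk/board-2", "outcome": "ok"}
{"ts": "2010-02-05T09:02:09Z", "user": "svc_batch", "action": "read", "resource": "/directors-desk/board-3", "outcome": "ok"}
{"ts": "2010-02-05T09:30:00Z", "user": "alice", "action": "read", "resource": "/listings/beta", "outcome": "ok"}
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The point of the second rule is the one the post makes: the service account in the sample log gets an "ok" from the application on every read, so nothing in the application itself would ever complain. Only because each access was recorded with user, resource and outcome can a correlation pass notice both that the account is outside its authorized area and that it is walking through resources faster than any legitimate job would.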

For the record, I did raise these issues at RSA 2010 when I presented on the woeful inadequacy of security data collection, particularly at the application layer. A few in the audience got it and thanked me for giving them the ammunition to introduce such data collection and analysis practices into their companies. Others didn’t find my presentation entertaining enough … they obviously didn’t understand my sophisticated humor, preferring the ubiquitous RSA slapstick. This is why I decided not to offer to present at RSA this year. Not that I would be invited back, having scored so low on the entertainment scale. As an aside, I do recognize the RSA Conferences as being outstanding networking opportunities for vendors and practitioners, just not a good place for serious professionals to get their ideas across to the masses.

  1. Vivek Oct 11, 2015 at 10:51 pm

    Unfortunately, many people stick to the saying “if it ain’t broke, don’t fix it!” but this mentality, when it has to do with security, is normally very dangerous. I think that in security (especially in IT Security) we need a proactive approach as you did with the 5-year plan, but not everyone does this – in most cases, security is considered a luxury and they only realise the importance of security once they fall victim to some attacks – but by this time, most of the damage is already done.

  2. Alex Oct 11, 2015 at 11:04 pm

    Having the CISO report to the CIO only works if the CIO supports and understands the importance of security. This directly relates to the culture of a company and can only be remedied (in my humble opinion) by direct reporting to Compliance or Operational Risk. Unfortunately, in an environment where the CIO marginalises security, it is far easier for projects to steamroll their way into the environment.
