C. Warren Axelrod

NASDAQ Hack and the Failure of InfoSec

The front cover page of the July 21-27, 2014 issue of Bloomberg Businessweek magazine screams out “THE NASDAQ HACK.” The headline refers to the lead article by Michael Riley with the title “How Russian Hackers Stole the Nasdaq: It was easier than you think.” The article describes, in great detail, the events surrounding the discovery and investigation of a hack of NASDAQ systems, which “seemingly” began some time in 2010. The article appears to be an update to a much earlier article by Michael Riley on March 30, 2011 in BusinessWeek (not then owned by Bloomberg) with the title “U.S. Spy Agency Is Said to Investigate Nasdaq Hacker Attack.” That article is now available at http://www.bloomberg.com/news/2011-03-30/u-s-spy-agency-said-to-focus-its-decrypting-skills-on-nasdaq-cyber-attack.html. I discuss the first of Riley’s articles in my April 25, 2011 BlogInfoSec column “Nastier at NASDAQ and the ROI of Security.” This column succeeded my earlier BlogInfoSec column “Nastiness at NASDAQ” posted on March 7, 2011.

In his more recent article, Riley repeats many of the deficiencies discovered back in 2010/2011 and adds a few tidbits. He says that “Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movement, were almost nonexistent.” I’m not sure what he means by “ALMOST nonexistent.” It sounds to me as though he was being kind, and that there weren’t in fact ANY useful logs of user (and abuser) activity. He later writes that “Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding [that the Russians were not trying to sabotage Nasdaq but to clone Nasdaq’s systems] …”

The Riley article goes on to describe how other major financial institutions had not been so attacked, but not because they were not vulnerable (they were, according to Riley). It appears that the hackers just didn’t have such attacks planned. There is a quote in the article from Christopher Finan, a former cybersecurity expert in the Obama White House, that “Our assumption was that, generally speaking, the financial sector had its act together much more … It doesn’t mean that they’re perfect, but on a spectrum they’re near the top.”

Having worked in IT and InfoSec in the financial services sector for some four decades, I am well aware of the state of security in many financial institutions. It is fair to say that they are way ahead of most other sectors with respect to protecting against cybersecurity attacks. Only some government agencies may have better security, though that is debatable. Nevertheless, it is clear that top security postures are not sufficient in and of themselves. We need to do better … much better.
