Taking Stock of the NASDAQ Breach
One of the bigger data breach stories dominating the headlines as we head into RSA 2011 is the NASDAQ breach. While this is considered a “high-profile” breach, the real, behind-the-scenes story is that the hackers had been “trolling” around the NASDAQ system for months. And, on top of that, the breach confirms that complex systems such as NASDAQ’s are highly vulnerable and leave many gaps for hackers to penetrate.
Tracy Kitten at BankInfoSecurity recently did a post along these lines that reinforces a core tenet of application security: no organization is impervious.
Because larger organizations like NASDAQ have highly complex and decentralized applications working in concert to bring this exchange to life, hackers can exploit this complexity for their own gain. And, as Ms. Kitten highlighted, these enterprising hackers were staking out the exchange for months – much like a cat burglar cases a home for an extended period of time and waits for the homeowners to go on vacation.
The financial services media has raised wider awareness of this breach. U.S. lawmakers are now calling for investigations into the vulnerability of 10 exchanges and clearinghouses. We all know that lawmakers need some sort of catalyst to get involved and most often, it takes some sort of high profile breach. Do you recall how much our world changed in the wake of 9/11? It’s very difficult to be proactive when it costs money and everyone ‘feels’ safe.
I am in no way minimizing the security efforts that have been in place for NASDAQ and other exchanges. The security professionals responsible at these organizations are top-notch experts. But as with any entity that maintains private or valuable assets, there is a need to know where every security gap and vulnerability exists.
Discovering every hole in your enterprise is not an easy thing to do. But security professionals should (and some do) use every tool available to get close to this goal. With both manual and automated assessments, security professionals can ensure that they have discovered the most complete set of vulnerabilities in their environment. Then, business cases can be made to prioritize and remediate them with the usually limited resources available. This simply allows them to better protect precious assets, sleep better at night, and keep lawmakers from inserting their own ‘expert opinions’ about how security should be achieved.
About the Author:
Greg Reber is the founder and CEO of AsTech Consulting. Since 1997, AsTech has helped Fortune 1000 companies meet the challenge of securing their information assets. In 2001, AsTech was among the first to see the emerging threat posed by customer-facing Internet applications and developed an application vulnerability assessment solution which has continuously evolved to meet today’s threat environment head-on.