Information Security Isn’t a Destination, It’s a Process – A Perspective on Hackers Penetrating Nasdaq Computers

Mark Rasch, Director of Cybersecurity and Privacy Consulting, CSC

After reading the article in the WSJ about hackers penetrating Nasdaq computers, a simple analogy came to mind that paints a clear picture of how things have changed.  While bank robber Willie Sutton never actually said the phrase, it has long been a maxim that you rob banks because “that’s where the money is.”  While that may have been the case in the 1920s and ’30s while Sutton was plying his trade, in 2011 the money – and most things of transferable value – is now in Cyberspace.  It is for this reason that it is all the more distressing that the computers and computer networks belonging to the National Association of Securities Dealers Automated Quotations (better known by its acronym NASDAQ) were hacked into, reportedly some time last year.  While the trading systems that form the core of NASDAQ were apparently untouched, unknown and, more importantly, undetected hackers appear to have been able to enter the NASDAQ networks and collect information. And information is what modern hacking is all about.  Because information is not just power – information is money.  Trade information, corporate information, business process information, sales, privacy, trade secret, privileged information – all of it is at risk to modern hackers.  “Old-school” hackers would be satisfied to break into a system as a proof of concept, to show it could be done.  Website defacers often attacked their victims either to tag them or as a protest against them.  Cyberthieves of the past were the electronic equivalent of “smash and grab” thieves – stealing data, privacy information, or money if they could.

The NASDAQ hack represents a more modern trend – a trend exemplified by things like the Stuxnet worm: sophisticated hackers who target specific companies and entities and patiently wait for a moment of opportunity.  These attackers may wait weeks, months or years before they are prepared to launch an attack.  The attack may be disruptive or destructive (as in the case of Stuxnet), or may be aimed at obtaining money or information. The entry is quiet and surreptitious, and goes unnoticed – despite numerous audits and assessments.  The goal is not a quick hit – it is to learn how the process works, how information flows, what other vulnerabilities exist, and how to inject new vulnerabilities. These attacks may come from organized gangs of criminals, state-sponsored attackers, intelligence agencies, or even sophisticated “script kiddies” with time and resources on their hands – only investigation will show.

The NASDAQ hackers reportedly did not attack the trading system of the exchange – or at least weren’t caught doing so.  Rather they hacked the so-called “Director’s Desk” application that allows members of a board of directors to share sensitive information with each other.  But have no fear, the NASDAQ website for Director’s Desk notes that “Directors Desk incorporates state-of-the-art technology, processes and protocols to ensure the highest level of security,” noting that it “complies” with the ISO27001 security standard and that intrusion detection software “protect[s] all hardware and applications in the Directors Desk server farm.”

The language of the website also points out some of the problems inherent in information security.  In order to gain consumer or customer confidence, we “promise” our customers that their information will be secure.  We assure them that we use “state of the art” technology, or that we “comply” with a particular standard.  This is supposed to assure the customer that it is safe for them to trust us with their most valuable information.  This suggests that information security is a destination.  It is not.  It is a process – and a rigorous one at that.  One which must invariably learn from its mistakes and deficiencies, and there will always be deficiencies.  However clever we might be in keeping hackers out, they will continue to redouble their efforts to get in – and they need only exploit one vulnerability, one weakness, one deficiency, one gullible employee, one flawed piece of code to get in.  With complicated networks layered upon each other, and sensitive data traveling across publicly accessible domains, the business community must remain constantly vigilant.  Bolted-on security will not suffice for new cloud-based technologies – security and security awareness must be part of the corporate and government culture.

It is only a matter of time before hackers penetrate trading floors more deeply than they already have.  As attackers grow in resources and sophistication, defenders must step up to the plate and dedicate the resources necessary to remain a responsible actor in cyberspace. Cyberspace, like the bank, will never be completely safe.  But if we can make it safer, there is no limit to what companies can accomplish.
