NASDAQ Breach: You Should be ConcernedHow Long Were Hackers Prowling Around the Systems?
Since news of the NASDAQ systems breach broke earlier this week, I've been reading with interest the updates about this still-unfolding cyber case.
See Also: Passwords Alone Aren't Enough
To me, the incident is interesting for a couple of reasons. For one, it proves that even the mightiest organizations have security gaps that cyberthieves can find. Second, if hackers were trolling around NASDAQ systems and servers for months and we're just now hearing about, we all should have some serious concerns.
"Rather than going in the front door, the hackers that hit NASDAQ came in through the service entrance."
On Feb. 5, a story broke about the NASDAQ breach. In a statement issued by NASDAQ this week, NASDAQ says it learned of the breach through routine monitoring. "We detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application, Directors Desk, was potentially affected," the statement says. "We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX's operated or serviced trading platforms compromised."
Let's examine the security gaps point first.
In the wake of our recent Faces of Fraud survey, I've spoken with a number of InfoSec and fraud experts recently about fraud detection and prevention, and steps the financial industry is taking to fill their security gaps.
David Navetta, an attorney who focuses on IT security, says large organizations such as NASDAQ may invest more money in security, but they also have more complexities that leave room for gaps. "No company is immune from a data security breach," Navetta says. "Some large brand-name companies are extremely complex, and oftentimes have decentralized and inconsistent security. So, on that level, it does not surprise me that this breach occurred."
NASDAQ's use of Director's Desk, a NASDAQ subsidiary that offers Web-based tools to executives and board members for document-sharing and board-meeting participation, seems to have left a gap. Rather than going in the front door, then, the hackers that hit NASDAQ came in through the service entrance. Imagine that? It seems so obvious, but it's surprising how often those sidedoors and backdoors are left unlocked. As Josh Corman, research director of enterprise security for analyst firm The 451 Group, points out, "It's pretty common for an attacker to get in and then move laterally."
Distinguished Gartner Analyst Avivah Litan agrees the NASDAQ attack was probably no different than most the financial industry faces these days. Cybercrimes target those that have the money. "This could have been the work of someone who knows exactly what NASDAQ-related information they are after for financial gain, or, more likely, this was the work of young cybergangs that just sit around looking for sensitive targets and go probing around their sites," she says.
Despite NASDAQ's claims that Director's Desk provides high-level security that ensure the confidentiality of all board-member communications, the service was not given the same level of security scrutiny given to other parts of NASDAQ's systems. "This illustrates what I said above," Navetta says. "Many large companies have many moving parts, in terms of outsourcing relationships, software packages and systems they rely on. They can be very secure in some areas; but add some new functionality to their IT, and their security risk can change, [especially] if that new IT poses weaknesses or was not integrated properly into the overall system."
And that brings us to the second concern. How long were the hackers probing around for a weakness, and how many did they find? As Navetta says: "Criminals will seek to exploit these vulnerabilities and try to burrow deeper into an organization's information technology. Luckily, in this case, it appears that NASDAQ segregated its systems in a way that allowed its mission-critical trading systems to avoid breach."
But how sure can we really be? If the hackers spent a year monitoring systems and poking for holes, who can be certain they did not gain access to quite a bit more, just waiting for the right moment to strike?
And, perhaps an even a greater question, how was it possible for hackers to breach the system and go and in out several times without anyone at NASDAQ noticing? According to The Wall Street Journal, NASDAQ hacker penetrations were reported in October and November to the Securities and Exchange Commission. Who knows how long those penetrations were going on before that?
The story raises more questions than answers. One positive thing it has done, however, is open our eyes anew to this reality: None of us is too big to be breached.