A Thing
The Green SheetGreen Sheet

Tuesday, February 8, 2011

Could a Nasdaq-style breach happen to you?

Cyber attackers targeting computers used by Nasdaq OMX Group Inc. – the company that runs the Nasdaq Stock Market – apparently didn't gain access to the company's trading systems but did manage to infiltrate its Director's Desk portal, a web-based tool used by directors of companies to share governance information.

According to a statement released by Nasdaq, the company had "detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected." Nasdaq conducted an investigation, brought in outside forensic firms and U.S. federal law enforcement, and ended up removing the files in question.

Flaws in custom-developed apps

Nicholas Percoco, Senior Vice President and head of Trustwave's advanced security team, SpiderLabs, said the level of the users and type of information shared across the application makes the portal "a pretty juicy target for attackers."

Although noting that Trustwave is not involved in the Nasdaq investigation, Percoco remarked that "web application flaws are common in custom-developed applications. A motivated attacker has infinite time to find these flaws because these applications are maintained on the Internet and can be accessed from anywhere in the world."

Percoco said SpiderLabs frequently finds flaws in client companies' web portals, business intranets and document exchange systems. "If the systems are being developed and used to house sensitive information from high-profile, high-ranking people within companies, you need to make sure that the security controls are very tight and that the security around application development is tight as well," he said.

Delayed notification

Although The Wall Street Journal broke the story about the breach on Feb. 5, 2011, suspicious activity within the Director's Desk platform had allegedly occurred over a period of months, according to a follow-up article by the publication.

The statement by Nasdaq also indicated the U.S. Department of Justice had asked Nasdaq to delay notifying customers of Director's Desk about the breach until at least Feb. 14 to "facilitate the continuing investigation." In light of public revelations about the breach, however, Nasdaq "immediately decided, in consultation with the authorities," to inform customers.

Nasdaq acquired the company that created Director's Desk in 2007 so the application could be used for exchange of proprietary information, such as financial data and planning documents, among "multinationals or any organization with dozens or hundreds of subsidiary boards." It is used by approximately 5,000 board members from hundreds of companies.

No evidence of theft yet

Percoco believes more findings may surface regarding the Director's Desk breach in coming weeks, despite Nasdaq's assurance that there is no evidence customer information was accessed or acquired by hackers.

"You look at the press releases and statements from companies that have been breached in the past, and they all use similar language," Percoco said. "It usually says something to the effect of, 'we have no indication that there was any data loss at this time.' And then a week or a month later, the story changes." end of article

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing