More details leaked from the investigation into the cyber-attack on
Nasdaq OMX Group in the fall of 2010 show that the stock exchange was
surprisingly lax in its security, Reuters reported.
Federal investigators found that some of the exchange's computers were
running out-of-date software and some of the firewalls were improperly
configured, Reuters reported on Nov. 18. The Federal Bureau of
Investigation is investigating the cyber-attack in which unknown
perpetrators breached the Directors Desk
collaboration Web application and installed software that allowed them
to spy on the communications being posted on the platform.
Nasdaq's basic computer architecture was sound and kept the
trading systems safe from the attackers, sources told Reuters. The
sources were not named because the investigation was classified,
according to Reuters.
"This was easy pickings. You would have thought they would be
like a cyber Fort Knox, but that wasn't the case at all," a source told
Reuters.
Some of the computers were still running Microsoft's Windows
2003 Server operating system that had not been properly updated, and
security patches that closed known vulnerabilities were not installed,
according to Reuters.
Investigators were "surprised" that the exchange had not been more
vigilant about its cyber-hygiene, considering its importance to
financial systems, Reuters said.
Nasdaq is not the first company to have been breached because
of improper security hygiene. There were reports that Sony had been
running outdated software and did not even have a firewall installed
when attackers broke into PlayStation Network and Sony Online
Entertainment back in April.
Attackers who breached Gawker Media's servers and leaked more than
200,000 passwords last year reported that the company's Linux servers
were out-of-date, the software on the servers was unpatched, the
Websites were vulnerable to SQL injection attacks and the database was
publicly available.
Carl-Magnus Hallberg, senior vice president of IT services for
Nasdaq OMX, told Reuters it was unfair to conclude that security
practices were lax simply because the Directors Desk program was
breached. It was "virtually impossible" to defend against attacks using
malware that had not been previously disclosed, Hallberg said.
Nasdaq claimed to invest heavily in network security and has about 1,000 people working on IT issues worldwide.
Enterprises are spending an aggregate of $20 billion on IT
security each year but they continue to be compromised, Ashar Aziz, CEO
of security firm FireEye, told eWEEK.
The "security gap" means enterprises are investing in standard defenses
that are unable to block new threats, he said. Criminals are
becoming increasingly effective at breaking through firewalls and
other traditional products because they are employing dynamic tactics,
according to Aziz.
Organizations need to shift their defenses from signature-based
methods that rely on knowing what malware will be used on known attack
vectors to more proactive techniques that allow organizations to stop
unknown threats, Aziz said.
Nasdaq did not disclose last fall's breach of Directors Desk
until February. While Nasdaq OMX said at the time that there was no
evidence that customer information had been accessed, Reuters reported
last month that investigators said the malicious software spied on
"scores" of directors who had logged on to the Web application to share
financial information.