Nasdaq Security Hygiene Was Lacking, Investigators Found

Investigators were surprised to find that Nasdaq had outdated and improperly patched software running in its environment, Reuters said.

More details leaked from the investigation into the cyber-attack on Nasdaq OMX Group in the fall of 2010 show that the stock exchange was surprisingly lax in its security, Reuters reported.

Federal investigators found that some of the exchange's computers were running out-of-date software and some of the firewalls were improperly configured, Reuters reported on Nov. 18. The Federal Bureau of Investigation is investigating the cyber-attack in which unknown perpetrators breached the Directors Desk collaboration Web application and installed software that allowed them to spy on the communications being posted on the platform.

Nasdaq's basic computer architecture was sound and kept the trading systems safe from the attackers, sources told Reuters. The sources were not named because the investigation was classified, according to Reuters.

"This was easy pickings. You would have thought they would be like a cyber Fort Knox, but that wasn't the case at all," a source told Reuters.

Some of the computers were still running Microsoft's Windows 2003 Server operating system that had not been properly updated, and security patches that closed known vulnerabilities were not installed, according to Reuters.

Investigators were "surprised" that the exchange had not been more vigilant about its cyber-hygiene, considering its importance to financial systems, Reuters said.

Nasdaq is not the first company to have been breached because of improper security hygiene. There were reports that Sony had been running outdated software and did not even have a firewall installed when attackers broke into PlayStation Network and Sony Online Entertainment back in April.

Attackers who breached Gawker Media's servers and leaked more than 200,000 passwords last year reported that the company's Linux servers were out-of-date, the software on the servers was unpatched, the Websites were vulnerable to SQL injection attacks and the database was publicly available.

Carl-Magnus Hallberg, senior vice president of IT services for Nasdaq OMX, told Reuters it was unfair to conclude that security practices were lax simply because the Directors Desk program was breached. It was "virtually impossible" to defend against attacks using malware that had not been previously disclosed, Hallberg said.

Nasdaq claimed to invest heavily in network security and has about 1,000 people working on IT issues worldwide.

Enterprises are spending an aggregate of $20 billion on IT security each year, but they continue to be compromised, Ashar Aziz, CEO of security firm FireEye, told eWEEK. The "security gap" means enterprises are investing in standard defenses that are unable to block new threats, he said. Criminals are becoming increasingly effective at breaking through firewalls and other traditional products because they are employing dynamic tactics, according to Aziz.

Organizations need to shift their defenses from signature-based methods that rely on knowing what malware will be used on known attack vectors to more proactive techniques that allow organizations to stop unknown threats, Aziz said.

Nasdaq did not disclose last fall's breach of Directors Desk until February. While Nasdaq OMX said at the time that there was no evidence that customer information had been accessed, Reuters reported last month that investigators said the malicious software spied on "scores" of directors who had logged on to the Web application to share financial information.