Open to attack

With exchanges around the world processing trillions of euros-worth of stock every day, cyber security is coming under increasing scrutiny, writes Rachel Wolcott

Feature image

In the first quarter of 2011, Nasdaq OMX revealed it found suspicious files in the                   servers of its web-facing Directors Desk application, which stores data from Fortune 500 companies. Nasdaq OMX claims none of the confidential and market-sensitive information on the system was stolen.

A couple of weeks later, the London Stock Exchange’s website was infected with malware that was later found to have been caused by an advert it ran. An LSE spokesman played down the exchange’s vulnerability to attack, saying its trading platforms worked on a closed system that did not connect to the internet.

Rajesh Nagella, head of algorithmic products for Emea in Citigroup’s electronic markets business, said: “We need to take the Nasdaq OMX incident as a warning shot. We are serious about cyber security and this incident demonstrates its importance.”

Mark Harris, vice-president at financial IT vender SophosLabs, said: “I’m sure that on a day-to-day basis exchanges are dealing with attempts to get into their organisations. The stakes are high. If someone gets in and is undetected for even a short period, there would be a big impact.”

Need to know information
Security specialists say it is difficult to quantify the number and nature of cyber attacks on exchanges and financial services firms, because they are often kept quiet and only reported if required by regulators or law enforcement agencies. Greg Day, director of security strategy at McAfee, an IT security firm, said: “The industry is shy about sharing what happens for two reasons. One is the embarrassment factor. The other is concern on what kind of impact it will have on their reputation with their customer base.”

Giles Nelson, deputy chief technology officer at Progress Software, said: “We’re seeing exchanges grow up a bit. They’ve realised they’ve broadened access to their networks and one of the unintended consequences is they’re more vulnerable to electronic attack.”

Suspected hacking incidents at exchanges mark a shift in strategy by cyber criminals. According to Mr Day and other security experts, some criminals have moved away from “smash-and-grab” attacks and have started to infiltrate companies and industries in an organised way. Trading venues and financial services firms are obvious targets for cyber criminals seeking to steal valuable data or intellectual property.

Multi-layered strategy
Banks and exchanges use different tools to create a multi-layered security strategy to keep out intruders. Mr Harris said: “It’s a testimony to how seriously exchanges take security that systems breaches don’t happen more often.”

One layer of protection comes from thoroughly vetting traders using their private networks, so in theory exchanges and financial institutions should know who is on their networks at all times. Once inside one of these private trading networks, application-level security should stop any abusive behaviour.

There is also perimeter security, such as firewalls and anti-denial-of-service attack technology, to prevent cyber criminals from accessing a system. In addition, there is a host of software aimed at detecting and preventing security breaches. Some big firms such as Citigroup employ so-called ethical hackers to test their security systems for weak points, which the bank’s business information security team then fixes. Mr Day said: “Some of the right controls are in place, but there’s no room for complacency. It’s easy to forget how fast technology evolves. A network may be secure now, but in six months’ time it will come under attack from something new.”

The bigger they come
The Nasdaq OMX break-in, along with the furore surrounding WikiLeaks’ publication of US embassy cables, underscored the urgency around data security. Accordingly, one of the big themes in cyber security circles is user-access control to ensure that only authorised people can access data.

Mr Harris said: “There’s a lot of effort put into securing data, but the technology has its own problems. More and more people are using mobile devices, but how do you secure them? If one is lost and it holds information on how to access a network, then a door is opened to cyber criminals.” Equally, effort is being put into preventing hackers extracting data from a network they have compromised. Mr Day said: “We have to think about what we don’t want them to take and secure it. At the same time we need to create a barrier so even if they get in, they can’t get anything out.”

One frustration for security chiefs is resistance to security measures from traders seeking to execute trades faster to keep up with the marketplace. Mr. Day said: “Security chiefs are seen as naggers. They’re not involved in a lot of the strategic decision-making. There is a mentality of ‘we have security, but our leading traders can do what they want because they make money.’ They are probably the highest-risk targets.”

Even though many trading venues run on private networks, it does not mean they are impenetrable. Cyber criminals are going to great lengths to gain insider knowledge and understanding of private systems like those on which exchanges run. There are well-documented cases of the virus-like Stuxnet worm and the Night Dragon cyber attacks infiltrating closed systems, controlling networks and stealing data from infrastructure companies and the oil and gas sector.

Risk from mobiles
Mobile devices such as smart phones and tablets are considered to be a huge risk to exchanges and financial institutions trying to maintain a secure environment. These devices are small, portable and easily compromised by hackers. Some firms have policies prohibiting their use in certain workplace areas, but people still use them. Mr Day said: “Only some of the smarter organisations are starting to understand the threat from mobile devices.”

Increasingly, hackers are using Facbook, LinkedIn and Twitter to build relationships with key individuals at firms. Mr Harris said: “Security is only as good as your weakest link, and that’s the user. It only takes one person to click on a link for hackers to gain access.”