10 Feb. 2011
Statement on Security Violation to Nasdaq OMX Systems
“Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX’s operated or serviced trading platforms compromised.

“Subsequently, the U.S. Department of Justice requested that we refrain from providing notice to our customers until, at the earliest, February 14, 2011, in order to facilitate the continuing investigation. NASDAQ OMX was honoring the U.S. Government’s request to delay notification, but when a story ran in the media on Saturday, February 5, 2011, regarding a hacking incident at NASDAQ OMX, we immediately decided, in consultation with the authorities, that we must inform our customers.”

“We continue to evaluate and enhance our advanced security controls to respond to the ever increasing global cyber threat and continue to devote extensive resources to further secure our systems. Cyber attacks against corporations and government occur constantly. NASDAQ OMX remains vigilant against such attacks. We have been working in cooperation with the Government’s ongoing investigations and have received their technical advice for which we are appreciative.”

In addition to the obvious IT security risk Nasdaq faces, there is the reputation risk now attached to the Directors Desk name following the breach. Yet the product's website, http://www.directorsdesk.com/, still carries a description that states, “Directors Desk provides multiple layers of security to protect our clients' most vital corporate records. User authentication is tightly controlled through ‘strong passwords,’ fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system. Role-based security protocols control which content is available to each user upon logging in. Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm.”

While Nasdaq followed its crisis management plan on this incident (it contacted law enforcement officials early, detected and removed the suspicious files, and disclosed all of this to its customers), the hack itself has not gone unnoticed by media critics. Jeffrey Carr, a Forbes columnist who writes Digital DAO, had this advice for Nasdaq and other corporations: “My advice to NASDAQ is to cut Directors Desk loose and stay focused on protecting your trading platform. My advice to corporations who are in high technology, banking, energy, and defense sectors (all high value targets to advanced persistent threat actors) is to avoid using any electronic boardroom software that makes you a bigger target than you already are.”

There is one message that all boards may want to take away from this incident: make sure you truly understand the technology your company and your board use to communicate with each other, with stakeholders and with the public.