February 9, 2011 – At 1:55 p.m. Monday, the Nasdaq Stock Market was up 21.55 points to 2,790.85.

That is as it should be. Market participants showed no concern about the disclosure over the weekend that “suspicious files” were found on its servers in the United States, presumably from hackers.

For now. Because a ‘web facing’ application like Nasdaq OMX Group’s Directors Desk is only one potential point of failure for capital markets, here and elsewhere.

The files appear to have done no damage and did not affect trading systems. But if you are a board member – particularly of Nasdaq OMX or another exchange group – this is not likely to be comforting.

This is a service that is used by roughly 10,000 members of boards around the world. It’s intended to help them communicate with each other and exchange documents about upcoming meetings.

That a hacker could get this close to a company’s most sensitive documents certainly gives no comfort to present or future users of this service. Even if no information was lost this time, as Nasdaq OMX Group made clear over the weekend.

That’s because hackers keep pressing the pedal to the keyboard on any vulnerability they can find on a ‘web-facing’ application. They’re looking for access to not just sensitive information, but, in best case (in their eyes) a back door into other systems hidden from the Net.

As network security firm FortisNet notes in its January 2011 assessment of the “threat landscape,” hackers focus on vulnerabilities that open doorways to execute any available commands on a target machine. And 60 percent of new vulnerabilities, it estimates, get exploited.

And if, in fact, Directors Desk in any fashion could be reached via the public Web, as appears to be the case, then that defies logic for security in financial markets. You take services off the ‘Net.

As one commenter on the aptly named Lunatic Outpost said:

“One has to ask... Why are THESE servers connected to the Internet in the first place?

“Why is it governments and companies complain of their secure networks’ being hacked... if they are secure why do you have them connected to the biggest totally UNSECURE network in the world?''

That however is not the case with the systems beating at the hart of real-time American finance: an exchange’s trading systems.

As Larry Tabb, founder and chief executive of the Tabb Group, notes, most exchange platforms for trading in securities are run on private networks. You can only get to them via direct connections or extranets.

But let’s suppose the greatest or most determined of the code crackers could get through, what’s the danger? Little, Tabb said.

“Even if they were hacked, there isn’t much you can do that would go unnoticed,’’ he told Securities Technology Monitor today.

Here are the kinds of hurdles they would face – even if they somehow got into a platform:

  1. Market participation identification. If you did not have a customer number, forget it. You’d get tossed immediately.
  2. Port logic. Broker orders come in on certain ports. If customer A comes in on port B, a flag goes up. And the order gets flagged.
  3. ID logic. So if you want to come in on a specific port, you need to come up with an ID for that very port. You’d have to get that from someone who would be putting their business at risk.
  4. Cash logic. Even if you could affect the trade, cash has to make it through the settlement process. Unauthorized trades would gbet caught in the clearing and settlement process.

All of which suggests that if it’s money that a hacker was really after, that it would be more likely that the hacker would take the Willie Sutton route: Break in where the money is.
“The only hack that may be possible on the trading side would be to hack into an individual’s account at a broker and send a trade through that,’’ Tabb said. “But it would be way better if they just stole the money instead of traded over the account.’’

So, ‘web facing’ apps clearly are challenged. Exchanges’ trading platforms likely are not (for now). Market data feeds, Tabb notes, would be hard to disrupt, but what if just the trail of trades got lost?

Every potential avenue for disruption will get tested.

This column initially appeared on Securities Technology Monitor.




Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access