Exclusive: Lax security at Nasdaq helped hackers | Reuters.
A federal investigation into last year’s cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said. The sources did not want to be identified because the matter is classified.
The ongoing probe by the Federal Bureau of Investigation is focused on Nasdaq’s Directors Desk collaboration software for corporate boards, where the breach occurred. The Web-based software is used by directors to share confidential information and to collaborate on projects.
…investigators were surprised to find some computers with out-of-date software, misconfigured firewalls and uninstalled security patches that could have fixed known “bugs” that hackers could exploit. Versions of Microsoft Corp’s Windows 2003 Server operating system, for example, had not been properly updated.
This story is interesting on several fronts. First, we find out that when the FBI is brought into a criminal breach investigation, it evaluates the victim organization’s information security posture, i.e. is the organization following best practices? While this may be obvious, one might want to know what the FBI’s definition of best practices is.
Second, this leak could have a chilling effect on organizations’ willingness to report cybercrimes to the FBI. On the other hand, the breach laws in most states will most likely still compel organizations to report breaches.
Overall though, I believe the compounded loss of reputation from disclosing a breach and the disclosure of lax information security practices will increase organizations’ motivation to strengthen the latter to reduce the risk of the former.
Ars Technica provides an excellent analysis of the potential threats to users of RSA Secure-ID tokens as a result of the breach RSA announced.
RSA’s announcement was not specific in the information it gave, so exactly what this means for SecurID isn’t clear. In the likely worst case, the seed values and their distribution among RSA’s 25,000 SecurID-using customers, may have been compromised. This would make it considerably easier for attackers to compromise systems dependent on SecurID: rather than having to acquire a suitable token, they would be required only to eavesdrop on a single authentication attempt (so that they could determine how far through the sequence a particular token was), and from then on would be able to generate numbers at their whim.
The article also covers more benign, more grave, and less likely possibilities. I would think that RSA customers are receiving more precise information.
While Secure-ID is probably the most popular two-factor authentication solution, it may be worth noting that there are many other choices available from RSA and its competitors.
Carpe Breachum: How the HBGary breach can make us stronger – CSO Online – Security and Risk.
Nick Selby makes an interesting point in his analysis of the HBGary Federal breach – we are all targets and we all get hacked. Therefore we should be more willing to share information about attacks which will enable us all to better defend ourselves.
A famous security researcher once answered my question about how he avoids being hacked, “Hell, Nick, I get hacked all the time”. He said it as if I were asking a really stupid question, because in fact, I was.
Admitting that we are all targets; admitting that we’ve all been hacked; admitting that we all face the same issues, means that we can move from psychological and marketing objections, and look instead to solving or at least addressing the logistical and pragmatic barriers to information and intelligence sharing.
Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch.
A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, something that did not strike me as all that surprising. What did strike me as somewhat surprising, though, is some of the things people agreed the government should do in regards to cyber-security.
According to the survey (PDF) – which fielded answers from a total of 285 security pros in industries such as food and agriculture, defense and information technology – 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.
It seems to me that the federal government should enact some cyber-security legislation, but not like PCI. Government bureaucracy is too slow moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is too slow moving. PCI DSS 2.0 could have done much more but chose to simply focus on clarifications. I think the federal government should (1) force more and more complete breach disclosure and (2) possibly increase penalties for breaches. The latter was a tactic the government took to with HITECH to strengthen HIPAA.
In the mean time, the states have been moving aggressively, e.g. Massachusetts 201 CMR 17.