Back in February, I posted a note here about a security breach that had been discovered in some computer networks owned by NASDAQ (originally, the National Association of Security Dealers Automated Quotation system). The NASDAQ Stock Market is the largest US trading platform for stocks not listed on the New York Stock Exchange [NYSE]; it is also the largest screen-based trading exchange in the US, listing 2800+ issues, and the largest in the world by trading volume. A report in October suggested that the attackers had used access to the NASDAQ Directors’ Desk system, a sort of bulletin-board for senior corporate managements, as a launching point for attempts to obtain more specific confidential information.
Reuters has now reported that investigators probing the incident, including the FBI, have concluded that NASDAQ’s system security was not all that it should have been.
A federal investigation into last year’s cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said.
The NASDAQ trading system was, apparently, sufficiently isolated to prevent the hackers from gaining access to it. But the security of some of NASDAQ’s other systems was not up to the same standard.
The sources, however, said the investigators were surprised to find some computers with out-of-date software, misconfigured firewalls and uninstalled security patches that could have fixed known “bugs” that hackers could exploit. Versions of Microsoft Corp’s Windows 2003 Server operating system, for example, had not been properly updated.
NASDAQ is hardly the only company that has not always been entirely diligent about keeping its installations up to date with respect to security patches. As a headline, Company XYZ had Unpatched Systems has about the same news value as Politician Caught Lying. It is still troubling, though, that organizations like NASDAQ, who surely must realize that they are attractive targets, apparently cannot do a better job.