Is the NASDAQ hack the start of things to come?

In light of the NASDAQ Stock Market publicly confirming that it was the victim of a hack, technology experts are predicting this is in fact the start of a larger string of hacks targeted specifically at exchanges.

The NASDAQ hack was aimed at a service which lets business leaders share confidential information – by accessing sensitive documents like these, hackers could have made significant money based on the insider information.

Similarly, according to a report out in the US last week, 20% of emails that come from the US government to external parties are falsified with the intention of seeing personal information.

These previously secure environments have opened up internet services to their stakeholder communities, which in turn introduce risks – hackers are very sophisticated at finding these weaknesses and exploiting them.

The NASDAQ hack is perhaps an example of the hackers’ mindset – nothing is too sensitive or too high profile for them to target. The EC carbon credits hack was another example of a highly targeted attack designed to make a lot of money.

The remedy for such cases is a full and proper risk assessment of these systems before they go live, instead of a tick-in-the-box security assessment. It is a game of chess. Historically the miscreants have been underestimated, but many are playing the game at grandmaster level, and we have to think as many moves ahead as they do to remain secure.

With over 25 years' experience in IT, Paul Vlissidis is a recognised expert on all aspects of IT and Internet security. He heads technical research and new product development for the Ethical Security Testing division of NCC Group, Europe’s leading independent provider of IT security testing and assurance services. He previously held senior IT risk roles within the utilities (nuclear) industry. Paul is an experienced PCI QSA advising on technical and procedural security and risk management. He provides the technical lead for a large team of ethical hackers on projects with national and international corporations, several large merchants and service providers, public sector organisations, emergency services and local authorities, testing network security. He has security clearance under the government’s CESG CHECK and CTAS schemes, enabling him to work on some of the UK’s most sensitive and confidential testing projects, and is a founding member of the security testing industry body CREST (Council of Registered Ethical Security Testers).