Stock exchanges face threats despite stronger security

The function of stock exchanges as a "meeting place" and the need to be time-sensitive make them vulnerable to security threats, despite their more stringent security infrastructure compared to banks, note security insiders, who say exchanges need to adopt a comprehensive security strategy to prevent breaches.

"[Stock exchanges are] a meeting place for many different companies to do business [and require] timely and predicable execution of any trade orders," Dirk-Peter van Leeuwen, vice president and general manager, Red Hat Asia-Pacific told ZDNet Asia. These two characteristics make them unique security challenges, he said.

Over 50 percent of global trading volume runs on Red Hat, which stock exchange clientele includes Singapore Exchange, Tokyo Stock Exchange and New York Stock Exchange.

"While both banks and stock exchanges share the necessity for highly secure environments, exchanges provide a much higher amount of access to clients from internal systems. With increased access comes increased environmental and data sensitivity," van Leeuwen explained.

Data and trade services, which are closely associated with an exchange, are direct network connections that allow clients to prove pricing information and receive order requests, he said. Exchanges, hence, have to ensure added security while simultaneously processing massive quantities of trade information, he noted.

There is also a rise of "near-hosting", or the hosting of competing clients on-site in exchange data centers, he said. Multi-tenancy within the same center creates a wide set of security risks, with the high value of not only trades but also propriety algorithms that generates them, he explained, making the exchange data center "a tempting target for ambitious hackers".

"Hacking attempts into these stock exchanges [are] a regular occurrence for any high profile organization," van Leeuwen said.

Just last month, the Hong Kong Stock Exchange was forced to halt trading of seven companies after hackers broke into its news Web Site. A week earlier, the Zimbabwe Stock Exchange's Web site was attacked by hackers and shut down. Google earlier this year also flagged up the London Stock Exchange's Web site as a malware risk, in which a visit to the page resulted in the downloading of malicious software.

According to van Leeuwen, Insider threats are also a major problem, but unlike external hackers, inside threats move past the perimeter security and have intimate knowledge of the system and data.

Increased focus on insider threats has heightened the need for system- and data-level security, such as the encryption of all data and active monitoring of internal networks, he said.

Additionally, denial-of-service (DoS) attacks will slow systems and services run by stock exchanges, he added. Slowing down one part of the system may require the exchange to cease trading, and such attacks can also be "sophisticated and coordinated", he explained, but added that, fortunately, no financial incentives can be gained by hackers from DoS attacks.

However, van Leeuwen maintained that most financial institutions restrict users' access to minimize exposure and have dedicated teams that work closely with vendors as well as a strong network of security professionals to thwart attacks.

Adopting more stringent security
The security infrastructure of stock exchanges is no different from banks or other large companies, comprising firewalls, intrusion detection or prevent systems, end-point protection systems, anti-malware and patch management tools, Gerry Chng, advisory partner at Ernst & Young Singapore, told ZDNet Asia.

However, Tan Shong Ye, partner at PwC Singapore, said their security requirements are generally higher than a bank's system as any network failure in a stock exchange usually affects the entire financial market, causing players to lose money if they cannot execute trades to clear positions on time.

"There is less tolerance for failure of stock exchange systems," Tan told ZDNet Asia in an e-mail. "A 10-minute downtime during trading hours in a stock exchange system could have more severe business impact than a 10-minute shutdown of a bank's ATM network."

van Leeuwen chimed in that the IT infrastructure of stock exchanges is protected by automated security systems which guard the mission-critical infrastructure from malicious parties. These allow traders and brokers to connect to the IT infrastructure in a secure manner, and ensure data is not compromised, he said.

Stock exchanges also train their IT personnel to identify suspicious activity which may be a prelude to intrusions and attacks on the company's IT infrastructure, he added.

He also shared that recent technology enhancements have been able to ensure operating systems provide applications, such as those for trading purposes, with a more secure environment. These applications can be "cocooned" in an operation environment so that the entire system will not be compromised, regardless of inherent flaws or security weaknesses in an application that have been exploited by an attacker, he explained.

While contacted, Singapore Exchange declined to comment on its security infrastructure.

Holistic security needed
Tan said: "Stock exchanges need a comprehensive security programme that covers physical security, network security, database and server security, personnel security, identity and access management, threat and vulnerability management and data loss prevention."

According to van Leeuwen, breaches occur due to the lack of diligence in maintaining network security. He noted that access methods should be updated and verified regularly, and regular audits and reports will provide a baseline for defence against suspicious software.

Real-time monitoring or vulnerability scanning is also needed, allowing system administrators to monitor the network for potential system compromises, he said, adding that warning signals can be quickly raised and ensure administrators act upon a problem as soon as it is discovered.

Organizations should also think of their contingency plans and look to load-balance heavy network traffic, or create "cold or hot site" or secondary sites in the event of disasters, Chng of Ernst & Young said. This will be essential in the event of unusual load or physical disruption to a geographical location, he said, but added that it would not work for distributed denial of service (DDoS) attacks.

He explained that such setups appear transparent to the Internet where traffic is sent to the same destination and organizations handle the load-balancing without impacting the user. In a DDoS attack, malicious traffic would simply "swing over" to the new infrastructure that was created to support the additional load.

"Instead, what organizations should do is to revisit their business continuity plan to identify key processes or infrastructure that should be brought up in the event of such attacks, and plan for alternate communication plans and separate infrastructures to support the operations," Chng suggested.