GO
Loading...

'Flash Freeze' postmortem: Protecting markets from hackers

Thomas Samson | AFP | Getty Images

Nasdaq officials say a "connectivity" problem was what shut down trading for three hours Thursday, but some cybersecurity experts are concerned that hackers may see an opportunity to attack the markets.

"This draws attention to a system that we know," said Alex McGeorge, a senior security researcher at Immunity Inc. "Even if this wasn't a malicious attack, this has some redundancy issues—meaning it is probably ripe for having some other types of security vulnerabilities."

The stock exchanges could implement a few key changes to enhance security, he said.

Read more: Cramer: Nasdaq was 'WRONG WRONG WRONG'

The Securities and Exchange Commission is working on new regulations for market technology. Only voluntary standards—some dating back to the 1980s—are in place now.

"Those standards reflect the time in which they were written. ... I think there needs to be an update, especially to address what we know about computer security, how we know attackers operate today," McGeorge said.

The exchanges have pushed back against regulation. But after the "Flash Freeze" on Thursday, the Nasdaq CEO Robert Greifield seemed more open to the SEC's proposals.

"When you look at the details of the rules, there's always ways to quibble," he told CNBC. "But the pure spirit of the rules are there, and we think we ought to go further on this concept of defensive driving."

Watch: Greifield on the Nasdaq Nightmare

McGeorge, who has been working in cybersecurity for the financial industry since 2008, said that the industry must take a broader view of the expense. While cybersecurity can be a big investment, the costs of an attack are far greater.

For example, he said, "the PlayStation network that's delivered by Sony … a very large network, had significant downtime, months, because of a security breach." If the same kind of thing were to happen to the exchanges, "I don't know if the economy could deal with something like this," he added.

Watch: Is Wall Street prepared for a cyberwar?

According to McGeorge, regulators and stock exchanges can take a few specific measures to increase cybersecurity.

For one, financial networks need to be better segregated. Thousands of people and firms need to access critical systems daily. Each person is a point of vulnerability.

"If I can compromise one of the users of this system, that gives me an avenue to attack the system itself," McGeorge said.

Stock exchanges also need more redundancies, or backups, he said. The Nasdaq glitch occurred when the central system for reporting prices—known as the securities information processor, or SIP—was compromised.

Greifeld told CNBC that the Nasdaq would be open to allowing competitors to set up SIPs of their own. That way if a system goes down, firms would have an alternative source for pricing information.

The SEC should require the financial industry to have third parties test its networks, McGeorge said, adding that he performs such tests for Immunity.

Read more: Yes, you can. Teaching children to hack safely

"Anything that's connected to an exchange has to undergo regular, manual third-party assessment," he said. "Nothing scripted or automated, because ... people willing to go through to this length to attack an exchange are going to doing it manually."

To hear more about all five steps the markets can take to protect themselves against cyberattacks, watch the video

—By CNBC's Jennifer Schlesinger and Scott Cohn. Follow Schlesinger on Twitter @jennyanne211 Cohn on Twitter @ScottCohnCNBC

  • Andrea Day

    Andrea Day covers Crime & Punishment for CNBC. She and her team have reported nearly $1 billion in fraud this year.

Inside the SEC

  • The Treasury estimates that $21 billion in potentially fraudulent refunds due to identity theft could be issued in the next five years.

  • CNBC's Gary Kaminsky takes a look at the massive amount of digital data that pours into the SEC's enforcement division, which is in charge of investigating violations of securities laws.

  • CNBC's Gary Kaminsky spent time with SEC's Bruce Karpati to learn more about his division, which investigates allegations of fraud committed by investment advisers. Kaminsky reports that if you're breaking the law, the agency will find you.

Madoff Trustee: Investigations Inc

Selling the American Dream

Investigations Inc.: Cyber Espionage

  • When a person enters information on a website, like an email or credit card, it gets stored in that company’s data base. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.

    By attacking business computer networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy.

  • China is working feverishly to counteract its slowest GDP growth in recent years, and one of the ways it’s doing so, say U.S. officials, is through the theft of American corporate secrets.

  • US businesses are enduring an unprecedented onslaught of cyber invasions from foreign governments, organized crime syndicates, and hacker collectives, all seeking to steal information and disrupt services, cybersecurity experts say.