Nasdaq breach – What It Says About What a Company Says About Their Security

The breach on Nasdaq's Directors Desk application provides an interesting opportunity to analyze their actual state of security with their advertised state of security
Published on: Mar 3, 2016
Published in: Technology, Business
Source: www.slideshare.net


Transcripts - Nasdaq breach – What It Says About What a Company Says About Their Security

  • 1. Nasdaq Breach – What it says about what a company says about their security

    The breach on Nasdaq's Directors Desk application provides an interesting opportunity to analyze their actual state of security with their advertised state of security. According to the Directors Desk website: "Directors Desk has taken extreme measures to protect user information against unauthorized access." Given the confidential nature of public company board meetings – what they discuss can move markets – it's natural that Nasdaq's Directors Desk service would need to discuss security. And if what a company says about security implied security, then Nasdaq would be Fort Knox, so this is a great opportunity to review their security statements.

    First off, let's look at what Directors Desk does. According to the website, "Directors Desk offers a comprehensive solution designed to improve board communications and effectiveness while relieving corporate executives of the paperwork and time involved in keeping boards informed." The service includes features for collaboration, calendaring, document management, "secure" email, voting, surveys, contact management and web conferencing. Given these rich features delivered in a realm of confidential board environments, it's not surprising that the Directors Desk website discusses security. In fact, the Directors Desk Security page is overflowing with statements that conjure up a notion of high security and data confidentiality (the bolding is mine):

        The highest level of security available to protect confidential board communications.

        Directors Desk incorporates state-of-the-art technology, processes and protocols to ensure the highest level of security.

        Operational Security

        Our policies comply with the ISO27001 security standard, providing multiple levels of protection to guard our clients' confidential data against undesired access. The ISO27001 standard includes employee background screening; policies that restrict physical and logical access to classified information; management of information systems; firewalling; intrusion detection; risk assessment; and guaranteed destruction of expired data.

    WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM

  • 2. Application Security

        Directors Desk provides multiple layers of security to protect our clients' most vital corporate records.

        - User authentication is tightly controlled through "strong passwords," fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system.
        - Role-based security protocols control which content is available to each user upon logging in.
        - Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm.

    But the security position of Directors Desk does not stop here. The Nasdaq Directors Desk privacy policy (version: 8/18/2009) elaborates further – here are some excerpts:

        - storing all data in hosting facilities that are SAS-70 Level II Certified
        - Secure Sockets Layer / SSL
        - storing user information in secure offline repositories not accessible to routine "hacking" attempts
        - engineering sophisticated application security technologies specifically designed to detect and protect against unauthorized data access
        - treating all user information stored in web applications as highly confidential during storage, transmission, and backup.

    So what does all this mean? First off, to be fair, we don't yet know much about the technical details of the Nasdaq security breach. No one can ever be 100% secure, and it could be that Nasdaq's security posture is really not all that bad. Security is tedious, very complex and dynamic – no one has perfected it. The point is this: security is all about the effectiveness of controls, not their mere existence (see our post on the gear myth). So it's dangerous to rely too heavily on a company's statements about security. It's always good to have a healthy dose of skepticism when reading the verbiage.
