2. Publicly Known Attacks on Stock Exchanges: Top 10 Downtime
► NYSE Euronext[1]
► NASDAQ OMX Group[2]
► Hong Kong Stock Exchange[3]
► TMX Group[4]
► BATS Global Markets[5]
► Chicago Board Options Exchange[6]
► Bursa Malaysia[7]
► Tel Aviv Stock Exchange[8]
► Tadawul (Saudi Arabia)[9]
3. Agenda
► It is Too Easy to Cause Impact
► Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
► 2 Case Studies
5. Day 1
10:51 Attack begins:
- UDP flood
- HTTP flood
- FIN+ACK flood
- Empty connection flood
Target: Stock Exchange News Site
Protection: Partial
Impact: Heavy; 4 hour outage of the News Site; collateral damage to other sites
13:30 Noon trading opens, but trading is closed for several companies
16:00 Trading ends for the day
Evening: Mitigation equipment is deployed and configured; attacks halted (temporarily)
Network Impact: Severe
Business Impact: Severe
11. Day 2
08:00 Additional mitigation actions; organization is concerned about false positives
10:36 Attack begins: HTTP flood
Target: Stock Exchange News Site
Protection: Connection Rate Limit + Temp ACL
Impact: 10-15 minutes of slowness/outage
Network Impact: Low
Business Impact: None
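As an added illustration that is not part of the original deck, the Day 2 mitigation (connection rate limit feeding a temporary ACL) expressed as code: a source that exceeds the per-window connection limit is dropped for a fixed TTL and then automatically released, which bounds the cost of a false positive. The connection log lines, addresses, window and thresholds below are constructed for the example.

```python
# Added example (not from the original deck): per-source connection rate
# limit whose violators land in a temporary ACL that expires on its own.
from collections import defaultdict, deque

# Constructed connection log: "<epoch seconds> <client ip> <target>"
CONNECTION_LOG = """\
1000 198.51.100.7 news
1000 198.51.100.7 news
1001 198.51.100.7 news
1001 203.0.113.5 news
1002 198.51.100.7 news
1002 198.51.100.7 news
1003 198.51.100.7 news
1004 203.0.113.5 news
1030 198.51.100.7 news
1100 198.51.100.7 news
"""

WINDOW_SECONDS = 10    # sliding window the rate limit is measured over (assumed)
MAX_CONNECTIONS = 5    # connections per source allowed inside the window (assumed)
ACL_TTL_SECONDS = 60   # temp ACL entry lifetime; bounds the cost of a false positive


def apply_rate_limit(log_text, window=WINDOW_SECONDS, limit=MAX_CONNECTIONS,
                     ttl=ACL_TTL_SECONDS):
    """Replay connection events in order. Returns (decisions, acl): one
    'allow'/'drop' per event, and the temp ACL still active after the last event."""
    recent = defaultdict(deque)   # source -> timestamps inside the window
    acl = {}                      # source -> expiry time of its temp ACL entry
    decisions = []
    for line in log_text.splitlines():
        ts, src, _target = line.split()
        ts = int(ts)
        # release temp ACL entries whose TTL has passed
        for expired in [s for s, exp in acl.items() if exp <= ts]:
            del acl[expired]
        if src in acl:                # blocked source: drop without counting
            decisions.append("drop")
            continue
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:   # evict timestamps outside the window
            q.popleft()
        if len(q) > limit:            # rate limit exceeded: add temp ACL entry
            acl[src] = ts + ttl
            q.clear()
            decisions.append("drop")
        else:
            decisions.append("allow")
    return decisions, acl
```

The seventh connection from 198.51.100.7 trips the limit, the source is dropped at t=1030 while its entry is live, and at t=1100 the entry has expired and traffic is allowed again; 203.0.113.5 is never affected.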
12. Day 2
“Stock exchange IT have been working intensively to resolve all issues”
“Experts successfully implemented a protection against the attacks”
“Additional measures were taken such as a redundant News Site”
19. Week 2
► Stock Exchange remains in highest alert
► Eventually there were no serious attacks
► Protect additional networks
► Forensic process (with police)
► Arrests
30. Case Study 2
January 3
Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16
Early Morning
0xOmar and the Pro-
Jerusalem Post, threatens to attack EL-AL website.
9:30 AM
EL-AL, Tel Aviv Stock Exchange, and several banks are attacked and are unavailable for hours.
January 17
-
Exchanges websites.
January 18
Additional Israeli websites were targeted.
39. 3-Phase Security Model
“Peace” Period: Pre-attack Phase
Attack Period
“Peace” Period: Post-attack Phase
THE SECURITY GAP
Attacker has time to bypass automatic mitigation.
Defenders have no skill/capacity to sustain it.
40. Industry Security Survey
How much did your organization invest in each of the following security aspects in the last year?
[Bar chart: share of investment (0% to 45%) in Procedures, Human skills and Equipment, grouped by phase: Before, During, After]
Source: Radware 2012 Global Application and Network Security Report
41. 3-Phase Security
“Peace” Period: Pre-attack Phase
Attack Period
“Peace” Period: Post-attack Phase
Response Team
THE SECURITY GAP
Attacker has time to bypass automatic mitigation.
Defenders have no skill/capacity to sustain it.
Be prepared for prolonged attacks!
44. Summary
► It is Too Easy to Cause an Impact
► Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
46. Additional Reading
► Radware 2012 Global Application and Network Security Report
► Radware 2011 Global Application and Network Security Report
► Cyber War Rooms: Why IT Needs New Expertise To Combat Today's Cyberattacks - Avi Chesla