
Financial Real-Time Threats: Impacting Trading Floor Operations

Financial Real-Time Threats: Impacting Trading Floor Operations. Dr Yiannis Pavlosoglou, OWASP Project Leader, Information Risk Management, yiannis@irmplc.com. September 6th, 2007. Outline: Background, Motivation, Architecture, Findings, Scenario, Conclusions.





Presentation Transcript


  1. Financial Real-Time Threats: Impacting Trading Floor Operations Dr Yiannis Pavlosoglou, OWASP Project Leader, Information Risk Management yiannis@irmplc.com September 6th, 2007

  2. Outline • Background • Motivation • Architecture • Findings • Scenario • Conclusions

  3. Background • PhD in Information Security • Emergence in Designing Routing Protocols • UK Security Scientist • DefCon 2007, IEEE, IEE, BCS, CISSP • Java Developer Background • J2SE, JEE • OWASP Project Leader • JBroFuzz • Employer: Information Risk Management, UK • www.irmplc.com

  4. Motivation • How long can you be out of the market for? “the cash desk, the derivatives desk, the program desk … bring them all together” “Do you have trading technology that allows you to trade across every asset in every country?” “We offer you the ability to trade from your PDA” “Our traders can trade across multiple asset classes simultaneously”

  5. Motivation • How long can you be out of the market for? • Regulatory requirements • Business loss opportunities • Liability issues regarding prices • Increase in number of people on the floor

  6. The Freakonomics of Security and Personnel • Scenario: Member of Staff A holds a password of ‘operational importance’
  Technical Attack Approach • Password is stored in the form of a 128 bit hash • The cost of obtaining the hash would require an insider’s presence • To check for a single value would cost: $0.00000000001 • To check for more than half of the values: ≈ $184 million
  Human Attack Approach • Clerical A Staff Salary pays: $40K / year • A successful career of, say, 25 years • Total Earnings: ≈ $1 million …
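The arithmetic behind the two figures on this slide, as an added worked calculation that is not part of the original deck. The per-trial cost c = $0.00000000001 = 10^{-11} dollars, the salary of $40K per year and the 25-year career are the slide's own values; the trial count N is inferred from the stated total.

Technical approach (brute-forcing the stored hash):

$$N \cdot c = 2^{64} \times 10^{-11}\ \text{USD} \approx 1.84 \times 10^{8}\ \text{USD} \approx \$184\ \text{million}$$

Human approach (the insider's lifetime earnings as an upper bound on the price of cooperation):

$$25\ \text{years} \times \$40\text{K/year} = \$1\ \text{million}$$

At the stated rate, the $184 million total is reproduced exactly by N = 2^{64} trials, i.e. the square root of the 128-bit space, which is the birthday-bound work factor for finding a collision on a 128-bit digest. Searching more than half of the full space of a 128-bit hash (N = 2^{127}) would cost about 1.7 × 10^{27} dollars at the same per-trial price. Either way the slide's point stands: the technical route is orders of magnitude more expensive than the human one, which is why the people holding operationally important credentials, not the hash function, are the realistic target for a defender to protect.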

  7. Trading Floor Security Testing Architecture

  8. Trading Floor Security Testing Architecture • Console Audit Test • Application Assessment • Network Assessment • Penetration Test • Application Security Test • Software Product Review • Application Architecture Assessment • Firewall Review • VPN / RAS Test • Messaging System Audit • Secure Development Training • Application Assessment • Network Assessment • VPN / RAS Test

  9. Typical Assessment Findings

  10. Initial Internal Assessment External Penetration Test Risk Assessment Initiated Scenario Operational System

  11. Scenario Results
  External Penetration Test • A1: Cross Site Scripting • A2: Cross Site Request Forgery • A4: Web Application DoS • A7: Weak Session Cookies • A9: Insecure Communications
  Final Risk Assessment • A1: Non Internet Facing Application • A2: Scarce Data Manipulation Attacks • A4: Application recovers successfully • A7: Users not technical enough • A9: Internal Switched Network
  Fun and Profit Enterprise Attack • A4: Cause a Web Denial of Service • A1: Mass Internal Phishing Email • A2: Manipulate Data on the fly • A7: Hijack administrator’s data • A9: Bounce data off mail gateway

  12. Conclusions • Complex “Enterprise Level” applications will experience “Enterprise Level” attacks • An application, subsystem or component must be able to withstand a targeted specialized attack • Simplicity is key for a Secure System Implementation
