Page 1
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Financial Real-Time Threats: Impacting Trading Floor Operations
Dr Yiannis Pavlosoglou
OWASP Project Leader
Information Risk Management
[email protected]
September 6th, 2007
Page 2
Outline
Background
Motivation
Architecture
Findings
Scenario
Conclusions
Page 3
Background
PhD in Information Security: Emergence in Designing Routing Protocols
UK Security Scientist: DefCon 2007, IEEE, IEE, BCS, CISSP
Java Developer Background: J2SE, JEE
OWASP Project Leader: JBroFuzz
Employer: Information Risk Management, UK (www.irmplc.com)
Page 4
Motivation
“the cash desk, the derivatives desk, the program desk … bring them all together”
“Do you have trading technology that allows you to trade across every asset in every country?”
“Our traders can trade across multiple asset classes simultaneously”
“We offer you the ability to trade from your PDA”
How long can you be out of the market for?
Page 5
Motivation
How long can you be out of the market for?
Regulatory requirements
Business loss opportunities
Liability issues regarding prices
Increase in number of people on the floor
Page 6
The Freakonomics of Security and Personnel
Scenario: Member of Staff A holds a password of ‘operational importance’
Technical Attack Approach
Password is stored in the form of a 128-bit hash
The cost of obtaining the hash would require an insider’s presence
To check for a single value would cost: $0.00000000001
To check for more than half of the values: ≈ $184 million
Human Attack Approach
Clerical Staff A salary pays: $40K / year
A successful career of, say, 25 years
Total earnings: ≈ $1 million
…
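The cost comparison on this slide as a small model, added here as a worked example and not part of the original deck. It assumes the slide’s “≈ $184 million” figure corresponds to 2^64 candidate checks at $10^-11 each (2^64 × 10^-11 ≈ 1.84 × 10^8), so the candidate count is a labelled parameter rather than derived from the 128-bit hash length; it also finds the per-check price and keyspace size at which the technical approach would stop being the more expensive one.

```python
# Added example: cost model behind the slide's technical-vs-human comparison.
# Not from the original deck. Assumption: the slide's "≈ $184 million" figure
# corresponds to 2**64 candidate checks at $1e-11 per check (2**64 * 1e-11 ≈ 1.84e8).
import math

PER_CHECK_USD = 1e-11      # slide: cost to check a single value
CANDIDATES = 2 ** 64       # assumption: candidate count behind the $184M figure
SALARY_USD = 40_000        # slide: clerical staff salary per year
CAREER_YEARS = 25          # slide: length of a successful career
LIFETIME_USD = SALARY_USD * CAREER_YEARS   # slide: ≈ $1 million


def brute_force_cost(candidates: int = CANDIDATES, per_check: float = PER_CHECK_USD) -> float:
    """Total cost of testing `candidates` values at `per_check` dollars each."""
    return candidates * per_check


def insider_lifetime_earnings(salary: float = SALARY_USD, years: int = CAREER_YEARS) -> float:
    """Ceiling on what the human approach could cost: a whole career's pay."""
    return salary * years


def cost_ratio(candidates: int = CANDIDATES, per_check: float = PER_CHECK_USD) -> float:
    """How many times more expensive the technical approach is than the human one."""
    return brute_force_cost(candidates, per_check) / insider_lifetime_earnings()


def break_even_per_check(candidates: int = CANDIDATES, earnings: float = LIFETIME_USD) -> float:
    """Per-check price at which brute force costs exactly the insider's lifetime earnings."""
    return earnings / candidates


def max_bits_cheaper_than_insider(per_check: float = PER_CHECK_USD,
                                  earnings: float = LIFETIME_USD) -> int:
    """Largest keyspace size in bits whose full enumeration costs no more than the insider."""
    return math.floor(math.log2(earnings / per_check))


if __name__ == "__main__":
    print(f"technical approach:        ${brute_force_cost():,.0f}")
    print(f"human approach:            ${insider_lifetime_earnings():,.0f}")
    print(f"ratio:                     {cost_ratio():.0f}x")
    print(f"break-even cost per check: ${break_even_per_check():.2e}")
    print(f"keyspace no dearer than the insider: up to {max_bits_cheaper_than_insider()} bits")
```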
Page 7
Trading Floor Security Testing Architecture
Page 8
Trading Floor Security Testing Architecture
Penetration Test, Application Security Test, Software Product Review, Application Architecture Assessment
Console Audit Test, Application Assessment, Network Assessment
Secure Development Training, Application Assessment, Network Assessment, VPN / RAS Test
Firewall Review, VPN / RAS Test, Messaging System Audit
Page 9
Typical Assessment Findings
Page 10
Scenario
Operational System
Risk Assessment Initiated
Initial Internal Assessment
External Penetration Test
Page 11
Scenario Results
External Penetration Test
A1: Cross Site Scripting
A2: Cross Site Request Forgery
A4: Web Application DoS
A7: Weak Session Cookies
A9: Insecure Communications
Final Risk Assessment
A1: Non Internet Facing Application
A2: Scarce Data Manipulation Attacks
A4: Application recovers successfully
A7: Users not technical enough
A9: Internal Switched Network
Fun and Profit Enterprise Attack
A4: Cause a Web Denial of Service
A1: Mass Internal Phishing Email
A2: Manipulate data on the fly
A7: Hijack administrator’s data
A9: Bounce data off mail gateway
Page 12
Conclusions
Complex “Enterprise Level” applications will experience “Enterprise Level” attacks
An application, subsystem or component must be able to withstand a targeted specialized attack
Simplicity is key for a Secure System Implementation