ERE Information Security Auditors

NEW YORK STOCK EXCHANGE MELTDOWN

Wednesday, May 12th, 2010


The New York Stock Exchange meltdown last Thursday gives a whole new meaning to “security vulnerability.”  Imagine that supposedly technical errors in a transaction processing system could cascade into a plunge felt in markets around the world.

The Washington Post article by Zachary Goldfarb and Jia Lynn Yang quotes Exchange officials as saying the meltdown was “…probably caused by technical problems and could take weeks or months given the millions of trades being examined.”  The full article is linked from the www.ere-security.ca RSS feed of May 10, 2010 and at http://www.washingtonpost.com/wp-dyn/content/article/2010/05/07/AR2010050705087.html?sid=ST2010050705108

In my opinion, whatever the New York Stock Exchange officials ultimately determine the cause of the meltdown to be, two basic security practices need to be implemented to reduce the chance of a repeat performance.

The first suggestion is really just plain common sense.  Since the Exchange appears to be susceptible to anomalous transactions, where the requested sell price of an instrument is unreasonably below the current market price, security policy needs to be implemented and enforced so that such orders are held and investigated by human beings before they are executed.

This type of inspection falls well within the realm of standard security practice for complex transaction processing systems, or for that matter, even the simplest web-based on-line purchasing system.  In both the simple and the complex case, it is customary to check input data for “sanity,” that is, for whether it is credible.
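The kind of pre-trade sanity check described above, written out as an added example (this is illustrative code, not ERE’s or the Exchange’s): each incoming order is compared with a reference price for its symbol, and orders whose price deviates implausibly from that reference, or whose quantity or symbol is not credible, are held in a queue for human review instead of being executed.  The reference prices, the 10% deviation threshold, the quantity ceiling and the sample orders are all constructed assumptions for the example, not figures from the article.

```python
"""Pre-trade sanity check that holds implausible orders for human review.

Added example; not code from the original post or from any exchange.
Reference prices, thresholds and sample orders below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    symbol: str
    side: str           # "SELL" or "BUY"
    quantity: int
    limit_price: float  # requested price per share


@dataclass
class PreTradeSanityCheck:
    """Gate orders before execution; anything not credible is held, never executed."""
    reference_prices: Dict[str, float]   # last credible market price per symbol (assumed)
    max_deviation: float = 0.10          # assumed: >10% below (sell) / above (buy) is implausible
    max_quantity: int = 1_000_000        # assumed: larger orders always need a human
    held: List[Tuple[Order, List[str]]] = field(default_factory=list)

    def reasons_to_hold(self, order: Order) -> List[str]:
        """Collect every reason the order fails the credibility check (empty = credible)."""
        reasons: List[str] = []
        if order.side not in ("SELL", "BUY"):
            reasons.append(f"unknown side {order.side!r}")
        if order.quantity <= 0 or order.quantity > self.max_quantity:
            reasons.append(f"quantity {order.quantity} out of range")
        if order.limit_price <= 0:
            reasons.append(f"non-positive price {order.limit_price}")
        ref = self.reference_prices.get(order.symbol)
        if ref is None:
            reasons.append(f"no reference price for {order.symbol}")
        elif order.limit_price > 0:
            # Signed deviation from the reference: negative means below market.
            deviation = (order.limit_price - ref) / ref
            if order.side == "SELL" and deviation < -self.max_deviation:
                reasons.append(f"sell price {deviation:+.1%} vs reference {ref}")
            elif order.side == "BUY" and deviation > self.max_deviation:
                reasons.append(f"buy price {deviation:+.1%} vs reference {ref}")
        return reasons

    def gate(self, order: Order) -> str:
        """Return "ACCEPT" to pass the order on, or "HOLD" after queueing it for review."""
        reasons = self.reasons_to_hold(order)
        if reasons:
            self.held.append((order, reasons))
            return "HOLD"
        return "ACCEPT"


def run_example() -> Dict[str, str]:
    """Run a constructed batch of orders through the gate and return each decision."""
    checker = PreTradeSanityCheck(reference_prices={"ACME": 40.00, "XYZ": 12.50})
    orders = [
        Order("o1", "ACME", "SELL", 500, 39.50),        # 1.25% below reference: credible
        Order("o2", "ACME", "SELL", 500, 0.01),         # 99.98% below reference: hold
        Order("o3", "XYZ", "SELL", 5_000_000, 12.40),   # quantity above ceiling: hold
        Order("o4", "XYZ", "BUY", 100, 12.60),          # 0.8% above reference: credible
        Order("o5", "NOREF", "SELL", 100, 50.00),       # no reference price at all: hold
    ]
    decisions = {o.order_id: checker.gate(o) for o in orders}
    for order, reasons in checker.held:
        print(f"held {order.order_id}: {'; '.join(reasons)}")
    return decisions


if __name__ == "__main__":
    print(run_example())
```

The important design choice is that a held order is never silently executed or silently dropped: it lands in a queue with the reasons it failed, so the reviewer sees exactly what the automated check objected to.  In a real system the reference price would come from the market data feed rather than a fixed table, and the deviation threshold would be tuned per instrument.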

The second suggestion is that anyone who is able to enter transaction requests into the Exchange transaction processing system, such as stock broker representatives, should undergo a regular background security appraisal of their susceptibility to being induced to enter sell orders that are not credible.

Again this is Security 101, and organizations that deal with sensitive or critical data understand the need to do background checks on employees, both during the hiring process and periodically thereafter. Professional associations with expertise in Information Security, such as ISACA, www.isaca.org, incorporate background checking into their cornerstone IT governance framework, COBIT.  More information about COBIT may be found at www.isaca.org/cobit .

The Washington Post article goes on to explain the possible causes of last Thursday’s problem, which drove the Dow Jones Industrial Average down by nearly 1000 points in less than one hour, as “Computer programs designed to make lightning-fast decisions, based on complex mathematical rules, or algorithms, about what to buy and sell made massive trades without human input.” and “… electronic trading hubs had inconsistent rules about when to stop a sudden plunge in stock prices.”

While the debate continues about whether or not stock exchanges should slow down or interfere with automated trading, the root cause of the problem will still exist:  invalid sell requests.  Automated trading may produce the observed cascade effect, but it is not the root cause of the problem.

Indeed it would also be productive for the Exchange to address the second problem, resolving the rule inconsistencies relating to automated trading.  Ensuring that software rules are consistent and compatible is a basic IT security practice, whether the rules are being designed for transaction processing systems or for firewalls.

While rule consistency is a laudable goal, it still will not address the root cause of the unnecessary plunge.

This plunge problem makes me think of an inverse “Terminator” situation.  In the Terminator films the technology had malicious intent towards humanity.  Here I can imagine the NYSE transaction technology thinking, “These guys want me to do what?”

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (mechanical engineering)

www.ere-security.ca
