The breach on Nasdaq’s Directors Desk application provides an interesting opportunity to analyze their actual state of security with their advertised state of security. According to the Directors Desk website: “Directors Desk has taken extreme measures to protect user information against unauthorized access.” Given the confidential nature of public company board meetings – what they discuss can move markets – it’s natural that Nasdaq’s Directors Desk service would need to discuss security. And if what a company says about security implied security, then Nasdaq would be Fort Knox, so this is a great opportunity to review their security statements. First off, lets look at what Directors Desk does. According to the website “Directors Desk offers a comprehensive solution designed to improve board communications and effectiveness while relieving corporate executives of the paperwork and time involved in keeping boards informed.” The service includes features for collaboration, calendaring, document management, “secure” email, voting, surveys, contact management and web conferencing. Given these rich features delivered in a realm of confidential board environments, its not surprising that the Directors Desk website discusses security. In fact, the Directors Desk Security page is overflowing with statements that conjure up a notion of high security and data confidentiality (the bolding is mine):
The highest level of security available to protect confidential board communications.
Directors Desk incorporates state-of-the-art technology, processes and protocols to ensure the highest level of security.
Our policies comply with the ISO27001 security standard, providing multiple levels of protection to guard our clients’ confidential data against undesired access. The ISO27001 standard includes employee background screening; policies that restrict physical and logical access to classified information; management of information systems; firewalling; intrusion detection; risk assessment; and guaranteed destruction of expired data.
Directors Desk provides multiple layers of security to protect our clients’ most vital corporate records.
- User authentication is tightly controlled through “strong passwords,” fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system.
- Role-based security protocols control which content is available to each user upon logging in.
- Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm.
- storing all data in hosting facilities that are SAS-70 Level II Certified
- Secure Sockets Layer / SSL
- storing user information in secure offline repositories not accessible to routine “hacking” attempts
- engineering sophisticated application security technologies specifically designed to detect and protect against unauthorized data access
- treating all user information stored in web applications as highly confidential during storage, transmission, and backup.
So what does all this mean. First off, to be fair we don’t yet know much about the technical details of the Nasdaq security breach. No one can ever be 100% secure and it could be that Nasdaq’s security posture is really not all that bad. Security is tedious, very complex and dynamic – no one has perfected it. The point is this: security is all about the effectiveness of controls, not their mere existence (see our post on the gear myth). So its dangerous to rely too heavily on a company’s statements about security. It’s always good to have a healthy dose of skepticism when reading the verbiage.