By Greg Wilson
While the number of black hat hackers is growing, Bahrain's stock exchange moves to a virtual business environment. But a secure IT environment demands more than anti-virus software...
Introduction

"Anybody can go into an Internet café and launch an attack, it's dead easy," mused the head of IT at Bahrain's stock exchange, Jassim Karim Salman. "There are a million anomalies on the Internet. You can log on to a purely legitimate site that can't be barred and you can use them to launch an attack," he adds.

What's more, warns Salman, the situation is going to get worse, and what little evidence there is supports his view. Within the last seven months a number of PTTs and ISP monopolies have been brought to a virtual standstill by denial of service attacks. Etisalat, the UAE's PTT, was the initial case, when its service was disrupted over the course of ten days midway through last year. At the beginning of February, King Abdulaziz City of Science & Technology (KACST), the custodian of Saudi's Internet access, also experienced 'an unusually high level of packets hitting its servers,' which appeared consistent with a denial of service attack. Finally, claims Salman, Bahrain's own sole ISP, Batelco, also suffered a service disruption nearly two months back.

With the threat growing, how is Salman going about securing the $7 billion worth of assets that are traded on the Bahrain Stock Exchange? His answer is simply 'from the ground up': starting with the physical security of the building and then taking into consideration the security aspects of every component of the IT environment. "Security isn't just about somebody hacking into your business," says Salman. "It goes to the very heart of the business. Too many companies only think about security after they have built their system. This is like building [an office block] without considering the security. When you bring in a security consultant a year later it will cost you ten times the amount than if he was brought in at the beginning. You have to keep [security] in mind when designing the IT infrastructure," he adds.

Before a computer entered the stock exchange building, a solid security system was installed on site. Any visitor to the building is recorded on closed circuit television from the moment they set foot over the threshold to the moment they leave. All the doors are keypad activated and access, particularly to the data centre, is tightly controlled. Every time a door is opened within the Bahrain Stock Exchange, it is filmed and logged on a database held elsewhere in the building. "The first level of security is the physical well-being of the hardware, the information stored in it and your premises. You then develop your security from there out," comments Salman.

Similarly, security considerations topped the agenda when the backend platforms for the trading system were chosen. To run the trading system, Bahrain Stock Exchange deployed two AS/400s, one hosting the production data and the other sitting next to it mirroring the trading information. Two RS/6000s provide the horsepower for the daily transactions, matching stocks to bids on the trading system and then uploading the information to the DB2 databases hosted on the AS/400s.

Direct link

All of the brokers have direct IP addresses which link straight into the trading engine running on the RISC machines from their NT workstations. "We went for the AS/400 platform because it's one of the most secure — it's never been hacked and there aren't viruses for it. We can secure it down to the object level. Even if the RISC machine is infected or wiped [the stock exchange] would lose only a minimal amount of information. It would take [the IT team] half an hour to wipe it and get it ready to start again," says Salman.

Currently, the brokers also have to be physically present in the building if they are to trade from their set IP address. Although brokers can remotely view the stock exchange information, they are not, as yet, able to trade. However, says Salman, this isn't because of the threat of a hacker entering the system remotely; it is mostly about ensuring that brokers get the same opportunity to trade. "On hotly traded issues it sometimes comes down to a few seconds. But if somebody is on a slower line we can't guarantee them the same access," he explains.

However, the robustness of the AS/400 platform alone isn't what attracted Salman to IBM's workhorse platform. Support was absolutely critical in choosing a platform, says Salman. "If you have a serious issue, you want to know that they can solve it and you won't be left waiting for a fix… IBM has an escalation procedure — if push comes to shove [IBM] will rip the spare out of another machine and fly it to you," says Salman. "Although there may be hotter technologies out there, we wanted reliability and security," he adds.

With next generation e-mail viruses appearing every day, support from security vendors is also of primary importance to Bahrain's stock exchange. The IT director has already dropped CA's Inoculate IT anti-virus software after finding the support unsatisfactory. The Bahrain Stock Exchange is currently testing Trend Micro. The anti-virus software scans all outgoing and incoming e-mails for suspect attachments, and the virus definitions are updated on a daily basis, says Salman. "When users boot up their systems in the morning the server downloads the latest virus definitions to their desktops," he adds.

However, security technologies alone aren't enough to secure the IT environment. There has to be education within the user population; only with education will users realise the need for strict control on such things as the introduction of unauthorised software into the IT environment and the customisation of workstations. "Education is an important element of any secure environment, but there also has to be a degree of control," says Salman. "But control has to be introduced gradually, otherwise [users] could rebel."

A greater degree of control is being brought to the stock exchange's e-mail system. Disclaimers are soon to be attached to all outgoing e-mails, which in the absence of digital certificates will act as verification that the e-mail was generated by a person within the Bahrain Stock Exchange. Furthermore, reference numbers will be tagged to each e-mail at the server level, logging the subject line and destination address of every single mail sent from the exchange.

Virtual trading

Security issues at Bahrain's stock exchange are going to intensify as it moves to a virtual method of trading, based around a central repository to be hosted on the AS/400 platform. The project is only in the planning stage, but when completed it will take the whole trading process from the physical, paper-oriented system of today to one entirely dependent on the data held within the system. "With the central repository in place security issues will be paramount because the entries on the system will be final… If somebody could go into that system and alter the numbers there would be serious consequences, which couldn't be easily rectified," says Salman.

The initial step to ensuring the integrity of the data in the central repository is strict segregation. "The first thing that we will do is bar ourselves from accessing the production data," comments Salman. "On the application layer we will have to make sure that the people that enter the information are separated from those who approve it," he adds.

Furthermore, the virtual stock market raises issues of transaction verification on the exchange. Transactions that go directly to the transaction engine shouldn't be a problem, predicts Salman. But those investors that wish to leverage stock, by basically borrowing against it, could prove more tricky to verify, and may require a change in the local law to allow digital certificates or even a PKI infrastructure of some description.

Further moves to the virtual, such as taking the stock exchange online, are also on hold. The volume of trades on the exchange has to increase before Bahrain Stock Exchange can justify the expense of taking the system online. Putting the stock exchange online will also involve legislation, Salman adds.

However, Salman admits that even though his department is already very experienced in dealing with security issues, it is not enough. "No matter how much we look at the IT systems, we could always miss something. We can't see everything. We can only try," says Salman. To gain an objective view of the stock exchange's security situation, a security audit will be carried out by an independent third party prior to switchover, to ensure the accuracy of the data and the integrity of the security systems.
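The two controls Salman describes for the central repository, IT staff barred from production data and entry separated from approval on the application layer, as an added Python model constructed for this article rather than anything from the exchange's own system; the user names, the three role labels and the signed share-movement convention are assumptions.

```python
from dataclasses import dataclass
class SegregationError(Exception): pass

@dataclass
class Entry:
    entry_id: int
    account: str
    shares: int              # signed share movement (constructed convention)
    entered_by: str
    approved_by: str = ""    # empty until a second person approves

class CentralRepository:
    """Constructed model of a holdings register with maker/checker control."""

    def __init__(self, roles: dict[str, set[str]]):
        self.roles = roles           # user -> roles from {"entry", "approver", "it"}
        self.entries: list[Entry] = []
        self.audit: list[str] = []   # append-only trail of every accepted action

    def _check(self, user: str, role: str = "") -> None:
        held = self.roles.get(user, set())
        if "it" in held:
            # IT staff are barred from production data, whatever else they hold
            raise SegregationError(f"{user}: IT staff may not touch production data")
        if role and role not in held:
            raise SegregationError(f"{user}: missing role '{role}'")

    def enter(self, user: str, account: str, shares: int) -> int:
        """Maker step: record a pending entry and return its id."""
        self._check(user, "entry")
        entry = Entry(len(self.entries) + 1, account, shares, user)
        self.entries.append(entry)
        self.audit.append(f"ENTER #{entry.entry_id} {account} {shares:+d} by {user}")
        return entry.entry_id

    def approve(self, user: str, entry_id: int) -> None:
        """Checker step: a different person makes the entry final."""
        self._check(user, "approver")
        entry = self.entries[entry_id - 1]
        if entry.approved_by:
            raise SegregationError(f"#{entry_id} is final and cannot be changed")
        if user == entry.entered_by:
            raise SegregationError(f"{user} cannot approve their own entry")
        entry.approved_by = user
        self.audit.append(f"APPROVE #{entry_id} by {user}")

    def holdings(self, user: str, account: str) -> int:
        self._check(user)            # any non-IT user may view; only final entries count
        return sum(e.shares for e in self.entries
                   if e.account == account and e.approved_by)
```

Pending entries never affect a position, and once approved an entry cannot be re-approved or altered, which is the "entries will be final" property the article describes.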