suspicion is that one of our own employees inadvertently opened the door for this bot. Pull no punches. I want you to be sneaky as hell. Learn our exposure and tell us where it is so it can be fixed. Our own people won’t even know what you’re up to. It is absolutely essential that the integrity of our trading software not be subject to question. The stability of world financial markets depends on it.”
“Pentests” were the cybersecurity equivalent of military war games, designed to evaluate the security of a computer system by simulating a malicious attack from outsiders as well as insiders. Once the pentest was completed, its results were presented to the system operator. The report included an assessment of the system’s security and vulnerabilities along with specific recommendations to counter them.
The pentest itself involved an analysis for gaps that were usually a consequence of inadequate system configuration, hardware or software flaws, or other operational process weaknesses or lax security countermeasures. Those conducting a pentest approached the computer system as a potential attacker might and sought to aggressively exploit any security holes they discovered. Those chinks in the armor could include misconfigured and unpatched software or systems not properly secured. Employees might be lured into visiting infected Web sites or opening malicious e-mails. Malware then tried to take advantage of missteps in the system.
Jeff and Frank Renkin, Daryl’s replacement at Red Zoya, had been housed in a Holiday Inn Express off nearby Water Street and were given an office on Wall Street in IT operations not far from the Exchange itself. Jeff was surprised the software development and computer operations were housed here, as it was some of the most expensive real estate on earth. The location was especially questionable, as the main data center was in New Jersey. The Exchange’s primary IT operation could have been housed anywhere; much of its supporting IT operation was, in fact, in Chicago. Apparently, NYSE Euronext had money to burn.
Access granted to a receptionist or data-entry employee was the weakest link of the Exchange’s cyberdefense because through those users, malware could gain entry into the system. Receptionist-level accounts on the network served as Red Zoya’s starting point. Frank and Jeff were given contractor key cards to enter the building and assigned a shared office. They found it to be standard IT issue. Jeff had worked in dozens, likely more than a hundred, similar offices, each interchangeable with every other. The staff itself worked from cubicles, with managers occupying real offices around the perimeter. Jeff and Frank were given one of the small outer offices containing two desktop computers with flat-panel monitors, a modest gesture acknowledging the significance of their work but really chosen for privacy concerns.
The staff was told that the consultants were software contractors finishing the last stages of a project on-site. They were given computer accounts with the limited access permissions of basic staff unaffiliated with any particular group or project. The e-mail program that came with the accounts contained a directory of users, while the browser was programmed by default to open the Exchange’s intranet portal. That page served as a central source of company news and was a hub to which department and team sites were linked. It also served as a search facility that enabled users to find documents and sites across the network. With no more information than that, Jeff and Frank were to launch their attack.
* * *
Neither Jeff nor Frank had been surprised at being hired by the Exchange, or the nature of their project. NYSE Euronext was entirely computer and software driven. It was essential that the trading public and world financial system have faith in the Exchange’s operation, so its security needed to be as close to perfect as