7 Conclusion
The threat modeling developed for the stock exchange determines that the most effort should be applied to the online trading servers. Digital certificates, which rely on the SSL/TLS protocols, are considered the countermeasure to prevent, or mitigate the effects of, threats to this environment.
The results emphasize that there is a particular lack of attention to information security, as demonstrated in the case study. The regulation, as a high-level document, is adequate if it is treated as a baseline; companies therefore cannot depend on it alone for the deployment of security technologies. Guidelines should be released to help implement the technologies the regulation refers to, following best practices. Moreover, the regulator should monitor the companies constantly and pay attention to those that violate the regulation.
Needless to say, more assessments are needed to complete the whole picture. These assessments aim to make sure that all regulation points are well covered by the brokerage companies. Regulation point 3 is an example. Do brokerage companies follow firewall deployment best practices? Do they maintain and update their technologies (operating systems, services such as mail and web, database engines, network equipment, antivirus, firewalls, IPS, etc.) to the latest release that covers the vulnerabilities found in previous versions? Another subject is “Software Security”: is the trading web application protected from buffer overflows, SQL injection, etc.? All these assessments are considered future work.
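As an added illustration of the kind of software-security check the assessment above asks for (this example is not part of the paper or of any brokerage system it describes), the following Python script runs an SQL-injection payload against two versions of the same order lookup, one built by string concatenation and one using bound parameters. The in-memory SQLite table, its column names, the client names and the payload are all constructed assumptions for the demonstration.

```python
"""Added example (not from the paper): a minimal SQL-injection check of the kind the
assessment above asks for, run against a constructed in-memory SQLite table that stands
in for a brokerage's order database. The table, the column names and the payload are
all assumptions made for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: orders belonging to two hypothetical clients."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, client TEXT, symbol TEXT, qty INTEGER)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, "alice", "ACME", 100), (2, "bob", "ACME", 250), (3, "bob", "XYZ", 40)],
    )
    return conn


def orders_vulnerable(conn: sqlite3.Connection, client: str) -> list:
    """Builds the query by string concatenation, as a naive trading front end might.
    A quote inside `client` breaks out of the literal and changes the query."""
    sql = "SELECT id, client, symbol, qty FROM orders WHERE client = '" + client + "'"
    return conn.execute(sql).fetchall()


def orders_parameterized(conn: sqlite3.Connection, client: str) -> list:
    """Binds the value as a parameter: the driver never interprets it as SQL."""
    sql = "SELECT id, client, symbol, qty FROM orders WHERE client = ?"
    return conn.execute(sql, (client,)).fetchall()


# Payload an assessor would try in the client field of the web application.
INJECTION = "alice' OR '1'='1"


def run_check() -> dict:
    """Returns how many rows each variant returns for the injection payload,
    next to the row count for a legitimate client name."""
    conn = make_db()
    return {
        "vulnerable_rows": len(orders_vulnerable(conn, INJECTION)),
        "parameterized_rows": len(orders_parameterized(conn, INJECTION)),
        "legit_rows": len(orders_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(run_check())
```

The concatenated query turns into `WHERE client = 'alice' OR '1'='1'` and returns every client's orders, while the parameterized query treats the whole payload as an ordinary (non-existent) client name and returns nothing. Running the same payload against each input field of a trading application, and comparing the responses, is the basic test behind the question raised above.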