Companies think they're prepared for APT cyber attacks, but they aren't

If companies were as familiar with advanced persistent threats as claimed, they'd use more than antivirus software and firewalls to combat them

IT security professionals around the globe overwhelmingly appreciate the threats posed by APTs (advanced persistent threats). More than 60 percent anticipate it's just a matter of time before their organizations are targeted by an APT. Unfortunately, most companies are evidently clueless as to how to fight off an APT.

According to a new survey by ISACA of over 1,500 security professionals, most companies are using antivirus and antimalware products and network-perimeter technologies (firewalls) to ward off APTs. That's like warding off Martian Death Flu with Airborne and a glass of orange juice.

The problem is that while around 67 percent of respondents said they were at least familiar with APTs, just over half of respondents said that APTs are similar to traditional threats. Not so: APTs are sophisticated forms of cyber attacks through which malicious hackers use an array of techniques -- compromising particular types of servers and workstations, dumping passwords, placing back doors, collecting data, or loading remote-access Trojans -- to covertly infiltrate and entrench themselves in company networks to mine for sensitive corporate data over the long term. This approach is quite different from the traditional "hack, grab, and run" technique of old.

"APTs are sophisticated, stealthy and unrelenting," said Christos Dimitriadis, vice president of ISACA and head of information security at Intralot Group. "Traditional cyber threats often move right on if they cannot penetrate their initial target, but an APT will continually attempt to penetrate the desired target until it meets its objective, and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop."

A laundry list of big-name companies have reportedly been victims of APT in recent years, including RSA, Google, Dupont, Walt Disney, Johnson & Johnson, Sony, General Electric, Morgan Stanley. Some of the world's largest oil and energy companies have been victimized (PDF) as well. The threat is evident, yet companies seemingly don't know how to change their security practices to fight them.

More than 60 percent of survey respondents say they are ready to respond to APT attacks, according to ISACA, yet antivirus and antimalware (95 percent) and network perimeter technologies like firewalls (93 percent) top the list of controls their enterprises are using to stop APTs. While certainly of value, these technologies alone aren't up to the task of fending off today's sophisticated IT security threats. This is true for a number of reasons, according to ISACA. Among them: "APTs exploit zero-day threats, which are often unknown vulnerabilities, and many APTs enter the enterprise through well-designed spear phishing attacks."

Far lower scores were seen for critical controls for mobile devices, RATs (remote access technologies), and logging/event correlation. "APTs call for many defensive approaches, from awareness training and amending third-party agreements to ensure vendors are well-protected, to implementing technical controls," said Jo Stewart-Rattray, director of ISACA and IT/IS director at BRM Holdich.

Companies think they're prepared for APT cyberattacks, but they aren't

The survey did find that most companies appreciate the importance of end-user education to protect against sophisticated cyber attacks: Around 70.6 percent of respondents said they are embracing training and education to help users recognize spear phishing and social engineering attacks. On the other hand, 67.3 percent of respondents said that they had not increased awareness training specifically relative to APTs.

Also, less than 20 percent of respondents said their companies had updated their vendor agreements to protect against APTs.

Part of the challenge faced by security professionals may be lack of understanding and support from on high, not surprising in that CXOs are notorious for skimping on security because it doesn't have an easily measurable ROI. Among respondents from organizations where upper management has become more involved in security initiatives, 79.8 percent said they were seeing "increased visible support from senior executives," 66 percent noted increased policy enforcement, and 46.9 percent saw an increase to their security budget.

This story, "Companies think they're prepared for APT cyber attacks, but they aren't," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.


Copyright © 2013 IDG Communications, Inc.