Vulnerabilities / Threats

11/1/2011
12:31 PM
50%
50%

Advanced Threats Touch Two-Thirds Of Enterprises

Worse news: Sophisticated cyber attacks combining stealth and severity are leading only half of businesses to employ more automated defenses and better training.

Nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect to see such attacks persist in the future. Furthermore, 30% of security managers at large enterprises rate their business as being vulnerable to future such attacks.

Those findings come from a new report on APTs released Tuesday by market researcher Enterprise Strategy Group (ESG). The study is based on a survey of about 250 U.S. information security professionals, conducted in August.

Who's wielding APTs against businesses? Respondents said they suspect--in order of likelihood--such attacks to be coming from hacktivist groups such as Anonymous, organized criminal rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.

Increasingly, security professionals are turning to more automated technology to help them spot and then stop APTs. "Even sophisticated IT shops preparing for APTs are using automation more," said Jon Oltsik, senior principal analyst at ESG and the primary author of the study, in an interview. "Automation detects an attack that's underway, and they're willing to use automation to take a system off the network, or block a protocol." The days of only using manual remediation, he said, appear to be over.

[The people charged with overseeing enterprise security may make you vulnerable to attack. Are Your IT Pros Abusing Admin Passwords?]

Notably, of all organizations surveyed, the 52 businesses that ESG rated as best prepared to stop APTs used network management tools (at 69%), security incident and event management tools (58%), log file analysis (46%), and intrusion detection or prevention system alerts (44%). But respondents to the study also complained that they need even more sophisticated tools, as well as better training, and more personnel. "There's a real skill shortage, across the board. We saw people saying that they didn't have the right skills to identify attacks in progress, to do analysis of attacks," said Oltsik.

One aspect of APTs that makes them difficult to spot is that they can be deceptively simple. Many experts, for example, think that social engineering attacks are the leading APT attack vector. Because such attacks rely not on sophisticated technology, but simply tricking people into revealing information directly (for example, divulging passwords over the phone) or indirectly (opening a malicious attachment that then installs a Trojan application on their PC), they're incredibly difficult to combat.

In fact, there's only one sure-fire technique for blocking social engineering attacks: training employees to spot them. But according to ESG's study, both executives and non-IT employees don't seem to be getting enough training. Roughly half of respondents rate both the overall security knowledge and APT awareness of non-IT employees at their business as only fair, if not poor.

Other than training, how else can businesses better combat APTs? The study found that the best-prepared businesses took a very proactive approach to risk management, including maintaining and enforcing security policies that covered everything from physical security and data encryption to access controls and background checks on users with access to sensitive data.

Furthermore, 44% of the best prepared businesses conduct formal penetration tests against their network--employing outside experts to simulate hack attacks and discover unseen weaknesses--more than once per quarter. Conversely, only 15% of businesses that ESG rates as "somewhat" prepared to combat APTs were conducting penetration tests more than once per quarter.

For businesses that need to do a better job of battling APTs, Oltsik recommends starting with three steps. First, make employees think seriously about security. Next, accurately assess the business's current information security vulnerabilities. "If you can't do that, yourself get professional help," he said.

Finally, senior executives must take a more proactive approach to security, especially in light of the study's finding that the rise of APTs hasn't led to any changes in budgeting, training, or security assessment frequency at 51% of surveyed businesses, he said. "Think about security as the cost of doing business. It's not something you glue on after the fact, you have to add it to every layer of your organization, and IT."

The good news, however, is that half of surveyed businesses have altered their security behavior in light of APTs. In particular, 51% said that senior executives had allocated funds to increase the amount of security training for general employees; 33% had begun meeting more frequently with their chief information security officer (CISO) or IT risk team; and 18% had created the role of CSO or CISO, or another type of senior security position.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.