11/1/2011 12:31 PM

Advanced Threats Touch Two-Thirds Of Enterprises

Worse news: Sophisticated cyber attacks combining stealth and severity are leading only half of businesses to employ more automated defenses and better training.

Nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect to see such attacks persist in the future. Furthermore, 30% of security managers at large enterprises rate their business as being vulnerable to future such attacks.

Those findings come from a new report on APTs released Tuesday by market researcher Enterprise Strategy Group (ESG). The study is based on a survey of about 250 U.S. information security professionals, conducted in August.

Who's wielding APTs against businesses? Respondents said they suspect such attacks are coming, in order of likelihood, from hacktivist groups such as Anonymous, organized criminal rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.

Increasingly, security professionals are turning to more automated technology to help them spot and then stop APTs. "Even sophisticated IT shops preparing for APTs are using automation more," said Jon Oltsik, senior principal analyst at ESG and the primary author of the study, in an interview. "Automation detects an attack that's underway, and they're willing to use automation to take a system off the network, or block a protocol." The days of only using manual remediation, he said, appear to be over.


Notably, of all organizations surveyed, the 52 businesses that ESG rated as best prepared to stop APTs used network management tools (69%), security information and event management (SIEM) tools (58%), log file analysis (46%), and intrusion detection or prevention system alerts (44%). But respondents to the study also complained that they need even more sophisticated tools, as well as better training and more personnel. "There's a real skill shortage, across the board. We saw people saying that they didn't have the right skills to identify attacks in progress, to do analysis of attacks," said Oltsik.
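As an added illustration of the detect-then-respond automation Oltsik describes (spot an attack in progress, then take a system off the network or block a protocol) and of the log file analysis and IDS alerting the best-prepared shops lean on, here is a small correlation script. It is example code written for this page, not anything from ESG, Dark Reading, or any vendor the article mentions; the log formats, host names, addresses, signature names and thresholds are all constructed for the demonstration.

```python
"""Toy detect-and-respond pipeline over constructed auth-log and IDS lines.

Added example for this page; not ESG's or Dark Reading's code. Log formats,
hosts, addresses and thresholds below are invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an SSH auth log with a credential-guessing run
# that succeeds on fs01, and a single benign-looking failure on ws22.
AUTH_LOG = """\
2011-10-31T09:00:01 host=fs01 sshd: Failed password for admin from 203.0.113.7
2011-10-31T09:00:04 host=fs01 sshd: Failed password for admin from 203.0.113.7
2011-10-31T09:00:07 host=fs01 sshd: Failed password for admin from 203.0.113.7
2011-10-31T09:00:11 host=fs01 sshd: Failed password for admin from 203.0.113.7
2011-10-31T09:00:15 host=fs01 sshd: Failed password for admin from 203.0.113.7
2011-10-31T09:00:20 host=fs01 sshd: Accepted password for admin from 203.0.113.7
2011-10-31T09:05:00 host=ws22 sshd: Failed password for bob from 198.51.100.9
2011-10-31T09:05:30 host=ws22 sshd: Accepted password for bob from 198.51.100.9
"""

# Constructed sample IDS alerts (hypothetical signature names).
IDS_ALERTS = """\
2011-10-31T09:01:10 host=fs01 ids: ALERT sig=outbound-irc-beacon proto=irc dst=192.0.2.50
2011-10-31T09:02:00 host=ws22 ids: ALERT sig=smb-scan proto=smb dst=10.0.0.0/24
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ids: ALERT sig=(?P<sig>\S+) proto=(?P<proto>\S+)")


def parse(text, pattern):
    """Parse each line into a dict via `pattern`. Lines that do not match are
    counted rather than silently dropped, so a broken parser is visible."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, skipped


def brute_force_successes(auth, threshold=5, window=timedelta(minutes=2)):
    """Log-analysis rule: return {(host, src): success_time} where at least
    `threshold` failed logins from src to host were followed by an accepted
    login within `window`. A success after many failures is the signal; a
    lone failure (ws22 above) is not."""
    failures = defaultdict(list)
    hits = {}
    for ev in sorted(auth, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits[key] = ev["ts"]
        failures[key].clear()
    return hits


def recommend_actions(auth, ids, corr_window=timedelta(minutes=10)):
    """Correlate the auth-log rule with IDS alerts and emit response actions.
    Two independent signals on one host close in time -> isolate the host.
    An IDS alert alone -> block just that protocol and queue for analyst review,
    the narrower action, since a single alert is weaker evidence."""
    compromised_at = {}
    for (host, _src), when in brute_force_successes(auth).items():
        compromised_at[host] = when
    actions = []
    for alert in ids:
        host = alert["host"]
        when = compromised_at.get(host)
        if when is not None and abs(alert["ts"] - when) <= corr_window:
            actions.append(("isolate_host", host, alert["sig"]))
        else:
            actions.append(("block_protocol", host, alert["proto"]))
            actions.append(("queue_for_review", host, alert["sig"]))
    return actions


if __name__ == "__main__":
    auth_events, _ = parse(AUTH_LOG, AUTH_RE)
    ids_events, _ = parse(IDS_ALERTS, IDS_RE)
    for action in recommend_actions(auth_events, ids_events):
        print(action)
```

The point of the two-tier decision is the one Oltsik makes: automation is trusted to take a host off the network only when corroborated signals agree, while a single alert gets the cheaper, reversible response plus a human in the loop. In practice the parsers would be replaced by the SIEM's normalized events and the actions would call the network management tooling, but the correlation logic is the same.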

One aspect of APTs that makes them difficult to spot is that they can be deceptively simple. Many experts, for example, think that social engineering attacks are the leading APT attack vector. Because such attacks rely not on sophisticated technology but simply on tricking people into revealing information directly (for example, divulging passwords over the phone) or indirectly (opening a malicious attachment that then installs a Trojan application on their PC), they're incredibly difficult to combat.

In fact, there's only one sure-fire technique for blocking social engineering attacks: training employees to spot them. But according to ESG's study, both executives and non-IT employees don't seem to be getting enough training. Roughly half of respondents rate both the overall security knowledge and APT awareness of non-IT employees at their business as only fair, if not poor.

Other than training, how else can businesses better combat APTs? The study found that the best-prepared businesses took a very proactive approach to risk management, including maintaining and enforcing security policies that covered everything from physical security and data encryption to access controls and background checks on users with access to sensitive data.

Furthermore, 44% of the best-prepared businesses conduct formal penetration tests against their network, employing outside experts to simulate attacks and discover unseen weaknesses, more than once per quarter. Conversely, only 15% of businesses that ESG rates as "somewhat" prepared to combat APTs were conducting penetration tests more than once per quarter.

For businesses that need to do a better job of battling APTs, Oltsik recommends starting with three steps. First, make employees think seriously about security. Next, accurately assess the business's current information security vulnerabilities. "If you can't do that yourself, get professional help," he said.

Finally, senior executives must take a more proactive approach to security, especially in light of the study's finding that the rise of APTs hasn't led to any changes in budgeting, training, or security assessment frequency at 51% of surveyed businesses, he said. "Think about security as the cost of doing business. It's not something you glue on after the fact; you have to add it to every layer of your organization, and IT."

The good news, however, is that half of surveyed businesses have altered their security behavior in light of APTs. In particular, 51% said that senior executives had allocated funds to increase the amount of security training for general employees; 33% had begun meeting more frequently with their chief information security officer (CISO) or IT risk team; and 18% had created the role of CSO or CISO, or another type of senior security position.
