
Advanced Threats Touch Two-Thirds Of Enterprises

Worse news: Sophisticated cyber attacks combining stealth and severity are leading only half of businesses to employ more automated defenses and better training.

Nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect such attacks to persist in the future. Furthermore, 30% of security managers at large enterprises rate their business as vulnerable to such attacks in the future.

Those findings come from a new report on APTs released Tuesday by market researcher Enterprise Strategy Group (ESG). The study is based on a survey of about 250 U.S. information security professionals, conducted in August.

Who's wielding APTs against businesses? Respondents said they suspect, in order of likelihood, hacktivist groups such as Anonymous, organized criminal rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.

Increasingly, security professionals are turning to more automated technology to help them spot and then stop APTs. "Even sophisticated IT shops preparing for APTs are using automation more," said Jon Oltsik, senior principal analyst at ESG and the primary author of the study, in an interview. "Automation detects an attack that's underway, and they're willing to use automation to take a system off the network, or block a protocol." The days of only using manual remediation, he said, appear to be over.


Notably, of all organizations surveyed, the 52 businesses that ESG rated as best prepared to stop APTs used network management tools (at 69%), security incident and event management tools (58%), log file analysis (46%), and intrusion detection or prevention system alerts (44%). But respondents to the study also complained that they need even more sophisticated tools, as well as better training, and more personnel. "There's a real skill shortage, across the board. We saw people saying that they didn't have the right skills to identify attacks in progress, to do analysis of attacks," said Oltsik.

One aspect of APTs that makes them difficult to spot is that they can be deceptively simple. Many experts, for example, think that social engineering is the leading APT attack vector. Because such attacks rely not on sophisticated technology but on simply tricking people into revealing information directly (for example, divulging passwords over the phone) or indirectly (opening a malicious attachment that then installs a Trojan application on their PC), they're incredibly difficult to combat.

In fact, there's only one sure-fire technique for blocking social engineering attacks: training employees to spot them. But according to ESG's study, neither executives nor non-IT employees seem to be getting enough training. Roughly half of respondents rate both the overall security knowledge and the APT awareness of non-IT employees at their business as only fair, if not poor.

Other than training, how else can businesses better combat APTs? The study found that the best-prepared businesses took a very proactive approach to risk management, including maintaining and enforcing security policies that covered everything from physical security and data encryption to access controls and background checks on users with access to sensitive data.

Furthermore, 44% of the best-prepared businesses conduct formal penetration tests against their network (employing outside experts to simulate attacks and discover unseen weaknesses) more than once per quarter. Conversely, only 15% of businesses that ESG rates as "somewhat" prepared to combat APTs were conducting penetration tests more than once per quarter.

For businesses that need to do a better job of battling APTs, Oltsik recommends starting with three steps. First, make employees think seriously about security. Next, accurately assess the business's current information security vulnerabilities. "If you can't do that yourself, get professional help," he said.

Finally, senior executives must take a more proactive approach to security, especially in light of the study's finding that the rise of APTs hasn't led to any changes in budgeting, training, or security assessment frequency at 51% of surveyed businesses, he said. "Think about security as the cost of doing business. It's not something you glue on after the fact; you have to add it to every layer of your organization, and IT."

The good news, however, is that half of surveyed businesses have altered their security behavior in light of APTs. In particular, 51% said that senior executives had allocated funds to increase the amount of security training for general employees; 33% had begun meeting more frequently with their chief information security officer (CISO) or IT risk team; and 18% had created the role of CSO or CISO, or another type of senior security position.
