Current Filter: Security>>>>>Feature>

   

The year 2013 might be remembered as the year of the breach. Major cyberattacks on organisations resulted in millions of exposed records, billions spent on remediation and significant damage to many brands. While cybercriminals enjoyed a profitable year at the expense of many enterprises, the APT has continued to enjoy success stealing sensitive data in espionage attempts.

Cybersecurity issues are not decreasing, according to ISACA's 'Advanced Persistent Threat Awareness' study. In fact, industry and vendor reports indicate that attacks are on the rise. "Cybercrime, hacktivism and advanced attacks all continue to threaten enterprise networks.

Some progress in defending against cyberattacks has been made: many preventive controls have emerged that have made it more difficult for those with malicious intent to penetrate networks, and detective controls have helped to identify quickly when a breach does occur. Still, some are very difficult to spot," according to ISACA.

APTs continue to make headlines, much to the chagrin of many organisations, the study reports. "In 2012, APTs relied heavily on spear-phishing attempts, which often included an attachment or a link that contained malware or an exploit that would ultimately make an APT possible. However, many APTs now leverage the web as the main attack vector. Watering hole attacks have increased in frequency and often use a browser-based zero-day attack. In fact, a recent report by vendor FireEye states that its analysis found that web-based attacks outnumbered email-based attacks nearly three to one."

There are differing opinions on what makes a threat an APT. Some state that APT is just a marketing term, while others say that there is no difference between an APT and a traditional threat, and yet others say that an APT is a nation-state sponsored activity that is geared toward political espionage. So what is true? "APTs are often seen in nation-state sponsored attacks (but it is very hard to prove) and they do often use the same attack vectors that traditional threats leverage, but they also leverage different attack methodologies and have different characteristics than traditional threats," ISACA argues.

"Because there are so many differing opinions of what constitutes an APT existing in the market, establishing the definition for the initial study was critical. In the follow-up survey, ISACA retained the definition used in the original study, namely that "APTs are often aimed at the theft of intellectual property (espionage), as opposed to achieving immediate financial gain, and are prolonged, stealthy attacks".

What the new study has revealed most of all is that, while a large number of respondents feel APTs are a significant threat and have the ability to impact national security and economic stability, the controls being used to defend against APTs might not be sufficient to adequately protect enterprise networks.

UNPREPARED FOR ATTACK
The newly released ISACA global study shows that one in five organisations (21%) have experienced an advanced persistent threat (APT) attack, while 66% believe it's only a matter of time before their enterprise is hit by an APT. Yet only 15% of enterprises believe they are very prepared for an APT attack. And among the companies that have been attacked, only one in three could determine the source.

"APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data," says Tony Hayes, ISACA's immediate past international president. "In other words, it is absolutely critical for enterprises to prepare for them and that preparation requires more than the traditional technical controls."

The majority of responding organisations say their primary APT defence is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks. Nearly 40% of enterprises report that they are not using user security training and controls to defend against APTs-a critical component of a successful cybersecurity plan. Worse yet, more than 70% are not using mobile controls, even though 88% of respondents recognise that employees' mobile devices are often the gateway to an APT attack.

Page   1  2