Many organizations are unprepared to protect themselves against an emerging, relentless cybersecurity danger that threatens national security and economic stability, according to a new global survey.
Advanced persistent threats (APTs) are not easily deterred, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found that 53% of respondents do not believe APTs differ from traditional threats.
This disconnect indicates that IT professionals and their organizations may not be fully prepared to protect themselves against APTs, according to ISACA.
“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said in a news release. “Traditional cyberthreats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective—and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”
High-profile examples of APTs are thought to include the notorious Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often are intended to steal intellectual property, according to ISACA, the Google Aurora and RSA attacks show that these threats are not confined to government entities.
Although more than 70% of the IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70% said they are able to respond to APT attacks, their description of controls indicate a misunderstanding and lack of preparation, according to ISACA. Top controls enterprises are using to stop APTs were identified as anti-virus and anti-malware programs (95%), and network perimeter strategies such as firewalls (93%).
But APTs have been known to avoid being detected or deterred by these types of controls. Mobile security controls can be effective but are used much less frequently, according to ISACA. “APTs call for many defensive approaches,” ISACA Director Jo Stewart-Rattray said in a news release.
Those approaches include:
- Awareness training.
- Amending third-party arrangements to ensure vendors are well-protected.
- Implementing technical controls.
An RSA blog on the APT attack it suffered said such threats often target the weakest element in the cybersecurity chain—the humans. An employee in the RSA attack was tricked into retrieving an email from a junk mail folder and opening an attached Excel file.
APT hackers are known to use social media to learn information about employees of organizations. Then they send “spear phishing” emails that may appear legitimate because they are targeted. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.
Educational training was more prevalent as a defense among organizations that believed they were very likely (82%) or likely (74.1%) to become targets of APT attacks. But a majority of organizations appear to be at risk.
Although just 22% of respondents said they had been subject to an APT attack, 63% said it is only a matter of time before their enterprise is targeted by an APT.
“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cybersecurity for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”
Ken Tysiac (
) is a JofA senior editor.