Cybersecurity: 2013 is already “the year of the hack”

BY KEN TYSIAC

Many organizations are unprepared to protect themselves against an emerging, relentless cybersecurity danger that threatens national security and economic stability, according to a new global survey.

Advanced persistent threats (APTs) are not easily deterred, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found that 53% of respondents do not believe APTs differ from traditional threats.

This disconnect indicates that IT professionals and their organizations may not be fully prepared to protect themselves against APTs, according to ISACA.

“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said in a news release. “Traditional cyberthreats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective—and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”

High-profile examples of APTs are thought to include the notorious Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often are intended to steal intellectual property, according to ISACA, the Google Aurora and RSA attacks show that these threats are not confined to government entities.

Although more than 70% of the IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70% said they are able to respond to APT attacks, their description of the controls in use indicates a misunderstanding and a lack of preparation, according to ISACA. The top controls enterprises reported using to stop APTs were anti-virus and anti-malware programs (95%) and network perimeter strategies such as firewalls (93%).

But APTs have been known to avoid being detected or deterred by these types of controls. Mobile security controls can be effective but are used much less frequently, according to ISACA. “APTs call for many defensive approaches,” ISACA Director Jo Stewart-Rattray said in a news release.

Those approaches include:

  • Awareness training.
  • Amending third-party arrangements to ensure vendors are well-protected.
  • Implementing technical controls.
An RSA blog on the APT attack it suffered said such threats often target the weakest element in the cybersecurity chain—the humans. An employee in the RSA attack was tricked into retrieving an email from a junk mail folder and opening an attached Excel file.

APT hackers are known to use social media to learn information about employees of organizations. Then they send “spear phishing” emails that may appear legitimate because they are targeted. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.

Educational training was more prevalent as a defense among organizations that believed they were very likely (82%) or likely (74.1%) to become targets of APT attacks. But a majority of organizations appear to be at risk.

Although just 22% of respondents said they had been subject to an APT attack, 63% said it is only a matter of time before their enterprise is targeted by an APT.

“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cybersecurity for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”

Ken Tysiac ( ktysiac@aicpa.org ) is a JofA senior editor.
