Opinion: ISACA Study Adds Fuel to the APT Fire

According to a recent study from ISACA, one in five enterprises have experienced an APT attack. In addition, 94 percent of the 1,500 IT professionals surveyed agreed that APTs represent a credible threat to national security.

We wish we were joking, but unfortunately, this is real data. At SecurityWeek we’re IT people, so we do like ISACA. But we’re not what you’d call fans of the term APT. It’s marketing, pure and simple, and in the last few years it’s been used to spread nothing but Fear, Uncertainty and Doubt (FUD).

The ISACA study revealed that 53 percent of the survey’s respondents reported a total lack of belief when it comes to APTs being different from traditional threats, “indicating that many do not fully understand APTs.”

(Image: FUD Used in Marketing)

I disagree with this line of thought. Most of the time, attacks considered APTs use 0-day exploits, malware that slips past poorly updated AV software, or phishing to compromise a host or organization. There is nothing advanced about attacks like these. They happen all the time, and they succeed because of poor security practices. Lately, what hits the headlines as a sophisticated attack or an APT is the same type of attack businesses have been facing for years.

“APTs, an espionage tactic often intended to steal intellectual property, have made headlines in recent years for breaching major enterprise and government networks worldwide. Attacks such as the Google Aurora threat and the RSA breach make it clear that they pose a major threat to organizations in all industries, not just government,” an ISACA press release explains.

If an attacker is after your corporate assets, they will keep coming until they get what they’re after, so “persistent” is accurate. But again, phishing (as was the case with Google and RSA) isn’t advanced.

The attackers targeted corporate secrets, no shocker there! People will pay good money for that type of data. Of course attackers are targeting valuable information.

As for APTs being a threat to national security, I disagree there too. Aside from Stuxnet, which the U.S. helped create, there is nothing but speculation for this point. Plus, the U.S. can hardly complain when other nations copy a process that clearly worked against Iran.

The nation’s critical infrastructure is poorly managed and protected. You won’t need to look far for proof; vendors are constantly reporting SCADA vulnerabilities, and just this week a kid used default passwords to take over the Emergency Alert System in Montana.

Moving on, the ISACA study says that “antivirus and antimalware (95 percent) and network perimeter technologies such as firewalls (93 percent) top the list of controls their enterprises are using to stop APTs—a concerning finding, given that APTs are known to avoid being caught by these types of controls.”

The reason attacks avoid being caught by these controls is a lack of patching, a lack of firewall rule updates (or rules that are too open), a lack of signature updates, and employees who open any email attachment delivered to them. Again, Google and RSA were cited as examples, and both attacks succeeded only because of phishing. So the technology isn’t the issue; it’s the poor upkeep and implementation that often cause the dominoes to fall.

“ISACA's research reveals that enterprises are under attack and they don’t even know it. Bringing this awareness into the curriculum of education for security professionals is necessary to enable them to build the custom defense they need to combat these targeted attacks,” said Tom Kellermann, vice president of cyber security for Trend Micro.

This, I agree with. Organizations are always going to be attacked. It’s how they deal with the problem during and after the attack that counts. If they’re lucky, some of the smaller attacks will be stopped entirely. Otherwise, the attackers are always at the gate and they will get in eventually. But they won’t be using advanced tools or special weapons. They will use your organization’s own assets against you, and that’s likely going to be someone in a cube answering an email.

Tell us, what do you think about APTs? We love a good debate.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.