
Opinion: ISACA Study Adds Fuel to the APT Fire

According to a recent study from ISACA, one in five enterprises have experienced an APT attack. In addition, 94 percent of the 1,500 IT professionals surveyed agreed that APTs represent a credible threat to national security.


We wish we were joking, but unfortunately, this is real data. At SecurityWeek we’re IT people, so we do like ISACA. But we’re not what you’d call fans of the term APT. It’s marketing, pure and simple, and in the last few years it’s been used to spread nothing but Fear, Uncertainty and Doubt (FUD).

The ISACA study revealed that 53 percent of the survey’s respondents reported a total lack of belief when it comes to APTs being different from traditional threats, “indicating that many do not fully understand APTs.”

I disagree with this line of thought. Most of the time, attacks considered APTs use 0-Day exploits, or malware that slips past poorly updated AV software, or phishing to compromise a host or organization. There is nothing advanced about attacks like these. Such things happen all the time, and succeed due to poor security practices. Lately, what hits the headlines as sophisticated attacks or APTs are the same types of attacks businesses have been facing for years.

“APTs, an espionage tactic often intended to steal intellectual property, have made headlines in recent years for breaching major enterprise and government networks worldwide. Attacks such as the Google Aurora threat and the RSA breach make it clear that they pose a major threat to organizations in all industries, not just government,” an ISACA press release explains.

If an attacker is after your corporate assets, they will keep coming until they get what they’re after, so persistent is correct, but again – phishing (as was the case with Google and RSA) isn’t advanced.

The attackers targeted corporate secrets, no shocker there! People will pay good money for that type of data. Of course attackers are targeting valuable information.

As for APTs being a threat to national security, I disagree there too. Aside from Stuxnet, which the U.S. helped create, there is nothing but speculation for this point. Plus, the U.S. can hardly complain when other nations copy a process that clearly worked against Iran.


The nation’s critical infrastructure is poorly managed and protected. You won’t need to look far for proof; vendors are constantly reporting SCADA vulnerabilities, and just this week a kid used default passwords to take over the Emergency Alert System in Montana.

Moving on, the ISACA study says that “antivirus and antimalware (95 percent) and network perimeter technologies such as firewalls (93 percent) top the list of controls their enterprises are using to stop APTs—a concerning finding, given that APTs are known to avoid being caught by these types of controls.”

They avoid being caught by these controls because of a lack of patching, a lack of rule updates for the firewall (or rules that are too open), a lack of signature updates, and employees who open any email attachment delivered to them. Again, Google and RSA were cited as examples, and both attacks were only successful due to phishing. So the technology isn’t the issue; it’s the upkeep and poor implementation that often cause the dominoes to fall.

“ISACA’s research reveals that enterprises are under attack and they don’t even know it. Bringing this awareness into the curriculum of education for security professionals is necessary to enable them to build the custom defense they need to combat these targeted attacks,” said Tom Kellermann, vice president of cyber security for Trend Micro.

This, I agree with. Organizations are always going to be attacked. It’s how they deal with the problem during and after that counts. If they’re lucky some of the smaller attacks will be stopped entirely. Otherwise, the attackers are always at the gate and they will get in eventually. But they won’t be using advanced tools or special weapons. They will use your organization’s own assets against you – and that’s likely going to be someone in a cube answering an email.

Tell us, what do you think about APTs? We love a good debate.
