Proofpoint: “IoT Will Be The Next Industrial Revolution For Cybercriminals”

My own interest in security began several years ago after I offered to help friends and family members who had become flummoxed by various computer problems they were experiencing. For the most part, the issues they had were centred around getting games to work (the youth of today don’t know how lucky they are with their consoles and services such as Steam), but beyond that, viruses were always the motivation behind their frantic phone calls.

Research on the then new-fangled web thing often proved fruitful, in combination with some trial and error, and their shiny new 386s and 486s were quickly restored to full working order.

Time moves on though and nowadays we see some pretty decent security products on the market. Whilst they are no golden bullet, they do allow the average home user to avoid the constant headache of trying to manually remove the latest virus (as long as they are sufficiently security-aware that they don’t invite them onto their system in the first place).

But that doesn’t mean that the threat to home users has completely disappeared.

On the contrary, many users may soon find themselves voluntarily inviting more potential problems into their homes via the Internet of Things (IoT).

The interconnected home of the not-so-distant-future could pose far more danger than the old PCs of the past, especially given how malware has progressed far past the point of presenting victims with nothing more than some quaint graphics and some humorous text.

With fridges, hoovers, lights and thermostats being manufactured with far too much attached connectivity – in my opinion (and I’m not alone in having concerns) – the Internet of Things presents new challenges according to Hewlett-Packard (HP).

In a study of the ten most popular IoT devices, HP discovered a total of 250 security vulnerabilities.

The unnamed devices each featured some form of cloud and remote mobile application component. Additionally, 90% collected personal information which in some cases included names, addresses, dates of birth and credit card details.

Seven of the ten devices transmitted data over an unencrypted network and sixty percent featured insecure interfaces. Eight of the ten devices allowed weak passwords to be deployed, including such classics as “1234” (do you know how to choose a strong password?).

The report suggests that device manufacturers should follow the OWASP Internet of Things Top 10 project that was used as part of the test.

HP also suggested that vendors should:

  • conduct security reviews of devices and all associated components
  • adopt stringent standards that must be met before production commences
  • apply security principles throughout the product lifecycle

Commenting on the report, Mark Sparshott, director of EMEA at Proofpoint, envisages IoT as the next big threat in the security field in terms of phishing attacks:

“In January 2014 Proofpoint discovered hacked internet connected home devices being enrolled into botnets and used to distribute spam and malicious emails. Given the explosive growth in IoT devices (Cisco predicts 50bn connected devices by 2020) Proofpoint believes that the IoT will be the next industrial revolution for cybercriminals bringing about technological, socioeconomic, and cultural changes which deeply concern forward thinking security professionals. An almost endless supply of new IP addresses will make the traditional IP reputation systems that many security vendors still rely on extinct.

Today each single bot that Proofpoint tracks will typically send 100s or 1,000s of phishing emails in campaign after campaign providing an opportunity to identify and blacklist them. However last year Proofpoint saw cybercriminals start using database marketing techniques such as IP, sender and content rotation within targeted email attacks called “longlining” that bypass reputation systems.

Future IoT botnets will be 100s or 1,000s of times larger exponentially increasing the rotation available. It is conceivable that a future IoT bot could send just 1 phish and never appear on any reputation block list. The IoT and the increasing use of zero-day threats to bypass signature-based security systems means that enterprise security strategies have to evolve to leverage cloud based dynamic sandboxing and malware analysis as well as focus on reducing the time to remediate the inevitable breach through automated security response.”

Considering all the other potential threats posed by IoT, I for one hope that vendors get their acts together and weigh the security implications on a par with the need for innovation and profit.

Information Commissioner’s Office Reports On Big Data And Privacy

The Information Commissioner’s Office (ICO) has today released a new report that considers how big data will operate within existing data protection laws which ensure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

The Big data and data protection report accepts that the use of big data can bring benefits to companies and doesn’t wish to stifle innovation. That said, the ICO is keen to point out that organisations still have an obligation to keep information both private and secure, offering the following practical advice for dealing with personal information used in big data analytics:

  • Personal data - Does your big data project need to use personal data at all? If you are using personal data, can it be anonymised? If you are processing personal data you have to comply with the Data Protection Act.
  • Privacy impact assessments - Carry out a privacy impact assessment to understand how the processing will affect the people concerned. Are you using personal data to identify general trends or to make decisions that affect individuals?
  • Repurposing data - If you are repurposing data, consider whether the new purpose is incompatible with the original purpose, in data protection terms, and whether you need to get consent. If you are buying in personal data from elsewhere, you need to practise due diligence and ensure that you have a data protection condition for your processing.
  • Data minimisation - Big data analytics is not an excuse for stockpiling data or keeping it longer than you need for your business purposes, just in case it might be useful. Long term uses must be articulated or justifiable, even if all the detail of the future use is not known.
  • Transparency - Be as transparent and open as possible about what you are doing. Explain the purposes, implications and benefits of the analytics. Think of innovative and effective ways to convey this to the people concerned.
  • Subject access - People have a right to see the data you are processing about them. Design systems that make it easy for you to collate this information. Think about enabling people to access their data online in a re-usable format.

The ICO’s head of policy delivery, Steve Wood, says that there is a buzz around how big data can be used for social benefits as well as the more obvious economic advantages it can provide. He did, however, highlight how organisations are struggling to understand how they can put big data to innovative new uses without falling foul of the law. Wood also explained that individuals are expressing concern over how their personal data is being used in big data scenarios.

The answer, he says, begins with organisations being more transparent about how they are using big data:

“What we’re saying in this report is that many of the challenges of compliance can be overcome by being open about what you’re doing. Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve.

Not only does that go a long way toward complying with the law, but there are benefits from being seen as responsible custodians of data.”

The ICO report says that openness is a key factor, pointing out how organisations need to ensure that personal information is only used in ways previously communicated to users. The complexity of big data, it says, should not be used as an excuse to use data without consent.

Responding to concerns that existing data protection law is insufficient in the face of big data, Wood added that:

“Big data can work within the established data protection principles. The basic data protection principles already established in UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules. The principles are still fit for purpose but organisations need to innovate when applying them.”

The organisation notes how the area of big data is fast-evolving, leading it to conclude that its guidance will likely change over time. In light of that, the ICO positively encourages feedback which can be sent to [email protected] up until September 12 of this year.

MailPoet Update Goes Unnoticed, Up To 50,000 Websites Compromised So Far

Users of the popular MailPoet plugin for WordPress are being urged to update it after it was revealed that up to 50,000 websites may have been compromised.

As I reported at the beginning of June, the vulnerability in MailPoet allows attackers to remotely upload files to a website without the need for authentication.

MailPoet released an update the same day but I wondered then whether it had been sufficiently well publicised. Now, according to Sucuri, the security firm that first flagged the vulnerability, we have our answer.

The plugin, which has been downloaded close to two million times, has not been updated by all. According to Sucuri, thousands of WordPress sites have been compromised since they first discovered the vulnerability, with hackers taking advantage of the flaw to inject malware into them.

The attack begins with the uploading of a custom and malicious theme. Once in place, the attackers have a backdoor into the site which affords them full control over it.

As part of the process, several core WordPress files become corrupted, causing PHP error messages to appear on affected websites. Therefore blog owners who do not have a good backup strategy are especially at risk from this attack.

Daniel Cid, CTO of security firm Sucuri, explained that it is not only websites that have MailPoet installed that are at risk though:

“To be clear, the MailPoet vulnerability is the entry point. It doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.”

Speaking to PC World, Cid further explained that:

“On most shared hosting companies—GoDaddy, Bluehost, etc.—one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account.

If the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server.”

If you use the plugin on your own personal or business blog you have two choices – either disable and uninstall the plugin or update to the latest version (2.6.7).

If you choose the latter option then the update process is quite simple:

Navigate to your blog’s Dashboard

From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.

Alternatively, you can find the plugin via WordPress.org, download the latest version and then follow the installation guide.

As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins. If you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (the popularity of WordPress ensures that it is often a target for fake and corrupted plugins).
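The update steps above are manual, and a site owner with several WordPress installs may not notice an outdated copy. The following added example (not code from the article, MailPoet or Sucuri) walks a plugins directory, reads each plugin’s main-file header the way WordPress does (the `Plugin Name:` and `Version:` lines), and flags any MailPoet install whose version is below 2.6.7. The sample plugin directory it builds, including its directory and file names and the “MailPoet Newsletters” plugin name, is constructed for the demonstration and is an assumption about the real plugin’s layout; point `scan_plugins()` at a real `wp-content/plugins` directory to use it.

```python
import re
import tempfile
from pathlib import Path

# Version in which the unauthenticated upload flaw is fixed (from the article).
FIXED_VERSION = "2.6.7"

# WordPress reads plugin metadata from "Key: Value" lines in the leading comment
# block of the plugin's main PHP file; these two lines are the ones we need.
_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '2.6.7' into (2, 6, 7) so that versions compare numerically
    (a plain string compare would wrongly rank '2.10' below '2.6')."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def plugin_header(php_source):
    """Return {'name': ..., 'version': ...} from a plugin file, or None if the
    file carries no 'Plugin Name:' header (i.e. it is not the main file)."""
    name = _NAME_RE.search(php_source)
    if not name:
        return None
    version = _VERSION_RE.search(php_source)
    return {"name": name.group(1), "version": version.group(1) if version else "0"}


def mailpoet_needs_update(name, version, fixed=FIXED_VERSION):
    """True only for a MailPoet plugin whose version is below the fixed release."""
    return "mailpoet" in name.lower() and parse_version(version) < parse_version(fixed)


def scan_plugins(plugins_dir):
    """Walk a wp-content/plugins directory and report every plugin found,
    flagging MailPoet installs that still need the update."""
    report = []
    for plugin_dir in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = plugin_header(php_file.read_text(encoding="utf-8", errors="replace"))
            if header:
                report.append({
                    "directory": plugin_dir.name,
                    "name": header["name"],
                    "version": header["version"],
                    "needs_update": mailpoet_needs_update(header["name"], header["version"]),
                })
                break  # one main file per plugin is enough
    return report


def build_sample_site():
    """Constructed sample: a throwaway plugins directory holding an outdated
    MailPoet and one unrelated plugin. Names and layout are assumptions."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "mailpoet").mkdir()
    (root / "mailpoet" / "index.php").write_text(
        "<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: 2.6.5\n*/\n")
    (root / "other-plugin").mkdir()
    (root / "other-plugin" / "other-plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 1.0\n */\n")
    return root


if __name__ == "__main__":
    for entry in scan_plugins(build_sample_site()):
        flag = "NEEDS UPDATE" if entry["needs_update"] else "ok"
        print(f'{entry["directory"]}: {entry["name"]} {entry["version"]} -> {flag}')
```

Versions are compared as integer tuples rather than strings so that a hypothetical 2.10.x is not mistaken for something older than 2.6.7; the scan reads only the header block, so it is safe to run against a site you suspect is already compromised without executing any plugin code.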

Advanced Fee Fraud Now Plagued By RATs

From: The Boys from Lagos,
Somewhere entirely different to where they claim,

Dear Sir,

I am writting to you in respect of your recent attempt to settle the modalities concerning your quatation for Iran May Order (see attachment).

As you will know doubt see, there has been a problem with the Randam Access Tables (RAT) in the document.

please verify the integrity of the details, including full name and notional insureance number and reply immediately so that we may continue your Order and release the payment of 20 million dollars US (twenty million united states dollars) to the account of your choice with the utmost speediness.

Awaits your reply.

The Reverend Netwire,
DataScrambler,
Nigeria.

Advance fee fraud via email – we’ve all seen it many hundreds of times before and, with a few exceptions, we’ve all deleted those messages post haste.

Unfortunately, however, a few people around the world do actually fall victim to this kind of scam, sending large sums of money overseas, not knowing that they will never get it back.

Even so, in a world where people are becoming more aware of and better educated about this type of trick, the perpetrators persist, though a new report shows that the tactics may be changing a bit.

The report, from Palo Alto Networks, shows that Nigerian cybercriminals have started to employ remote access tools (RATs) in order to gain access to victims’ devices:

“The paper shows that these individuals’ tactics have evolved as they’ve begun using Remote Administration Tools (RAT) and other malware tools as part of their attacks. While these actors are not nearly as sophisticated as the top cyber crime and espionage groups in the world, we believe they represent an emerging threat to businesses.”

The RAT in this case – Netwire – is typically hidden in an email attachment which the sender will try to get the victim to open via a call to action in the accompanying email. A second piece of malware – DataScrambler – is also included in order to help the RAT avoid detection by security software.

The Santa Clara-based security firm is not sure how the attackers pick their victims but did note that the targets were all businesses operating in South Korea and Taiwan. Palo Alto Networks was able to confirm that the attacks originated from Nigeria though, as not all of the orchestrators had proven sufficiently adept at hiding their true IP addresses:

“Specific individuals within this attack group have demonstrated either an extreme lack of understanding of operational security, or simply believe they stand no chance of being caught and prosecuted. It is likely that shining light on this activity will cause these actors to change their tactics and begin tightening their security procedures.”

The company highlighted how the attackers were unable, or unwilling, to use software vulnerabilities to get their payloads onto target computers, relying instead upon social engineering. This is a common threat to all businesses, and one which can be countered through the adoption of a good security awareness program.

The report concludes that the motives for such an attack surround the snaffling of passwords and other data which can then be used to fuel further attacks. “Thus far,” the report says, “we have not observed any secondary payloads installed or any lateral movement between systems, but cannot rule out this activity.”

Irish Data Protection Commissioner Shuts Down Government Genealogy Website Over Data Fears

The Irish government closed its genealogy website on Friday after Billy Hawkes, the Data Protection Commissioner, said that the availability of citizens’ data on the site presented “obvious risks”, including the potential for identity theft.

The site – IrishGenealogy.ie – created by the Department of Arts, Heritage and the Gaeltacht, gave people who had been either born or married in Ireland the opportunity to search for civil records, such as birth certificates, in order to aid their investigations of their ancestry.

Unfortunately, and perhaps far too obviously, those same records contain a huge pile of passwords under the guise of mother’s maiden names and dates of birth (sarcasm intended).

[Dr Jessica Barker: "There are different classes of social norms and my talk explained the pitfalls of descriptive norms. If you only use descriptions to explain a problem / solution then people tend to average out their behaviour to match those being described. So if we tell users that most people use their mother’s maiden name as their password, it will have a good effect on those people using their own surname (as they will likely start using their mother’s maiden name!) but research suggests it will lower the behaviour of everyone else."]

Such sensitive data isn’t defined as being sensitive under Irish data protection legislation, despite the fact that far too many people use it either as a password or as the answer to the all-too-common security questions we see all across the web today. Nonetheless, Mr Hawkes stepped in, saying that:

“I assume it comes under the heading of ‘cock-up’ because anyone with a moment’s thought would have seen this.

Obviously nobody thought about this and it’s a particularly shocking example, frankly, of the public service falling down on the job.”

Hawkes explained that his office had been consulted about the civil records search facility in advance of its Thursday launch but was under the impression that the information available would be historical and solely in reference to people who were already dead.

Hawkes said that it was a “total shock” to discover that the site actually offered “live information” which, he said, could have made it a “treasure trove for people of evil intent.”

The ability to access the information offered by IrishGenealogy.ie is nothing new as it has always been available to the public, though a fee had always been required in order to access an individual record. The problem in this instance was the fact that bulk searches could be performed without cost, which is obviously an appealing proposition for would-be identity thieves, as well as some potential employers who may wish to find answers to questions they are not permitted to ask under Irish employment law.

The search function, which is still unavailable, simply notes that a “further update will be provided.”

The First Rule Of Data Breach Response Is…

I would like to think that the first thing any company would do in the wake of a data breach is to crack open its incident response plan and start following through a well planned strategy that had been formulated long in advance of the breach actually occurring.

Whilst maybe not being the first priority, I would also like to think that the response would include notifying customers as quickly as possible after the breach occurred.

But it appears not all companies think that way.

Take Australian daily deals site Catch of the Day for example.

The website has just revealed that it was hacked and that credit cards and passwords were compromised… early in 2011!

In a note sent to customers, the company said:

“In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.

At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.”

The notice goes on to say that the Australian Privacy Commissioner had been informed of the intrusion but did not note when exactly.

Without disclosing why it took the company over three years to disclose the breach to the public, it urged holders of accounts created before 7 May 2011 to change their passwords, adding that:

“With technological advances it means there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.”
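The point in the notice above, that hashes stored in 2011 become easier to crack as hardware improves, is addressed in practice by storing passwords with a per-user salt and a deliberately slow key-derivation function whose cost can be raised over time, re-hashing each old record at the user’s next successful login. The following added example (my own illustration, not code from Catch of the Day, whose actual hashing scheme the notice does not describe) contrasts an unsalted single-pass hash with PBKDF2-HMAC-SHA256, and shows the “rehash on login” upgrade path. The iteration count is an assumed figure.

```python
import hashlib
import hmac
import os

# Iteration count this deployment currently treats as adequate (an assumed
# figure; raise it over time as hardware gets faster).
CURRENT_ITERATIONS = 200_000


def legacy_hash(password):
    """Illustration only: an unsalted single-pass hash. Identical passwords
    give identical digests and each guess costs one cheap hash, which is why
    a store like this becomes crackable as hardware improves."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=CURRENT_ITERATIONS):
    """Salted, slow hash in the form pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh 16-byte salt per record means equal passwords never share a hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, minimum_iterations=CURRENT_ITERATIONS):
    """True when a stored record is weaker than today's policy (older
    algorithm or too few iterations)."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != "pbkdf2_sha256" or int(iterations) < minimum_iterations


def login(password, stored):
    """Returns (ok, new_record). On a successful login the plaintext is in
    hand, so a weak record can be upgraded silently instead of forcing every
    old account through a reset; new_record is None when no upgrade is due."""
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", iterations=1_000)  # 2011-era cost
    ok, upgraded = login("correct horse battery staple", old)
    print("login ok:", ok, "| upgraded record:", upgraded is not None)
```

Records keep their own iteration count in the stored string, so raising `CURRENT_ITERATIONS` later does not break verification of existing accounts; it only makes `needs_rehash()` true for them until they next log in.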

Fortunately, it looks like Catch of the Day left payment processing to a third party bank (which one can only hope is fully PCI DSS compliant), meaning that it only holds a limited set of data about each account, including

  • customer name
  • delivery address
  • email address

Catch of the Day itself only stores partial credit card numbers, it says, but even so, I’m not sure that makes a three year delay in reporting even remotely acceptable.

My opinion counts for nought though – it’s the law of the land that matters – and in Australia there is no legislation to mandate data breach disclosure at this time, though the Register reports that there is a possibility that such a law may find its way onto the statute books in the future.

Indeed in many countries the situation is similar, with regulatory bodies advising breach disclosure but not universally requiring it under law. Do you think that is the correct stance or should companies be legally obliged to disclose all breaches? After all, knowing that the public will get to hear when things go wrong may just motivate organisations to tighten up their security in the first place.

Who Fines Who: Information Commissioner’s Office Breached

If asked how likely it is that an organisation will be breached it may not be unreasonable to reply along the lines of “it’s not so much if but when.”

And that is something the UK’s Information Commissioner’s Office (ICO) can certainly attest to as it becomes clear that it experienced its own breach in the last year.

The ICO, which itself is responsible for ensuring that British organisations and governmental departments keep private data secure, revealed the “non-trivial data security incident” in its 2013-2014 Annual Report:

“There has been one non-trivial data security incident. The incident was treated as a self-reported breach. It was investigated and treated no differently from similar incidents reported to us by others. We also conducted an internal investigation.

It was concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted. The internal investigation was also concluded.”

The Information Commissioner, Christopher Graham, was less than forthcoming with further details though, leaving a spokesman to say that a freedom of information request would need to be submitted.

Whether such a request would be fruitful is not known but the response to a previous breach in 2011, which was described as “[having] no resulting adverse impact on, or damage to, individuals and the ICO is treating the matter no differently from similar incidents report[ed] by others” gave very little further information away, as information governance manager Charlotte Powell wrote:

“We have decided that the public interest in withholding the information outweighs the public interest in disclosing it.”

Equally unknown is the monetary value of any fines (if any) the ICO may have levied upon itself in respect of the breach. The authority has the ability to issue fines of up to £500,000 for serious breaches of the Data Protection Act and the Electronic Communications Regulations.

The news coincides with a significant increase in workload for the ICO which saw a near 10% rise in the number of complaints made last year (as an aside it is interesting to note that only one percent of those complaints were in regard to the currently hot topic of data retention), which has led Graham to ask not only for more cash but also more powers in conjunction with greater guarantees of independence from the government.

Are We The Architects Of Our Own Insecurity?

It’s a well-known fact that men are obsessed with something. (Note to self: make that two things but don’t mention the first).

Go to any shopping centre on a Saturday and you’ll notice all manner of sideways glances, secret peeks and longing stares as men of all ages centre their attention on anything but their significant others.

The object of their desire, of course, is technology. Like bees around a honey pot, we can’t help ourselves – new tech captivates us in ways we cannot explain and creates a longing and desire that nothing else can satisfy.

Boredom with the old and interest in the new is fed by some sort of crazy attention deficit that is ingrained into our very DNA I swear.

Technology manufacturers love it though. Such an interest, that is almost always backed up by demand where funds permit, drives them to create new products like there is no tomorrow.

But the never-ending rush to bring new ‘toys’ to market does have drawbacks.

The biggest one that I can see is the fact that the security issues surrounding new technology never seem to be given the attention they deserve ahead of a product release and are instead only considered later, in response to particular incidents or third-party research (think IoT for instance).

Additionally, as we now know thanks to Edward Snowden, some governments have their own agendas when it comes to technology, seeing computers, phones and tablets as an extension to their national surveillance campaigns.

Some nations are not standing for it though, as evidenced by China’s claims on Friday that the iPhone represents a security threat to the state. The national TV broadcaster criticised the iPhone’s “Frequent Locations” function, saying that access to the data “could glean sensitive information such as the country’s economic situation or ‘even state secrets.’”

Apple hit back by saying that it “does not track users’ locations – Apple has never done so and has no plans to ever do so,” adding that it had “never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will. It’s something we feel very strongly about.”

Whilst the iPhone is still freely available for sale in the country at this time I would not be surprised if that changes very soon, given the fact that China also moved quickly to outlaw the use of Windows 8 within government agencies.

The same state TV service branded Microsoft’s operating system as a threat to the nation’s cybersecurity, saying that it posed a “big challenge” and suggesting that the NSA may be using it to gather data.

Then there is the case of Russia which, shortly after Snowden’s defection, swiftly swapped computer hardware within the Kremlin for good old-fashioned typewriters in order to improve its security whilst creating a means for linking any created documents to a particular machine.

By way of contrast, the United Kingdom government is having a whale of a time with all this new technology, seizing upon the perceived threat of terrorism, paedophiles, etc., to rush in a law – which I think is draconian in nature – that will allow it to hold onto metadata for an entire year (if you want to know why that should concern you, whether or not you think you have ‘something to hide’, and including why it may pose a threat to democracy, then I highly recommend this recent post from Sarah Clarke in which she looks into the proposals in detail).

The fact that the UK government is rushing the proposals through Parliament leaves little to no opportunity for MPs to debate the Bill, and just as little time for us mere mortals to do the same. What is noticeable, though, is that we, as a nation, are not standing up when practices that threaten our security and privacy are brought to our attention, in the way that the likes of China and Russia are.

Maybe we don’t need to because, after all, we live in a democracy and our elected officials are there at our whim to do as we ask.

But then again I don’t feel that way myself – I think that we are allowing technology to control our lives to some degree rather than make them simpler and we are too blind to see what is happening.

I believe that new technology is a good thing but the way in which much of it is utilised these days warrants a level of scrutiny and subsequent control that just isn’t there right now. Alternatively, the insecurity could be all mine.

Rogue SSL Certs – Microsoft Issues Out-Of-Band Patch

Microsoft has issued an emergency security update – “Improperly Issued Digital Certificates Could Allow Spoofing” – just two days after its regular monthly Patch Tuesday release cycle in order to address forged security certificates that could have been used to spoof Google and Yahoo websites.

The forged certificates had been generated by India’s National Informatics Centre (NIC) and were detected by Google’s security team at the beginning of this month.

Whilst Google’s own products did not trust the Government of India Controller of Certifying Authorities (CCA), under which the NIC operates subordinate certifying authorities, Microsoft’s Trusted Root Store did.

All in, it was determined that attackers had issued at least 45 certificates after gaining access to the NIC generation systems, giving them the ability to potentially spoof search engines, banks, email providers and credit card processors.

“The Microsoft advisory about fake Google and Yahoo certificates in the wild underscores the key risks of using public key infrastructure (PKI) to ensure the authenticity of a remote party. The system we use for securing websites is based on the network of trusted certificate authorities and subordinate authorities. When any one of these authorities is controlled by someone with malicious intentions it’s possible to impersonate services such as web sites, email, and file transfer. The malicious possibilities are limitless.

This problem is compounded by the fact that computers and SSL systems are designed to trust a long list of authorities. We’ve seen certificate authorities get compromised and used to sign counterfeit certificates several times in the recent past. This is why SSL implementations should always use revocation lists.

One of the best ways to protect users from this type of threat is through the use of pinned certificates. This is a deployment in which software is designed to require specific certificates instead of allowing any certificate signed by a ‘trusted’ authority. This practice is used in the Gmail app for Android, for example. Unfortunately this approach does not scale for general web browsing. To protect themselves from these kinds of incidents users may want to remove trust for regional certificate authorities that aren’t needed in the user’s locale.”

Craig Young, security researcher
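Young’s two recommendations, revocation checking and certificate pinning, are both things a client application can enforce itself rather than leaving to the trust store. The added example below (my own code, not Microsoft’s, Google’s or Tripwire’s) shows one way to do both with Python’s standard `ssl` module: a verifying context with chain-wide CRL checking switched on, and a pin check that compares the SHA-256 fingerprint of the server’s DER certificate against a fixed set, so that a certificate issued by any other CA, however “trusted”, is rejected. The fingerprint bytes and pin set in the test are constructed; `connect_pinned()` needs a reachable host and is not exercised offline.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server presents a certificate that is not pinned."""


def fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate, as lowercase hex. This pins the
    whole certificate (not only its public key), so pins must be rotated when
    the server's certificate is renewed."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert, pins):
    """True when the presented certificate matches one of the pinned
    fingerprints (hex strings as produced by fingerprint())."""
    return fingerprint(der_cert) in {p.lower() for p in pins}


def make_verifying_context(crl_file=None):
    """Default context (CERT_REQUIRED plus hostname checking) with revocation
    checking for the whole chain. OpenSSL checks CRLs it has loaded locally,
    so a PEM file of CRLs must be supplied for handshakes to succeed."""
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def describe_context(ctx):
    """Summarise the settings that matter for this check, for review/testing."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "checks_crl": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def connect_pinned(host, port, pins, crl_file=None, timeout=5.0):
    """Open a TLS connection that must pass normal CA validation AND present a
    pinned certificate; returns the matching fingerprint. A certificate that
    chains to a trusted but unexpected CA fails the pin check here."""
    ctx = make_verifying_context(crl_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, pins):
                raise PinMismatch(f"{host}: certificate {fingerprint(der)} is not pinned")
            return fingerprint(der)


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate, to show the pin logic offline.
    sample_der = b"constructed DER certificate bytes"
    pins = {fingerprint(sample_der)}
    print("pinned cert accepted:", check_pin(sample_der, pins))
    print("other cert accepted: ", check_pin(b"some other certificate", pins))
    print(describe_context(make_verifying_context()))
```

As Young notes, this does not scale to general browsing, where the set of legitimate certificates is open-ended; it fits an application that talks to a small, known set of services, where the pins can be shipped with the software and updated alongside it.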

Dustin Childs, group manager of response communications, explained that the rogue certificates could be used not only to spoof content but also to perform phishing or man-in-the-middle attacks against web properties, with Google adding that “The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”

The security update is being pushed out automatically to all users of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2. Users of other versions of the operating system going back to Vista are also covered if they have the automatic updater of revoked certificates installed. Users of Vista or newer versions of Windows that run in a disconnected environment can install update 2813430.

Accordingly, Tyler Reguly, Tripwire’s manager of security research, said:

“This is a fairly minor security concern that will address itself for most users because most certificates will be revoked automatically on most modern Windows systems.

Users that have disabled CRL updates or have systems that are disconnected from the Internet may need to take additional manual steps based on the advisory data.

It is always unfortunate when this happens but the advisory is basically the end of the problem. Once the certificates are added to the CRL, the problem becomes moot. It’s when people are unaware of the issue that it causes harm.

This is one of the inherent risks in the current system we use; it’s possible for mistakes and malicious actions to lead to improperly issued certificates.”

Further information, along with a list of the affected domains, can be found on Technet.

1 In 5 Organisations Have Experienced An APT Attack

“Advanced persistent threat (APT) is a term that has been used frequently in the course of security threat discussions; however, confusion exists as to what an APT is and how to manage the risk associated with it. Although the study reveals that a large number of respondents feel that APTs are a significant threat and have the ability to impact national security and economic stability, the study also indicates that the controls being used to defend against APTs might not be sufficient to adequately protect enterprise networks.”

So says a new report from ISACA which shows that 21% of organisations have experienced an advanced persistent threat attack whilst 66% believe their company will be hit by an APT sooner rather than later.

Despite such experience and sentiment, many enterprises are hardly prepared for such an attack, with a mere fifteen percent declaring that they are well prepared for such an eventuality. Alarmingly, only a third of organisations that had already been on the wrong end of an APT attack could determine the source.

“The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.”

ISACA’s 2014 APT Study polled 1,220 security professionals from a broad range of organisations and found that the majority felt they were well positioned to identify, respond to and nullify an APT attack, primarily by adopting a risk-based approach to planning.

A range of controls were found to be employed by most enterprises though they were more robust amongst those which felt most at risk of an APT attack. The majority of organisations responded that their primary controls were technical in nature, citing firewalls, access lists and anti-virus as the most popular means of defence.

On the flip side, less than 30% of the organisations polled said they were utilising any mobile controls, despite the fact that 88% accepted the fact that employees’ use of mobile devices was often a major contributing factor in an APT attack.

Also of note is the fact that almost 40% of enterprises report that they are not using user security training and controls to defend against APTs which, if done well, could go a long way in mitigating the risks surrounding social engineering and spear phishing attacks. Even in organisations which recognise an increased likelihood of an APT attack, investment in training against the same is unlikely to have increased despite the quick gains that it offers.

Commenting on the report, Mark Sparshott, director of EMA at Proofpoint, had this to say:

“The fact that 50% of security professionals who responded to the survey do not see APTs as highly differentiated from traditional attacks means that 50% of those interviewed should consider a career change.

Organisations need to ensure the security teams that they are relying on to defend their business understand how easily APT attacks bypass traditional security controls like Firewalls, Anti-Spam, Anti-Virus and Anti-Malware tools that 96% said were a Technical Control for preventing APT attacks.

Encouragingly 92% of respondents recognised Social Networking makes APT attacks easier with personal information harvested from these sites used to craft compelling and believable targeted emails. As Proofpoint’s Human Factor research showed targeted email attacks like spear-phishing and longlining, the main initial APT attack vector, have a 1 in 10 success rate and Social Networking invites are the #1 lure with LinkedIn Invitations achieving the highest success rate of any email lure.”

Robert Stroud, international president of ISACA and a vice president at CA Technologies, said:

“The good news is that more enterprises are attempting to better prepare for the APT this year. The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.”

While more enterprises report that they are adjusting vendor management practices (23%) and incident response plans (56%) in order to address APTs this year, ISACA believes the numbers still need significant improvement, with Tony Hayes, ISACA’s immediate past international president, saying:

“APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data. In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls.”

The report concludes by saying that seventy-five percent of respondents had noted a lack of guidance in the market focused on APTs – is that your experience?