Security Staff Feel Largely Unprepared for Cyber-Espionage and APTs

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.infosecurity-magazine.com/view/34750/security-staff-feel-largely-unprepared-for-cyberespionage-and-apts/

Advanced persistent threats (APTs) are insidious, multi-pronged and
stealthy – and aimed at siphoning off an organization’s intellectual
property. But when it comes to protecting those crown jewels, the thieves
seem to be staying one step ahead of security departments.

A survey of senior IT security professionals revealed that 52% of
respondents are “not confident” that that their IT staff could detect the
presence of an attacker who was attempting to breach their network or
extract private data.

The survey from Lieberman Software polled nearly 200 attendees at the
recent Black Hat USA Conference in Las Vegas, and found that more than a
third of respondents (36%) did not think their organizations’ existing
products and processes could keep up with new and emerging threats in
general.

That’s not to say that security staff are unaware of the cyber-espionage
issue (and the rising threat tide overall) – most are taking steps to fix
it. A majority (63%) of respondents said that they believed that a
state-sponsored hacker would attempt to breach their organization in the
next six months. In order to try and combat that, 90% had made efforts to
protect themselves.

This included 90% of them giving user training to protect against APTs,
while the same number had also added new security appliances. About 89% had
carried out endpoint testing to protect against APTs. Also, 81% of
respondents’ organizations carry out penetration testing.

“The fact that businesses acknowledge what a challenge APTs present to
their networks and are willing to do something about it proves that this is
no smokescreen,” said Philip Lieberman, president and CEO of Lieberman
Software, in a statement. “As our survey found, almost 90% of the senior IT
security professionals we spoke to at Black Hat had invested in penetration
testing services or education of users, and it is good to see such a high
number making preparations for the worst eventuality.”

That worst eventuality is pretty bad, according to the respondents. More
than 74% said they are not confident that their network has never been
breached by a foreign state-sponsored attack or an APT. Nearly 58% of those
surveyed think that the US is losing the battle against state-sponsored
attacks. And, an overwhelming 96% of respondents think the hacking
landscape is only going to get worse.

“The hacking landscape will be getting much worse over time,” saidAmar
Singh, ISACA Security Advisory Group Chair, in the report. “The icing on
the cake, from the malicious hackers’ perspective, will be when the world
fully embraces IPV6, the next-generation internet protocol that will allow
every single human being on this planet to own at least 2000 fixed and
permanent cyberspace addressees. Think about the attack surface when your
TV, your watch, your wristband, your car's engine, your car's brake systems
have a unique cyber space address and these devices will be always
connected to cyberspace!”

Overall, the survey turns up the fact that the threat of state-sponsored
attacks and APTs is considered an extremely serious issue for IT security
personnel. Most said that the probing of IT infrastructures in both
corporate and government environments is likely occurring constantly, and
attacks are being launched frequently.

“Since I would assume that state-sponsored attacks are a covert operation,
it sort of begs the question whether anyone can know the full extent,”
noted Martyn Croft, CIO of The Salvation Army UK, in the report. “I guess a
certain amount of inference from the known attacks, e.g.Stuxnet, would lead
one to believe that it's become a commonplace occurrence.”

While the findings from this survey indicate that these types of attacks
are very difficult to identify, let alone stop, Lieberman added that the
10% of respondents that are content to rely on existing defenses should be
considered a shocking number.

“What was also striking was that more than a third felt that their current
IT infrastructure was insufficient in the face of a heavy-set attack, yet
not all of the respondents were prepared to do something about it,” he
said. “I wonder if they feel that sitting tight and hoping for the best is
efficient and sufficient protection.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.