Andrew Wild is the Chief Security Officer of Qualys, a leading provider of cloud security and compliance solutions.
You see them all over the news – reports of high-profile data breaches and computer attacks. This is a result of increased dependence on computers and the increasing sophistication of the threats. Organizations and individuals who rely on computers, whether they sit in the boardroom or the family room, are wondering how they can protect against attacks, both old and new.
As technology evolves, so do the threats. While there have been significant improvements in software development, the complexity of modern systems, the demand for rapid software delivery and the improved organization of cyber criminals (along with the development of an underground hacker economy) have led to more and more attacks.
Criminals have figured out how to monetize the exploitation of software vulnerabilities, resulting in large amounts of theft of both financial assets and intellectual property. Now, hacking is big business, with losses measured in the billions of dollars. Some of these threats have been categorized with a relatively new label: Advanced Persistent Threats (APTs).
Sneaking in with zero days
The term “APT” is used so frequently it’s become a buzzword. It’s a threat that uses advanced technology, typically zero-day exploits that take advantage of a previously unknown software vulnerability. This makes them extremely dangerous: there is no fix available yet, and anti-virus and intrusion detection systems, which rely on signatures of known exploits to work, aren’t able to detect zero-days.
APTs are persistent because once attackers are inside a target network, they install remote control software, typically “Remote Access Tools,” to maintain control of the system and access other computers in the organization where account log-in credentials and intellectual property are stored.
Firewalls and intrusion prevention systems, which consume so much of the IT department’s time and budget, don’t effectively detect these kinds of attacks. Once an attacker is in the network all bets are off.
The fact that perimeter-based security can’t prevent criminals from compromising internal systems should be reason enough for organizations to aim for a balance between preventative and detective security controls. If you can’t stop all attacks, you need to be able to detect attacks so they can be contained and to minimize loss of data.
However, as detailed in the 2013 Verizon Data Breach Investigations Report, most organizations are not successful in detecting intrusions. Nearly 70 percent of the breaches were discovered by law enforcement, third-party security monitoring providers or others and not the victim.
It’s also interesting to note that a majority (78 percent) of the data breaches included in the Verizon report resulted from intrusions that were rated as easy. This seems at odds with the widespread focus on APTs. If the majority of data breaches result from easy intrusions, how can organizations possibly expect to manage the much more sophisticated targeted and advanced attacks?
Phishing for APT victims
One of the most common compromise methods is phishing, where victims are lured into clicking on malicious email attachments or URLs.
Chances are greater than 50 percent that a link or attachment in an email sent to three employees will be clicked by at least one of them, according to research conducted by ThreatSim, as detailed in the Verizon report. With success rates as high as this, attackers don’t need to use advanced methods.
Statistics like these have led to a bunch of new anti-APT products. Security conferences are full of vendors making exaggerated claims that they can prevent APTs. While many solutions may in fact be valuable tools in an organization’s arsenal, they aren’t adequate on their own.
Without a strong risk-based approach, an organization won’t have much of a fighting chance of managing the potential loss of data and other consequences from an attack, even with the latest APT tools.
So, how do you build a strong, risk-based information security program?
Risk-focused frameworks such as ISO-27000 and NIST SP-800-53 have been around for a while. They are fairly straightforward, but their implementation can be challenging, especially for information security teams that are already very low on resources and overwhelmed by the challenges of maintaining their existing controls and compliance program requirements.
20 Critical Controls
One way to solve this problem is to adopt a methodology that includes controls that have been proven to be effective at reducing the risk of real threats. The 20 Critical Security Controls do, and they are appropriate both for organizations with mature risk programs and for those with less mature programs.
They were first published by the Center for Strategic and International Studies and later maintained by SANS. They have recently transitioned to the newly formed international organization, The Council on CyberSecurity.
Currently in their fourth major release — version 4.1 — the controls are updated as necessary, based on international collaborative research on current threats and effective measures at preventing attacks. The 20 Critical Controls include 15 technical security controls that lend themselves to automation and five foundational controls that may require manual validation.
The fact that most can be automated is significant. Information security vendors have thrown support behind the controls and are working to provide automated tools to implement them. Because it’s a community-driven effort it’s likely to thrive.
This project is seeking input from all parties. I recently attended a summit in Washington D.C. on the 20 Critical Security Controls that was extremely productive. A similar summit was held in London this past spring. This collaborative effort seems to be gaining traction among organizations as a common sense approach to the challenges and evolving threats they face.
Many information security professionals are excited about the potential for improving their information security programs by using a prioritized, flexible methodology. It’s important to know that it does not replace ISO-27000 and NIST SP-800-53, as the controls include mappings to both. Instead, the controls provide an approach that allows organizations to prioritize control implementation in a way that can be tailored to fit their needs.
While APTs present a very real threat, the terms we use to describe current threats will change over time. Today, we are talking about APTs and phishing. In the past we’ve faced worms, viruses and trojans. Who knows what the threats of tomorrow will be?
The key to improving your organization’s information security posture is to adopt a risk-based approach that balances preventative and detective capabilities, with extensive automation and flexible, proven controls.