Advanced Threats Touch Two-Thirds Of Enterprises

  /     /     /  
Publicated : 22/11/2024   Category : security


Advanced Threats Touch Two-Thirds Of Enterprises


Worse news: Sophisticated cyber attacks combining stealth and severity are leading only half of businesses to employ more automated defenses and better training.



Nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect to see such attacks persist in the future. Furthermore, 30% of security managers at large enterprises rate their business as being vulnerable to future such attacks.
Those findings come from a new
report on APTs
released Tuesday by market researcher Enterprise Strategy Group (ESG). The study is based on a survey of about 250 U.S. information security professionals, conducted in August.
Whos wielding APTs against businesses? Respondents said they suspect--in order of likelihood--such attacks to be coming from
hacktivist groups
such as Anonymous,
organized criminal rings
, competitors conducting reconnaissance or perpetrating industrial espionage,
foreign governments
, and terrorists.
Increasingly, security professionals are turning to more automated technology to help them spot and then stop APTs. Even sophisticated IT shops preparing for APTs are using automation more, said Jon Oltsik, senior principal analyst at ESG and the primary author of the study, in an interview. Automation detects an attack thats underway, and theyre willing to use automation to take a system off the network, or block a protocol. The days of only using manual remediation, he said, appear to be over.
[The people charged with overseeing enterprise security may make you vulnerable to attack.
Are Your IT Pros Abusing Admin Passwords?
]
Notably, of all organizations surveyed, the 52 businesses that ESG rated as best prepared to stop APTs used network management tools (at 69%), security incident and event management tools (58%), log file analysis (46%), and intrusion detection or prevention system alerts (44%). But respondents to the study also complained that they need even more sophisticated tools, as well as better training, and more personnel. Theres a real skill shortage, across the board. We saw people saying that they didnt have the right skills to identify attacks in progress, to do analysis of attacks, said Oltsik.
One aspect of APTs that makes them difficult to spot is that they can be deceptively simple. Many experts, for example, think that
social engineering attacks
are the leading APT attack vector. Because such attacks rely not on sophisticated technology, but simply tricking people into revealing information directly (for example, divulging passwords over the phone) or indirectly (opening a malicious attachment that then installs a Trojan application on their PC), theyre incredibly difficult to combat.
In fact, theres only one sure-fire technique for blocking social engineering attacks: training employees to spot them. But according to ESGs study, both executives and non-IT employees dont seem to be getting enough training. Roughly half of respondents rate both the overall security knowledge and APT awareness of non-IT employees at their business as only fair, if not poor.
Other than training, how else can businesses better combat APTs? The study found that the best-prepared businesses took a very
proactive approach to risk management
, including maintaining and enforcing
security policies
that covered everything from physical security and data encryption to access controls and background checks on users with access to sensitive data.
Furthermore, 44% of the best prepared businesses conduct formal penetration tests against their network--employing outside experts to simulate hack attacks and discover unseen weaknesses--more than once per quarter. Conversely, only 15% of businesses that ESG rates as somewhat prepared to combat APTs were conducting penetration tests more than once per quarter.
For businesses that need to do a better job of battling APTs, Oltsik recommends starting with three steps. First, make employees think seriously about security. Next, accurately assess the businesss current information security vulnerabilities. If you cant do that, yourself get professional help, he said.
Finally, senior executives must take a more proactive approach to security, especially in light of the studys finding that the rise of APTs hasnt led to any changes in budgeting, training, or security assessment frequency at 51% of surveyed businesses, he said. Think about security as the cost of doing business. Its not something you glue on after the fact, you have to add it to every layer of your organization, and IT.
The good news, however, is that half of surveyed businesses have altered their security behavior in light of APTs. In particular, 51% said that senior executives had allocated funds to increase the amount of security training for general employees; 33% had begun meeting more frequently with their chief information security officer (CISO) or IT risk team; and 18% had
created the role of CSO or CISO
, or another type of senior security position.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Advanced Threats Touch Two-Thirds Of Enterprises