APTs Cause Concern But User Behaviour Is Unchecked

Security pros are concerned about targeted attacks but continue to allow employees too much freedom

While security professionals are worried about targeted attacks against their company, IT professionals are not putting enough safeguards in place to defend against them, according to a new report.

In many businesses, employees are allowed to indulge in risky IT security behaviour even though it can lead to data breaches from the outside.

Insider Threats Still A Big Concern

About 60 percent of IT and security professionals in Europe, the United States and Canada claimed their main concern was being hit by an advanced persistent threat (APT), according to the Bit9 Endpoint Security Survey. Insider threats, such as an employee posting sensitive information to external sites such as WikiLeaks, were the second most important, at 28 percent.

Company executives were worried about targeted attacks, similar to the tactics used against RSA Security and some defence contractors earlier this year, the survey found.

The Bit9 report also found that 26 percent of organisations were worried about vendor partners being compromised, such as what happened with Epsilon and other smaller vendors earlier this year. Finally, a quarter of the respondents were worried about a cloud application breach, similar to what happened with various Sony properties this spring.

However, the survey found a significant disconnect between these concerns and what businesses were doing to prevent dirty software or malware from infecting their systems.

Half the companies surveyed either had an open software environment, which allowed employees to download and install whatever software they wanted, or relied on an “honour system” for employees to comply with written policy regarding unauthorised software applications.

These companies did not have any mechanisms in place to enforce their own security policies or monitor what was being installed. In fact, 51 percent of the companies had an open environment, Bit9 found. The most common unauthorised applications on endpoints were digital music sites like iTunes, social media and instant messaging software.

“Companies are increasingly worried about advanced persistent threat attacks, but they continue to engage in risky behaviour,” said Tom Murphy, chief strategy officer of Bit9.

Lax Attitude To User Downloads

Almost 20 percent of IT executives admitted that unusual software found on the endpoint crashed company networks. Even so, more organisations appear to be adopting less stringent policies regarding software downloads, Bit9 found. Executives have become “hands-off” in their software usage policy during the past three years, as the number of organisations with relaxed software rules increased 12 percent since 2010.

About 79 percent of the respondents said their organisations allowed employees to connect any kind of removable storage devices, including USB drives, to work computers. Nearly 30 percent said employees could use personal mobile devices to connect to the company Intranet site.

APTs are stealthy and often exploit zero-day vulnerabilities for which defences are not currently available. However, as the recent analysis by F-Secure of the malicious spreadsheet that took down RSA revealed, the mechanism was not all that sophisticated. It wrapped an exploit in a creative way around a zero-day vulnerability.

Anup Ghosh, founder and CEO of Invincea, said customers are overly concerned about APTs.

“We’re not that concerned with commercial malware; it is the APT stuff that scares us,” said Ghosh, referring to his company’s customers.

Organisations do not seem to “understand that virtually all malware has the potential to damage a company, to pilfer intellectual property, to expose their brand to irreparable harm, to cost them untold millions”, said Ghosh.

“Malware used in most of the APT attacks we’ve seen recently isn’t really all that nefarious; it’s just the new stuff on the market,” said Ghosh.

‘Just Good Enough’ Approach

Bit9’s findings about organisations not actually acting on their concerns are consistent with another report from Tenable Network Security. In a survey of security professionals who attended the Gartner Security and Risk Management Summit in June, Tenable found that while 90 percent of the professionals polled discussed large-scale, high-profile breaches with senior management, only 23 percent did anything beyond talking.

Nearly 85 percent of the attendees at the Gartner summit considered APTs a real concern, but only 28 percent pegged them as one of their top concerns for their business.

Ron Gula, CEO and CTO of Tenable, called the survey results a “clear sign” that the majority of security professionals are getting by on “just good enough security” that complies with an audit but does not actually provide meaningful security.