Executives Discuss Security Breaches At APT Summit

Over 100 senior executives met behind closed doors to talk freely about the APT threat and regulatory changes

In a closed-door summit on advanced persistent threats, CISOs, CIOs and CEOs revealed their organisations had been breached at least once by sophisticated attackers intent on stealing sensitive information. Several admitted they would not be able to tell if they had been attacked.

On 13 September, trade group TechAmerica and RSA Security, EMC’s security division, released interim key findings summarising the discussion between forum attendees.

Widespread APT Activity

More than 100 C-level executives from major organisations attended the Summit on Advanced Persistent Threats (APTs) in Washington DC last July and candidly discussed what they were doing about cyber-security and targeted attacks, Eddie Schwartz, chief security officer for RSA Security, told eWEEK.

He said he was surprised at how pervasive APT activity was. “Literally everyone had something to say,” he said, noting that many of the executives discussed incidents they had not yet disclosed publicly even though customers may be affected.

“The frequency and volume of attacks has reached pandemic levels,” Schwartz said.

Security professionals from government agencies and the private sector acknowledged that they must assume they are already compromised, Schwartz said. Organisations have to plan and act as though they already have a breach, minimising the time attackers remain undetected in the network and thereby limiting the damage.

The perimeter defence trying to block all incoming threats does not work when there are so many ways for attackers to get in, Schwartz said. Instead, the organisation has to ensure the “crown jewels” are protected at all times, especially since attackers are now targeting individuals with spear phishing attacks instead of breaking into systems.

RSA Knows About Compromise

Schwartz knows what being in a “state of compromise” feels like. In March, RSA disclosed that unknown attackers had breached its systems and stolen sensitive information relating to its SecurID two-factor authentication technology. The information was later used to launch follow-up attacks on several defence contractors in May.

RSA talked about what had happened with the breach and also “listened to everyone else talk”, Schwartz said, adding that being able to hear what other executives were doing and experiencing gave attendees some ideas on what to implement in their organisation.

There was a significant “level of shared concerns” among the attendees, which was a clear indicator that these kinds of attacks, while not new, were more pervasive than originally perceived, Schwartz said. More organisations are experiencing attacks, and there is a “growing willingness” to talk about it, he added.

The bad guys are better at information sharing and much faster at analysing data, Phil Bond, CEO of TechAmerica, told eWEEK. In contrast, companies have a hard time sharing information or discussing incidents with the larger community. In many cases, organisations may be held liable for information shared with third parties because it would violate privacy regulations, even if it was shared for security purposes, Bond said. Policy needs some tweaks to make it easier for companies to share information with the security community and with the government.

Attendees also acknowledged that cyber-incidents should not just be handled by the security team, but needed to be embedded in the organisation’s overall strategy. Just as the executives plan for natural disasters and sudden downturns in the stock market, cyber-attacks needed to be treated as a disaster and all major divisions included in the preparation for defence and incident response, Schwartz said.

Traditional Training Ineffective

Organisations have all conducted some form of employee training or awareness programme, but the traditional programmes were generally perceived as being a waste of money, according to Schwartz. Employees did not see the relevance of the training, and the programmes “did not make them want to follow the rules”, Schwartz added.

Some organisations were taking “forward-leaning approaches” to training, such as running scenario-based “war-games” where users were actually compromised and then called in to face the consequences, Schwartz said. The employees were shown exactly how a specific action, such as opening an unknown file, resulted in a specific amount of money lost, employees laid off or even someone injured, he added.

An in-depth report from the summit is expected in October.