Study Results
Advanced Persistent Threat Awareness
The 2010 Google Aurora attack
forever changed the way we
look at Internet security.
This large-scale, sophisticated
attack showed us that all
sectors, from private to public,
are vulnerable to a new class
of security breach:
The Advanced Persistent
Threat
© 2013 ISACA. All rights reserved
3
in its adaptability, APTs were
once thought to be limited to
attacks on government
networks.
APTs exploit zero-day threats – unknown weakness.
APTs also often take the form of well-designed
spear fishing attacks.
© 2013 ISACA. All rights reserved
ADVANCED,
STEALTHY AND
CHAMELEON-LIKE
4
The 2011 RSA SecurID attack was attributed to an APT.
So was the Internet worm “Flame.”
Following the Google attacks*
similar targeted intrusions quickly
followed, garnering media scrutiny
– and growing concern that the
APT was more damaging
than it seemed.
*Google attacks affected nearly three
dozen well-known tech, finance and
defense enterprises
© 2013 ISACA. All rights reserved
5
How well do security
professionals understand APTs?
How are they affecting different
industries and organizations
throughout the world?
What is being done
to prevent them?
In Q4 of 2012, ISACA launched the APT Awareness Survey to find out.
© 2013 ISACA. All rights reserved
6
So ISACA asked 1,500 people
worldwide – from tech service
consultants, to people in the
banking industry – about APTs. 19%
Asia
32%
8%
3%38%Europe / Africa
North America
Latin America
Oceania
© 2013 ISACA. All rights reserved
7
42.5% of respondents were familiar…
28.6%, somewhat familiar…
And only 25.1% very familiar about APTs.
Overall, 96.2% were somewhat familiar with APTs…
But most importantly:
AWARENESS
of respondents understood
APTs as a very credible,
serious threat to national
security and economic stability.
93.6%
25%
42%
29%
4%
VeryFamiliar
Familiar
SomewhatFamiliar
Not at AllFamiliar
© 2013 ISACA. All rights reserved
8
Just 46.6% of respondents
believed that APTs were a
unique threat.
And more than half (53.4%)
believe this advanced set of
threats is no different to what
they’ve been dealing
with in the past.
WHAT DOES THIS MEAN?
53%Similar
47%Unique
© 2013 ISACA. All rights reserved
There’s a huge disconnect in the IT industry about APTs … A lack of understanding and education.
© 2013 ISACA. All rights reserved
10
Highest Risks on Enterprises from APTs
Other key highlights
89.7% of respondents believe the use
of social networking sites like Facebook
or Twitter increases the likelihood of a
successful APT attack.
BELIEVE THAT87.3%
JAILBREAKS, ROOTING &
BYOD GREATLY
INCREASE THE CHANCES
OF AN APT OCCURRING.
© 2013 ISACA. All rights reserved
11
Although just 21.6% of
respondents reported having
been victims of an APT attack
63% – three times that amount –
believe it’s only a matter of time
before their business is targeted.
Suffering with an APT 63%
BELIEVE IT’S ONLY A MATTER OF TIME BEFORE THEIR BUSINESS IS TARGETED.
© 2013 ISACA. All rights reserved
12
The majority of survey takers –
up to 60% – believed that they
have the ability to ID, respond to
and stop a successful APT attack.
31.1% said they have incident
management plans in place to
fight an APT.
49.5% are prepared, but without
a concrete solution.
Detect APT Attacks
Respond to APT Attacks
Stop a SuccessfulAttack
0% 20% 40% 60%
How able is your enterprise to deal with an APT attack?
Very Able
Able
Not Able
Not at All Able
© 2013 ISACA. All rights reserved
How are people handling the threats? Most respondents are using technology in a risk based layered approach to prevent and combat APTs.
94.9% Anti-Virus / Anti-Malware
92.8% Network Tech (Firewalls, etc.)
71.2% IPS
© 2013 ISACA. All rights reserved
14
There aren’t enough precautions being taken against the threat of an APT.
Up to 81.8% of survey takers have not updated their agreements with vendors who provide protection against APT.
And 67.3% reported that they haven’t held any APT awareness training programs for their employees.
A Troubling Lack of Initiative
Has your enterprise increased security training as a result of APTs?
Very Likely
Likely
Not Very likely
Not at All Likely
0% 20% 40% 60% 80%
© 2013 ISACA. All rights reserved
Yes
No
APTs are serious threats. We need more consideration to their consequences.Enterprises must adopt more technology awareness training, vendor management, incident management and increased attention from executives.
© 2013 ISACA. All rights reserved
16
Advanced Persistent Threats
differ from the traditional,
average virus, and need to be
classified as such. Many
enterprises and companies
have made some positive
inroads into fighting APTs, like
better security management.
But there’s still a lack of
cohesion and understanding to
what APTs are and how to
defend against them. Market
conditions have not sufficiently
changed, and the technology to
fight APTs isn’t fully evolved yet.
Conclusion But there’s still a lack of cohesion and understanding to what APTs are and how to defend against them.
© 2013 ISACA. All rights reserved
© 2013 ISACA. All rights reserved
ISACA is here to serve its members
against any security breach – especially
the Advanced Persistent Threat.
A series of educational products to
address challenges in cyber security,
and guard against APTs, is currently
in development.
Take Action AgainstAPTs
To learn more visit us at WWW.ISACA.ORG/CYBERSECURITY
QUESTIONS & COMMENTS
© 2013 ISACA. All rights reserved