In a survey carried out at the Black Hat conference in Las Vegas this August, the identity management solution provider indicated that the majority of IT professionals still believe that legacy controls are adequate to face advanced attacks, with only 22 percent believing that firewalls, antivirus and other legacy tools would not be enough in defending against APTs.
Reacting to the report, the company's CEO and founder Philip Lieberman said that the results are a concern.
“Our survey reveals that while the majority of organisations are prepared for amateur hackers and low-level criminals, they are completely ill-equipped to deal with today's advanced attacks,” he said in a statement, before going on to add that firms should not be ‘solely dependent on perimeter security products' such as firewalls and intrusion detection systems (IDS).
“Traditional perimeter security products are effective at spotting and stopping known threats, but they can't keep up with today's rapidly increasing volume of advanced targeted attacks. The most effective methods for securing yourself from these types of attacks are the use of air-gap networks (machines not connected to the internet) that disconnect systems with sensitive data."
He added: "Assume that others have already penetrated your network and institute multi-factor authentication and adaptive privilege management to assure that a compromised system is not a jumping off point for an organisation wide attack.”
Independent security technologist and ethical hacker Jonathan Care told SCMagazineUK.com that today's IT security teams need to develop a ‘three-pronged approach' if they are to properly defend against APTs.
“It is no longer enough for an IT organisation to buy and install their favourite firewall, antivirus and feel confident that they have done enough. Modern information security requires a three-pronged approach [of] protect, detect and respond.”
He added that, during the ‘protect' stage, IT security managers should pay close attention to making their own software security ‘as robust as your infrastructure' and also look to understand their threat model.
“Ensure you understand your threat model and have identified actors, both internal and external. Don't hobble your penetration testers with poorly defined scopes. If your auditor (or penetration tester) recommends you only test a part of your system, fire them. That is not how an attacker will work.”
Care went onto suggest that teams implement IDS systems to watch their network traffic ‘like a hawk', and to act upon threat intelligence by centralising and correlating data logs. Care said that you should also look to contract a managed security service provider (MSSP) to see if they can assist with key tasks.
“Make the assumption that you are going to be breached. Unless you truly are the smartest guy on the planet, this is a safe assumption - someone out there will be more capable, better resourced, and more motivated.
“When that time comes, have an incident response plan tested, and ready."
Tim Holman, CEO of QSA 2-Sec and president of the ISSA-UK security professionals user group, said to SC that the headline statistic was worrying, and a sign that most companies are not doing IT security properly.
“That's a worrying statistic and kind of alludes to a large number of organisations employing IT security professionals that evidently haven't a clue what they're doing,” he said in an email.
“It doesn't take a highly paid CISO to be able to explain what an APT is and how modern malware has been specifically coded to evade the firewalls and anti-virus solutions that we're put in fifteen years ago to defend against yesterday's threat.”
“In the eyes of the law, ignorance or indeed naivety is no excuse for when your company is subject to a cyber- attack, so the companies from which these statistics were drawn need to get real and up their game.”