James McKinley, head of information security, data protection and PCI DSS at Worldline at Atos, opened the discussion by questioning whether the ‘P’ (Persistent) in ‘APT’ stood for persistent hackers coming back repeatedly or for gaining a digital ‘foothold’ in an organisation, while others, including Quocirca’s Bob Tarzey and WorldPay head of payment security Tim Lansdale, said that an APT was simply a targeted attack using an assortment of tools.

Jay Colley, senior director at Akamai Technologies, mentioned how DDoS attacks – sometimes used as a distraction technique – had grown to 340Gbps in size and are expected to continue growing in the year ahead.
Meanwhile, one head of information security – who wished to remain unnamed – said that APTs should not fall into the bracket of common cyber-crime, adding: “It’s about gain and benefit. We need to take away just looking at financial [reasons].”

Others at the table noted how SCADA systems are now under threat as more devices become internet-connected, although Colley said that most of these systems retain closed infrastructures and are separated from the rest of the network. He added that other industries should push defensive measures into the cloud. Some delegates questioned whether cyber-terrorism was likely, and asked why we had not seen it yet. Tony Morbin of SC Magazine noted how a Swedish hydroelectric plant manager attending the 4SICS conference in Stockholm had confirmed that his plant had been put out of operation for a day by a targeted virus attack.
Others argued that risk assessment should be continually monitored, with Lacey stating that an independent risk assessment should be required. Save The Children CISO Ray Evans said that there is ‘no common understanding of risk’ and urged firms to “be very careful when subcontracting, and get them to provide an assurance that they have an understanding of risk in accord with your own.”

This communication extends to the boardroom, said Tarzey, who argued that messages about the nature of a risk and its potential consequences, and the preventative action and resources required to prevent it, should be described simply by the CISO to the CEO.
“You’re trying to describe it to the CEO, who doesn’t understand cyber-security, that this is a targeted attack,” said Tarzey.

Experts summarised that information security teams should benchmark best practice, be open and honest with C-level about their capabilities, and – where appropriate – outsource risk management and log management.
When looking at potential solutions, white-listing of approved apps, services and connections came highly recommended, with the ability to provide category approval overcoming some of the issues related to constant updates and patches at a large organisation. Constant monitoring of all network traffic in real time, establishing what was normal, and then reacting quickly to all abnormal activity was seen as key to closing down attacks.
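The two controls recommended above, a whitelist of approved connections and a baseline of normal traffic against which abnormal activity is flagged, can be combined in a small detector. The following is an added example written for this page, not code from the roundtable or from any of the vendors named; the flow records, hosts, ports and the allowed-port list are all constructed, and the anomaly rule (a z-score on bytes sent per host, plus ports never seen for that host) is a deliberately simple stand-in for a production analytics platform.

```python
"""Added example: whitelist plus baseline-and-deviation detection over flow logs.

Records are "src_ip dst_port bytes_out" per line. All data below is constructed
for illustration; nothing here comes from the article or a real network.
"""
from collections import defaultdict
import statistics

# Constructed "learning period" traffic used to establish what is normal per host.
BASELINE_LOG = """\
10.0.0.5 443 1200
10.0.0.5 443 1500
10.0.0.5 53 120
10.0.0.7 443 900
10.0.0.7 22 400
10.0.0.5 443 1300
10.0.0.7 443 1100
"""

# Constructed "live" traffic to be checked against the baseline.
LIVE_LOG = """\
10.0.0.5 443 1400
10.0.0.5 4444 90000
10.0.0.7 443 1000
10.0.0.9 443 800
"""

# Hypothetical whitelist of approved destination ports (category approval
# would map a port/service to an approved category instead of a bare port).
ALLOWED_PORTS = {22, 53, 443}


def parse_flows(text):
    """Parse 'src port bytes' lines into (src, port, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, port, nbytes = line.split()
        records.append((src, int(port), int(nbytes)))
    return records


def build_baseline(records):
    """Per source host: the set of ports seen and the mean/stdev of bytes per flow."""
    ports = defaultdict(set)
    sizes = defaultdict(list)
    for src, port, nbytes in records:
        ports[src].add(port)
        sizes[src].append(nbytes)
    return {
        src: {
            "ports": ports[src],
            "mean": statistics.mean(sizes[src]),
            "stdev": statistics.pstdev(sizes[src]),
        }
        for src in ports
    }


def detect(records, baseline, allowed_ports, z_threshold=3.0):
    """Return (src, port, reason) alerts for whitelist breaches and baseline deviations."""
    alerts = []
    for src, port, nbytes in records:
        if port not in allowed_ports:
            alerts.append((src, port, "port not whitelisted"))
        profile = baseline.get(src)
        if profile is None:
            # A host with no history cannot be compared; surface it for review.
            alerts.append((src, port, "unknown host"))
            continue
        if port not in profile["ports"]:
            alerts.append((src, port, "new port for host"))
        # Guard against a zero stdev (host that always sent the same size).
        stdev = profile["stdev"] or 1.0
        if (nbytes - profile["mean"]) / stdev > z_threshold:
            alerts.append((src, port, "volume anomaly"))
    return alerts


def run():
    """Build the baseline from the learning log and check the live log against it."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect(parse_flows(LIVE_LOG), baseline, ALLOWED_PORTS)


if __name__ == "__main__":
    for src, port, reason in run():
        print(f"ALERT {src} -> port {port}: {reason}")
```

The ordinary flows (10.0.0.5 and 10.0.0.7 to port 443 at their usual sizes) produce no alert; the one large flow to an unapproved, never-before-seen port trips all three rules, and the host with no baseline is flagged for review rather than silently scored. In a real deployment the baseline would be refreshed on a rolling window so that legitimate changes (new services, patch cycles) do not remain anomalies forever.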
Resources to tackle a 24-hour opponent, and the skills gap in finding the right staff at smaller enterprises, were also raised as issues, with one delegate asking, “I just don’t have the time or the staff to thoroughly investigate all our log files – what should I do?” Unsurprisingly, Colley suggested that the solution might well be to outsource to an organisation that did have the resources in place, such as a cloud provider, which would also take the focus of any attack away from the target company.

On a straw poll, half of the delegates said that they would use or were using cloud services, and half did not feel confident about outsourcing to a cloud provider due to security concerns – or, in the case of smaller concerns, a perception that the cost may be too high.
Also tune in to SC's APT eConference on 17 February 2015