What is an APT – and how do you explain it to the board?
Today SC Magazine hosted its second roundtable in central London this year with a look at advanced persistent threats (APTs) and what was most striking was that, even among the most senior and celebrated IT security managers, there remains a difference of opinion on what actually constitutes an APT.
One CISO, working for a UK-based charity, said at the roundtable: “The puzzling thing is that APT sort of reinvents itself every few years.”
Another delegate said that this is often compounded by APTs being used in marketing campaigns by security vendors, and questioned whether “Persistence” really means an attacker that keeps coming back or malware that persists on the network.
Asked by this reporter how information security managers can adequately relay the APT threat to the boardroom if industry professionals themselves are divided – an information security head for a multinational firm answered: “Don't talk about APTs – you will get thrown out the room. You need to talk about the risk to the business.”
Delegates also disagreed about whether their organisation was likely to have been breached, splitting 50:50. It was also recognised that different companies had different appetites for risk. They did agree that it was advisable to assume a breach had occured, and plan and react accordingly. They also agreed that while regulation and compliance may rase base level security standards, they would not provide security, let alone a solution to APTs.
Among main points of advice were to monitor traffic on your network to the extent that you know what is normal, so that you are able to identify abnormal. Consider whitelisting of apps and software allowed to execute on the network, preferrably using policy-based approaches; get a remediation plan in place and practice it. Train and re-train staff on awareness - and use hard technical fixes to restrict ability to download software, including IT staff where practical. And - be aware that there is no silver bullet that provides the answer to preventing APTs. Ongoing vigilence is essential. And if you can't do it yourself, outsource to someone who can.
In the same week, security researchers at Kaspersky Lab detailed how the ‘Dark Hotel' APT has been stealthily targeting travelling business execs – via hotel Wi-Fi – to steal intellectual property. A Korean threat actor is behind the malware which is still active.
For more details on our upcoming roundtables, please click here.
The latest TLS vulnerability
Microsoft rolled out 14 security patches on Tuesday, including four rated as ‘critical' and eight described as ‘important', as part of its Patch Tuesday programme.
The former specifically relates to a bug in the Microsoft secure channel (SChannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols used to handle encryption and authentication in Windows – including on HTTP applications.
According to the Microsoft advisory, the MS14-066 flaw is brought about by the “improper processing of specially crafted packets”, which could in turn be exploited by attackers remotely executing sending malicious traffic to a Windows-based server.
There is no workaround for the bug, which affects both servers (Windows Server 2003, 2008 and 2012) and desktop devices (Vista, windows 7, 8, 8.1 and Windows RT). Microsoft says that there are no in-the-wild exploits as it stands.
Notably, this isn't the first vulnerability against the TLS stack over the last year. Apple's Secure Transport, Open SSL, NSS, GNU TLS and now SChannel have had varying level of vulnerabilities – with Open SSL (Heartbleed came from a programming mistake in the Open SSL implementation of the TLS/DTLS 'heartbeat' extension) undoubtedly the worst.
Other patches were released for serious bugs with OLE and Internet Explorer, which affected all versions back to IE 6.0.
EU Generation Data Protection remains a concern
On Thursday, security vendor Ipswitch announced the results of an online survey designed to test the attitudes of IT professionals towards regulation and - specifically – the EU General Data Protection Regulation, which is pencilled in to launch across 28 member states early next year.
Some of the headline stats make for ‘frightening' reading; approximately 56 percent of respondents could not accurately identify what GBPR means while more than half (52 percent) admitted that they were not ready for the regulation. More than a third (35 percent) confessed to not knowing whether their IT policies and processes were up to date, and only 12 percent felt ready for the change.
A further 64 percent of respondents also conceded they had no idea when this regulation is due to come into effect – with only 14 percent correctly identifying that the GDPR is due to come into effect in late 2014/early 2015. SCMagazineUK.com understands that regulators are currently aiming for May.
This is a massive problem, as, before the regulation – regardless of delays and challenges – there are massive business repercussions that can't be ignored, chief among them the 72-hour data breach notification and fines of up to five percent of global turnover.
NHS hit by six data breaches a day...for three years
Civil liberties pressure group Big Brother Watch this week released a new research report – based on freedom of information (FOI) requests – which revealed that there were at least 7,255 data breaches across the NHS between April 2011 and April 2014.
The firm added that there were at least 103 instances of data theft or loss during the period, and at least 124 instances relating to IT systems. Furthermore, there were 236 instances where data was shared inappropriately via email, letter or fax – and 50 instances of this being posted on social media. Data was shared with third parties inappropriately 251 times. There is one court case pending, relating to an infringement of the 1998 Data Protection Act.
All of this will come as no surprise to many – the NHS has had porous security before, from data theft to missing laptops, and in June the ambulance service reported private content had been published online. Such revellations are likely to fuel the public's hesitancy to adopt the now-delayed care data programme, which aims to collect patient data at GP offices.
For the rest of this week's news coverage on SCMagazineUK.com click here.