K.S. Rajan (30 Apr 2012)
"Advanced persistent threats: ‘like jewel thieves’"

Interesting article on Advanced Persistent Threats (APTs) in the corporate/civil sector world.

From Wednesday's FT, FYI,
David
April 24, 2012 11:56 pm
Advanced persistent threats: ‘like jewel thieves’
By Ajay Makan
Every IT security specialist has a different analogy to describe advanced persistent threats (APTs) – guided missiles not lobbed grenades, and jewel thieves not opportunistic burglars are two of the most popular – but the underlying point is always the same. The perpetrator of an APT is after a specific piece of information from a particular company and will keep coming back.
Since the Stuxnet computer worm – believed to have been created by a government agency – caused physical damage to an Iranian uranium enrichment facility in 2010, the spectre of determined groups of hackers launching sustained precision attacks, which can have “real-world” consequences, has become a bigger worry for business.
The threat is magnified by its unpredictability. Depending on who you talk to, APTs can come from “state actors” or independent hackers, target email accounts remotely, or impersonate IT officers. They can also target any link in the information chain, with back office processing businesses often targeted, to gain access to client data. Given the range of targets and methods, many companies are, perhaps unsurprisingly, ill prepared.
“The resources employed inside organisations are not adequate to defend against the volume and nature of attacks coming in,” says Lawrence Pingree, director of security technology research at Gartner, an IT analyst company. “At many companies, breaches or attempted breaches can go undetected for months until a security team gets around to reviewing a backlog of cases, and it becomes clear an APT is taking place.”
The “new paradigm” of APTs is putting pressure on companies to increase spending on technology security, in particular on detection and monitoring systems, which can immediately analyse attempted security breaches and decide if they are linked.
Faced with this pressure, corporate IT officers can feel besieged. But that, in turn, is leading to something of a backlash.
“IT security companies have an interest in marketing APTs as a new kind of threat,” says Don Coglianese, North America security officer at Capgemini, a consultancy. “But it’s not actually clear whether everything being labelled an APT is actually a targeted attack.”
Mr Coglianese, who is in charge of security for Capgemini’s internal computer network in the US, says the volume of attempted security breaches logged by the company’s monitoring systems has increased significantly in recent years. But despite reviewing attacks, he thinks the company is yet to be the target of what he would define as an APT.
Further questions arose after RSA, an information security provider, appeared to succumb to an APT itself last year. RSA tokens, which are used by employees of its clients to access their IT systems remotely, were linked to an attack on the system of Lockheed Martin, a defence contractor. The RSA breach appears to have changed the way some companies think about technology security services.
“For many companies,” says Chris Harget, a senior marketing manager at ActivIdentity, a competitor of RSA, which provides secure identity cards that control access to buildings and IT systems, “investing in technology security is about comfort, which means the assumption has often been that if you are spending more you are more secure.
“But, after RSA, some clients have asked more questions about how our products will protect them,” Mr Harget says.
That may pave the way for “second tier” technology security companies that offer more affordable packages.
Other technology security companies are trying to reassure clients by downplaying the threat of APTs.
“APT is basically a definition that has emerged in the industry, to differentiate from early technology threats, which tended to be quite simple, in terms of what they targeted and how they were executed,” says Michael Callahan, vice-president of enterprise security products at Hewlett-Packard. “It’s important for clients to realise this is not something completely new or different.”
Arcsight, which is HP’s enterprise security business, gathers data on breaches to give clients a view of how they are being targeted.
But the company then asks clients to identify areas of the business where security is vital – payment transactions, or intellectual property for example – and then seeks to guarantee a minimum level of security in those areas.
This might sound like a sensible approach at a time when it is increasingly difficult to seal off a company from threats altogether. But other security providers are quick to counter that investors will not look kindly on public companies that concede ground on security in any part of the business.
Mr Harget says: “If you’re the chief financial officer of a publicly traded company and you have a fiduciary duty to your shareholders to take action to protect your intellectual property, you’re leaving yourself very vulnerable if you don’t make investments in security technology.”
Copyright The Financial Times Limited 2012.