Advanced persistent threats (APT) are those threats that use complex methods to proactively infiltrate data and compromise the integrity of a network over an extended period of time. Initial entry into a network may be achieved through zero-day vulnerabilities, SQL injection, social engineering, or a combination of the three (Symantec, 2014). Once a breach has occurred, APTs may recompile malware code and utilize encryption to ensure that the infiltration persists, undetected (CSEC670, 2012).
Advanced Persistent Threats have a severe impact on cybersecurity in that they are very difficult, if not impossible, to get rid of. APTs may replicate or attach malicious code to other, usable applications in order to achieve their result (Kessler, 2013). APTs are an ideal method for gathering intelligence or intellectual data on individuals or organizations, a feat beneficial to industrial competitors. Operation Aurora was a prime example of an APT, where the networks and information systems of 30 U.S. companies, to include Google, Adobe, and Microsoft, were targeted. Aurora spread quickly, infiltrating peripheral applications and enabling it to access greater amounts of proprietary, financial, and personally identifiable information (Bradbury, 2010).
The mitigation of Advanced Persistent Threats will require comprehensive, multi-phased defenses. First and foremost, organizations must assess the risks and vulnerabilities associated with their network. Risk assessments aid company leadership in determining vulnerabilities and the severity of the threat that each vulnerability poses to the organization as a whole. Access control is extremely critical. Organizations must place a firm focus on least privilege access and separation of duties. An extensive training program, educating users on operational security and the risks of social engineering, will reinforce access policies (Smiraus & Jasek, 2011). Preventive measures, such as sensitive intrusion detection/prevention software and storing the organization's most critical data separate from a public network, will also lend added defense against APTs.
Candy Seigl Wrote:
One of the fastest growing areas of vulnerability within the cybersecurity realm is the area of social networking. This is for a few big reasons. There is the technical aspect of it, and as with the rest of cyberspace so it is with social networks: if there is a way to transmit data from one person to another on the medium, then there is a means to transmit bad code from one person to another as well, and what better way than along one of the most widely used and popularly shared websites of all time. Add to this that by the very nature of social media, it is a massive database for any would-be cyber-criminal to data mine to their heart's content for whatever it is that is their poison, whether it be young children to seduce, government/military employees to extract information from, or who is going on vacation soon so they can steal the new TV they just posted. This is where the bigger issue of social networks comes into play, the human issue, the issue that cannot be mitigated very well. No matter how much educational material is put out about the caution to be taken with social media, the human psyche cannot seem to understand that the one that dies with the most Facebook friends does not win; and that a Facebook friend that you do not know in person is not a friend, they're a liability. Besides the technical aspect of social media, and the nature of social media being a massive database of information that can be mined with the right tool sans a person's permission, the human aspect of putting too much information out there, being too friendly with too many people you don't even know, and being easily coerced in an email, chat, or VoIP conversation to give out way too much personal, proprietary, confidential or classified information is very high. Entire battles, personal, family, business and yes…even corporate and governmental are played via social media.
One of the most used tools of the intelligence sector of many countries is actually social media for intel gathering, which shows how powerful a tool for extracting too much information it can be.
John Scot Wrote:
A global threat halfway around the world has the same weight as one that originates across the street. Organizations are usually attack-location agnostic in regard to mitigation policies. Organizations also need to take into account the possibility of an attack from within. For example, as an organization grows, so does the risk that a disgruntled employee or business partner will gain access to sensitive information (Thorpe, 2006). Therefore, typical organizational vulnerabilities matter more than whether or not they are on a "global level." The following are some vulnerabilities an attacker might choose to exploit:
· Examples of possible vulnerabilities exploited from within:
· Access and privilege vulnerabilities such as weak password management.
· Examples of vulnerabilities exploited from external sources:
· Exploitation of vulnerable workstations and/or servers not up-to-date on bug fixes or OS security patches.
· Weak security policies that do not educate employees on phishing attempts or hidden malicious code in attachments.
· Examples of vulnerabilities from insufficient extranet security:
· Physical security vulnerabilities at data or server locations that might result in resource or data loss.
· Network vulnerabilities such as insufficient firewall configurations.
Three examples of security policies that would mitigate the above risks are:
1. A strong password management strategy
2. Operating system patch update management policy and plan
3. A workstation security policy that outlines measures to protect workstations.
Amy Martin Wrote:
A vulnerability assessment, according to Goodrich & Tamassia, is the practice of ascertaining flaws in any part of a cyber-system, flaws that if exploited may impact the security of the entire system, to include the operating system, the application software, programming language flaws or the configuration of network devices (2011). These are extremely important in the cyber-world to ascertain security exposures before would-be malicious attacks occur (Boyce, 2001). In addition, physical system components, access to system areas, portable media use and organizational policies are all areas examined during a vulnerability assessment. Assessments should occur on a routine basis. Large organizations should implement scan assessments monthly due to the sheer amount of network, social and personnel interactions that may occur on systems. Smaller organizations, however, should perform routine assessments quarterly.
The key steps of vulnerability assessments include weakness detection, isolation, notification and remediation (Vacca, 2009). Prior to detecting vulnerabilities, documentation must be in place and a process must be defined for detection to occur. The documented plan clearly outlines the scope, prioritized schedule, personnel roles, implementation plan and change management process. Detection steps include system evaluations (port scanning, service scanning, network foot-printing, penetration testing, password cracking, social engineering), policy review and personnel interviews (Boyce, 2001). Upon detection, affected areas are to be isolated to safeguard against breaches during the assessment. After scans and review are completed, areas of vulnerability are clearly identified and reported to management and the responsible parties for evaluation. The vulnerability assessment report includes threat identification, vulnerability identification, and the quantity and location of vulnerabilities. Additionally, the report contains an aggressive action plan for weakness remediation and mitigation (Parks, 2007). Without this type of reporting, reporting that is clear, concise and useful, the actual assessment is relatively worthless (Vacca, 2009). Finally, risk and cost impacts are evaluated, and vulnerabilities are addressed by whatever means an organization deems necessary and lawful.
It bears mentioning that the Gramm-Leach-Bliley Act (GLBA) dictates that all financial institutions protect customer data with secure systems and safeguards. In order to maintain the security of data, vulnerability assessments are essential to maintaining the compliance of organizations with GLBA. There are also industry standards that require vulnerability testing in some areas, such as PCI DSS – this ensures the protection of customer credit card data.
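As an added illustration of the workflow Amy describes (this is example code written for this page, not from any of the posts or the cited sources), the script below takes constructed scan findings and produces the report fields named above: what was found, how many, where, which hosts to isolate, and a prioritized action plan, plus the monthly/quarterly cadence. The severity ranking and remediation windows are assumptions, not values from the post.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample findings standing in for scanner output; hosts, ports
# and issues are made up for this example and refer to nothing real.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "port": 22, "service": "ssh",
     "issue": "weak password policy", "severity": "high"},
    {"host": "10.0.0.5", "port": 80, "service": "http",
     "issue": "web server missing security patches", "severity": "critical"},
    {"host": "10.0.0.9", "port": 445, "service": "smb",
     "issue": "OS security patches not applied", "severity": "critical"},
    {"host": "10.0.0.12", "port": 3389, "service": "rdp",
     "issue": "firewall permits inbound from any source", "severity": "medium"},
]

# Assumed prioritization order and remediation windows in days (not from the post).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def build_report(findings, assessed_on):
    """Detection -> isolation -> notification: turn raw findings into the
    report fields the post names (threat/vulnerability identification,
    quantity, location) plus a prioritized action plan with a due date each."""
    hosts_to_isolate = sorted({f["host"] for f in findings
                               if f["severity"] == "critical"})
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))
    plan = [dict(f, due=assessed_on + timedelta(days=REMEDIATION_DAYS[f["severity"]]))
            for f in ordered]
    return {
        "assessed_on": assessed_on,
        "quantity": len(findings),
        "by_location": dict(Counter(f["host"] for f in findings)),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "isolate": hosts_to_isolate,
        "action_plan": plan,
    }


def next_assessment(assessed_on, large_org):
    """Cadence from the post: monthly for large organizations, quarterly for
    smaller ones (30 and 90 days assumed here)."""
    return assessed_on + timedelta(days=30 if large_org else 90)


if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS, date(2024, 1, 8))
    for item in report["action_plan"]:
        print(f'{item["due"]} {item["severity"]:8} {item["host"]}:{item["port"]} {item["issue"]}')
    print("isolate:", report["isolate"], "next:", next_assessment(date(2024, 1, 8), True))
```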