Executives Take a Hands-Off Approach
Almost 20 percent of IT executives admitted that unusual software found on the endpoint crashed company networks. Even so, more organizations appear to be adopting less stringent policies regarding software downloads, Bit9 found. Executives have become "hands-off" in their software usage policy during the past three years, as the number of organizations with relaxed software rules increased 12 percent since 2010. About 79 percent of the respondents said their organizations allowed employees to connect any kind of removable storage device, including USB drives, to work computers. Nearly 30 percent said employees could use personal mobile devices to connect to the company intranet site.
Anup Ghosh, founder and CEO of Invincea, said customers are overly concerned about APTs. "We're not that concerned with commercial malware; it is the APT stuff that scares us," said Ghosh, referring to his company's customers. Organizations don't seem to "understand that virtually all malware has the potential to damage a company, to pilfer intellectual property, to expose their brand to irreparable harm, to cost them untold millions," said Ghosh. "Malware used in most of the APT attacks we've seen recently isn't really all that nefarious; it's just the new stuff on the market," said Ghosh.
Bit9's findings about organizations not actually acting on their concerns are consistent with another report from Tenable Network Security. In a survey of security professionals who attended the Gartner Security and Risk Management Summit in June, Tenable found that while 90 percent of the professionals polled discussed large-scale, high-profile breaches with senior management, only 23 percent did anything beyond those talks. Nearly 85 percent of the attendees at the Gartner summit considered APTs a real concern, but only 28 percent pegged them as one of the top concerns for their business.
Ron Gula, CEO and CTO of Tenable, called the survey results a "clear sign" that the majority of security professionals are getting by on "just good enough security" that complies with an audit but doesn't actually provide meaningful security.
APTs are stealthy and often exploit zero-day vulnerabilities for which defenses are not currently available. However, as the recent analysis by F-Secure of the malicious spreadsheet that took down RSA revealed, the mechanism wasn't all that sophisticated. It wrapped an exploit in a creative way around a zero-day vulnerability.