IT Security Pros Worry About APTs, but Can't Change User Behavior

By Fahmida Y. Rashid  |  Posted 2011-08-31

While security professionals are worried about targeted attacks against their company, IT professionals are not putting enough safeguards in place to defend against them, according to a new report. In many businesses, employees are allowed to indulge in risky IT security behavior even though it leads to data breaches from the outside.

About 60 percent of IT and security professionals in the United States, Canada and Europe claimed their main concern was being hit by an advanced persistent threat (APT), according to the Bit9 Endpoint Security Survey, released Aug. 30. Insider threats, such as an employee posting sensitive information to external sites such as WikiLeaks, were the second most important, at 28 percent.

Company executives were worried about targeted attacks, similar to the tactics used against RSA Security and some defense contractors earlier this year, the survey found.

The Bit9 report also found that 26 percent of organizations were worried about vendor partners being compromised, such as what happened with Epsilon and other smaller vendors earlier this year. Finally, a quarter of the respondents were worried about a cloud application breach, similar to what happened with various Sony properties this spring.

However, the survey found a significant disconnect between these concerns and what businesses were doing to keep dirty software or malware from infecting their systems.

Half the companies surveyed either had an open software environment, which allowed employees to download and install whatever software they wanted, or relied on an "honor system" for employees to comply with written policy regarding unauthorized software applications.

These companies did not have any mechanisms in place to enforce their own security policies or monitor what was being installed. In fact, 51 percent of the companies had an open environment, Bit9 found. The most common unauthorized applications on endpoints were digital music sites like iTunes, social media and instant messaging software.

"Companies are increasingly worried about advanced persistent threat attacks, but they continue to engage in risky behaviors," said Tom Murphy, chief strategy officer of Bit9.

Executives Take a Hands-Off Approach


Almost 20 percent of IT executives admitted that unusual software found on the endpoint crashed company networks. Even so, more organizations appear to be adopting less stringent policies regarding software downloads, Bit9 found. Executives have become "hands-off" in their software usage policy during the past three years, as the number of organizations with relaxed software rules increased 12 percent since 2010.

About 79 percent of the respondents said their organizations allowed employees to connect any kind of removable storage device, including USB drives, to work computers. Nearly 30 percent said employees could use personal mobile devices to connect to the company Intranet site.

APTs are stealthy and often exploit zero-day vulnerabilities for which defenses are not currently available. However, as the recent analysis by F-Secure of the malicious spreadsheet that took down RSA revealed, the mechanism wasn't all that sophisticated. It wrapped an exploit in a creative way around a zero-day vulnerability.

Anup Ghosh, founder and CEO of Invincea, said customers are overly concerned about APTs.

"We're not that concerned with commercial malware; it is the APT stuff that scares us," said Ghosh, referring to his company's customers.

Organizations don't seem to "understand that virtually all malware has the potential to damage a company, to pilfer intellectual property, to expose their brand to irreparable harm, to cost them untold millions," said Ghosh.

"Malware used in most of the APT attacks we've seen recently isn't really all that nefarious; it's just the new stuff on the market," said Ghosh.

Bit9's findings about organizations not actually acting on their concerns are consistent with another report from Tenable Network Security. In a survey of security professionals who attended the Gartner Security and Risk Management Summit in June, Tenable found that while 90 percent of the professionals polled discussed large-scale, high-profile breaches with senior management, only 23 percent did anything beyond those talks. Nearly 85 percent of the attendees at the Gartner summit considered APTs a real concern, but only 28 percent pegged it as one of their top concerns for their business.

Ron Gula, CEO and CTO of Tenable, called the survey results a "clear sign" that the majority of security professionals are getting by on "just good enough security" that complies with an audit but doesn't actually provide meaningful security.


