In a closed-door summit on advanced persistent threats, CISOs, CIOs and CEOs revealed that their organizations had been breached at least once by sophisticated attackers intent on stealing sensitive information. Several admitted they wouldn't be able to tell if they had been attacked.
More than 100 C-level executives from major organizations attended the Summit on Advanced Persistent Threats in Washington, D.C., last July and candidly discussed what they were doing about cyber-security and targeted attacks, Eddie Schwartz, chief security of RSA Security, EMC's security division, told eWEEK. On Sept. 13, trade group TechAmerica and RSA released key findings summarizing the discussion between forum attendees. An in-depth report is expected in October.
Schwartz said he was surprised at how pervasive APT activity is. "Literally everyone had something to say," he said, noting that many of the executives discussed incidents they had not yet disclosed publicly even though customers may be affected.
"The frequency and volume of attacks have reached pandemic levels," Schwartz said.
Security professionals from government agencies and the private sector acknowledged that they must assume they are already compromised, Schwartz said. Organizations have to plan and act as though they already have a breach, and act accordingly to minimize the time the attackers are in the network undetected and to limit damage.
The perimeter defense, of trying to block all incoming threats, doesn't work when there are so many ways for attackers to get in, Schwartz said. Instead, an organization has to ensure the "crown jewels" are protected at all times, especially since attackers are now targeting "people" with spear phishing attacks instead of breaking into systems.
Schwartz knows what being in a "state of compromise" feels like. In March, RSA disclosed that unknown attackers had breached its systems and stolen sensitive information relating to its SecurID two-factor authentication technology. The information was later used to launch follow-up attacks on several defense contractors in May.
RSA talked about what had happened with the breach and also "listened to everyone else talk," Schwartz said, adding that being able to hear what other executives were doing and experiencing gave attendees some ideas on what to implement in their organization.
There was a significant "level of shared concerns" among the attendees, which was a clear indicator that these kinds of attacks, while not new, are more pervasive than originally perceived, Schwartz said. More organizations are experiencing attacks, and there is a "growing willingness" to talk about it, he added.
The bad guys are better at information sharing and much faster at analyzing data, Phil Bond, CEO of TechAmerica, told eWEEK. In contrast, companies have a hard time sharing information or discussing incidents with the larger community. In many cases, organizations may be held liable for information shared with third parties because it would violate privacy regulations, even if it were for security purposes, Bond said. There needs to be some tweaks in policy to make it easier for companies to share information with the security community and with the government.
Attendees also acknowledged that cyber-incidents shouldn't just be handled by the security team, but need to be embedded in the organization's overall strategy. Just as the executives plan for natural disasters and sudden downturns in the stock market, cyber-attacks need to be treated as a disaster and all major divisions need to be included in the preparation for defense and incident response, Schwartz said.
Organizations have all conducted some form of employee training or awareness programs, but the traditional programs are generally perceived as being a waste of money, according to Schwartz. Employees do not see the relevance of the training, and the programs do "not make them want to follow the rules," Schwartz added.
Some organizations are taking "forward-leaning approaches" to training, such as running scenario-based "war-games" style of training, where users are actually compromised and then called in to face the consequences, Schwartz said. The employees are shown exactly how a specific action, such as opening an unknown file, results in specific amount of money lost, employees laid off or even someone injured, he added.