Targeted attacks aimed at stealing data from companies continue to worry information-security professionals, as limited resources and complex technology continue to hobble their efforts to defend against so-called advanced persistent threats (APTs), according to a survey released Dec. 3.
Companies discovered an average of nine successful targeted attacks in their networks in the past year and took an average of 225 days to detect the attacks, according to the survey of 755 IT and security professionals. Almost all the attacks incorporated malware and more than half used a phishing attack or other social engineering technique to compromise the network, according to the survey, published by the Ponemon Institute and funded by recent IBM acquisition Trusteer, an endpoint protection firm.
Most telling, 63 percent of the polled professionals discovered the sophisticated attacks by accident.
“Security folks see that this is an increasing problem, it is going to get worse, and they don’t have the appropriate technologies nor budget to detect and fight these things,” George Tubin, senior security strategist at Trusteer, told eWEEK.
Theft of data and trade secrets has become an increasing concern for security professionals, following a number of high-profile incidents in the past few years. In early 2010, Google announced that its network and those of more than two dozen other companies had been breached by Chinese hackers using sophisticated attacks. The following year, security firm RSA revealed that attackers, also thought to be from China, had breached its systems, reportedly taking a database of secret codes that its SecurID technology used to generate pseudo-random keys.
Nation-state attackers are not the only ones to use sophisticated methods. Increasingly, cyber-criminals are employing social engineering and customized, or targeted, malware to compromise corporate networks.
While some attackers exploit unreported vulnerabilities in software, also known as “zero days,” to compromise their targets, most intruders can use recently discovered security issues, because companies are not effectively patching the vulnerabilities, according to the Ponemon report. Part of the reason is that security professionals have difficulty determining whether Oracle’s Java and Adobe’s Acrobat, two widely used programs, are fully patched. Three-quarters of companies continued to allow employees to use vulnerable programs when security patches were unavailable.
“It’s the vulnerabilities in certain applications that the bad guys are using to install their malware,” Tubin said. “Adobe and Java and these popular applications are constantly having new vulnerabilities exposed, and that is allowing attackers an opportunity.”
Fewer than a third of security professionals believed that they had the budget to deal with advanced persistent threats, while only 35 percent of respondents said they had the personnel to deal with cyber threats, according to the survey.