Is APT the new PCI?

Some suggest the vendor community is using the APT acronym so much it's losing all meaning like PCI before it. Sadly, they're right.

Two things bring this to mind: A George Hulme article on the Advanced Persistent Threat and a little exchange I'm watching on Twitter between 451 Group head security analyst Josh Corman and security-privacy-compliance expert David Mortman:

@joshcorman: PSA: When everything is an APT, nothing is. #TooEarlyForThisTweet?

@mortman: APT is the new PCI ... which was the new SOX, which was the new HIPAA, which was the new zomg H@(K3R7...

@joshcorman: Did you also notice? People say "APT" just like they'd say "Keyser Söze."The greatest trick the Devil ever pulled was convincing the world he didn't exist. And like that, poof. He's gone." Keyser Söze

@joshcorman: I'm not an "APT Denier" We just need to be sparing/accurate in it's use. And I prefer "Adaptive Persistent Adversary"

I blame the security vendors for this sort of thing. Whenever people start to get nervous about a particular threat or regulation, the vendors are like sharks who smell blood in the water. Next thing you know, EVERYTHING is a PCI or APT issue and EVERYONE seems to have a product for that.

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

Along the way, the acronyms start to lose all meaning. They just float around like the little pasta letters in alphabet soup.

The point is made a number of times in George's article, which is about the re-emergence of the APT acronym in the face of the RSA breach. One security analyst told him:

"Everyone puts their own spin on the APT depending on whatever they're selling. If the vendor is in the social networking security space, they detail the APT as a social networking threat. If they're in anti-virus, they're play up the malware aspect of APT.In that sense, the security vendors are making the term meaningless."

In other words, when everything is an APT, nothing is.

I don't pretend to have the answers. But as someone who's been covering security for seven years, I've seen how slinging around certain words and acronyms can do more harm than good.

The best example is when every vendor who claimed to find a new threat would call it something starting in "ph" a la phishing, phreaking and phlooding. Of those three "ph" words I just mentioned, phishing is the only one I can define.

The acronyms are a lot more specific -- until vendors get their hands on them.

Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat Unit, told George: "(APT)has been going on for so long now, if there was information these groups were after they probably got it a long time ago." Stewart and most experts defined the APT, when asked, as a highly skilled, motivated and financially backed attacker who is targeting a specific organization.

Some see APT as little more than marketing. "APT is part marketing FUD [the creation of Fear, Uncertainty and Doubt], and partly an attempt to categorize the increasing abilities of the attacker," says Pete Lindstrom, research director at research firm Spire Security. "In fact, it's looking like a brand-new excuse. It's just not as embarrassing to be breached by an APT as it is some scriptkiddie."

I don't pretend to have the solution to the acronym over-use problem. It's easy to see how this sort of thing happens.

We just need to be aware and minimize it.

Of course, that's easier said than done.

--Bill Brenner

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Healthcare records for sale on Dark Web