March 12, 2012
—
CSO
—
Every couple of years the security world faces its version of Jason or Freddy or Ghostface, some malevolent force that aims to end life as we know it. From the worm to the virus to the Trojan horse to phishing to SQL injection to the Zero Day Exploit, these serial killers build on one another and torture the dreams of CSOs.
Now, we face a malicious threat made worse by its malignant name: the Advanced Persistent Threat.
Clearly, the names of these security threats have gotten less interesting with time. But every CSO can spell APT. So can every security marketer, and they tend to stamp the label on everything in sight.
Partly that's because a string of high-profile companies have suffered losses from APTs. Google, among the most vaunted names in technology, suffered an APT. RSA—a fabled name in security itself—confessed that some advanced and very persistent hackers not only threatened it but also made off with information related to its SecurID line of products. The Internet Security Alliance told companies in the defense industry that APTs were "a near-existential threat," back in 2009.
Despite such dire words, the defense industry persists, thrives even. And at least one CSO dismisses the term "APT" as a lot of marketing hype.
"The phrases that security vendors want to scare you to death with are kind of new, but this is stuff you should've been worried about as a CSO eons ago," says Ken Pfeil, CSO at Pioneer Investments, an investment management firm in Boston.
Notice that Pfeil does not say advanced persistent threats don't exist. They do, and he thinks CSOs should be worried about them. What gets him going is the idea that there's a simple product one can buy to keep a company safe. When he talks with CSOs, he says, "a lot of them are not very technical, and they buy into vendor speak: 'If you buy this product it's going to protect you from APTs.'"
It's a natural human reaction to think that when a problem arises, a clever technologist will come up with a product to counteract it. Unfortunately, no single product can stop an advanced persistent threat. "What it means, in layman's terms, is, 'we got hacked,'" Pfeil says.
He says advanced persistent threat gives CSOs public relations cover; something like, "They used an advanced persistent threat to compromise some insecure channels to gain access to blah blah blah" sounds more forgivable than "we got hacked, and they got all our data."
What is an APT?
The National Institute of Standards and Technology provides a detailed definition:
"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating (i.e., transporting it from internal networks to external servers) information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives."