To understand the present cybersecurity landscape, ISACA studies APTs in relation to previous types of threats. They are characterised by stealthiness, adaptability and persistence. For example, while traditional cyberthreats will try to exploit vulnerabilities and, when unsuccessful, move on to something less secure, APTs persist.
APTs are executed by determined groups that have the resources available to launch zero-day attacks on enterprises, making it hard to defend against them. More than one in five enterprises have experienced an APT attack, according to a recent global survey conducted by ISACA.
Spear phishing is a very common method used by those launching APTs as an entry point into an enterprise. Email filters are often not effective enough to identify these well-designed communications, and it takes just a single user tricked into clicking a link or opening an attachment for an APT to execute the first phase of an attack. Adding the human factor to a threat class that does not prey on known vulnerabilities makes prevention even more challenging.
This is also depicted in the European Network and Information Security Agency (ENISA) Threat Landscape 2013 Report, in which 'drive-by download' holds the first position in the top 15 threat list.
In such attacks, vulnerable web sites are infected with malicious code. When users visit an infected site, the code scans their devices for vulnerabilities and, if it finds one, installs malware on the device. The human factor in such attacks is visible on two sides: the lack of awareness of the end user, and the owner of the vulnerable web site who did not address its vulnerabilities.
Built from the ground up
As in information security, cybersecurity heavily depends on factors that reside on top of the technology layer. Thus, it is of crucial importance to create a holistic framework that takes every aspect into account. For our analysis, enablers from COBIT 5 are used to explain the means for achieving a holistic approach. COBIT 5 is a framework for effectively governing and managing enterprise information and technology.
Creating a cybersecurity policy is a fundamental step for ensuring that the framework binds to business objectives. An analysis of business dependencies on the cyberspace, together with the adoption of a risk-based approach, is necessary to understand cybersecurity needs, identify weaknesses and controls, and set priorities.
The adoption of such an approach also guides the identification of the impact of cyberthreats and demonstrates the contribution of a cybersecurity program to the business. The policy should clearly state the cybersecurity objectives for the business, its scope, governance principles, applicability, and management's commitment to supporting the initiative.
Creating the appropriate organisational structure is a crucial success factor. This can be achieved by defining cybersecurity management roles, the hierarchy and job descriptions within a cybersecurity department, and most importantly identifying interfaces with other corporate departments and assigning cybersecurity responsibilities.
The structure should be populated with professionals possessing the appropriate skills and competencies. The head of the department usually has a strategic role in ensuring that the cybersecurity strategy and its execution align with the business. Cybersecurity experts, depending on their expertise, implement risk assessments, design technology architectures, monitor and operate controls, and respond to incidents. External parties should be identified, including cybercrime units and the authorities, as well as expert associations and groups that provide support, services and state-of-the-art knowledge in cybersecurity.
In addition to defining the structures, roles and responsibilities, detailed processes targeted to cybersecurity should be developed. Indicatively, this involves processes for managing the framework, identifying and addressing vulnerabilities, monitoring controls, analysing events, identifying, classifying and eradicating attacks, conducting investigations and/or forensics, managing crisis situations, and improving cybersecurity controls based on the lessons learned.
For example, the incident response process should take into account all required phases, from preparation (e.g., building appropriate capabilities for incident response) to immediate action planning and execution (e.g., decision making, communication channels), investigation (e.g., breach analysis, handling of evidence) and complete resolution of the attack and its root cause (e.g., improvements, further actions with the authorities).
The tech toolbox
Technology capabilities play a vital role in cybersecurity. Based on the results of risk assessment, appropriate technologies and methods should be selected, building preventive, detective and reactive capabilities at a network, operating system, database and application layer.
In terms of technology, on top of well-known preventive controls such as intrusion prevention systems, application- and network-level firewalls, and identity management systems, focus should be given to monitoring controls such as log collection and analysis tools. These should provide quality information to the cybersecurity team rather than huge volumes of data in which important information is hidden by sheer size.
Especially in the case of APTs, strategies should focus on the timely identification of a breach and its eradication, since their continuously increasing sophistication and persistence increase the risk of bypassing prevention controls.
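As an added example of what "quality information rather than huge amounts of data" can mean in practice, the following Python script reduces a constructed outbound-connection log to the handful of source/destination pairs an analyst should look at first. It is not code from the article or from ISACA/COBIT material; the log lines are constructed, and the heuristic (flagging hosts that keep contacting one destination at very regular intervals, a pattern consistent with the persistence described above) and its thresholds are illustrative assumptions, not tuned values.

```python
"""Added example: reducing a volume of outbound-connection log lines to a short
review list. The regular-interval heuristic and the thresholds are assumptions
chosen for illustration, not a method taken from the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log, one record per line:
# "<ISO timestamp> <source host> <destination IP> <bytes sent>".
# The ws-17 entries are constructed to recur roughly every 5 minutes; the
# other entries are constructed as ordinary, irregular browsing traffic.
SAMPLE_LOGS = """\
2024-01-01T09:00:00 ws-17 198.51.100.20 512
2024-01-01T09:00:02 ws-03 203.0.113.5 90210
2024-01-01T09:00:03 ws-03 203.0.113.5 4410
2024-01-01T09:00:05 ws-03 203.0.113.5 120330
2024-01-01T09:01:00 ws-03 203.0.113.9 2048
2024-01-01T09:05:01 ws-17 198.51.100.20 514
2024-01-01T09:09:59 ws-17 198.51.100.20 512
2024-01-01T09:12:40 ws-03 203.0.113.5 77120
2024-01-01T09:12:41 ws-03 203.0.113.5 1300
2024-01-01T09:14:59 ws-17 198.51.100.20 520
2024-01-01T09:17:30 ws-22 198.51.100.20 3100
2024-01-01T09:20:01 ws-17 198.51.100.20 512
2024-01-01T09:25:00 ws-17 198.51.100.20 511
2024-01-01T09:30:00 ws-17 198.51.100.20 512
2024-01-01T09:35:00 ws-17 198.51.100.20 515
2024-01-01T09:41:00 ws-03 203.0.113.5 250400
2024-01-01T09:41:30 ws-03 203.0.113.5 8800
"""


def parse_logs(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping blank
    and malformed lines rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(size)))
        except ValueError:
            continue
    return records


def find_beacons(records, min_events=6, max_cv=0.1):
    """Return (src, dst, count, mean_interval_seconds) for every source/destination
    pair seen at least `min_events` times with highly regular spacing.
    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; at or below `max_cv` counts as regular.
    Both thresholds are illustrative assumptions."""
    by_pair = defaultdict(list)
    for ts, src, dst, _size in records:
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((src, dst, len(stamps), round(avg, 1)))
    return flagged


def summarize(text):
    """Reduce the raw log to the figures an analyst needs: how many lines came
    in, how many distinct pairs were seen, and which few deserve follow-up."""
    records = parse_logs(text)
    pairs = {(src, dst) for _ts, src, dst, _size in records}
    return {"lines": len(records), "pairs": len(pairs), "flagged": find_beacons(records)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    print(f"{result['lines']} log lines, {result['pairs']} src/dst pairs")
    for src, dst, count, avg in result["flagged"]:
        print(f"review: {src} -> {dst}: {count} connections, every ~{avg:.0f}s")
```

On the constructed input, 17 lines collapse to a single review item (ws-17 contacting 198.51.100.20 eight times at about 300-second spacing), while the busier but irregular ws-03 traffic is left out. In a real deployment the thresholds would be tuned against the organisation's own baseline, and a flagged pair is a prompt for investigation, not a verdict.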
Finally, focus on the human factor should be a priority, ensuring that appropriate training and awareness programs are in place and that a deliberate culture of security is cultivated. An attacker will obviously prefer the shortest path to a breach, and the human factor usually offers it through non-compliance and a lack of awareness, attention and commitment to security.
Sourced from Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, a member of ISACA’s Strategic Advisory Council and group head of Information Security, Compliance and Innovation for INTRALOT GROUP