Hard target: The APT scenario

Steep rise in attacks

Peter Morin, leader of the threat avoidance and incident response team at Bell Aliant in Halifax, Nova Scotia, says the number of attacks he sees on the Canadian telecommunications system has increased significantly during the past seven years and particularly in the past two years. He agrees that it is critical for companies to lock down their networks so that compromised data cannot be sent back to criminals' command-and-control servers.

However, while Morin acknowledges that finding compromised systems is difficult, there are ways to ensure that network traffic is protected. He recommends that security and network engineers study logs to look for common indicators of an intrusion, such as if internal traffic is being redirected to an unauthorized domain name system (DNS) server.

“If your network is configured so that systems talk to a DNS server on your network, there is no reason why they should be communicating with a DNS server in Russia,” he says.
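One way to run the log check Morin describes, as an added example that is not code from the article or from Bell Aliant: it scans constructed flow records (assumed "src dst proto dport" layout, one per line) and flags DNS traffic from internal hosts to any resolver not on an assumed approved list.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the article): "src dst proto dport"
SAMPLE_FLOWS = """\
10.1.4.22 10.1.0.53 udp 53
10.1.4.22 10.1.0.53 udp 53
10.1.7.90 10.1.0.53 tcp 53
10.1.4.22 203.0.113.77 udp 53
10.1.9.15 198.51.100.9 udp 53
10.1.9.15 198.51.100.9 udp 53
10.1.9.15 198.51.100.9 udp 53
10.1.7.90 93.184.216.34 tcp 443
"""

# Assumed address plan: one internal range, one sanctioned resolver
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_RESOLVERS = {"10.1.0.53"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_dns(flow_text, approved=APPROVED_RESOLVERS):
    """Return {(src, dst): count} for DNS flows (UDP or TCP port 53) from an
    internal host to a destination that is not an approved resolver. A rogue
    resolver inside the internal range is flagged too, since only the
    approved set is exempt."""
    hits = Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the scan
        src, dst, proto, dport = parts
        if proto not in ("udp", "tcp") or dport != "53":
            continue
        if is_internal(src) and dst not in approved:
            hits[(src, dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), n in sorted(find_rogue_dns(SAMPLE_FLOWS).items()):
        print(f"ALERT {src} -> {dst}:53 ({n} flows) not an approved resolver")
```

The count per source/destination pair helps separate a one-off misconfiguration from a host that is persistently resolving through an unauthorized server.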

However, Earl Boebert, a retired senior scientist from New Mexico-based Sandia National Labs and the inventor or co-inventor on 13 computer security patents, cautions that technological approaches, including a security information and event management (SIEM) system, might not stop the sophisticated adversary. “If I, as an attacker, control your system to the degree that some of these accounts indicate, then I will ‘train' your software and your administrators to accept something that, if I just threw it at them, would raise an alarm.”

In addition, education is critical to stopping attacks, Boebert says. Not only must employees be taught to understand how social engineering works, and be given directions on what is and is not considered safe computing practices, but outside investigators also should be informed of the attacks. While APTs are, by definition, custom built, understanding what is being targeted, where the attack is coming from and how it is being done can assist investigators to shut down the command-and-control centers.

Meanwhile, much of the talk about education centers around helping employees understand social engineering. While some email might look authentic, employees should not click on just any link because it could either cause malware to download onto the system or take the user to a website where malicious code is hosted, says Patricia Titus, [at the time of this interview] CISO for Unisys [currently she is CISO at Symantec]. But, she adds, education is not for employees alone.

After speaking at a data security awareness conference for the U.S. Department of Defense, Titus says a high-ranking military officer walked up to her and asked if she would put a copy of her presentation on his thumb drive. Titus looked at the officer, then the drive, then back at the officer, and asked: “Is this a test?” Attaching any USB-connected device to a computer is an invitation for an attack, she says.

One common test of employees' understanding of the potential security breach posed by unauthorized storage devices is to dump thumb drives with identifying information into a company parking lot, she says. If an employee plugs one of these devices into their company computer, the IT department is alerted and the employee gets additional training on security threats.

Human nature, Titus says, is generally the weak link in a company's data security posture. One's culture is often based on helping people in need, she says, making social engineering an effective way to defeat security protections.

Companies need to “empower people to participate,” she says. Rather than punishing an employee who might stop a C-suite executive from entering a secure area without proper credentials, employees need to know that if they follow proper precautions, their actions will not cause reprisals.


Security tips: Top 10

Security is weakest at the human level. Therefore, organizations should:

  1. Implement consistent security awareness training with associated testing to gauge effectiveness.  
  2. Enforce security in all projects at the concept phase. Incorporating controls later in the implementation results in increased costs and less effective results.
  3. Develop procedures to ensure data stored on removable media devices is always encrypted. Delete files from flash drives as soon as possible.  
  4. Protect passwords, change them often and do not write them down and leave them unsecured.
  5. Develop an effective policy for use of social media to limit the potential loss of critical company information, while leveraging the marketing flair of social media.
  6. Review access control frequently to prevent “privilege creep.” This is critical as employee roles expand.
  7. Consider application whitelisting (allowing the use of good applications and prohibiting bad ones) for employees who routinely manage sensitive data.
  8. Conduct periodic risk assessments to manage security spending effectively. Apply controls based on risk to the business.
  9. Move to multifactor authentication where feasible.
  10. Use a program that either prevents or warns you about navigating to a known spyware site.

Source: Unisys