Symantec: APTs can afflict anyone

No company is small enough or any employee junior enough to escape from persistent cybercriminals capable of deploying advanced persistent threats (APTs) to get the information they seek, says one Symantec executive, thus debunking the myth that such threats only apply for enterprises and government agencies.

According to Ilias Chantzos, senior director of Symantec's government affairs programs for Europe, Middle East and Africa (EMEA) and Asia-Pacific and Japan (APJ) regions, small and midsize businesses (SMBs) are not immune to being victims of APT attacks. This is particularly so if they have valuable information stored or can be used as "stepping stones" for cybercriminals to reach larger organizations, he said.

His observations were corroborated by Symantec's Internet Security Threat Report 2011, which was released on Monday. In the report, it stated that 18 percent of APTs identified last year were targeted at companies with up to 250 employees, while half were aimed at organizations with less than 2,500 employees.

Junior employees were not spared either, Chantzos added, saying that those who do not have direct access to confidential information can still be targeted. The report showed that 42 percent of APTs were directed at executive-level, senior-level and research and development (R&D) staff, but 6 percent of victims also came from the human resource department.

Elaborating, he said these attacks might appear as innocuous as a recruitment officer receiving an e-mail from an unknown source with a virus-laden attachment titled "CV". Once downloaded and opened, the malware would infect the company's network as well as the printer if the document was printed. Most employees, he added, would not know they had been targeted by cybercriminals.

That said, the senior director also pointed out that the term APT has been "used and misused" too often to describe many things. "Just because something is terrible, doesn't mean it's an APT."

The security vendor defines APTs as different from other attacks as they use highly customized tools and intrusion techniques, and stealthy methods to reduce the risk of detection. Its aim is to gather high-value, national objectives such as military, political, or economic intelligence.

These attacks are usually well-funded and well-staffed, and can be operating with the support of military or state intelligent organizations, with organizations of strategic importance such as government agencies, defense contractors, high profile manufacturers and critical infrastructure the usual targets, it added.

Web-based attacks to increase
Chantzos also noted that while e-mail was the main platform used to transmit malware, cybercriminals are increasingly turning to Web-based attacks, driven by the increase in Web activities such as social networking sites and improved graphical interfaces.

For instance, some rogue app developers created Facebook "Unlike" plugins to capitalize on the rise of the social networking site's popularity. The plugin allows users to indicate they do not like a post on the site, but upon clicking it, will activate the malware and infect others in their online social circle, described the executive.

Thus, any organization with Web presence could be a target of such attacks, including government agencies, he added.

However, the senior director pointed out that for these public sector agencies, implementing a security process to guard against APTs is a long process. This is because they run in silos and have different security needs, which means they need to prioritize which data needs to be protected more than others. So for the Ministry of Health, it would need to put more effort in safeguarding citizens' health information than regulating employees' use of Facebook at work, for example, he said.

As such, government agencies need to know who will be targeting them and what needs to be protected in order to architect its security policies, he said. This would involve protecting the perimeters of their critical infrastructure and endpoint devices as well as control the data transmission between Web, e-mail and mobile devices.

APT attacks can also originate internally, so there needs to be an authentication system to know which users have accessed what data, when they did it and whether the data complies with access policies, Chantzos added.

These organizations will need to accept the possibility that such attacks might be successful too, he advised. Instead of thinking of security implementations as silver bullets, government agencies need to have a backup plan such as disaster recovery, mechanisms to manage and contain attacks, and archiving to ensure that it is still able to function in spite of an attack, he stressed.

The preparation would include educating employees on the necessary procedures in case of an attack, he said, adding that even the best technology would fail if people were unaware of these processes.