
Expert: Generic defense not good enough for APTs

Symantec exec urges comprehensive monitoring to better detect malicious activity, as new report reveals 2010 as the year of targeted attacks with security headliners such as Stuxnet.
Written by Tyler Thia, Contributor on

Most enterprises today have in place only generic security solutions, without real consideration for attacks such as advanced persistent threats (APT), according to a Symantec executive.

Kwee Anping, senior technical consultant at Symantec Singapore, pointed out that most security solutions currently implemented protect mainly the infrastructure, which can leave gaps that invite easy attacks.

"[Enterprises] can't be anticipating these attacks from [a specific] individual or a group of people, so whatever they have put in place is generic to protect the infrastructure and information," he explained in a phone interview with ZDNet Asia.

The security expert said "as a guideline", Symantec has a recommended checklist of activities that enterprises can carry out, to try to circumvent or prevent APTs by having multiple mechanisms in place. The checklist includes monitoring logs of security systems, applications and even messages, which can contribute to the "fingerprint" of unusual activities going on within the corporate network.

Attackers, noted Kwee, usually compromise systems by moving through multiple layers, so with a proper monitoring mechanism in place, IT staff will be able to pinpoint the tell-tale signs should malicious activity arise.

However, enterprises may find this "difficult" to implement, as monitoring is still regarded as a cost center that does not contribute directly to profit.

"What they fail to see is by overlooking the need to monitor, a resulting security breach may cause the business' non-tangible assets such as reputation and customer confidence to suffer," he said. "There's still a huge gap that organizations need to do when it comes to monitoring."

As attacks become more targeted, Kwee also urged companies to step up education efforts to raise staff awareness of social engineering, which is often the first stage of an intrusion.

Steep increase in malicious activities
A Symantec report released Monday revealed that 2010 was "the year of the targeted attacks", in which Hydraq and Stuxnet leveraged zero-day vulnerabilities to attack critical infrastructure networks. Hydraq was used in the Operation Aurora attacks on companies including Google early last year.

Multinational corporations, government agencies and a host of small companies were targeted, and many suffered breaches even with security measures in place, the vendor noted. Data breaches (http://www.zdnetasia.com/study-negligence-cause-of-most-data-breaches-62207621.htm) caused by hacking resulted in more than 260,000 identities being exposed per breach last year, nearly quadruple that of any other cause.

Shortened URLs commonly used on social media sites were a popular disguise for malware, Symantec said in the report, adding that millions of such links were posted in 2010 in attempts to trick victims into phishing and malware attacks.

Java was also a hotbed for attackers, where toolkits targeting its vulnerabilities were widely used by novices and experts. Toolkits accounted for 17 percent of all vulnerabilities affecting browser plug-ins, with the Phoenix toolkit the most commonly used, Symantec added.

Toolkits were also used to launch Web-based attacks. The security vendor reported that the daily volume of Web-based attacks in 2010 was 93 percent higher than in 2009.

In addition, mobile platforms are "becoming ubiquitous" in the eyes of attackers, according to the report. Most attacks are in the form of Trojans posing as legitimate applications. Globally, there was a 42 percent increase in malware affecting these devices.

The study, which was compiled using data from 240,000 sensors in 80 countries, also tallied an increase of 286 million new malicious threats as well as 6,253 vulnerabilities in 2010.

While Symantec was unable to provide figures specific to the Asia-Pacific region, it revealed that Singapore moved up the global ranking in terms of malicious activities recorded, from 41 in 2009 to 34 last year.

Forty-nine percent of the city-state's attacks were Trojan-based, as compared to 35 percent in the Asia-Pacific region including Japan. Viruses made up 7 percent of attacks in Singapore, as compared to 23 percent in the region.
