The APTs are coming, but are agencies ready?
Peyton Engel
Despite increased awareness about cybersecurity threats, there doesn't seem to be an end in sight.
The National Association of State Chief Information Officers reports that cyber threats are growing in numbers and severity, attacking state IT infrastructures on a daily basis. Similarly, federal agencies report a 650 percent increase in information security incidents during the past five years, according to the Government Accountability Office.
Increasingly, advanced persistent threats (APTs) are behind the attacks, which result in the loss of sensitive data. CDW-G recommends that agencies take steps to mitigate the impact of an APT, identify infection if an APT attack occurs and prescribe a cure.
Getting a handle on APTs
APTs bypass traditional, signature-based intrusion detection, leaving victims unaware that the network is compromised. Most alarmingly, APTs target the endpoints of least resistance, such as multi-function printers and mobile devices. A multi-function printer, for example, may have a scanner that can email documents or drop them onto a file-sharing system, and to do so it holds credentials for those services. If the printer is compromised, the attacker inherits that access to the agency's email system or file server.
As if APTs weren't worrisome enough, the proliferation of mobile devices makes agency IT managers' work even more challenging. Public-sector employees' and private-sector contractors' use of mobile devices to access work email and agency networks has increased dramatically in recent years. Mobile computing is a valuable productivity tool, but it means IT managers have the daunting task of securing more vulnerable endpoints than ever before.
Quite simply, the processes that secured employee workstations or laptops in the past are no longer realistic, given the sheer number of devices that touch the network. And how does an agency prevent something, such as an APT, that it cannot easily detect?
Mitigate
Because an APT exploits its target's weaknesses and will eventually get past perimeter defenses, data loss prevention (DLP) is key to limiting what the attacker can take. Like an automobile airbag, DLP diminishes the effects of an attack, as opposed to anti-lock brakes, which reduce the likelihood of a crash occurring in the first place.
DLP involves three steps to manage sensitive data:
- First, run a security assessment to understand your vulnerabilities, identify where sensitive data resides and understand who has access to sensitive files;
- Next, monitor the flow of confidential data to understand how sensitive data is handled and shared;
- Finally, develop a centralized management framework that enables IT managers to set and update access levels and permissions for users. For example, if five people have access to a sensitive file, but only two have ever accessed it, IT has reason to reconsider or remove access for the other three, whose accounts are an unnecessary path to the file for an attacker who compromises them.
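The third step's example (five grants, two actual readers) is a check that can be automated by joining the file's access-control list against its access log. The script below is an added illustration, not code from the original article or from CDW-G; the ACL, the access-log entries, the file paths and user names are all constructed for the example, and the log format (ISO timestamp, user, path) is assumed. It also generalizes the article's "never accessed" case to an idle window, so a grant that was used once long ago is flagged too.

```python
"""Access review for sensitive files: compare who is granted access with who
has actually used it, and flag grants that have never been exercised (or not
within an idle window). Added example; the ACL and access log below are
constructed for illustration, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ACL: path -> set of principals granted read access.
ACL = {
    "/finance/payroll-2023.xlsx": {"alice", "bob", "carol", "dave", "erin"},
    "/hr/benefits.docx": {"alice", "frank"},
}

# Constructed access log: one (ISO timestamp, user, path) tuple per read.
ACCESS_LOG = [
    ("2024-01-03T09:12:00", "alice", "/finance/payroll-2023.xlsx"),
    ("2024-01-04T14:30:00", "bob", "/finance/payroll-2023.xlsx"),
    ("2024-02-10T08:05:00", "alice", "/finance/payroll-2023.xlsx"),
    ("2024-02-11T16:45:00", "frank", "/hr/benefits.docx"),
]


def last_access(log):
    """Return {path: {user: datetime of that user's most recent read}}."""
    seen = defaultdict(dict)
    for ts, user, path in log:
        when = datetime.fromisoformat(ts)
        if user not in seen[path] or when > seen[path][user]:
            seen[path][user] = when
    return seen


def unused_grants(acl, log, now_iso, max_idle_days=90):
    """For each path in the ACL, list (sorted) the principals that hold a grant
    but have not read the file within max_idle_days before now_iso, or ever.
    Each such grant is only an extra route to the data for an attacker who
    compromises that account, so it is a candidate for removal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    seen = last_access(log)
    report = {}
    for path, principals in acl.items():
        stale = [u for u in principals
                 if seen.get(path, {}).get(u) is None or seen[path][u] < cutoff]
        report[path] = sorted(stale)
    return report


if __name__ == "__main__":
    for path, users in unused_grants(ACL, ACCESS_LOG, "2024-03-01T00:00:00").items():
        print(f"{path}: {len(users)} unused grant(s) to review: {users}")
```

Run as-is it reports carol, dave and erin on the payroll file (granted, never read) and alice on the benefits file. Tightening the window to 30 days also catches bob, whose last read predates it. In practice the ACL comes from the file server or DLP console and the log from its audit trail; the join logic does not change.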
Identify
While APTs are designed to be stealthy, once an attack has occurred, agency IT managers can still take steps to detect them on the network. They should analyze network traffic to determine whether systems are making unfamiliar connections to destinations outside the network. Additionally, they can route outbound web traffic through a proxy server, which logs every request and flags those that violate security policies.
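The traffic analysis described above, as an added example that is not part of the original article: learn the external destinations seen during a known-clean window, then flag connections to anything new, plus any Internet egress from a device class (here the printer VLAN from the earlier section) that has no business initiating it. The address ranges, the printer subnet, and the flow records are constructed; the record layout (timestamp, source, destination, port, bytes) is a simplified NetFlow-style export assumed for the example.

```python
"""Flag outbound connections that do not match a learned baseline, plus any
Internet egress from a device class (printers) that should never initiate it.
Added example: the address ranges and flow records are constructed, and the
one-line-per-flow format is a simplified NetFlow-style export."""
import ipaddress

# Constructed network definitions for the example agency.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRINTER_NET = ipaddress.ip_network("10.20.0.0/24")  # MFPs: no direct egress expected

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes".
BASELINE_FLOWS = """\
2024-02-01T08:00:00 10.1.1.10 93.184.216.34 443 5120
2024-02-01T08:05:00 10.1.1.11 93.184.216.34 443 4096
2024-02-01T09:00:00 10.1.1.10 10.1.1.5 445 65536
2024-02-02T10:00:00 10.1.1.12 198.51.100.7 443 2048
"""
NEW_FLOWS = """\
2024-03-01T02:13:00 10.1.1.10 203.0.113.9 8443 900
2024-03-01T02:14:00 10.1.1.10 93.184.216.34 443 3000
2024-03-01T02:15:00 10.20.0.7 203.0.113.9 443 1200
2024-03-01T02:16:00 10.1.1.11 10.1.1.5 445 7000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """External (dst, port) pairs seen during a known-clean learning window."""
    return {(f["dst"], f["port"]) for f in flows if not is_internal(f["dst"])}


def flag_unfamiliar(flows, baseline):
    """Return (reason, timestamp, src, dst, port) for each suspicious external flow."""
    alerts = []
    for f in flows:
        if is_internal(f["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        src, dst, port = str(f["src"]), str(f["dst"]), f["port"]
        if f["src"] in PRINTER_NET:
            alerts.append(("printer-egress", f["ts"], src, dst, port))
        elif (f["dst"], port) not in baseline:
            alerts.append(("new-destination", f["ts"], src, dst, port))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for alert in flag_unfamiliar(parse_flows(NEW_FLOWS), base):
        print(" ".join(str(x) for x in alert))
```

On the constructed data this raises two alerts: a workstation reaching a never-before-seen host on port 8443 at 2 a.m., and a printer talking to the same host directly. Two caveats a practitioner should keep in mind: the baseline here is organization-wide by (destination, port), and a per-source baseline is stricter but noisier; and a baseline learned while the network was already compromised will encode the attacker's command-and-control traffic as normal, so the learning window must come from a period believed clean.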
Prescribe
The first step to curing an infection is pinpointing each compromised machine. Agency IT managers should revisit the "Identify" tactics above to determine exactly which devices are involved in the incident. Next, IT managers need to develop a process for cleaning each system, which may involve applying patches or making system updates, or, where the attacker's persistence cannot be ruled out, rebuilding the machine from a known-good image. It is important to understand that APTs are often multi-pronged, and it may take several cycles before a machine is completely clean. For this reason, it is critical that IT managers keep thorough records of what was found on each device, how it was cleaned and when it was cleaned, so that a machine that shows the same indicators again is recognized as a failed cleanup rather than a new infection.
Peyton Engel is a technical architect at CDW-G. He can be reached at:
