APT survey

In this, the first of a series of reader surveys on varying aspects of APT, we drill down to examine third-party applications.

Security Brief

Sponsored by

81% of those surveyed said Java Runtime Environment was the third-party application that caused them the most concern.

Third-party applications, particularly for mobile and bring-your-own-device (BYOD) users, are causing significant concern for corporate security teams, SC Magazine learned from a new poll of its readers. While malware and advanced persistent threats (APTs) are high on the data security teams’ list of external risks, companies are continuing to move applications to the cloud in large numbers, in part to transfer the security risk to service providers.

Of the 143 respondents to the survey, 57 percent were from companies with more than 1,000 employees. Of these, nearly three of four say they are shifting their focus from operating system (OS)-based attacks to third-party apps. Two of three small- to midsized businesses – with fewer than 1,000 employees – also are refocusing their defenses on applications rather than the OS.

Moving defenses to applications rather than the OS is consistent with the industry trend to application-based security. At the recent RSA Conference in San Francisco, application-based security products, such as those that infuse code into applications to defend against attacks, focused on proactive defenses while there was a lesser focus on traditional signature- and heuristic-based anti-virus software.

www.scmagazine.com | © 2013 Haymarket Media, Inc.

How many third-party apps are on a typical endpoint in your organization? (Under 1k employees / 1k or more employees)

  • 1 - 5: 23% / 6%
  • 6 - 10: 27% / 28%
  • 10 - 15: 21% / 22%
  • 15 - 20: 16% / 14%
  • More than 20: 13% / 30%

Third-party applications can be a portal through which miscreants penetrate enterprise networks. What can be done to thwart these attacks? Stephen Lawton reports.

71% of those surveyed said they believe cyber criminals are shifting their efforts to third-party applications.

While large enterprises were more concerned about being the targets of APTs through third-party software than were small companies – 68 percent to 42 percent – data theft and financial fraud were consistent across all respondents as to what the attackers wanted to steal when they breach a corporate network.

Overall, nearly 60 percent of all respondents say they have the means to prevent unauthorized applications from being installed on their networks.

“Companies that believe their security cannot be breached are deluding themselves,” says Andrew Kellett, principal analyst for security at London-based research firm Ovum. “Every organization should act as though they are an attack target and be constantly vigilant when looking for malware activity. Recent security reports suggest that the time taken to identify a successful breach can be measured in months, rather than the hours, minutes or seconds it should take.”

Which third-party apps cause the most concern for you? (Under 1k employees / 1k or more employees)

  • Java Runtime Environment (JRE): 77% / 84%
  • Adobe Flash: 76% / 75%
  • Internet Explorer: 52% / 80%
  • Adobe Acrobat and Reader: 55% / 60%
  • Google Chrome: 34% / 23%
  • Adobe ShockWave: 32% / 25%
  • Mozilla Firefox: 31% / 21%
  • Apple QuickTime: 15% / 16%
  • Real Player: 18% / 14%
  • Other: 8% / 1%

74% of those surveyed said data theft was their primary concern about vulnerabilities in third-party apps.

Respondents to the SC Magazine survey said they believe the number one method for an attacker to launch an APT was through a mobile end-user device. However, Anton Chuvakin, Gartner’s research director for security and risk management, says that current research says BYOD has yet to prove itself to be a major source of enterprise network breaches. While that could happen in the future, he says, that is not the case today. In fact, he characterized malware from Android and iOS devices as “extremely rare.”

But, not all experts agree. With BYOD and the consumerization of IT activities becoming well ingrained in the corporate culture, potential attack vectors are changing rapidly from where they were five years ago, says Jared Carstensen, manager of enterprise risk services at Deloitte in Dublin, Ireland, and author of the book Cloud Computing: Assessing the Risks. “Attack techniques, mechanisms and the technology landscape continue at a rate never before seen, and it is up to organizations to respond accordingly,” he says. “The growth of malicious apps and malware for mobile devices is staggering to say the least. Last year alone, more than 350,000 instances of malware and malicious software were identified on mobile devices,” he says. “To put it in context, it took the PC market 14 years to get to that level.”

Carstensen likens the security industry to the fashion industry. “Each season has a new line of trends,” he says. “For years, enterprises and security professionals enforced standardization as a method to simplify security practices. Suddenly we seem to have forgotten our role and tend to be more intent on ensuring that employees are satisfied [with BYOD]. We have essentially sacrificed our traditional practices and empowered the consumers ahead of business security.”

However, while malware for mobile devices is increasing, the Verizon 2012 Data Breach Investigations Report, a comprehensive study on data breaches and their causes, notes that just one percent of all breaches were from laptop and netbook devices owned by users. Smartphones did not even make the list.

“Some readers may find the lack of mobile devices, like tablets and smartphones, surprising,” the report states. “We confess that we also expected a stronger trend to emerge, but so far it has not. To be clear, we have conducted forensic engagements on mobile devices (for malware, suspected misuse, tampering and more), but confirmed data compromises remain rare. We can’t help but think, however, that given the explosion of mobile users, applications, payments and more, things may pick up in the future.”

Are cyber criminals shifting their efforts to third-party applications?

  • Under 1k employees: Yes 66%, Unsure 31%, No 3%
  • 1k or more employees: Yes 74%, Unsure 21%, No 5%

66% of those surveyed said their company has taken steps to defend various systems against APTs.

Neil MacDonald, a vice president, distinguished analyst and a Gartner Fellow at Gartner, wrote on his company blog about issues with cloud-based security policy enforcement.

“If we don’t own the device or the network (think 3G, 4G, etc.), then we can’t always rely on traditional network and host-based security controls for protection.”

Vulnerable apps

A little more than half of those surveyed in our study – 52 percent – said they are considering banning third-party applications entirely. Almost half, 48 percent, said they don’t have full visibility into all of the third-party applications in their network, indicating that IT is not able to trace all of the programs running on all networked devices. As a result, the survey respondents appear to be circumspect about allowing software on their network, particularly mission-critical applications over which they have no control or ability to ensure application security.

The most frequently cited programs that are causing issues on networks are Adobe Flash and Acrobat, Java and Microsoft Internet Explorer. Other applications that received multiple mentions were Microsoft Office, VMware and Skype. Curiously, some data security programs, including firewalls, password protection applications and anti-virus software, also made the list of suspects.

“Security training in many organizations remains a backwater activity.” – Andrew Kellett, principal analyst, Ovum

What attacks that leverage vulnerabilities in third-party apps most worry you? (Under 1k employees / 1k or more employees)

  • Data theft: 77% / 72%
  • General malware infection: 79% / 57%
  • Advanced persistent threats (APTs): 61% / 68%
  • Financial fraud: 42% / 47%
  • Other: 8% / 5%

51% of those surveyed said their company is best equipped to defend against internet-borne malware.

“The reason that the top apps tend to attract the concerns and vulnerabilities are due to the fact that they are most widely used, most widely available and most reviewed, scrutinized and tested by attackers,” says Deloitte’s Carstensen. “The challenge is that significant portions of infrastructures and technology landscapes are based on these applications.”

It is not possible, he adds, to alter the whole environment without having impacts in the event that such vulnerabilities are exposed. Indeed, vulnerabilities associated with platforms, operating systems and applications are always going to be at the fore of security, and it is up to the organization itself to identify its core assets and systems and protect these accordingly, he says.

Flash, for instance, has a history of being used to inject APTs into corporate networks. When data security vendor RSA was breached in 2011, the attack started out as a spear phishing email that carried an infected spreadsheet that included an embedded Flash object that was configured to exploit a zero-day attack in the Flash Player. Once the Flash object ran, it installed the Poison Ivy RAT [remote administration tool] included inside the Flash object to guarantee further access to the attackers, and opened a back door into the RSA network, according to RSA’s own blog post about the incursion.

In a post on the official RSA blog, Uri Rivner, head of new technologies and identity protection, said: “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’” Once the attack was launched, it focused on moving to employees with greater administrative rights in order to access more sensitive material.

Are APTs a major concern for you and your company?

  • Under 1k employees: Yes 42%, Unsure 24%, No 34%
  • 1k or more employees: Yes 68%, Unsure 19%, No 14%

“Organizations will effectively be out of business if they do not protect their information and assets accordingly.” – Jared Carstensen, manager of enterprise risk services at Deloitte

73% of those surveyed said zero-day vulnerabilities were their most pressing concern about attacks via third-party apps.

More recently, Java also has been a cause for numerous updates due to zero-day vulnerabilities being identified. Each time a new build is released, the IT department needs to ensure that the changes will not break existing Java-based applications, says Peter Morin, senior manager of IT security threat avoidance and response at Halifax, Nova Scotia-based Bell Aliant. Such analyses can take days of testing before the new build can be deployed, he says, so when there are multiple updates released in quick succession, companies likely will not have the time to deploy the latest build, making them vulnerable to the newly found attack vectors.

Moving to the cloud

Rather than engaging corporate IT resources on constantly testing updates of vulnerable add-ins, such as Java, some companies are moving applications to the cloud, Morin says. By doing so, they can reduce capital expenditures and the amount of time it takes for the existing IT staff to manage various services.

The trade-off is contracting with a third party to be responsible for testing software changes to ensure applications work, but removing hands-on security from the corporate IT staff. It comes down, he says, to the historic battle between IT, which wants “big gear” to manage all of the infrastructure and security capabilities, including storage and applications, and management’s desire to outsource capital expenditures.

While IT departments prefer to be able to ensure security and provide all user resources, sometimes user needs conflict with IT policies. The problem, he says, occurs when employees cannot get the services they want from the company’s IT department. If IT cannot provide an immediate solution, employees will go out to the internet to get that capability, despite the potential security risks, Morin says.

Email is a good example. Some corporate Exchange servers will not allow the sending or receiving of files larger than 10 Mb. If someone has to send a very large file, it is easier to use a third-party service, such as Google Gmail, YouSendIt or Dropbox, than to request permission from IT for an exception to the standard operating procedure.

Have you and your company taken steps to defend your various systems against APTs?

  • Under 1k employees: Yes 65%, Unsure 16%, No 19%
  • 1k or more employees: Yes 68%, Unsure 21%, No 11%

52% of those surveyed said their company has not considered banning the use of third-party apps to curb malware.

As a result, it is possible that corporate data that might or might not be privileged “is living in Googleland,” Morin says.

As well, protecting cloud-based data from an APT launched against a cloud provider is challenging at best for corporate IT departments. While companies can require only heavily encrypted data be stored on the cloud, the IT team should work with its SaaS provider to ensure the provider has sufficient defenses in place, experts say.

“Security training in many organizations remains a backwater activity,” says Ovum’s Kellett. “Not enough attention is paid to the potential benefits. In SaaS relationships, ownership of security responsibilities is vitally important. On the positive side, there is plenty of evidence to suggest that the leading SaaS providers are better at security than the average business organization.”

However, the traditional APT attack – “low and slow, operating under the security radar” – is evolving, Kellett says. A new type of APT, sometimes referred to as an advanced volatile threat (AVT), begins with the attack living in live memory, then wiping its tracks as it moves deeper into the system. Unlike RAM-based viruses that were popular on PCs years ago (which could be eliminated by a simple reboot), this new approach counts on servers running 24/7, without a reboot, to ensure the attack gets a chance to plant seeds deeper into the network. AVTs are capable of wiping away traces of their fingerprints before leaving and after removing the required intellectual property, Kellett says.

Host-based security that runs proactive analyses of live memory could provide real-time clues to breaches, but not all companies are employing such defensive measures.

What methods used by cyber attackers on your third-party apps most worry you? (Under 1k employees / 1k or more employees)

  • Zero-day vulnerabilities: 68% / 77%
  • Installation of spyware: 50% / 42%
  • SQL injection: 50% / 36%
  • Known, unpatched vulnerabilities: 47% / 36%
  • Cross-site scripting: 35% / 35%
  • Automated drive-by attacks: 29% / 35%
  • Other: 0% / 2%

43% of those surveyed said they believe third-party apps are not inherently insecure.

Some 38 percent of all respondents to SC Magazine’s first of four APT surveys for 2013, each one focusing on a specific aspect of the phenomenon, said that third-party apps, including browsers, plug-ins, multimedia software, productivity software, software-as-a-service (SaaS) and other cloud applications, are inherently insecure.

When it comes to SaaS applications, at least some level of insecurity is by design, says Gartner’s Chuvakin. This insecurity is due to the inability for users to run security scans against SaaS applications, he says. By contract, running such scans generally will invalidate a license, so companies are required to take a SaaS vendor’s word that its systems are secure. While a SaaS vendor might provide a customer with a report that verifies it meets a given security certification, client companies are not allowed to do penetration testing against the provider’s servers.

In many cases, says Bell Aliant’s Morin, a SaaS provider will not have its own data center and will instead contract with its own third-party cloud storage provider. In such cases, he says, the SaaS provider can only supply its customer with a promise from yet another third party that its servers are secure.

Of attacks that companies believe they are best equipped to defend against, internet-borne malware infections were cited by 47 percent of companies with more than 1,000 employees and 56 percent of smaller companies. This was the only category where more than half of the total surveyed (51 percent) said they were ready to handle an attack. Malware infections from physical means, such as USB drives, memory cards or infected CDs or DVDs, fell to 35 percent for larger companies, but resulted in a still substantial 47 percent for SMBs.

Neither group felt it was well prepared to defend against mobile end-user vulnerabilities (17 percent and 24 percent, respectively) or third-party application vulnerabilities (12 percent and 23 percent, respectively). Another area where all users felt vulnerable was from externally driven exploits, such as those from cloud providers and Wi-Fi compromises. Again, fewer than a quarter of the respondents felt they were prepared for such attacks.

Erin Jacobs, founding partner of Urbane Security, a Chicago-based information security firm, says there is a disconnect between how IT departments view attacks from mobile devices and how they view more traditional attacks. In the past, she says, users connected personal devices, such as USB drives and iPods, to their corporate-connected computers. Today, she says, companies are better able to defend against attacks from personal devices, including smartphones and tablets, because IT staffs have a better understanding of data security and many users better understand potential threats.

The right choice: Selecting an application

The questions the IT staff at a company should ask prior to selecting an application include:

  • Is the data encrypted? If yes, where? (At the source? In the cloud?)
  • Where is the data stored? This could be an issue in cases where a country requires that private data of its residents cannot be stored outside its borders.
  • Who has access to the encryption key?
  • How does the company secure endpoints when the data is outside the firewall? Data might originate on a smartphone or tablet computer.

36% of those surveyed said identity management solutions have been put in place in their organization to bolster defenses against APTs.

While companies do a good job in monitoring the perimeter devices, more emphasis is being put on finding potential attacks within the network, she says. Unless you’re running virtual machines with a clean image deployed every night, attackers will be inside the network, she says. Defending against them at the perimeter will stop some attacks, but persistent attackers will get past edge defenses.

Unlike traditional defenses – such as perimeter monitoring or intrusion detection software/intrusion prevention software (IDS/IPS) – application security is not a high priority for companies, she says. While IT departments understand infrastructure defenses, unfortunately, very few companies perform due diligence on third-party applications, Jacobs says.

She calls it “risk transference,” where companies attempt to outsource risk to SaaS or similar providers. In some cases, IT departments transfer the risk to the business side of the enterprise if departments, such as sales or marketing, prefer to use an SaaS application rather than a traditional, server-based program, she says.

Further, when it comes to third-party applications, security is an afterthought, she says. This could change, she adds, if venture capitalists or other funders made security a priority, but most companies and their backers are more concerned with getting product out the door rather than building in appropriate and fully tested security.

While having a baseline of a clean network is essential for determining anomalies that might indicate a potential breach or worse, an APT, many companies do not have adequate baselines because they do not realize they already are under attack, she says.

Additionally, companies often do an inadequate job of pre-qualifying third-party applications, says Cedric Jeannot, CEO of I Think Security Ltd., a data security consultancy based in Kitchener, Ontario. “Usually, they will choose a convenient app first and think about security next,” he says.

While the consensus of industry experts with whom we spoke is that attackers already should be considered to be inside the network, it does not mean APTs exist in every network. Rather, they agree, companies should develop as precise a baseline as possible for valid network activity and then look for anomalies that might indicate a breach.

“Organizations will effectively be out of business if they do not protect their information and assets accordingly,” Carstensen says.

This APT survey was prepared for SC Magazine by C.A. Walker Research Solutions and it was sponsored by Lumension. Questions were emailed out to SC Magazine subscribers and Lumension clients between Feb. 6 and 16. Results were tallied from 143 respondents, and were not weighted. “Large” companies are 1,000 employees or more and “Small” companies are less than 1,000 employees.

For more information about Security Briefs from SC Magazine, please contact Illena Armstrong, VP, editorial, at [email protected].


Lumension Security, a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes vulnerability management, endpoint protection, data protection, and reporting and compliance offerings. Lumension is known for providing world-class customer support and services 24/7, 365 days a year.

For more information, visit www.lumension.com
