Worried about sophisticated attacks, agencies ignore low-tech threats
- By William Jackson
- Aug 30, 2011
Sophisticated attacks using Advanced Persistent Threats are top of mind for nearly two-thirds of government IT officials in a recent security survey, but too little attention often is being paid to the low-hanging fruit being exploited by low-tech attacks.
“The results reinforce what we have known for a while,” said Dan Brown, director of security research for Bit9, the security company that did the survey. “The bar is not as high as we would like to think.”
The survey showed what Brown called “gaping holes” in security policy and practices that can let malicious code into an enterprise through unmanaged devices and downloading of applications.
Hackers gain access to RSA's SecurID security tokens
Flaw in advanced threats points to Chinese networks
Although most government organizations and defense contractors represented in the survey restrict some administrative rights of end users, 7 percent have no restrictions, and security too often relies on written policies without enforcement. As a result, two-thirds of respondents allow some downloading of software and 40 percent of them found spyware on computers. Nearly a third of them found known viruses and malware, as well as some zero-day exploits.
“What the folks in charge are most worried about is not what is typically used in attacks,” Brown said. “Most of the attacks do not use advanced techniques,” and can be easily guarded against.
The data comes from Bit9’s third annual survey on endpoint security, released Aug. 30. It includes responses from 765 IT and security professionals, 20 percent of them, or 158, working in government or with defense contractors. Government responses track closely with those of the private sector but tend to indicate government is more security conscious, with tighter restrictions on administrative rights for end users and more management of endpoints.
Advanced persistent threats, or APTs, have gotten a lot of attention over the last year because of a number of high-profile attacks against government and industry networks. APTs are stealthy and often exploit zero-day vulnerabilities for which defenses are not currently available.
But even sophisticated attacks often have unsophisticated components, Brown said. The complex Stuxnet worm apparently was first introduced on a USB drive, and the RSA breach and the well-publicized breaches of some Energy Department labs were initiated with spear-phishing attacks using social engineering to fool users.
Government systems are not without security. Seventy-eight percent of respondents said their organizations restrict administrative rights, usually with less than one fifth of users having full rights. Beyond that, however, security practices to protect endpoints become fragmented, and 66 percent of government respondents allow users to download software and install applications, compared with only 51 percent in the overall sample.
The most sophisticated APTs are complex enough and are so narrowly targeted that they represent major investments that are likely to be limited to well-funded organizations such as nations. So although they represent real threats, “the cost of the advanced attack is very high,” Brown said. “At some point there is a point of diminishing returns” for the attacker.
At the same time, similar results often can be obtained with inexpensive attacks exploiting known but unpatched vulnerabilities. This means that organizations often can get a better return on their security investments by focusing on the low-hanging fruit, such as managing devices, enforcing policy, and keeping software and patches updated.
“There are a lot of trade-offs for very high security,” Brown said. “The cost is high for defense as well as for attacking,” with advanced threats.
William Jackson is a Maryland-based freelance writer.