To panic or not to panic…
Recently, there has been a lot of hype in information security circles around the advanced persistent threat (APT) and the advanced evasion technique (AET), partly due to the high profile breaches we have seen this year. I will not offer a definition here as many industry experts have done an extremely good job of it (for example, see http://www.antievasion.com/faq) and I do not dispute the fact that these threats exist and sophisticated techniques are now being employed.
However, let’s remember one thing: AETs depend on a vulnerable system inside the target environment.
Let’s be clear: criminals generally don’t need to resort to APTs and AETs to infiltrate a vulnerable environment. The Verizon DBIR 2011 states that 87% of attacks could have been prevented using simple, proactive measures.
APTs (delivered through AETs) are likely to target organisations where the attacker would achieve the most financial or political gain. In my book, this means that the first step is to understand what the critical assets are, and the second is to understand the infrastructure deployed for those critical assets. Predictably, as you might expect coming from me, the third step should be to protect those assets on the basis of a risk assessment that reflects the organisation’s risk appetite.
So whilst it is a good idea to check whether your intrusion prevention appliances are or will be anti-evasion ready and capable of receiving current AET patches and security updates continuously and dynamically (and again, a lot of good research has been done in this area), look inside first… Have you fixed the basics?
Author: Neira Jones, Head of Payment Security – Barclaycard