Security threats are changing: they are becoming more persistent, virulent and debilitating. But the strategies to control and counter these threats are also changing and evolving.
Two APTs that created ripples in recent years are the RSA SecurID hack and Operation Aurora. Unfortunately, both were state-sponsored threats and cannot be classified with the normal types of threat that organisations face in the course of computing over the Internet. The RSA SecurID hack is an APT that took place in 2011. This attack compromised systems that used RSA SecurID two-factor authentication tokens to generate one-time passwords.
Operation Aurora was an APT that stole sensitive intellectual property and source code from computing giants such as Google and Adobe. The attack was highly sophisticated, coordinated and orchestrated. The attackers had immense technical skill and an ability to take advantage of the target organisation's weaknesses. Such attacks are also not short-term efforts aimed at capitalising on temporary windows of opportunity. They exploited vulnerabilities that the organisations themselves had not yet identified, and they were designed to unfold over a period of time (spanning years) using multiple vectors, combining a number of security breaches.
As a result, the traditional methods of securing an organisation's data stores fail in the face of an APT. Alternative strategies will have to be discovered and implemented. The security strategy will have to be more proactive, and capable of detecting and preventing an APT even while the perpetrators are still reconnoitring the organisation for weaknesses.
Organisations and cloud services may have to institute layered security. The layering will have to begin at the perimeter. Shared accounts will have to be managed effectively: encrypting and securing passwords, creating complex passwords that are difficult to break, restricting access to administrative accounts, and preventing password sharing through automatic login.
The next security layer should include server hardening. Server hosts should be protected with firewalls and with definitions of high-risk applications to be excluded. Sessions should be recorded and examined, and unusual activities should be instantly highlighted for deeper investigation. Analytical tools should be made available to evaluate and examine these activities and to track the time, date, source IP and user ID of each login. Phishing protection, anti-virus installation and employee education should follow.
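To make the account-management and monitoring points above concrete, here is an added example (not code from the original article) of the kind of login-record analysis the analytical tools described would perform: it tracks time, source IP and user ID per login and flags three of the conditions the text calls out for deeper investigation, namely an account used from many source addresses (a sign of a shared or leaked password), an administrative login outside business hours, and a burst of failed logins from one source. The log format, account names, IP addresses and thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample login records for this example (not from any real
# system). Assumed format: "<ISO timestamp> <user> <source ip> <result>".
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice 10.1.4.22 success
2024-03-04T08:05:40 bob 10.1.4.31 success
2024-03-04T09:15:02 svc_backup 10.1.9.10 success
2024-03-04T09:16:44 svc_backup 10.1.9.11 success
2024-03-04T09:17:03 svc_backup 10.1.9.12 success
2024-03-04T09:18:20 svc_backup 10.1.9.13 success
2024-03-04T02:41:09 admin 198.51.100.7 success
2024-03-04T02:42:30 admin 198.51.100.7 failure
2024-03-04T02:42:51 admin 198.51.100.7 failure
2024-03-04T02:43:10 admin 198.51.100.7 failure
2024-03-04T10:30:00 carol 10.1.4.40 success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(success|failure)$")


def parse_log(text):
    """Parse the assumed login-log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        records.append({
            "time": datetime.fromisoformat(ts),
            "ts": ts,
            "user": user,
            "ip": ip,
            "ok": result == "success",
        })
    return records


def find_shared_use(records, max_ips=3):
    """Accounts successfully used from more than max_ips distinct source IPs,
    a common indicator of a shared or leaked password."""
    ips = defaultdict(set)
    for r in records:
        if r["ok"]:
            ips[r["user"]].add(r["ip"])
    return {user: len(s) for user, s in ips.items() if len(s) > max_ips}


def find_offhours_admin(records, admin_accounts, start_hour=7, end_hour=19):
    """Successful logins to administrative accounts outside business hours."""
    hits = []
    for r in records:
        if r["ok"] and r["user"] in admin_accounts:
            if not (start_hour <= r["time"].hour < end_hour):
                hits.append((r["ts"], r["user"], r["ip"]))
    return hits


def find_failed_bursts(records, threshold=3):
    """(user, source IP) pairs with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for r in records:
        if not r["ok"]:
            fails[(r["user"], r["ip"])] += 1
    return {k: n for k, n in fails.items() if n >= threshold}


def analyze(text, admin_accounts=("admin",)):
    """Run all checks over one log text and return the findings for review."""
    records = parse_log(text)
    return {
        "shared_accounts": find_shared_use(records),
        "offhours_admin": find_offhours_admin(records, set(admin_accounts)),
        "failed_bursts": find_failed_bursts(records),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each check returns its findings rather than only printing them, so the same functions can feed a dashboard or an alerting rule; the thresholds (three distinct IPs, 07:00 to 19:00 business hours, three failures) are the parts an organisation would tune to its own baseline.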
In short, “defense in depth” security concepts should be implemented.