IT and security professionals are fearful of targeted attacks against their company, but many are failing to put enough safeguards in place to defend against them, according to a new survey conducted by Waltham, Mass.-based whitelisting vendor, Bit9.
The Bit9 Endpoint Security Survey polled 765 IT and security professionals in the U.S., Canada and Europe. More than half the respondents (60%) said their main concern was being attacked by cybercriminals who use tactics similar to those used in the RSA SecurID breach. Insider threats came in second.
“With all the hacks this year, including Sony, which impacted millions of users and is considered to be among the largest breaches ever, it is interesting that the hacking method that concerns executives the most by a wide margin is the advanced persistent threat attack,” said Dan Brown, director of security research at Bit9. “That shows just how serious APT attacks have become and how much damage they can cause enterprises and government agencies.”
Although security professionals claim they are most concerned about targeted attacks, 50% of the companies surveyed said they rely on the honor system for their employees to follow written policy to control and prevent unauthorized software, rather than enforcing it. The survey also found that 51% of the companies allow their users to download and install applications.
Brown said relying on the honor system isn’t an effective way to prevent unauthorized software from being downloaded. “Basically, companies are telling us they are most worried someone will break down their front door, but they haven’t taken the time to lock it either,” he said.
In the RSA SecurID breach, attackers used a spear phishing attack on employees at RSA, sending an email that appeared to be from a co-worker. The attack tricked at least one employee into opening an email attachment, executing malware that targeted an Adobe Flash zero-day vulnerability.
“Normally, when people think about hacks and IT security breaches, they think of these elaborate James Bond type of attacks involving deception, cracking encrypted codes, using fingerprints or retinal scans, and other wild methods,” explained Brown. “The RSA breach used a very simple attack plan that masked an elaborate scam. This attack showed IT executives they need to protect every endpoint or they could end up the next company that is hacked.”
Nineteen percent of those surveyed claimed their companies’ network had crashed due to unusual software on their endpoints, and 89% said the network had been down for less than two hours while 13% said it was down for longer than one business day.
According to Brown, not every enterprise will be the target of a malicious attack, but companies should still employ precautions, and the survey shows that not all businesses are doing so. The survey found that 74% of the companies allow software to be downloaded only if it’s approved by the business, while 17% allow software downloads without such approval.
In addition, 79% of respondents said their company allows employees to connect removable storage devices, such as USB drives, to their work computers.
So how should enterprises respond to the threats they’re facing? According to Brown, by using layered defenses, or defense in depth. “It’s a little bit of motherhood and apple pie, but executives need to be aware there are newer attacks and methods out there and they need to protect against them with new security layers.”