APTs will help focus IT pros on the real issues, says security expert

The RSA data breach that resulted from an advanced persistent threat (APT) attack should help focus businesses on the need for resilience.

The RSA data breach that resulted from an advanced persistent threat (APT) attack should help focus businesses on the need for resilience, says John Walker, member of the security advisory group of the London chapter of ISACA.

"Security professional events and discussions tend to be focused on standards such as ISO 27001 and PCI DSS, but security professionals have to get closer to the real subject area because standards are irrelevant when corporate IT back doors are wide open," he says.

APTs in the spotlight

Walker is to lead a panel discussion on APTs at Infosecurity Europe 2011, which takes place at Earls Court, London, from 19-21 April.

Panellists, including Ionut Ionescu of Betfair, Mario Kempton of SOCA and Stephen Kerslake of Virgin Media, will discuss APTs and what contingencies organisations should be putting in place.

Walker says resilience of security infrastructures and components will be an important area of focus, as will real-world breaches resulting from successful APT attacks and, in particular, smartphone security.

A year ago, the big players were not interested in smartphone security because it had not hit the commercial headlines - Finjan , Kaspersky and Sophos were starting to dip their toes in - but this year it is on the radar because it has become more commercialised, he says.

Walker believes that smartphone security, like APTs, should be on the agenda of every business organisation.

"APTs are a significant issue, and an unwillingness to address this could indicate flaws in the current plan," he said.

A year ago, concerns raised around APTs were said to be nothing more than scaremongering, says Walker, but subsequent data breaches at RSA and other big companies as a result of such attacks have proved that opinion is flawed.

The right investment

Organisations are being targeted by APTs, and security professionals need to think about operational security in a new way, he says.

"It has to be a lot more honest. Possibly, if we have more honest reporting, we will not see big organisations getting into situations where there are gaping holes in their data security over an extended period of time despite significant resources at their disposal," said Walker.

Major organisations usually have major investments in security, but that investment is not always in the right place, he says.

According to Walker, businesses need to get away from the structure of auditing and reporting, which although important, has become a little top heavy.

"I would like to see more investment in the bottom end of the system, such as training for technicians who run security operations and exposure to what is being discussed in industry forums, instead of just the executives and senior managers," he says.

Organisations need good reporting to create an awareness of the real risks so they can assess how exposed they are and where they should spend their money, says Walker.

Information security professional also need to improve their awareness of the sector they are working in and the technology they are working around, he says.

"It is important that security professionals get a very good grasp on early notifications, not just from the suppliers but from organisations such as Secunia and the various forums, to know exactly what is happening," says Walker.

Read more on IT risk management