Commentary
8/27/2014
09:06 AM
John P. Pironti

APT Equals FUD

The term "advanced persistent threat" is the latest incarnation of fear, uncertainty, and doubt that plagues the security industry.

Use of the phrase advanced persistent threat (APT) in the security community is nothing more than a new angle for risk and security professionals to continue to use fear, uncertainty, and doubt (FUD) to try to force their own agendas upon their constituencies and the population at large.

Risk and security professionals often use FUD -- rather than actual data -- to persuade others to align with their point of view and take actions they prescribe, or to get budget.

Unfortunately, FUD also results in a lack of trust and confidence in security professionals by the business leaders, stakeholders, constituents, and customers they serve.

In recent years, the risk and security community has promoted the idea of limiting the broad and unchecked use of FUD in favor of a more data-driven and risk-balanced approach to communication and influence.

This data-driven, risk-balanced approach isn't sensational; it can be difficult and time-consuming, and it represents a journey rather than a quick fix. And yet until recently, it was starting to take hold. As a result, risk and security professionals were becoming more accepted rather than feared and shunned.

Unfortunately, FUD still exists. Its latest incarnation is the APT buzzword. APT is widely used in the risk and security community and in media stories, and it is an element of many vendor marketing campaigns.

But APT doesn't represent a new, unique category of threats, or even an unexpected development in security and risk management.

The word "advanced" in APT implies new and never-before-encountered levels of threats, adversaries, and attacks. In fact, it's the defenders that have fallen behind.

The adversary community continues to evolve and refine its techniques and tactics. Attacks are more proficient and less obvious, and they employ multiple methods and mature rapidly.

In many cases, however, these attacks are considered advanced only because they have surpassed the abilities of the defenders to mitigate risks with traditional tools and techniques.

It would also be disingenuous for risk and security professionals to argue that they couldn't foresee such developments in the adversary community. So-called APTs are often permutations or derivatives of existing attack methods, tools, and techniques. In many cases, they have been postulated for some time by the risk and security community through threat and vulnerability research.

Threats to information and information infrastructure have always existed and will continue to exist as long as there are motivated and capable adversaries who can derive value from their activities.

Attack tools and tactics will evolve. So must our approach to security and risk management. The rise of the APT buzzword is no excuse for security professionals to fall back on bad FUD habits.

Join me and other security experts at Interop New York. The Risk Management and Security track will address a host of cutting-edge issues, including IoT security, managing third-party risks, cyberthreat intelligence, and more.

John P. Pironti is the President of IP Architects LLC. He has designed and implemented enterprise-wide electronic business solutions, information security and risk management strategies and programs, enterprise resilience capabilities, and threat and vulnerability management ...
Comments
zerox203,
User Rank: Ninja
8/30/2014 | 3:34:07 AM
RE: APT Equals FUD
Thanks for this, John. I think people would rather not talk about security - on a basic level, it's not as 'fun' as talking about the latest gadget or 'X as a Service', and on a deeper level, as you point out, it's scary and can even breed mistrust and confusion. It's no wonder that people don't want to talk about it! But, it's important that we do, and I'm glad to see that Interop still has a whole track devoted to security and that we have accredited professionals like you willing to write articles like this and advise your peers on best practices. You'll certainly get no argument from me for calling them out on FUD.

What you call FUD is no stranger to people from many industries, but when you're talking about information security there's a special way that you can make it sound scary. There's what you call the 'known unknown' and the 'unknown unknown' - you can never know what you don't know, and nefarious people on the other side of the world could be up to anything. That's not a myth at all, either - there are some scary stories about government-sponsored espionage and worse. That being said, I agree that it's pretty unlikely these people are calling their work 'advanced persistent threats', and that means we probably shouldn't either. Let's focus on beefing up our security.
Susan_Nunziata,
User Rank: Strategist
8/28/2014 | 7:41:12 PM
Breach news equals FUD
@John: Today's news of JP Morgan Chase makes your post extremely well-timed. While I agree that FUD is not a sensible long-term approach to encouraging stepped up security efforts for businesses, I do wonder what it will take for greater investment to be made. For example, according to Bloomberg, "JPMorgan Chase spends about $200 million each year to protect itself from cyber attacks." That seems to me to be an alarmingly low figure for a company of this size that's handling global financial data for millions and millions of individuals and corporations. Would greater investment in cyber security in general help organizations gain better footing against these attacks? And, if so, how do you advise CISOs and others to make the business case for such investment?