Last Updated on May 24, 2015

They are among us! ISACA has just released its Advanced Persistent Threat Awareness Report. The study presents the results of a survey undertaken by ISACA in the fourth quarter of 2012 with a sample of information security professionals including information security managers in different industries and organizations throughout the world (1,551 individuals globally, representing more than 20 industries).

The results of the survey are interesting to measure the level of awareness, but not so encouraging (and in several circumstances also contradictory) for other aspects:

• The survey results reveal that 25.1% of respondents are very familiar with APTs, although (somehow in contradiction with the previous statement), 53.4% of respondents indicated that they do not believe APTs differ from traditional threats.
• 89.7% of respondents believe that the use of social networking sites increases the likelihood of a successful APT attack.
• 87.3% think that BYOD, combined with rooting or jailbreaking makes a successful APT attack more likely.
• The biggest risk for the enterprise is the Loss of Intellectual Property (25.5%) and the Loss of Personal Information (23.6%). Reputational damage is the third biggest risk (20.5%).
• Only 21.6% of respondents reported having been subject to an APT attack, but 63% of them believes that it is only a matter of time before their enterprise is targeted.
• In any case, nearly 60% of respondents believe that they are ready to respond to APT attacks. Of those: 14% responded that they are “very prepared,” which indicated that they have a documented and tested plan in place for APT. Another 49.6% responded that they have an incident management plan although it does not specifically cover APT.

But in my opinion, the most surprising finding is the fact that, from a technological point of view, a very high percentage (above 90%) of surveyed responded that they are using antivirus and anti-malware and/or traditional network perimeter technologies to thwart APTs. Other kinds of technologies (Sandboxing, Event Correlation, Mobile or Traditional Endpoint Control, Remote access), have a much lower impact (below 60%).

Contradictory results that show a high awareness about Advanced Persistent Threats, but maybe more from a marketing point of view than from a substantial perspective. As a matter of fact more than one half of the sample does not consider APTs different from the other threats. This explains the high value of respondents who leverage traditional technologies to (believe to) thwart this class of threats.