How to Leverage ISO 27001 & PCI Compliance Programmes to Address Advanced Persistent ThreatsBy: Rory Innes
The recent discovery of the Flame Virus, widely thought to be part of a nation state Advanced Persistent Threat (APT) attack, has once again brought a real life example of APT threats in action. Many organisations we speak to are worried about Advanced Persistent Threats (APT) but don't know where to start. What do you do if you have intellectual property or confidential information that is valuable to skilled, well-funded threat actors who are 100% focused on getting it from you? Why not start with your compliance programmes like ISO27001 or Payment Card Industry (PCI Compliance)? Seem like an odd suggestion? Read on to find out how to use your compliance programmes to detect advanced persistent threats.
There is no silver bullet to help protect you against APT threats and the answer is layered network security with a strong focus on user education, vulnerability management and effective security monitoring, to ensure you have good visibility of what is happening on the network and can respond quickly.
Organisations that successfully achieve, manage and maintain, compliance against standards such as ISO27001 or PCI come out the other side with a good understanding of the value of the data they store, process and protect, the risks to these assets and a set of controls and processes for effectively reducing those risks. Many organisations are at risk from advanced persistent threats and so the risk of these APT attacks should be included in the process of risk assessment and deployment of controls that is part and parcel of gaining compliance against these PCI and ISO 27001 standards.
Formally registering APT threats as a risk to be treated in your ISO 27001 and PCI compliance programmes will ensure you explore the level of risk, the information at risk, the vulnerabilities that exist and what you need to do to bring that risk to an acceptable level. ISO 27001 and/or PCI compliance programmes are often the best levers for freeing up budget for controls that the IT security team know are vital, so formally including it means there is a much better chance of funding.
A key part of almost all ISO 27001 and PCI compliance programmes is user education. One of the most common threat vectors used by advanced persistent threat attacks is spear phishing (sending crafted, specific and highly tailored communications with the aim of installing malware to form an access point). See the link? User education is key to addressing this initial advanced persistent threat attack vector and you can include focus on this type of APT threat attack in your security improvement programme, on your way to achieving ISO 27001 and/or PCI compliance. This helps to ensure that the APT threat gets the focus, attention and funding it needs.
Security monitoring is another stalwart component of compliance frameworks and is it also key to detecting attempted APT threat attacks as well as those in progress. Whilst many organisations will process and store security log information, they do little or nothing proactively to analyse, detect and respond to events highlighted and do not invest enough in people and process to effectively respond to potential threats. This means that security incidents often go unnoticed or are found after the fact. Using your compliance mandates for ISO 27001 or PCI to focus on security monitoring not only gives you better visibility into your security landscape and ensures compliance, but it also helps you get the most out of the security controls you have put in place.
Advanced Persistent Threats are the new 'normal' for many organisations and there are a lot of, as Donald Rumsfeld would say, 'unknown unknowns' in this space. Organisations need to ensure they have a strong, layered approach to it security systems and embrace the annual compliance process to ensure they have the operational security controls and funding make sure they have the appropriate level of protection in place.