IT security leaders should test responses to specific APT attack scenarios, such as one that targets credit card information, Stroud says in an interview with Information Security Media Group. He advises that an APT attack response test should address communicating with customers, triaging the computer environment and protecting the organization's reputation.
It's not just the IT security team that needs to be involved in APT attack response testing.
"This is the key aspect: The risk professional and the security professional and the business professional need to be joined at the hip, understand the scenario, understand how to act in an impressive way, go through the scenario, do the drill, have the plan written up," he says. "And, then you execute it, pull it out and absolutely leverage it."
In the interview, Stroud also discusses the just-published ISACA report, 2014 Advanced Persistent Threat Awareness, which is based on a survey of more than 1,200 IT security professionals. Among the points the study makes, and Stroud addresses:
- Correlations between enterprises' perceptions on whether they've been victimized by APTs and how they prepare for them;
- Why many information security professionals do not clearly understand APTs nor how to defend against them;
- How most organizations rely on firewalls and other perimeter defenses to protect systems from APTs, even though they aren't necessarily well-suited for preventing and mitigating such attacks.
Correlation Between Likelihood of and
Preparedness for an APT Attack
Technical Controls Used to Protect Against APT Attacks
Stroud became ISACA's international president earlier this year. Previous, he served on ISACA's Professional Influence and Advocacy Committee. A past international vice president of ISACA, he served on its professional influence and advocacy and framework committees. Stroud also is a governance evangelist as well as vice president of strategy, innovation and service management at CA Technologies.
Previously known as the Information Systems Audit and Control Association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.