With all of the coverage over the alleged China-sponsored attacks on Google, the topic of Advanced Persistent Threats (APT) has broken out to a much wider dialog within the information security community. Apart from Richard Bejtlich’s excellent coverage on his blog, the excellent folks on the Security Metrics mailing list have also taken up the topic. Myself, I have yet to work myself into any sort of excitement, or even much of an accelerated pulse, over the worries that my organizations may have to contend with organized industrial espionage or nation-state associated actors.
This is not to say that these agents are not viable threats, for they most assuredly are. Likewise, some of my clients own or operate significant critical infrastructure assets which could be tempting targets for APT actors. At the same time, almost every organization I’ve seen has had far more significant challenges in how they govern their information-related assets. With multi-million-dollar projects failing to deliver value, weak internal controls contributing to poor asset operation, and untold amounts of capital and personnel resources being squandered in black holes of unmeasured and unknown work projects, I’d happily trade that in for the luxury of worrying about how to defend against a rogue nation-state attempting to breach my systems.
As Oscar Wilde is often quoted, “You can always judge a man by the quality of his enemies.”