The multi-vectored nature of an AET (advanced evasion technique) attack means that organisations need to improve on conventional IT security, warns Professor John Walker, a security expert and member of ISACA.
AETs are used to attack networks by combining several known evasion methodologies to create a new technique delivered over several layers of a network simultaneously, he explains – so increasing the risk that malicious code will be delivered without detection.
According to Professor Walker, who works with the Nottingham-Trent School of Computing and is CTO of Secure Bastion, while some hackers have figured out shell (command line) attack methodologies, AETs are not always that bad.
For him, in most cases, it's not a question of hackers being smart with their attacks, but more that the targets they choose are vulnerable due to insufficient security.
"In many cases, the first issue that is encountered is excessive privilege associated to systems that have not been locked down," explains Professor Walker.
"Even today, I am amazed at how many organisations allow their user base, or a large proportion of their user base, to have administrative access," he continues.
Once systems have been penetrated, he adds, attackers can poke around, seeking what may be achieved and/or invoked from the command line.
The recommendation, he says, is not to debate the topic of AETs, but rather to reconsider the protections that should be put in place.
Professor Walker also recommends that the first step in combating AET attacks is to assume they will succeed and develop a security strategy to defend the IT resource from the inside.
Guidance on how enterprises can address these issues is available. ISACA's recently released COBIT 5 for Information Security was designed in response to demand for security guidance that integrates other major frameworks and standards.