Malware is a core information security topic, something that virtually every security awareness program covers. As such, we update the NoticeBored malware module once a year to remind our audiences about the ever-present malware risks ... which means we have covered it several times already and, to be frank, we're getting ever so slightly bored by it! We try to find different angles every time to keep interest levels up: this year, thanks to a customer suggestion, we have focused on APTs - Advanced Persistent Threats - which combine sophisticated malware with other methods of penetrating targeted organizations, hence there are a few mentions of social engineering, hacking and physical intrusion as well as classic malware in the module.
A recent upsurge in reports, mostly from the US, about the Chinese state-sponsored spies and hackers is timely since APTs are undoubtedly part of their arsenal. However, Stuxnet (at least) was an APT attack allegedly sponsored or conducted by the US plus Israel. Other nations such as the French are known to be active in the same field, and I rather suspect many more are playing the game, just a bit more discreetly. In other words, I'm sure this is not solely a Chinese issue, and America is not the poor helpless victim some xenophobic US commentators imply.
[By the way, a lively debate around that topic might be a worthwhile awareness exercise in itself. Is the Chinese cyber-threat over-rated? Aren't we ignoring the fact that our most dangerous adversaries are the ones we don't even recognize as such? And what of our own governments: exactly how trustworthy are they?]
The severity of APT risks and the limitations of available information security controls (particularly if you don't have a bottomless pit of money!) makes this a rather dark and depressing topic for information security and risk management professionals. We have done our best to point out in the module that there are things organizations ought to be doing in relation to APTs, however, and those who do so will simultaneously improve their controls against ordinary malware and those other attack methods I noted above, even if they don't actually make much headway against APTs. Industrial espionage, commercial sabotage and information theft are issues that should concern us all. Being aware of the threat is the first step towards doing something about it, so get in touch to add APTs to your security awareness program's list of topics.