As more businesses rely on the internet for remote working and commerce, their risk of cyber attacks increases. Security experts report a rise of more than 50% in digital attacks compared to last year, and the year hasn’t ended yet. One of the most insidious of all cyber attacks is the advanced persistent threat (APT) attack.

Advanced Persistent Threat (APT) Overview and Management

What Is Advanced Persistent Threat?

An advanced persistent threat is an attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected. Instead of a haphazard phishing scheme, APT involves specific objectives that target networks to do long-term damage. APT attacks as they are now known to cyber security professionals began before 2005. Since that time, cyber security experts have had a chance to observe and identify APT threats and risks.

While APT attacks are highly customized to their intended targets, they all seem to follow a similar pattern. They all have clearly defined, tangible objectives. For instance, a cyber criminal can use spear phishing emails to gain access to a network, but those emails are just a means to an end. She really wants network access only long enough to input fake credentials into its login system. With her new login credentials, she can legitimately access the organization’s computer system shortly before it makes a lucrative initial public offering announcement.

Other characteristics of APT attacks include lengthy reconnaissance activities, high levels of skill, and numerous tools. It’s common for cyber criminals to invest months gathering intelligence about a target’s computer system prior to an attack. They show advanced skills throughout the attacks. You’ll notice people who are just as adept at pulling off social engineering scams as they are with crafting malicious code on the fly. While most conventional hackers rely on second-rate digital tools to cause mischief, APT cyber criminals use methods and tools that are mostly associated with government intelligence agencies. APT attacks are often carried out by groups of cyber criminals.

Examples of Advanced Persistent Threats

APT attacks happen for a variety of reasons. Cyber activists such as Anonymous can act on a rumor that a company isn’t being socially responsible and conduct a denial of service attack on the organization’s network. A government-sponsored cyber spy group could get orders to find and steal information regarding a breakthrough component that was developed by a manufacturing company in a foreign country.

Here are some real-world examples of APT attacks that have recently occurred.

Iran has been under economic sanctions for decades, and the actions have taken a toll on the nation’s finances. According to an APT watchdog community, the Iranian government sponsored hackers to find vulnerable networks, infiltrate them, and sell access to those breached networks to other cyber criminals for a steady stream of passive income.

One of the reasons why Iran continues to be under economic sanctions is its nuclear program. Economic pressure hasn’t stopped Iran from developing nuclear products. As a result, the United States and Israel are believed to have co-developed a piece of malware that can spy on and sabotage industrial control systems at power plants to halt Iran’s nuclear power development efforts.

How Serious Are Advanced Persistent Threats?

The risk to computer systems is very high when cyber criminals employ APT attacks. The risk to an organization’s reputation is even higher. APT attacks that breach networks put everyone’s personal data at risk. Depending on the malware and attack methods, cyber criminals can access user names, customer contact information, and employee records. When an APT attack is socially or politically motivated, cyber bullies can make a company look irresponsible or unethical with planted evidence, and the company won’t have an opportunity to defend itself against the accusations.

When dealing with government-sponsored APT attacks, the stakes get even higher. Countries that gather and tally votes electronically can have election results skewed by foreign governments, rogue domestic enemies, or both. Unethical governments can also steal intellectual property from commercial enterprises in other countries to strengthen their own economies.

Is Your Organization at Risk for an APT Attack?

A variety of public and private-sector entities become targets of APT attacks. While financial institutions and technology companies are obviously at risk, APT cyber criminals most often attack organizations that receive, store, and transmit people’s personal information. Some of these organizations include telecommunications companies, medical facilities, and universities.

Your company is also at risk if it provides critical products and services to the public. One way to destabilize a region is to shut down its power grid. Using spear phishing emails and some clever social engineering techniques, cyber terrorists can infect systems with malware and stop power from reaching residents and business owners.

Challenges for Detecting and Minimizing APT Risks

The subtle nature of APT attacks makes them hard to detect, combat, and prevent. Cyber criminals who pull off APT attacks stalk their targets and take measured actions to gain information. Cyber security professionals only have a small window of opportunity to detect a threat and pursue protective actions. Once cyber criminals gain access to a network, they don’t follow the common script of conventional hackers. Their responses are highly adaptive, which means that IT staff members are unlikely to understand the nature of the attacks until the cyber criminals accomplish their objectives.

Most conventional hackers operate on limited budgets and steal personal information as a side hustle. Many cyber thieves who perpetrate APT attacks appear to be heavily funded. Deep pockets allow them to wage sophisticated warfare for longer periods of time. As a result, APT attacks lead to mass data theft that further erodes the security of a company, its employees, and its customers.

Ways to Secure Your Organization Against APT

An advanced persistent threat is an attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected. Instead of treating APT attacks like conventional hacking schemes, you’ll need to know the lifecycle of APT attacks to safeguard your organization against them.

Here are the steps in the APT lifecycle:

– Select target based on objectives
– Introduce target to an organized team
– Get or develop tools
– Gather intelligence on target’s employees and network
– Do a test to guard against early detection
– Breach the system
– Collect data and transmit it externally
– Increase access and get legitimate log-in credentials
– Cover digital tracks to stay hidden

Having in-house or contract Identity and Access Management (IAM) professionals strengthen your company’s policies and protocols for network user access helps to stop APT cyber criminals at nearly every phase of the APT lifecycle. Installing firewalls and enabling email protections are standard practices for advanced threat protection (ATP). Many IAM professionals recommend ATP tools that support quarantining of suspicious files, data encryption, and IP blacklisting. They may also suggest that your organization conduct quarterly ATP security audits.


Cyber criminals who launch APT attacks are usually sophisticated programmers who are armed with an extensive arsenal of digital tools and intelligence data. While APT scenarios seem nearly impossible to guard against, there are protocols and tools that can help. Protection begins with knowing the typical APT lifecycle and applying the right mitigation strategies at each phase.

Facial recognition systems were the stuff of science fiction and spy novels just a few years ago. Now, the technology has been widely deployed, and privacy advocates are raising alarm bells. A facial recognition system captures a picture of a person’s face, analyzes the person’s profile, and uses algorithms to match it to other pictures and bits of information that are stored in massive data warehouses. While these systems offer clear benefits to businesses and government agencies, they present one of the biggest threats to privacy in modern history. Here are some ways that this technology is used today, the top privacy risks associated with facial recognition systems, and the legal challenges that organizations face when using these systems.

Privacy Implications of Using Facial Recognition Systems

Uses for Facial Recognition Systems in the Public and Private Sectors

Organizations that are driving demand for facial recognition systems include law enforcement agencies, technology companies, and retail establishments. Here are some ways that they benefit from the technology.

Improved Physical Security

When someone commits a crime, police officers have limited time to identify and capture the criminal. By using facial recognition systems, law enforcement agents can scan large crowds and pick up the trail of criminals before they skip out of town.

Human trafficking is a growing problem in many cities. Children and adults who go missing are often victims of elaborate trafficking operations. Police use facial recognition systems to find missing persons and arrest human traffickers. Many human trafficking victims cross the borders in the United States, which is one of the reasons why facial recognition systems are so popular with the U.S. Customs and Border Protection agency.

Convenient, Non-Contact Identification

Politics and public safety are often at odds in today’s society. When a law enforcement agent stops a person for questioning about a crime, no one really knows whether the stop is a case of biased profiling or a legitimate interrogation action. With facial recognition systems, police can quickly narrow down their search to a specific person. They don’t need to physically stop a group of look-alikes with intimidating interrogation tactics just to find out that none of them were responsible for any crimes.

Biometric-Based Data Security

Cyber attacks are on the rise, and hackers take aim at financial technology (FinTech) companies the hardest. Besides encouraging users to create strong passwords and implementing two-step authentication methods for account access, FinTech companies turn to biometric-inspired data security solutions such as facial recognition systems to prevent fraud.

Customer-Centric Marketing

The retail market is more competitive than ever before. To gain an edge, many stores personalize advertisements and services to gain loyal customers. For instance, a person enters a store, and the retailer’s facial recognition system identifies the customer based on her facial contours. The system can link the person’s picture to other images and data in the person’s social media account. The information can be used to give the customer personalized messages about sale items that she likes and give her directions to those items while she shops in the store.

What Personal Data Is Collected?

Most people’s personal privacy doesn’t hinge on a single piece of data. When a system collects several pieces of data and combines them with other available information, the person risks exposure. Here are some of the data that facial recognition systems collect.

Facial Features

Facial recognition systems primarily collect and store data on a person’s facial features. This data is compared with other available data sets to create a visual portfolio of the person’s unique profile.


Besides taking note of your facial features for instant identification, facial recognition systems can record your location data. This data is date stamped and can be used for illegal tracking purposes.

Facial Expressions

Facial recognition systems that are equipped with machine-learning and artificial intelligence technologies do more than just capture your mugshot. They can detect facial expressions and determine your state of mind at a given period of time.

What Are the Privacy Risks?

Taking someone’s picture without his or her consent and posting it online is considered an invasion of privacy. The use of facial recognition systems has far wider implications.

Technology Inaccuracy

While law enforcement agencies sing the praises of facial recognition systems as an easy way to identify crime suspects, recent research about these systems should give everyone pause. According to a study that Wired published, facial recognition systems are not as effective at correctly identifying Black females as they are at identifying Caucasian women and men. For a Caucasian woman, these systems have a one in 10,000 chance for an error. A Black female has a one in 1,000 chance of being falsely identified by facial recognition systems.

Supports Illegal Searches

Police officers who use facial recognition systems to catch up to suspects could use a flawed product to gain probable cause for conducting an illegal search. If the person protests the illegal search on the spot, he or she could be arrested and jailed for disorderly conduct.

Collected Data Vulnerable to Cyber Attacks

It’s great that FinTech companies are beefing up their security with biometric data access. However, the collected data about a person’s unique face can be hacked and used to gain access to banking accounts and e-wallets.

Legal Challenges of Using Facial Recognition

The legal hurdles surrounding the use of facial recognition systems relate to the processing of this sensitive data without the public’s knowledge or consent. The very nature of some facial recognition activities warrants secrecy, such as when a police officer is working on a human trafficking case. However, the secret use of facial recognition systems to collect and store data about the general public leaves the door open for misuse. Here are some examples of laws and legal cases that challenge the free collection, storage, and use of facial recognition data.

Regional and National Privacy Regulations

While the use of facial recognition systems is becoming more widespread in countries such as the United States, China, and Singapore, many countries are banning their use. European nations already have the General Data Protection Regulation that bans the processing of biometric facial recognition data without legal clearance and the consent of EU citizens. A Swedish school put the regulation to the test with a pilot study of student attendance that was conducted using facial recognition software. The school didn’t get permission from the students to perform the facial recognition activities, and it was fined over $20,000 for the infraction.

State Privacy Protection Laws and Bans

In 2015, Facebook was challenged with a lawsuit after it collected and stored facial recognition data without the consent of some Illinois Facebook users. Illinois has a decades-old law that prohibits the collection and storage of biometric data without the express consent of the person who’s under surveillance. While Facebook fought back, the tech giant lost in court and will pay half a billion dollars in settlement money to the Illinois users whose facial recognition data was stolen.

In many cases, cities are more proactive about stopping the use of facial recognition systems than most states. San Francisco, Oakland, and Boston have all banned the use of facial recognition software by city agencies, which include police departments.


Whether one likes it or not, facial recognition systems are here to stay. Now, legislative agencies must do the hard work and generate updated laws that catch up to a modern, technology-driven society.
