Absorb the devastating security news: in a very short span earlythis year it was revealed that the New York Times, Wall Street Journal and Washington Post had suffered significant websitepenetration by highly skilled hackers who are believed to beassociated with the government of China.

If you are not afraid, you aren't paying attention.

What is occurring is a rapid ramp up of sophistication of cyberattackers and, in many cases, they are seeming to get the jump onthose tasked with protecting sensitive websites.

In the case of the big media hacks, it appears the hackersentered the systems with specific shopping lists in hand, namely,they wanted information pertaining to possible coverage of thewealth accumulated by outgoing Premier Wen Jiabao — said to have raked in a family fortune around $2.7 billion.

The Chinese hackers, apparently, wanted advance notice of whatwas coming out in print and they also wanted to sift through thework files of reporters on the story.

Traditional hacking is opportunistic, hit and miss and run. Putup a show of defense and, in many instances, that's plenty tothwart an attacker.

Not so what security professionals call APTs – advancedpersistent threats. “They are low and slow. Very targeted. Hard todefend against” said IBM Vice President Marc van Zadelhoff.

The apparently Chinese attackers did not want entry into anynewspaper. They wanted to crack the leading media that shapetop-level U.S. opinion about China. That's what they targeted.That's what they broke into.

“These are very sophisticated attackers,” said MichelangeloSidagni, chief technology officer at NopSec, a New York securityfirm. “They got log-in information for many reporters.”

Mandiant – the security firm brought in by the Timesand the Post to unravel what was occurring inside theirsystems – has issued a glum take on the outlook for APTs emanatingfrom Beijing. (The free report is here.) It expects no reduction in APTs and they may in factincrease.

How did the Chinese hackers gain entry into well-protectedsystems? The old-fashioned way, said Sidagni, who indicated theyapparently used phishing attacks that baited target reporters into clicking onlinks they shouldn't have. “People think hacking is technical butthe weakest link usually is human.”

It might take many months of emails before a target clicks on abad link but, with APT, time is on the attackers' side. Patience is their virtueand, sooner or later, they believe they will gain entry.

Protecting against this starts by recognizing that traditionalanti-virus tools are near to worthless. “There are many ways tobypass them,” said Sidagni.

He urged institutions to seriously monitor their intrusion logs– sometimes ignored by many organizations, he said.

As for exactly what else credit unions can do to toughen theirbarriers to entry against APT attackers, Ken Baylor – a vicepresident at NSS Labs and a former vice president for security atWells Fargo – said, “It's not easy. Guarding against attackers withthese skills and focus requires a complete re-think ofsecurity.”

He ominously added that there is ample evidence that, already,nation state APT attackers are sniffing around inside financialinstitutions. So far, he stressed, they have perpetrated no fraudsthat have been detected “They seem focused on gatheringinformation,” he said, and elaborated it might, for instance, behunting for data about who is paying a certain politician howmuch.

But that could change. These attacks could morph into classicfraud and, right now, many financial institutions are poorlydefended against this.

Ask yourself: how well defended are you?

And know the security bar has been nudged ever higher.