07:09 AM
Dark Reading
Dark Reading
Quick Hits

Ten Emerging Threats Your Company May Not Know About

Some new attacks get a lot of attention. Here's a look at 10 that haven't, but ought to be on your radar

[The following is excerpted from "Ten Threats Your Company May Not Know About," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

Security professionals are certainly not at a loss for things to worry about. Indeed, the list of threats to corporate systems and the data they contain is very long, and IT departments are constantly challenged in their efforts to mitigate these risks. Unfortunately, the security threats you know about are only the proverbial tip of the iceberg. Lying underneath the churning waves of business requirements and technology shifts is the bottom of the berg -- a threat that's scariest because it's largely unknown.

In this Dark Reading report, we examine the cybersecurity threats that are lying in wait -- the ones that are especially dangerous because there are unknown or little understood.

Some of these threats have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.

In all cases, however, enterprise IT professionals must work to develop their understanding of these threats, build a plan for guarding against them, and educate end users and executive management about the risk they present and how security best practices can and should be leaned on.

1. Embedded Systems
One of the biggest -- but perhaps best hidden -- emerging threats is embedded systems. Internet systems are increasingly embedded into devices and applications that we use every day -- not only in the workplace, but in our homes, as well. What many companies don't realize is that each of these seemingly innocuous systems is essentially an Internetf-facing server, and as such has everything an attacker would need to access the corporate network.

"From a network perspective, they are just another PC or another server," says Gunter Ollmann, CTO of security services provider IOActive. "If it can plug into your network, it is now a PC that's now attached to your network and is operating as a PC. They hold the functionality that is desirable for an attacker, either for a compromise or for navigating deeper into the organization's network."

If companies do realize that the embedded systems found in everything from smartphones to thermostats are dangerous, they may not know where they are all located or how to deal with patching should the need arise.

2. BYOD/Mobile
The ubiquity of mobile devices -- especially smartphones and tablets -- is creating significant change in the way we live and work. This, in turn, has created vast new threat vectors against which attackers can wage their cyber battles.

The BYOD -- or bring your own device -- model is very enticing for businesses looking both to cut costs and keep their employees happy. Employees have been using their own devices in the workplace for years, but the practice until recently was generally discouraged as a matter of policy. But as mobile devices have gotten more sophisticated and more widely used by employees in their personal lives, many organizations have decided that if you can't beat 'em, it makes sense to join 'em.

The trouble is, not every organization has taken the time and care to put mobile device management or other technology protections in place.

Experts agree that the security of BYOD programs can be achieved only through a combination of technology, policy and -- perhaps most importantly -- education. The last goes for both end users and IT staff.

3. App Stores
Experts who spoke with Dark Reading say there has never been a time when more applications have been loaded onto more devices than now. And with all this variety comes risk -- especially in the form of app stores.

Every major device maker has an app store, and mobile device choices are often made based in no small part on the number and quality of apps available for them. But apps -- and app stores -- differ in quality and the level to which apps are vetted.

Apple, for example, requires that apps be signed by the vendor and checked for policy and quality. Android apps, on the other hand, can be selfs-igned and require no policy and quality checks.

Many companies are battling app store dangers -- and exerting more control over the app development process -- by essentially opening their own app stores.

Gartner predicts that 25% of enterprises will have their own app stores within the next four years, stating that such stores address many of the governance and business-value issues that companies face when it comes to apps.

Security pros will need to make sure that apps that are accessing corporate systems are safe and updated. And for in-house apps, special care will need to be taken to ensure that no holes are introduced as the app is being developed. A new report from Cenzic indicates that 99% of tested applications are vulnerable to attack.

To see the other seven emerging threats -- and get some advice on what to do about them -- download the free report from Dark Reading.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/26/2013 | 11:27:56 PM
re: Ten Emerging Threats Your Company May Not Know About
As the article so brilliantly points out, one of the biggest tools for a secure BYOD environment is education. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have about 95% of the doctors in compliance. One of the other things we are doing is making our own app for employees that uses the Tigertext Tigerconnect API as well a HIPAA email app to make it easier for employees to comply with the BYOD policy.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

Published: 2015-07-06
Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

Published: 2015-07-06
Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields.

Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer rules links" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the (1) question and (2...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report