Attacks/Breaches
5/13/2013
07:09 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Ten Emerging Threats Your Company May Not Know About

Some new attacks get a lot of attention. Here's a look at 10 that haven't, but ought to be on your radar

[The following is excerpted from "Ten Threats Your Company May Not Know About," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

Security professionals are certainly not at a loss for things to worry about. Indeed, the list of threats to corporate systems and the data they contain is very long, and IT departments are constantly challenged in their efforts to mitigate these risks. Unfortunately, the security threats you know about are only the proverbial tip of the iceberg. Lying underneath the churning waves of business requirements and technology shifts is the bottom of the berg -- a threat that's scariest because it's largely unknown.

In this Dark Reading report, we examine the cybersecurity threats that are lying in wait -- the ones that are especially dangerous because there are unknown or little understood.

Some of these threats have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.

In all cases, however, enterprise IT professionals must work to develop their understanding of these threats, build a plan for guarding against them, and educate end users and executive management about the risk they present and how security best practices can and should be leaned on.

1. Embedded Systems
One of the biggest -- but perhaps best hidden -- emerging threats is embedded systems. Internet systems are increasingly embedded into devices and applications that we use every day -- not only in the workplace, but in our homes, as well. What many companies don't realize is that each of these seemingly innocuous systems is essentially an Internetf-facing server, and as such has everything an attacker would need to access the corporate network.

"From a network perspective, they are just another PC or another server," says Gunter Ollmann, CTO of security services provider IOActive. "If it can plug into your network, it is now a PC that's now attached to your network and is operating as a PC. They hold the functionality that is desirable for an attacker, either for a compromise or for navigating deeper into the organization's network."

If companies do realize that the embedded systems found in everything from smartphones to thermostats are dangerous, they may not know where they are all located or how to deal with patching should the need arise.

2. BYOD/Mobile
The ubiquity of mobile devices -- especially smartphones and tablets -- is creating significant change in the way we live and work. This, in turn, has created vast new threat vectors against which attackers can wage their cyber battles.

The BYOD -- or bring your own device -- model is very enticing for businesses looking both to cut costs and keep their employees happy. Employees have been using their own devices in the workplace for years, but the practice until recently was generally discouraged as a matter of policy. But as mobile devices have gotten more sophisticated and more widely used by employees in their personal lives, many organizations have decided that if you can't beat 'em, it makes sense to join 'em.

The trouble is, not every organization has taken the time and care to put mobile device management or other technology protections in place.

Experts agree that the security of BYOD programs can be achieved only through a combination of technology, policy and -- perhaps most importantly -- education. The last goes for both end users and IT staff.

3. App Stores
Experts who spoke with Dark Reading say there has never been a time when more applications have been loaded onto more devices than now. And with all this variety comes risk -- especially in the form of app stores.

Every major device maker has an app store, and mobile device choices are often made based in no small part on the number and quality of apps available for them. But apps -- and app stores -- differ in quality and the level to which apps are vetted.

Apple, for example, requires that apps be signed by the vendor and checked for policy and quality. Android apps, on the other hand, can be selfs-igned and require no policy and quality checks.

Many companies are battling app store dangers -- and exerting more control over the app development process -- by essentially opening their own app stores.

Gartner predicts that 25% of enterprises will have their own app stores within the next four years, stating that such stores address many of the governance and business-value issues that companies face when it comes to apps.

Security pros will need to make sure that apps that are accessing corporate systems are safe and updated. And for in-house apps, special care will need to be taken to ensure that no holes are introduced as the app is being developed. A new report from Cenzic indicates that 99% of tested applications are vulnerable to attack.

To see the other seven emerging threats -- and get some advice on what to do about them -- download the free report from Dark Reading.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
candacemcdowell8
50%
50%
candacemcdowell8,
User Rank: Apprentice
5/26/2013 | 11:27:56 PM
re: Ten Emerging Threats Your Company May Not Know About
As the article so brilliantly points out, one of the biggest tools for a secure BYOD environment is education. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have about 95% of the doctors in compliance. One of the other things we are doing is making our own app for employees that uses the Tigertext Tigerconnect API as well a HIPAA email app to make it easier for employees to comply with the BYOD policy.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.