Attacks/Breaches
5/13/2013
07:09 AM
Dark Reading
Dark Reading
Quick Hits
50%
50%

Ten Emerging Threats Your Company May Not Know About

Some new attacks get a lot of attention. Here's a look at 10 that haven't, but ought to be on your radar

[The following is excerpted from "Ten Threats Your Company May Not Know About," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

Security professionals are certainly not at a loss for things to worry about. Indeed, the list of threats to corporate systems and the data they contain is very long, and IT departments are constantly challenged in their efforts to mitigate these risks. Unfortunately, the security threats you know about are only the proverbial tip of the iceberg. Lying underneath the churning waves of business requirements and technology shifts is the bottom of the berg -- a threat that's scariest because it's largely unknown.

In this Dark Reading report, we examine the cybersecurity threats that are lying in wait -- the ones that are especially dangerous because there are unknown or little understood.

Some of these threats have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.

In all cases, however, enterprise IT professionals must work to develop their understanding of these threats, build a plan for guarding against them, and educate end users and executive management about the risk they present and how security best practices can and should be leaned on.

1. Embedded Systems
One of the biggest -- but perhaps best hidden -- emerging threats is embedded systems. Internet systems are increasingly embedded into devices and applications that we use every day -- not only in the workplace, but in our homes, as well. What many companies don't realize is that each of these seemingly innocuous systems is essentially an Internetf-facing server, and as such has everything an attacker would need to access the corporate network.

"From a network perspective, they are just another PC or another server," says Gunter Ollmann, CTO of security services provider IOActive. "If it can plug into your network, it is now a PC that's now attached to your network and is operating as a PC. They hold the functionality that is desirable for an attacker, either for a compromise or for navigating deeper into the organization's network."

If companies do realize that the embedded systems found in everything from smartphones to thermostats are dangerous, they may not know where they are all located or how to deal with patching should the need arise.

2. BYOD/Mobile
The ubiquity of mobile devices -- especially smartphones and tablets -- is creating significant change in the way we live and work. This, in turn, has created vast new threat vectors against which attackers can wage their cyber battles.

The BYOD -- or bring your own device -- model is very enticing for businesses looking both to cut costs and keep their employees happy. Employees have been using their own devices in the workplace for years, but the practice until recently was generally discouraged as a matter of policy. But as mobile devices have gotten more sophisticated and more widely used by employees in their personal lives, many organizations have decided that if you can't beat 'em, it makes sense to join 'em.

The trouble is, not every organization has taken the time and care to put mobile device management or other technology protections in place.

Experts agree that the security of BYOD programs can be achieved only through a combination of technology, policy and -- perhaps most importantly -- education. The last goes for both end users and IT staff.

3. App Stores
Experts who spoke with Dark Reading say there has never been a time when more applications have been loaded onto more devices than now. And with all this variety comes risk -- especially in the form of app stores.

Every major device maker has an app store, and mobile device choices are often made based in no small part on the number and quality of apps available for them. But apps -- and app stores -- differ in quality and the level to which apps are vetted.

Apple, for example, requires that apps be signed by the vendor and checked for policy and quality. Android apps, on the other hand, can be selfs-igned and require no policy and quality checks.

Many companies are battling app store dangers -- and exerting more control over the app development process -- by essentially opening their own app stores.

Gartner predicts that 25% of enterprises will have their own app stores within the next four years, stating that such stores address many of the governance and business-value issues that companies face when it comes to apps.

Security pros will need to make sure that apps that are accessing corporate systems are safe and updated. And for in-house apps, special care will need to be taken to ensure that no holes are introduced as the app is being developed. A new report from Cenzic indicates that 99% of tested applications are vulnerable to attack.

To see the other seven emerging threats -- and get some advice on what to do about them -- download the free report from Dark Reading.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
candacemcdowell8
50%
50%
candacemcdowell8,
User Rank: Apprentice
5/26/2013 | 11:27:56 PM
re: Ten Emerging Threats Your Company May Not Know About
As the article so brilliantly points out, one of the biggest tools for a secure BYOD environment is education. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have about 95% of the doctors in compliance. One of the other things we are doing is making our own app for employees that uses the Tigertext Tigerconnect API as well a HIPAA email app to make it easier for employees to comply with the BYOD policy.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?