07:09 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly

Ten Emerging Threats Your Company May Not Know About

Some new attacks get a lot of attention. Here's a look at 10 that haven't, but ought to be on your radar

[The following is excerpted from "Ten Threats Your Company May Not Know About," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

Security professionals are certainly not at a loss for things to worry about. Indeed, the list of threats to corporate systems and the data they contain is very long, and IT departments are constantly challenged in their efforts to mitigate these risks. Unfortunately, the security threats you know about are only the proverbial tip of the iceberg. Lying underneath the churning waves of business requirements and technology shifts is the bottom of the berg -- a threat that's scariest because it's largely unknown.

In this Dark Reading report, we examine the cybersecurity threats that are lying in wait -- the ones that are especially dangerous because there are unknown or little understood.

Some of these threats have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.

In all cases, however, enterprise IT professionals must work to develop their understanding of these threats, build a plan for guarding against them, and educate end users and executive management about the risk they present and how security best practices can and should be leaned on.

1. Embedded Systems
One of the biggest -- but perhaps best hidden -- emerging threats is embedded systems. Internet systems are increasingly embedded into devices and applications that we use every day -- not only in the workplace, but in our homes, as well. What many companies don't realize is that each of these seemingly innocuous systems is essentially an Internetf-facing server, and as such has everything an attacker would need to access the corporate network.

"From a network perspective, they are just another PC or another server," says Gunter Ollmann, CTO of security services provider IOActive. "If it can plug into your network, it is now a PC that's now attached to your network and is operating as a PC. They hold the functionality that is desirable for an attacker, either for a compromise or for navigating deeper into the organization's network."

If companies do realize that the embedded systems found in everything from smartphones to thermostats are dangerous, they may not know where they are all located or how to deal with patching should the need arise.

2. BYOD/Mobile
The ubiquity of mobile devices -- especially smartphones and tablets -- is creating significant change in the way we live and work. This, in turn, has created vast new threat vectors against which attackers can wage their cyber battles.

The BYOD -- or bring your own device -- model is very enticing for businesses looking both to cut costs and keep their employees happy. Employees have been using their own devices in the workplace for years, but the practice until recently was generally discouraged as a matter of policy. But as mobile devices have gotten more sophisticated and more widely used by employees in their personal lives, many organizations have decided that if you can't beat 'em, it makes sense to join 'em.

The trouble is, not every organization has taken the time and care to put mobile device management or other technology protections in place.

Experts agree that the security of BYOD programs can be achieved only through a combination of technology, policy and -- perhaps most importantly -- education. The last goes for both end users and IT staff.

3. App Stores
Experts who spoke with Dark Reading say there has never been a time when more applications have been loaded onto more devices than now. And with all this variety comes risk -- especially in the form of app stores.

Every major device maker has an app store, and mobile device choices are often made based in no small part on the number and quality of apps available for them. But apps -- and app stores -- differ in quality and the level to which apps are vetted.

Apple, for example, requires that apps be signed by the vendor and checked for policy and quality. Android apps, on the other hand, can be selfs-igned and require no policy and quality checks.

Many companies are battling app store dangers -- and exerting more control over the app development process -- by essentially opening their own app stores.

Gartner predicts that 25% of enterprises will have their own app stores within the next four years, stating that such stores address many of the governance and business-value issues that companies face when it comes to apps.

Security pros will need to make sure that apps that are accessing corporate systems are safe and updated. And for in-house apps, special care will need to be taken to ensure that no holes are introduced as the app is being developed. A new report from Cenzic indicates that 99% of tested applications are vulnerable to attack.

To see the other seven emerging threats -- and get some advice on what to do about them -- download the free report from Dark Reading.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/26/2013 | 11:27:56 PM
re: Ten Emerging Threats Your Company May Not Know About
As the article so brilliantly points out, one of the biggest tools for a secure BYOD environment is education. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have about 95% of the doctors in compliance. One of the other things we are doing is making our own app for employees that uses the Tigertext Tigerconnect API as well a HIPAA email app to make it easier for employees to comply with the BYOD policy.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.