Quick Hits

Ten Emerging Threats Your Company May Not Know About

Some new attacks get a lot of attention. Here's a look at 10 that haven't, but ought to be on your radar
[The following is excerpted from "Ten Threats Your Company May Not Know About," a new report posted this week on Dark Reading's Vulnerabilities and Threats Tech Center.]

Security professionals are certainly not at a loss for things to worry about. Indeed, the list of threats to corporate systems and the data they contain is very long, and IT departments are constantly challenged in their efforts to mitigate these risks. Unfortunately, the security threats you know about are only the proverbial tip of the iceberg. Lying underneath the churning waves of business requirements and technology shifts is the bottom of the berg -- a threat that's scariest because it's largely unknown.

In this Dark Reading report, we examine the cybersecurity threats that are lying in wait -- the ones that are especially dangerous because there are unknown or little understood.

Some of these threats have been around for some time but are growing in the risk they present to businesses; others are newly emerging, often on the heels of new products or practices being adopted by the enterprise.

In all cases, however, enterprise IT professionals must work to develop their understanding of these threats, build a plan for guarding against them, and educate end users and executive management about the risk they present and how security best practices can and should be leaned on.

1. Embedded Systems
One of the biggest -- but perhaps best hidden -- emerging threats is embedded systems. Internet systems are increasingly embedded into devices and applications that we use every day -- not only in the workplace, but in our homes, as well. What many companies don't realize is that each of these seemingly innocuous systems is essentially an Internetf-facing server, and as such has everything an attacker would need to access the corporate network.

"From a network perspective, they are just another PC or another server," says Gunter Ollmann, CTO of security services provider IOActive. "If it can plug into your network, it is now a PC that's now attached to your network and is operating as a PC. They hold the functionality that is desirable for an attacker, either for a compromise or for navigating deeper into the organization's network."

If companies do realize that the embedded systems found in everything from smartphones to thermostats are dangerous, they may not know where they are all located or how to deal with patching should the need arise.

2. BYOD/Mobile
The ubiquity of mobile devices -- especially smartphones and tablets -- is creating significant change in the way we live and work. This, in turn, has created vast new threat vectors against which attackers can wage their cyber battles.

The BYOD -- or bring your own device -- model is very enticing for businesses looking both to cut costs and keep their employees happy. Employees have been using their own devices in the workplace for years, but the practice until recently was generally discouraged as a matter of policy. But as mobile devices have gotten more sophisticated and more widely used by employees in their personal lives, many organizations have decided that if you can't beat 'em, it makes sense to join 'em.

The trouble is, not every organization has taken the time and care to put mobile device management or other technology protections in place.

Experts agree that the security of BYOD programs can be achieved only through a combination of technology, policy and -- perhaps most importantly -- education. The last goes for both end users and IT staff.

3. App Stores
Experts who spoke with Dark Reading say there has never been a time when more applications have been loaded onto more devices than now. And with all this variety comes risk -- especially in the form of app stores.

Every major device maker has an app store, and mobile device choices are often made based in no small part on the number and quality of apps available for them. But apps -- and app stores -- differ in quality and the level to which apps are vetted.

Apple, for example, requires that apps be signed by the vendor and checked for policy and quality. Android apps, on the other hand, can be selfs-igned and require no policy and quality checks.

Many companies are battling app store dangers -- and exerting more control over the app development process -- by essentially opening their own app stores.

Gartner predicts that 25% of enterprises will have their own app stores within the next four years, stating that such stores address many of the governance and business-value issues that companies face when it comes to apps.

Security pros will need to make sure that apps that are accessing corporate systems are safe and updated. And for in-house apps, special care will need to be taken to ensure that no holes are introduced as the app is being developed. A new report from Cenzic indicates that 99% of tested applications are vulnerable to attack.

To see the other seven emerging threats -- and get some advice on what to do about them -- download the free report from Dark Reading.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.