Gartner Forecasts the Next Big Threats

Gartner calls it the “consumerization” of IT -- the inevitable spillover of social networks, Google apps, iPhones, and other mainstream technology tools into the enterprise. And with it comes a whole new generation of threats.

“We’re finding a lot of clients calling it a ‘Generation X/Generation Y problem,’” where young users who have grown up with social networks and smart phones expect to be able to use these tools not only at home, but at work, says John Pescatore, vice president and research fellow at Gartner. “The old IT model that tells you what you can do and use [technology-wise] is breaking.”

Pescatore will reveal some new threats Gartner expects to emerge as a result of this and other trends, such as the move to software as a service (SaaS), at next week’s Gartner Security Summit in Washington, D.C. Among the main threats on Gartner’s list: attacks on SaaS providers, social network subversion, and desktop utility application attacks, he says.

Meanwhile, Pescatore says the consumerization of IT came a lot faster than he expected. “We have more clients saying their clients are asking ‘why can’t we use Google apps?’” The conventional wisdom until recently would have been no dice on bringing in these unmanaged and potentially risky apps to the business. But now, all that is starting to change, he says.

The move to SaaS has made it more difficult for IT to protect its own. “It used to be that I bought up a CRM app, installed it on a server, patched it, and took care of it. I could protect it,” he says. Now SaaS providers are doing that for IT, which has its obvious advantages as well as some risk.

Gartner expects attackers to streamline their attacks on organizations, and SaaS is one form of shared apps that could be exploited, Pescatore says. “The attacker could go after Proctor & Gamble -- or salesforce.com, which P&G uses, as well as hundreds of others,” he says. “They are going after shared code – software as a service, etc. – to magnify the impact of the attack."

The recent salesforce.com phishing attack was just a peek at the kind of attacks that will emerge in this space, he says.

Social network subversion, meanwhile, is basically where an attacker would exploit the trust of a social networking user by posing as a “friend,” for example, while launching a malware attack or stealing credentials. Pescatore says that although many businesses today still shun Facebook, MySpace, YouTube, and Twitter use at the office, that soon will change as the new generation of employees expects to use these tools. “And attackers exploit trust. We used to trust email addresses, so viruses and worms took advantage of that... Now people trust their ‘friends’ list,” he says.

Look for more attacks on social networks like the one where hackers infected Alicia Keys’s MySpace account and served up malware to its visitors -- Trojans posing as video codecs that redirected user searches to malicious sites, for instance. “Those types of attacks are going to multiply,” Pescatore says.

Socially acceptable social networking at work will also open the door for what Gartner calls desktop utility app attacks, or widget/gadget attacks. These are the applets that MySpace and Facebook let users create and share with their friends, everything from a widget to a virtual cocktail, for instance, all of which would be infected or used maliciously -- exploiting the trust of the social network in order to spread.

The goal is to get users to unwittingly carry that malware back to their enterprises and provide an opening to the attacker there, for example, according to Pescatore.

Gartner also expects a rise in attacks on virtual server environments, as well as in wireless networks. Another ominous threat: “There will be more tools to reverse-engineer enterprise applications on Websites,” Pescatore says. “Within two- to three years, these reverse-engineering tools will be so easy to use that the next round of application-level attacks will be against every type of software you can think of.”

With employees jumping on and off the enterprise network on the road and at home and using various unmanaged devices, enterprises need to look at security as a service to better protect them and the company’s data, Pescatore says. “IT is going to SaaS, so they are going to need security-as-a-service to deal with the issue that their users aren’t always using IT-approved [equipment] and any time they connect to the Internet, we need to force them to apply to some security policy,” such as malware-filtering or a network access control service, he says.

Pescatore didn't provide specific timeframes for these next-generation threats, but he says they could hit anywhere from two to six years from now.

“Threat forecasting is fun – it’s like weather forecasting and about as precise as weather forecasting,” Pescatore says. “But the key is if the climate changes, we want to understand it.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.