8 Most Overlooked Security Threats

Businesses know the obvious security threats to watch for, but some of the biggest dangers may not be at the top of their minds.

There's always a new security threat to worry about, whether it's from the latest breach headline or a cyberattack on your business. It's almost impossible to keep track of every factor putting an organization at risk.

There is no avoiding the reality that cybercrime, or cyber espionage, will hit. Attackers are employing methods across the spectrum to deliver malware and steal credentials, from old vectors like malvertising to new ones like appliances connected to the Internet of Things.

Every security expert has a different perspective on which threats should be top of mind and which ones businesses aren't paying enough attention to. Here, a few security pros weigh in on the threats flying under the enterprise security radar.

Kelly Sheridan is an Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Poor encryption practices

Businesses aren't overlooking encryption, but they are overlooking proper encryption practices. Most have mastered encrypting data in transit but fail to secure data at rest, so they never get encryption's full value.

"If we don't have the security platform in place -- the key controls, identity access management -- encryption is nothing," says Optiv's Dawn-Marie Hutchinson. Breakdowns in identity strategy and soft data management practices leave information at risk.

Sloppy key management also lowers the barrier to entry for cybercriminals. Many businesses store encryption keys on the same system as the data and give the keys to many employees. "When everyone has access to the keys, it's the same as not being locked," she adds.

Malvertising

Malvertising has fallen off the radar over the last year or so, says Jerome Segura, lead malware intelligence analyst at Malwarebytes. It remains a threat but for a new pool of targets.

Attackers previously targeted high-profile media sites with malware but learned those attacks generated a lot of attention, he explains. Now they've begun turning to smaller brand names with plenty of traffic but less visibility: foreign websites and file-sharing sites, for example.

"Those typically also don't care as much about visitors as a more high-profile website would," Segura continues; as a result, malvertising often gets overlooked. "How much do you care about ensuring ads are clean and appropriate?"

Attackers primarily rely on malicious ads to generate revenue, but the ads are also used to collect identities or install malware that can later add a machine to a botnet. Contractors are more likely to overlook malvertising than full-time employees who manage websites.

"A team that's not full-time on the project won't be as familiar from start to finish," says Logan Kipp, WordPress evangelist at SiteLock. "They often overlook [malicious ads] because they look like they belong," and unless they know to look at the source code, it won't seem suspicious.

Full-timers who maintain the app every day are more likely to notice if something is amiss. Businesses can mitigate the risk of malvertising by patching systems and using ad blockers.

Internet of Things

"If there's anything under the radar, it's IoT devices that people don’t think are IoT devices," says Jeremiah Grossman, chief of security strategy at SentinelOne.

When many people think of IoT devices, they think of smart accessories or connected appliances. "It's not necessarily all small devices," Grossman continues. "It's also the bigger things, like industrial control systems." He recalls Target's 2013 breach, which started with the infiltration of an HVAC system.

That said, businesses are also unaware of how new IoT devices outside critical infrastructure are putting them at risk, says Dawn-Marie Hutchinson, executive director of the Office of the CISO at Optiv.

Sixty-four percent of Americans work from home, and their connected refrigerators, for example, can put corporate data at risk if hacked. But most people are unaware of the risk and don't properly secure their home networks -- a problem that extends to the enterprise.

"If your refrigerator is hackable, and it's on your network along with your laptop, what's protecting it?" she asks. Businesses know to protect their critical infrastructure, but they're less aware of how connected home appliances, baby monitors, and door locks affect security.

Part of the problem with IoT security is that manufacturers don't provide long-term support, leaving the technologies exposed. From their perspective, says Segura, it makes more sense to discontinue a product after less than ten years because the cost of changing hardware is so high.

In-memory attacks

Grossman says in-memory attacks amount to 20% to 30% of the infections he sees every day. Attackers execute malware by having the victim launch it from a malicious Word or Excel document or via the browser on an infected webpage.

"It's known, but mostly only to the insiders," he says of fileless threats, which are the primary reason why antivirus measures don't work. AV systems operate by matching signatures against binaries; when an attack runs in memory with no binary, there is nothing for a signature to match.

"Fileless attacks are a much more difficult threat to catch because there's no trace on the disk," says Malwarebytes' Segura. In-memory attacks are interesting because delivery is extremely stealthy and chances of getting caught are slim. Once a machine is rebooted, the attack is gone.

"It's a good attack vector for most consumers and businesses, but an even better one when it comes to targeted attacks, when you want to leave a minimal footprint on the machine," he adds.

Grossman says businesses can defend against in-memory attacks by disabling macros on any endpoint or computer that doesn't need them; he notes that most do not.

Open-source app development widgets

"A few years ago, when we built an app, we thought about it," says BluVector CEO Kris Lovejoy. Now, the people building applications are third-party agencies with little security experience, and they're skipping the checkpoints and testing used in the past.

Developers build and test apps in development environments that are not secure, with tools that may be malicious. Attackers can target apps still in production, and even non-critical apps can be gateways to more sensitive information.

"People are using technologies built by the bad guys," she explains. "The way in which we buy and integrate software components has fundamentally changed."

Today's developers create applications with frameworks and widgets. They prefer open-source tools, and many of those components were built by threat actors. Many of them are looking for backdoors to steal employee information.

While developers don't necessarily need security training, they should work with the security teams to ensure they are doing the right thing. Lovejoy notes how automation can help developers make secure decisions without always being aware of it.

"Evil maid" attacks

As more people bring unencrypted corporate devices to home offices, cafes, hotels, airports, and other Internet-connected places, they increase the risk of attack. Grossman notes the danger of leaving a laptop unattended in a place where someone might be able to access it.

"When someone has physical access to your computer, they should be able to hack it unless you have full hard drive encryption," he says. "Evil maid" attacks, for example, target unattended machines in order to steal information or install malware. They go unnoticed because the device isn't physically stolen.

There are other ways business travel can drive security risk, Grossman explains. Execs often log into their email accounts from computers at the business center of a conference hall or hotel. "There's no reason why those machines couldn't be passively monitoring everything you're entering," he notes.

Mobilization of data

More people rely on mobile devices to do their jobs, but businesses aren't taking steps to secure data stored on them. The growing mobilization of data is posing a threat.

"We're moving to a time where laptops are becoming passe," says Hutchinson. "People are working from smartphones, tablets … we have to access a lot of data on those devices, which are not built for data storage the way laptops are."

There's a lot of configuration management that has to be done to ensure users are storing data in the right place, and not in their personal iCloud accounts, Hutchinson continues.

It's not only corporate data at risk. Many end-users don't think twice about handing over social information, either. They enter data for freebies and discounts; they take silly quizzes like "What country should you live in?" and in doing so, give away their email addresses, usernames, and Facebook information. All this data becomes publicly available in a data breach.

Undereducated employees

Optiv's Hutchinson says a "fundamental lack of personal privacy and understanding of data security" is a threat overlooked not only in business but in society as a whole.

Security is commonly considered a technology problem, not a problem for everyone in the business. Students are immersed in technology at a young age but don't get their first brush with cybersecurity practices until they're already part of the workforce.

"We graduate MBA students without an understanding of cybersecurity, and then we act surprised when the board doesn't understand cybersecurity," she says. As a result, everyone relies on the CISO for security -- and the CISO can't prevent all breaches alone.

"One of the reasons we need more security and privacy training early on is to help people understand how pervasive data can be and the impact it can have on your personal life if you don't protect it," says Lovejoy.

It's important to extend training to everyone in the organization. Hackers target lower-level employees who have access to sensitive information but have weaker security practices than executives who are more aware of risks.

"Nobody thinks they're accountable," says Hutchinson. "But every company is a technology company. Everything we do is online."