8 Most Overlooked Security Threats
Businesses know the obvious security threats to watch for, but some of the biggest dangers may not be top of mind.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt3ecd55b727e17661/64f0d8c16de1377ba6774287/overlooked-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
There's always a new security threat to worry about, whether it's from the latest breach headline or a cyberattack on your business. It's almost impossible to keep track of every factor putting an organization at risk.
There is no avoiding the reality that cybercrime, or cyber espionage, will hit. Attackers are employing methods across the spectrum to deliver malware and steal credentials, from old vectors like malvertising, to new ones like appliances connected to the Internet of Things.
Every security expert has a different perspective on which threats should be top of mind, and which ones businesses aren't paying enough attention to. Here, a few security pros weigh in on the threats they think are flying under the enterprise security radar.
Are there any threats you would add to this list? We'd like to keep the conversation going, so feel free to share your thoughts in the comments below.
Malvertising has fallen off the radar over the last year or so, says Jerome Segura, lead malware intelligence analyst at Malwarebytes. It still remains a threat, but for a new pool of targets.
Attackers previously targeted high-profile media sites with malware but learned those attacks generated a lot of attention, he explains. Now they've begun turning to smaller brand names with a lot of traffic but less visibility: foreign websites and file-sharing sites, for example.
"Those typically also don't care as much about visitors as a more high-profile website would," Segura continues; as a result, malvertising often gets overlooked. "How much do you care about making sure ads are clean and appropriate?"
Attackers primarily rely on malicious ads to generate revenue, but the ads are also used to collect identities or install malware that can be used to add a machine to a botnet in the future. Contractors are more likely to overlook malvertising than full-time employees who manage websites.
"A team that's not full time on the project won't be as familiar from start to finish," says Logan Kipp, WordPress evangelist at SiteLock. "They often overlook [malicious ads] because they look like they belong," and unless they know to look at the source code, it won't seem suspicious.
Full-timers who maintain the app every day are more likely to notice if something is amiss. Businesses can mitigate the risk of malvertising by patching systems and using ad blockers.
Businesses aren't overlooking encryption, but they are overlooking proper encryption practices. Most have mastered the encryption of data in transit but fail to secure data at rest, failing to give encryption its full value.
"If we don't have the security platform in place -- the key controls, identity access management -- encryption is nothing," says Hutchinson. Breakdowns in identity strategy and soft data management practices leave information at risk.
Sloppy key management also lowers the barrier to entry for cybercriminals. Many businesses store encryption keys on the same system as the data and give the keys to many employees. "When everyone has access to the keys, it's the same as not being locked," she adds.
Grossman says in-memory attacks amount to 20% to 30% of the infections he sees every day. Attackers execute malware by having the victim launch it from a malicious Word or Excel document, or via the browser on an infected webpage.
"It's known, but mostly only to the insiders," he says of fileless threats, which are the primary reason why antivirus measures don't work. AV systems operate by signaturing binaries; if there are no binaries in memory, then there are no signatures.
"Fileless attacks are a much more difficult threat to catch because there's no trace on the disk," says Malwarebytes' Segura. In-memory attacks are interesting because delivery is extremely stealthy and chances of getting caught are slim. Once a machine is rebooted, the attack is gone.
"It's a good attack vector for most consumers and businesses, but an even better one when it comes to targeted attacks, when you want to leave a minimal footprint on the machine," he adds.
Grossman says businesses can defend against in-memory attacks by disabling macros on any endpoint or computer that doesn't need them; he notes that most do not.
"A few years ago, when we built an app, we thought about it," says BluVector CEO Kris Lovejoy. Now, the people building applications are third-party agencies with little security experience, and they're skipping the checkpoints and testing used in the past.
Developers build and test apps in development environments that are not secure, with tools that may be malicious. Attackers can target apps still in production, and even non-critical apps can be gateways to more sensitive information.
"People are using technologies that were built by the bad guys," she explains. "The way in which we buy and integrate software components has fundamentally changed."
Today's developers create applications with frameworks and widgets. They prefer open-source tools, and a lot of those components were built by threat actors. Many of them are looking for backdoors to steal employee information.
While developers don't necessarily need security training, they should work with the security teams to ensure they are doing the right thing. Lovejoy notes how automation can help developers make secure decisions without always being aware of it.
As more people bring unencrypted corporate devices to home offices, cafes, hotels, airports, and other Internet-connected places, they increase the risk of attack. Grossman notes the danger of leaving a laptop unattended in a place where someone might be able to access it.
"When someone has physical access to your computer, they should be able to hack it unless you have full hard drive encryption," he says. "Evil maid" attacks, for example, target machines that have been left unattended for the purpose of stealing information or installing malware. They'll go unnoticed because the device isn't physically stolen.
There are other ways business travel can drive security risk, Grossman explains. Execs often log into their email accounts from computers at the business center of a conference hall or hotel. "There's no reason why those machines couldn't be passively monitoring everything you're entering," he notes.
Optiv's Hutchinson says a "fundamental lack of personal privacy and understanding of data security" is a threat not only overlooked in the business, but in society as a whole.
Security is commonly thought of as a technology problem, not a problem for everyone in the business. Students are immersed in technology at a young age but don't get their first brush with cybersecurity practices until they're already part of the workforce.
"We graduate MBA students without an understanding of cybersecurity, and then we act surprised when the board doesn't understand cybersecurity," she says. As a result, everyone relies on the CISO for security -- and the CISO can't prevent all breaches alone.
"One of the reasons why we need more security and privacy training early on is to help people understand how pervasive data can be and the impact it can have on your personal life if you don't protect it," says Lovejoy.
It's important to extend training to everyone in the organization. Hackers target lower-level employees who have access to sensitive information but weaker security practices than executives who are more aware of risks.
"Nobody thinks they're accountable," says Hutchinson. "But every company is a technology company. Everything we do is online."