Gartner: Relax about overhyped security threats

Don’t believe the hype about some of the computer security threats emphasized in industry and the media, two Gartner Research analysts said today.

Lawrence Orans, a principal research analyst, and John Pescatore, vice president and research fellow, told attendees at the Gartner IT Security Summit in Washington, D.C., not to fear going ahead with projects that use voice over IP technology, Virtual Private Networks over the Internet and wireless hot spots.

The computer-security experts also advised their audience not to waste time or money on products they don’t need to meet federal regulations and protect against malware on mobile devices.

The men debunked five popular security myths:

* Eavesdropping risks makes VOIP telephony too insecure to use.

Industry and the media overhype the danger of eavesdropping because it is as easy to eavesdrop on voice packets in a network as on data packets, Orans said. But eavesdropping is rare because perpetrators must access an IP phone through the company’s intranet, he said.

Companies that follow best practices to protect their data should have no trouble protecting their Internet telephony operations, Orans said. Eavesdroppers can be caught easily by scanning the network for unusual behavior, he said.

Companies can encrypt their voice traffic to prevent trouble but is only necessary if they encrypt their data as well, he said. They can also use Internet-telephony handsets and tailor their firewalls to allow scanning, he said.

* Malware on mobile devices will cause major business disruptions in the near future.

The hype about antivirus products to protect cell phones and PDAs has been around since 2001, Pescatore said. But he said he predicted that viruses and other malware used against wireless mobile devices won’t cost more than antivirus protections against them until the end of 2007 at the earliest.

More Americans need to use smart phones and PDAs with always-on wireless capability, Pescatore said. Only 3 percent of American users had such items in 2004 and only 10 percent will have them by the end of 2005, they said. Mobile malware won’t become an issue until more than 30 percent of Americans have them, he said.

Additionally, mobile malware attacks won’t become a real threat until the users of these wireless items commonly send locally executed software, he said.

Lastly, too many operating systems and applications are in use to allow a large-scale attack, Pescatore said. One phone operating system will need at least 50 percent of the market and two others have 20 percent each to make such attacks feasible, he said. But “we may never reach the point where we don’t have diversity in the cell phone operating system world,” he said.

Antivirus software on a phone won’t protect against attacks on the wireless network, Pescatore said. “The end-client solution for malware is doomed,” he said. It’s more effective to block viruses on the network, he said. A potential attack method, however, could be hijacking a telecom company’s ability to automatically update users’ phones’ operating systems, he said.

Industry and government must create policies for using mobile devices and requiring network-based malware protection, Pescatore said.

* Viruses will not destroy the Internet.

Named after Andy Warhol’s “15 minutes of fame” quip, a Warhol worm infects all vulnerable computers on the Internet within 15 minutes, Orans said. Only one such virus has appeared so far – the SQL Slammer worm in 2003, he said.

Slammer doubled the number of infected computers every 8.5 seconds, Orans said. The attack just clogged most Internet Service Providers and did not affect most of the backbone, he said. The worm replicated itself until it ran out of bandwidth to keep propagating, he said.

Companies and the government should feel confident that the Internet is powerful and robust enough to handle their Virtual Private Networks, Orans said. In next few years, he predicted that Internet will meet performance and security for 70 percent of business traffic and more than 50 percent of corporate wide-area-network traffic.

* Compliance with government regulations equals security.

The increased federal regulation prompted by Sarbanes-Oxley and similar legislation does not automatically lead to more security, Pescatore said. Organizations accommodating the explosion of new reporting requirements must ensure that their efforts lead to effective changes in how they operate, he said.

“Investing in reporting over controls is security bulimia,” Pescatore said. “We vomited out all these results but now we’re weaker,” he said.

Organizations should use Sarbanes-Oxley and other legislation to justify priority shifts in 2006, Pescatore said. He said he predicted that the next round of regulatory legislation will concern identity theft.

* Wireless hot spots are unsafe.

The threat of "evil twins" setting up rogue access points to fool unsuspecting Internet users into thinking they are on real sites and then divulging confidential information is a red herring, Orans said.

Users should use 802.1X protection, use token passwords instead of set ones, and use corporate VPNs for security, Orans said. Locations that offer hotspots should use software that monitors for evil twins and follow best practices for mobile end points, he said. Locations and users should also set up firewalls and turn off file- and print-sharing software in a wireless hot spot, he said.

An unofficial poll of audience members found that 32 percent of those attending the talk thought that regulatory compliance was the most important of the five threats.