Gartner: Five most overhyped security threats

Research director Amrit Williams identified so-called threats to IP telephony, wireless technologies, the Internet and business conduct and explained how they could be overcome at a Gartner security summit in Melbourne this week.

The first proposition he tackled was that "IP telephony was unsafe".

The threats are similar to those facing a data network, the main difference being the criticality of voice communications and the expectation of reliability.

So, Williams said, the answers are the same: guard the IP PBX with a firewall, an Intrusion Prevention System (IPS) and other products just as how a server is protected.

Safeguard your network by implementing quality of service features to guarantee throughput for voice traffic and guard the endpoints by using IP handsets, he added.

If mobile workers need "softphones" -- software that simulates a real phone -- ensure their notebooks are protected by personal firewalls and other mechanisms.

"Encryption is probably overkill" for most organisations, said Williams. If you don't encrypt your data, why would you need to encrypt voice traffic?

The second proposition he tackled was that "mobile malware will cause widespread damage".

The analyst pointed out several factors that would prevent this happening in the short term. First, smartphones and wireless-equipped personal digital assistants have not reached the critical mass necessary for malware to spread widely.

Secondly, several platforms are used in such devices, whereas Windows is used on around 90 percent of desktop systems. Additionally, users of mobile devices aren't in the habit of sending executables to each other, except perhaps in Japan.

Finally, new devices get new software -- there's no need for developers to include support for obsolete hardware, and removing that code disposes of any vulnerabilities it may contain. Many people replace their handsets frequently, so there is relatively little old software in the installed base.

Gartner believes there will be limited wireless malware activity next year, but carrier networks should provide malware protection by 2007. So as a stopgap measure, Williams said, processes for managing company- and employee-owned devices should be developed, and carriers should be required to describe their plans for 'in the cloud' network-based protection when responding to request for proposals.

In the absence of that feature, customers could negotiate with their incumbent desktop security vendor for mobile device protection, "but it's unlikely you're going to need that any time soon".

He also debunked the view that "Warhol worms" will make the Internet unusable for business traffic and VPNs (virtual private networks).

The idea that a worm could infect every vulnerable system on the Internet within 15 minutes is a worrying proposition, as hardly anybody would have time to take defensive action. But the only worm that has spread very quickly was SQL Slammer, said Williams. In any case, he said, a worm attack was far more likely to cause a brownout rather than a complete blackout.

Gartner's position was that the Internet would meet performance and security requirements for 70 percent of business-to-business traffic and more than half of corporate WAN (wide area network) traffic.

Internet reliability might not be perfect, but it is good enough for most purposes, Gartner said, citing research showing 89 percent of organisations that have switched from frame relay or ATM (asynchronous transfer mode) to IP links were 'somewhat' or 'extremely' satisfied with the results.

The researcher advised companies to identify sites suited to IP VPN connectivity, starting with smaller and less strategic locations, but to continue to 'backhaul' traffic to central access points in order to leverage existing centralised security investments such as URL filtering and IM security.

On the proposition that regulatory compliance -equalled" security, he said the real threat is companies spend more on reporting than on security.

"Being compliant doesn't mean being secure," Williams warned. Most vendors pushing the compliance barrow just offer reporting, he said, warning that investment in that area as 'security bulimia' -- you've spent the money, but you're left in the same state as far as security is concerned.

"You have to align the compliance question with the security question" in order to keep the auditors happy and be secure, he said. So focus on the critical security processes, identify products that implement your security architecture, and use regulations to justify priority acquisitions and to support your 2006 budget -- and then repeat the process each year.

Williams also suggested organisations should start preparing for the imposition of regulations relating to identity theft. "This is an important one," as loss of personal data such as credit card numbers "is happening on almost a weekly basis".

The analyst's final target was the notion that "wireless hotspots were unsafe".

There has been a lot of coverage of the 'evil twin' threat -- whereby a malicious individual poses as a legitimate wireless provider to con users into connecting a wireless device to a rogue hotspot in order to gain access to their personal details -- but Gartner viewed the problem as overstated. Endpoint software from AirDefense, AirMagnet and T-Mobile thwarts evil twins, said Williams, while VPNs prevent eavesdropping.

When combined with best practices for mobile endpoints, including disabling file and print sharing, and running personal firewalls, antivirus and intrusion prevention systems, there is no good reason to stop mobile workers from using hotspots, he said.

"Don't let these overhyped threats prevent you from implementing important projects," Williams concluded.