Gartner hits out at security hype

Enterprises are spending too much time and energy focusing on the wrong security issues as they buy into vendor hype designed to fuel fears and sell more products, Gartner warned on Thursday.

Rather than concentrate on doing the groundwork by undertaking vulnerability and patch management and ensuring that their servers are configured correctly, too many organisations get bogged down elsewhere, the analyst firm said.

According to John Pescatore, research director for internet security at Gartner, the biggest offender in terms of over-hyped IT security threats at the moment is compliance.

Although concerns amongst organisations on both sides of the Atlantic have hit fever pitch, a recent study by the US Securities and Exchange Commission indicated that less than half of one per cent of those companies audited in relation to Sarbannes-Oxley compliance suffered from deficient IT systems.

"The problems were mainly to do with people and processes rather than IT. The IT industry is trying to sell its products hard, but it’s not where the issue is at," Pescatore said.

Number two on the list is IP telephony and the menace of eavesdropping when Internet-based voice calls are taking place. In reality, however, such attacks are rare, not least because perpetrators have to be hooked up to the same local area network as the IP phone they are targeting.

"It’s pretty simple to use IP telephony securely using encryption technology, but the world won’t end if you don’t. The problem is if organisations fall for the hype and say, 'We’d better not do this at all because it’s insecure.' Their rivals will and they’ll gain competitive advantage," Pescatore said.

Last month, speaking at the VoIP for Business show in London, Nick Ogden of Voice Commerce Group dismissed some of the security risks associated with VoIP.

"If VoIP was being hacked, it would be on the front page of the newspapers. You'll always have the risk of a router being misconfigured -- but that's human error," said Ogden.

A third over-hyped hazard cited by Gartner is mobile viruses hitting devices such as PDAs and smartphones. Pescatore doesn’t expect this to pose a 'realistic' threat until the end of 2007 when always-on wireless appliances start to become widespread. Penetration of such devices is only expected to be about 10 per cent by the end of this year.

"Anti-virus vendors see huge potential profit opportunities in selling security solutions to billions of cell phone and PDA users. It sees cell phones, in particular, as the way to grow sales outside of a flat, commoditised PC market, but device-side anti-virus software will be completely ineffective," said Pescatore.

The best approach, he believes, is for service providers to block malware at the network-level and he expects this to become a widespread practice by the end of 2006.

Rather than trying to contain potential security problems by simply banning certain technologies that the business is likely to introduce by the back door anyway, Pescatore recommended that organisations take a proactive approach.

The first thing to focus on is vulnerability management because "no matter what the attack, there has to be a vulnerability in the system to take advantage of. The idea is if you’re going to swim in dangerous waters, ensure that you have no open wounds."

Key to this is ensuring that business-critical systems, especially if they are Microsoft Windows-based, are patched, up-to-date and configured properly.

"Check as often as you can to ensure that your systems are configured correctly. Both administrators and users make mistakes, but two out of three successful external attacks are due to mis-configured systems and hackers are constantly scanning the net on the lookout for this," he said.