[ISN] Gartner: Relax about overhyped security threats

InfoSec News isn at c4i.org
Wed Jun 8 05:04:09 EDT 2005


By Michael Arnone
June 7, 2005

Don't believe the hype about some of the computer security threats 
emphasized in industry and the media, two Gartner Research analysts 
said today.

Lawrence Orans, a principal research analyst, and John Pescatore, vice 
president and research fellow, told attendees at the Gartner IT 
Security Summit in Washington, D.C., not to fear going ahead with 
projects that use voice over IP technology, Virtual Private Networks 
over the Internet and wireless hot spots.

The computer-security experts also advised their audience not to waste 
time or money on products they don't need to meet federal regulations 
and protect against malware on mobile devices.

The men debunked five popular security myths:

* Eavesdropping risks make VOIP telephony too insecure to use.

Industry and the media overhype the danger of eavesdropping because it 
is as easy to eavesdrop on voice packets in a network as on data 
packets, Orans said. But eavesdropping is rare because perpetrators 
must access an IP phone through the company's intranet, he said.

Companies that follow best practices to protect their data should have 
no trouble protecting their Internet telephony operations, Orans said. 
Eavesdroppers can be caught easily by scanning the network for unusual 
behavior, he said.

Companies can encrypt their voice traffic to prevent trouble, but doing 
so is only necessary if they encrypt their data as well, he said. They can 
also use Internet-telephony handsets and tailor their firewalls to 
allow scanning, he said.

* Malware on mobile devices will cause major business disruptions in 
  the near future.

The hype about antivirus products to protect cell phones and PDAs has 
been around since 2001, Pescatore said. But he said he predicted that 
viruses and other malware used against wireless mobile devices won't 
cost more than antivirus protections against them until the end of 
2007 at the earliest.

More Americans need to use smart phones and PDAs with always-on 
wireless capability, Pescatore said. Only 3 percent of American users 
had such items in 2004 and only 10 percent will have them by the end 
of 2005, they said. Mobile malware won't become an issue until more 
than 30 percent of Americans have them, he said.

Additionally, mobile malware attacks won't become a real threat until 
the users of these wireless items commonly send locally executed 
software, he said.

Lastly, too many operating systems and applications are in use to 
allow a large-scale attack, Pescatore said. One phone operating system 
will need at least 50 percent of the market and two others have 20 
percent each to make such attacks feasible, he said. But "we may never 
reach the point where we don't have diversity in the cell phone 
operating system world," he said.

Antivirus software on a phone won't protect against attacks on the 
wireless network, Pescatore said. "The end-client solution for malware 
is doomed," he said. It's more effective to block viruses on the 
network, he said. A potential attack method, however, could be 
hijacking a telecom company's ability to automatically update users' 
phones' operating systems, he said.

Industry and government must create policies for using mobile devices 
and requiring network-based malware protection, Pescatore said.

* Viruses will not destroy the Internet.

Named after Andy Warhol's "15 minutes of fame" quip, a Warhol worm 
infects all vulnerable computers on the Internet within 15 minutes, 
Orans said. Only one such virus has appeared so far - the SQL Slammer 
worm in 2003, he said.

Slammer doubled the number of infected computers every 8.5 seconds, 
Orans said. The attack just clogged most Internet Service Providers 
and did not affect most of the backbone, he said. The worm replicated 
itself until it ran out of bandwidth to keep propagating, he said.

Companies and the government should feel confident that the Internet 
is powerful and robust enough to handle their Virtual Private 
Networks, Orans said. In the next few years, he predicted, the Internet 
will meet performance and security requirements for 70 percent of 
business traffic and more than 50 percent of corporate 
wide-area-network traffic.

* Compliance with government regulations equals security.

The increased federal regulation prompted by Sarbanes-Oxley and 
similar legislation does not automatically lead to more security, 
Pescatore said. Organizations accommodating the explosion of new 
reporting requirements must ensure that their efforts lead to 
effective changes in how they operate, he said.

"Investing in reporting over controls is security bulimia," Pescatore 
said. "We vomited out all these results but now we're weaker," he 

Organizations should use Sarbanes-Oxley and other legislation to 
justify priority shifts in 2006, Pescatore said. He said he predicted 
that the next round of regulatory legislation will concern identity 

* Wireless hot spots are unsafe.

The threat of "evil twins" setting up rogue access points to fool 
unsuspecting Internet users into thinking they are on real sites and 
then divulging confidential information is a red herring, Orans said.

Users should use 802.1X protection, use token passwords instead of set 
ones, and use corporate VPNs for security, Orans said. Locations that 
offer hotspots should use software that monitors for evil twins and 
follow best practices for mobile end points, he said. Locations and 
users should also set up firewalls and turn off file- and 
print-sharing software in a wireless hot spot, he said.

An unofficial poll of audience members found that 32 percent of those 
attending the talk thought that regulatory compliance was the most 
important of the five threats.
