[ISN] Gartner: Relax about overhyped security threats
isn at c4i.org
Thu Jun 9 01:15:08 EDT 2005
Forwarded from: security curmudgeon <jericho at attrition.org>
: Gartner: Relax about overhyped security threats
: By Michael Arnone
: June 7, 2005
: Don't believe the hype about some of the computer security threats
: emphasized in industry and the media, two Gartner Research analysts said
First paragraph and this is just a set up for fun replies and cries of
hypocrisy! I guess it is all in the wording though, as "nations ..
conducting cyberwarfare" is very plausible, while "cyberterrorism" is
only theory? These are the same people who said this about
cyberterrorism: "To a large extent it comes down to motive.."
Gartner's information security and risk research director has
dismissed cyber-terrorism as a "theory".
Much like the nuclear threat during the Cold War in the last century,
cyberwarfare is a potential catastrophe that the U.S. and other
nations must be prepared to combat, Gartner Inc. said. Given the rate
of adoption of Internet-based technology, nations will have the
ability to conduct cyberwarfare by 2005.
The list of security items a company probably doesn't need within the
next five years includes personal digital signatures, quantum key
exchanges, passive intrusion detection, biometrics, tempest shielding
(to protect some devices from emanating decipherable data), default
passwords, or enterprise digital rights management outside of
workgroups, according to Victor Wheatman, vice president and research
area director at Gartner, based in Stamford, Conn.
With creative wording in mind, and Gartner's business model of pimping
"research", let's look at what they said.. and what they have said.
: The computer-security experts also advised their audience not to waste
: time or money on products they don't need to meet federal regulations
: and protect against malware on mobile devices.
If I am reading this right, Gartner says don't buy products/services that
are not needed to meet federal regulations? Because federal regulations
like HIPAA and SOX make systems secure? But more on that later..
: * Eavesdropping risks make VOIP telephony too insecure to use.
: Industry and the media overhype the danger of eavesdropping because it
: is as easy to eavesdrop on voice packets in a network as on data
: packets, Orans said. But eavesdropping is rare because perpetrators
: must access an IP phone through the company's intranet, he said.
In fact, VoIP is opening new channels for nations and terrorists to
engage in cyberwarfare, Fraley wrote in a January 2004 research note for Gartner.
While not specific to VOIP and eavesdropping, Gartner sure as hell states
that deploying VOIP can be a big blow to security:
"There are lots of concerns about security on VoIP," said Nick Jones [a
research vice-president for Gartner]. "Your security people may not
realise they are opening their network. You can't use deep packet
inspection. You just have to open up ports and hope everything is okay."
: * Malware on mobile devices will cause major business disruptions in
: the near future.
: The hype about antivirus products to protect cell phones and PDAs has
: been around since 2001, Pescatore said. But he said he predicted that
: viruses and other malware used against wireless mobile devices won't
: cost more than antivirus protections against them until the end of
: 2007 at the earliest.
This is an interesting prediction when compared to another Gartner made:
Prediction: By 2008, the technological differences between PCs, mobile
devices, e-books, TVs and cellular phones will be eradicated
Also interesting when Gartner blurs the line further:
Draper, Utah, May 20, 2005. Senforce Technologies Inc., the leader in
location-aware endpoint security enforcement, today announced the
company was placed in the Visionaries quadrant of Gartner, Inc.'s Magic
Quadrant for Personal Firewalls, 1H05*. Summarizing the report, Gartner
says Personal firewalls strengthen a company's perimeter defenses by
blocking attacks against individual workstations and mobile devices.
So if mobile devices are essentially becoming the same as any other
PC, and personal firewalls are key to protecting these devices,
doesn't that suggest the next big worm could cause just as much damage
to mobile devices as PCs? We know that they can cause more damage than
the cost of anti-virus.. simple logic says they can also do the same
to mobile devices.
: More Americans need to use smart phones and PDAs with always-on wireless
: capability, Pescatore said. Only 3 percent of American users had such
: items in 2004 and only 10 percent will have them by the end of 2005,
: they said. Mobile malware won't become an issue until more than 30
: percent of Americans have them, he said.
Is this because numbers define an 'issue'? If 999,999 people are hit
by a mobile device worm, no biggie. But if 1,000,000 are hit, then a
"million" becomes a significant number and it is now an issue? Why
30%? This seems to be picking arbitrary numbers for importance,
something I read about in an old book about lying with statistics.
: * Compliance with government regulations equals security.
: The increased federal regulation prompted by Sarbanes-Oxley and similar
: legislation does not automatically lead to more security, Pescatore
: said. Organizations accommodating the explosion of new reporting
: requirements must ensure that their efforts lead to effective changes in
: how they operate, he said.
: "Investing in reporting over controls is security bulimia," Pescatore
: said. "We vomited out all these results but now we're weaker," he said.
: Organizations should use Sarbanes-Oxley and other legislation to justify
: priority shifts in 2006, Pescatore said. He said he predicted that the
: next round of regulatory legislation will concern identity theft.
Err wait, I'm confused! Gartner said:
The computer-security experts also advised their audience not to waste
time or money on products they don't need to meet federal regulations
and protect against malware on mobile devices.
Am I reading this wrong? The double negatives in this sentence throw
me off I think... ?
: * Wireless hot spots are unsafe.
: The threat of "evil twins" setting up rogue access points to fool
: unsuspecting Internet users into thinking they are on real sites and
: then divulging confidential information is a red herring, Orans said.
Wi-Fi Users Should Beware 'Evil Twins'
The most recent cautionary advice came from UK researchers at Cranfield
University who indicated "evil twin" Wi-Fi or 802.11 wireless networks
may be used to pose as legitimate hot spots to steal passwords or other
Ken Dulaney, Gartner vice president of mobile computing, told
TechNewsWorld that the issue may have more significance with the
growing number of public Wi-Fi hot spots.
So is this an issue or not, Gartner? Perhaps Orans and Dulaney need to
have a sit down to figure out what the corporate line should be?