WASHINGTON - Some security threats, including those aimed at IP telephony and mobile devices, are overblown, two Gartner analysts
say, and they caution that misplaced security concerns may distract from fighting real problems.
Lawrence Orans, principal analyst at Gartner, and John Pescatore, vice president and Gartner fellow, say that while attacks
on IP telephony and mobile devices may come eventually, current warnings about security problems are ahead of actual attacks.
Voice is no more insecure than e-mail, Orans said. "Securing IP telephony is very similar to securing a data-only network,"
Orans said during a presentation this week at the Gartner IT Security Summit in Washington, D.C. "The fact that you could
capture packets with e-mail isn't being covered in the trade publications."
Recent concerns about eavesdropping on IP telephony calls have discounted the fact that it's nearly impossible to eavesdrop
without being inside of the building where an IP call is initiated or received, with eavesdroppers needing access to the corporate
LAN, he said. "It's not really happening on any networks today," he said.
Not everyone agreed with Gartner's assessment, however. Companies deploying IP telephony or voice over IP services do need
to pay attention to security, and users of IP telephony need to protect not only the end-device phones and IP servers, but
also signaling and other voice equipment, said Stan Quintana, vice president of managed security services for AT&T. "It's
a slightly different, more complex equation than data networks," he said.
The two Gartner analysts see large businesses delaying IT improvements such as wireless LANs because of "overhype" over security
threats, they said.
Too much hype on some threats may distract businesses from focusing on other, real threats, added Tom Grubb, vice president
of marketing for Vormetric, a data security vendor. This year, a series of massive data breaches at several large companies
have occurred, and protecting against data theft, and protecting against insider threats, may be more important than worrying
about issues such as malware for mobile devices, he said.
"I think their point was, these things may be threats, but you have to keep your eye on the ball," added Grubb, who attended
the Gartner summit.
ID theft and spyware are threats that have gotten a lot of attention lately because they are real, prevalent risks, added
Richard Stiennon, vice president of threat research for Webroot Software, an antispyware software vendor.
Some security vendors have focused on malware for so-called smart phones and other mobile devices, but such devices run on
a number of operating systems, unlike the Windows dominance on desktop and laptop computers, Pescatore said. Without a dominant
mobile operating system for at least a couple of years, mobile viruses or worms will have a limited impact, he said.
"For any piece of software, somebody can write an attack," Pescatore added. "The key issue is: can somebody write [a mobile
attack] that will spread quickly and rapidly and cause more damage to your enterprise than it will cost you to prevent that
damage?"
Some security software vendors have hyped mobile malware as a potential problem as a way to expand their business beyond the
traditional desktop and laptop markets, Pescatore said. Only about 3 percent of consumers and workers have smart phones and
PDAs (personal digital assistants) with always-on wireless connections right now, he added.
"You can see the glint in the antivirus vendors' eyes when they think of the billion mobile phones out there," added Webroot's
Stiennon.
A representative of antivirus vendor Symantec said the company isn't trying to hype mobile device threats, but trying to educate
users as mobile devices become capable of storing more information. While mobile device security isn't a big issue now, that
could change in coming years, said Vincent Weafer, senior director of Symantec Security Response.
"The risk changes dramatically in a short amount of time," Weafer said."What we're trying to tell people is, if they're deploying
these devices, they should deploy them in the right way."
Vormetric's Grubb agreed that mobile malware shouldn't be a top-priority concern for most large businesses, but mobile device
security is becoming an issue. As more workers use more powerful mobile devices, companies need to be concerned with the physical
security of mobile devices and about what mobile devices are downloading from their networks, he said.
Companies need to be concerned about what kinds of malware mobile devices can bring into a corporate network, added AT&T's
Quintana. "The convergence of our networks is a double-edged sword," he said. "It's providing a high level of risk. It's not
overhyped."
Also on the list of overhyped security threats, according to Orans and Pescatore:
-- Fast-moving worms that infect the entire Internet within minutes will make the Web unreliable for business traffic and
virtual private networks (VPNs) . While the SQL slammer worm in 2003 did much of its damage within 15 minutes, that's the
only such example so far of a so-called Warhol worm, Orans said. The analysts predicted that the public Internet will continue
to remain a low-cost, safe alternative to closed data networks, although they recommended companies consider using VPNs.
-- Wireless hot spots are unsafe. While uneducated wireless users can fall victim to hackers, corporations have tools such
as VPNs to protect wireless data, Pescatore said. Some wireless carriers and wireless security vendors also offer tools that
validate an access point’s identity and reduces the risk of connecting to a hacker’s access point.
Targeted attacks on corporate networks, not picking off wireless user data, is where the money is, said Reed Taussig, chief
executive officer of Vormetric. "That's a much larger return on investment than sitting around Starbucks waiting for someone
to enter a credit card at Amazon.com," Taussig added. "Hanging around at Starbucks waiting for someone to make a mistake is
the definition of a stupid criminal."
-- Finally, the Gartner analysts suggested that some vendors are hyping regulatory compliance as a way to achieve security.
Regulations such as the U.S. Sarbanes-Oxley financial reporting rules are focused primarily on other issues besides IT, but
many corporations remained concerned about compliance reporting, Pescatore said.
"[The hype] often distracts that spending into compliance reporting rather than increasing security," he said.
Steve Roop, vice president of marketing for data loss prevention vendor Vontu agreed. "There's a large number of solutions
providers who claim that what they do is the silver bullet," he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
