By Michael Arnone
June 7, 2005
Don't believe the hype about some of the computer security threats
emphasized in industry and the media, two Gartner Research analysts said.
Lawrence Orans, a principal research analyst, and John Pescatore, vice
president and research fellow, told attendees at the Gartner IT
Security Summit in Washington, D.C., not to fear going ahead with
projects that use voice over IP technology, Virtual Private Networks
over the Internet and wireless hot spots.
The computer-security experts also advised their audience not to waste
time or money on products they don't need to meet federal regulations
and protect against malware on mobile devices.
The men debunked five popular security myths:
* Eavesdropping risks make VOIP telephony too insecure to use.
Industry and the media overhype the danger of eavesdropping because it
is as easy to eavesdrop on voice packets in a network as on data
packets, Orans said. But eavesdropping is rare because perpetrators
must access an IP phone through the company's intranet, he said.
Companies that follow best practices to protect their data should have
no trouble protecting their Internet telephony operations, Orans said.
Eavesdroppers can be caught easily by scanning the network for unusual
behavior, he said.
Companies can encrypt their voice traffic to prevent trouble, but that is
only necessary if they encrypt their data as well, he said. They can
also use Internet-telephony handsets and tailor their firewalls to
allow scanning, he said.
* Malware on mobile devices will cause major business disruptions in
the near future.
The hype about antivirus products to protect cell phones and PDAs has
been around since 2001, Pescatore said. But he said he predicted that
viruses and other malware used against wireless mobile devices won't
cost more than antivirus protections against them until the end of
2007 at the earliest.
More Americans need to use smart phones and PDAs with always-on
wireless capability, Pescatore said. Only 3 percent of American users
had such items in 2004 and only 10 percent will have them by the end
of 2005, they said. Mobile malware won't become an issue until more
than 30 percent of Americans have them, he said.
Additionally, mobile malware attacks won't become a real threat until
the users of these wireless items commonly send locally executed
software, he said.
Lastly, too many operating systems and applications are in use to
allow a large-scale attack, Pescatore said. One phone operating system
will need at least 50 percent of the market and two others 20
percent each to make such attacks feasible, he said. But "we may never
reach the point where we don't have diversity in the cell phone
operating system world," he said.
Antivirus software on a phone won't protect against attacks on the
wireless network, Pescatore said. "The end-client solution for malware
is doomed," he said. It's more effective to block viruses on the
network, he said. A potential attack method, however, could be
hijacking a telecom company's ability to automatically update users'
phones' operating systems, he said.
Industry and government must create policies for using mobile devices
and requiring network-based malware protection, Pescatore said.
* Viruses will not destroy the Internet.
Named after Andy Warhol's "15 minutes of fame" quip, a Warhol worm
infects all vulnerable computers on the Internet within 15 minutes,
Orans said. Only one such virus has appeared so far - the SQL Slammer
worm in 2003, he said.
Slammer doubled the number of infected computers every 8.5 seconds,
Orans said. The attack just clogged most Internet Service Providers
and did not affect most of the backbone, he said. The worm replicated
itself until it ran out of bandwidth to keep propagating, he said.
Companies and the government should feel confident that the Internet
is powerful and robust enough to handle their Virtual Private
Networks, Orans said. In the next few years, he predicted, the Internet
will meet performance and security needs for 70 percent of business traffic
and more than 50 percent of corporate wide-area-network traffic.
* Compliance with government regulations equals security.
The increased federal regulation prompted by Sarbanes-Oxley and
similar legislation does not automatically lead to more security,
Pescatore said. Organizations accommodating the explosion of new
reporting requirements must ensure that their efforts lead to
effective changes in how they operate, he said.
"Investing in reporting over controls is security bulimia," Pescatore
said. "We vomited out all these results but now we're weaker," he said.
Organizations should use Sarbanes-Oxley and other legislation to
justify priority shifts in 2006, Pescatore said. He said he predicted
that the next round of regulatory legislation will concern identity
* Wireless hot spots are unsafe.
The threat of "evil twins" setting up rogue access points to fool
unsuspecting Internet users into thinking they are on real sites and
then divulging confidential information is a red herring, Orans said.
Users should use 802.1X protection, use token passwords instead of set
ones, and use corporate VPNs for security, Orans said. Locations that
offer hotspots should use software that monitors for evil twins and
follow best practices for mobile end points, he said. Locations and
users should also set up firewalls and turn off file- and
print-sharing software in a wireless hot spot, he said.
An unofficial poll of audience members found that 32 percent of those
attending the talk thought that regulatory compliance was the most
important of the five threats.