Gartner underscores five overblown threats

Two Gartner analysts debunk five overhyped security risks they claim are causing companies to miss out on some key emerging technologies.

They say a ship in a harbor is safe, but ships aren't meant to sit in the harbor. Two Gartner Inc. analysts maintain a similar mantra: Companies should fear the opportunities lost by not implementing some key emerging technologies more than their overhyped risks.

During its three-day IT Security Summit, analysts with the Stamford, Conn.-based research firm identified the five most overblown security threats to help companies decipher truth from hype.

Companies should not overreact to the following threats:

  • Internet Protocol telephony is unsafe.
  • Mobile malware will cause widespread damage.
  • "Warhol Worms" will make the Internet unreliable for business traffic and VPNs.
  • Regulatory compliance equals security.
  • Wireless hot spots are unsafe.

    "From a purely technical standpoint, you need to be concerned about all these things," said Lawrence Orans, principal analyst at Gartner. "But these are overhyped risks; we're encouraging companies to move ahead with implementing important projects, use common sense and best practices precautions, and don't spend time or money on things you don't need."

    According to Orans and John Pescatore, a vice president at Gartner, security attacks are actually rare occurrences for IP telephony. In fact, preventive measures for securing an IP telephony environment are akin to securing a data-only environment.

    The analysts' research found eavesdropping is the most overhyped IP telephony security risk. Orans and Pescatore advise companies to encrypt voice traffic to up the security ante.

    They said network and security managers should apply the same guidelines for encrypting voice traffic as they do data traffic because it is no more difficult to eavesdrop on voice packets than it is data packets.

    Gartner said mobile malware will primarily be a niche problem in the predictable future. Orans doesn't expect smartphones and PDAs with always-on wireless appliances to pose a "realistic" threat until the end of 2007, when he predicts widespread adoption of the technology.

    Warhol Worms can infect all vulnerable machines on the Internet within 15 minutes, such as the notorious "SQL Slammer" worm in 2003, according to Orans. However, he noted this is the only observed -- and exaggerated -- example of this type of worm.

    The analysts explained that regulations take a comparatively static look at issues and don't usually lead to higher levels of security.

    @11438 Orans said the best way to increase enterprise IT security is to buy and build software with innately less vulnerability. However, there has been no regulatory focus on this area as of yet. For now, he said, companies should focus on building stronger security processes and documenting the processes to later demonstrate regulatory compliance.

    The analysts claimed that through 2007 the Internet will meet performance and security requirements for 100% of business-to-consumer traffic, 70% of business-to-business traffic and more than half of corporate wide area network traffic.

    For wireless hot spots, Orans and Pescatore suggested mobile users implement 802.1X protected access points for facilitating encryption between mobile endpoints and the access point. Client-based software, such as offerings from AirDefense Inc. or AirMagnet Inc. or T-Mobile USA Inc.'s Connection Manager, can validate the access point's identity and ultimately reduce the risk of connecting to a hacker's access point.

  • Read more on Voice networking and VoIP