
Security Strategy

Gartner: Don't believe the tech security myths

Worried about Warhol worms? Afraid of the evil twin? Don't believe the hype...

Tags: gartner

By Stephen Withers

Published: 25 July 2005 13:45 BST

A Gartner analyst has sought to debunk the most common security myths affecting the technology industry.

Research director Amrit Williams identified so-called threats to IP telephony, wireless technologies, the internet and business conduct and explained how they could be overcome at a Gartner security summit in Melbourne this week.

The first proposition he tackled was that "IP telephony was unsafe".

The threats are similar to those facing a data network, the main difference being the criticality of voice communications and the expectation of reliability.

So, Williams said, the answers are the same: guard the IP PBX with a firewall, an Intrusion Prevention System (IPS) and other products, just as a server is protected.

If mobile workers need "softphones" - software that simulates a real phone - ensure their notebooks are protected by personal firewalls and other mechanisms, he said.

"Encryption is probably overkill" for most organisations, he added.

The second proposition he tackled was that "mobile malware will cause widespread damage".

The analyst pointed out that smart phones and wireless-equipped personal digital assistants have not reached the critical mass necessary for malware to spread widely. The fact that several platforms are used in such devices also mitigates security concerns.

Users of mobile devices are not in the habit of sending executables to each other, he added. And he pointed out that new devices get new software - and users replace handsets frequently - so there is relatively little old software in the installed base.

Gartner believes there will be limited wireless malware activity next year but carrier networks should provide malware protection by 2007. As a stopgap measure, Williams said, processes for managing company- and employee-owned devices should be developed, and carriers should be required to describe their plans for 'in the cloud' network-based protection when responding to requests for proposals.

He then moved on to debunk the view that "Warhol worms" will make the internet unusable for business traffic and VPNs (virtual private networks).

The idea that a worm could infect every vulnerable system on the internet within 15 minutes is a worrying proposition, as hardly anybody would have time to take defensive action. But the only worm that has spread very quickly was SQL Slammer, said Williams. In any case, he said, a worm attack was far more likely to cause a brownout than a complete blackout.

Gartner's position was that the internet would meet performance and security requirements for 70 per cent of business-to-business traffic and more than half of corporate WAN (wide area network) traffic.

Internet reliability might not be perfect but it is good enough for most purposes, Gartner said, citing research showing 89 per cent of organisations that have switched from frame relay or ATM (asynchronous transfer mode) to IP links were 'somewhat' or 'extremely' satisfied with the results.

On the proposition that regulatory compliance "equalled" security, he said the real threat is that companies spend more on reporting than on security.

Focus on the critical security processes, identify products that implement your security architecture, and use regulations to justify priority acquisitions and to support your 2006 budget - and then repeat the process each year, he said.

Williams also suggested organisations should start preparing for the imposition of regulations relating to identity theft. "This is an important one", he said, as loss of personal data such as credit card numbers "is happening on almost a weekly basis".

The analyst’s final target was the notion that "wireless hotspots were unsafe".

There has been a lot of coverage of the 'evil twin' threat - whereby a malicious individual poses as a legitimate wireless provider to con users into connecting a wireless device to a rogue hotspot in order to gain access to their personal details - but Gartner viewed the problem as overstated. Endpoint software from AirDefense, AirMagnet and T-Mobile thwarts evil twins, said Williams, while VPNs prevent eavesdropping.

When combined with best practices for mobile endpoints, including disabling file and print sharing, and running personal firewalls, antivirus and intrusion prevention systems, there is no good reason to stop mobile workers from using hotspots, he said.

"Don't let these over-hyped threats prevent you from implementing important projects," Williams concluded.

Stephen Withers writes for ZDNet Australia
