It’s time to consider overhyped security threats

WASHINGTON – Some security threats, including those aimed at IP telephony and mobile devices, are overblown, two Gartner analysts say, and they caution that misplaced security concerns may distract from fighting real problems.

Lawrence Orans, principal analyst at Gartner, and John Pescatore, vice president and Gartner fellow, say that while attacks on IP telephony and mobile devices may come eventually, current warnings about security problems are ahead of actual attacks.

Voice is no more insecure than e-mail, Orans said. “Securing IP telephony is very similar to securing a data-only network,” Orans said during a presentation this week at the Gartner IT Security Summit in Washington, D.C. “The fact that you could capture packets with e-mail isn’t being covered in the trade publications.”

Recent concerns about eavesdropping on IP telephony calls have discounted the fact that it’s nearly impossible to eavesdrop without being inside of the building where an IP call is initiated or received, with eavesdroppers needing access to the corporate LAN, he said. “It’s not really happening on any networks today,” he said.

Not everyone agreed with Gartner’s assessment, however. Companies deploying IP telephony or voice over IP services do need to pay attention to security, and users of IP telephony need to protect not only the end-device phones and IP servers, but also signaling and other voice equipment, said Stan Quintana, vice president of managed security services for AT&T. “It’s a slightly different, more complex equation than data networks,” he said.

The two Gartner analysts see large businesses delaying IT improvements such as wireless LANs because of “overhype” over security threats, they said.

Too much hype on some threats may distract businesses from focusing on other, real threats, added Tom Grubb, vice president of marketing for Vormetric, a data security vendor. This year, a series of massive data breaches at several large companies have occurred, and protecting against data theft, and protecting against insider threats, may be more important than worrying about issues such as malware for mobile devices, he said.

“I think their point was, these things may be threats, but you have to keep your eye on the ball,” added Grubb, who attended the Gartner summit.

ID theft and spyware are threats that have gotten a lot of attention lately because they are real, prevalent risks, added Richard Stiennon, vice president of threat research for Webroot Software, an antispyware software vendor.

Some security vendors have focused on malware for so-called smart phones and other mobile devices, but such devices run on a number of operating systems, unlike the Windows dominance on desktop and laptop computers, Pescatore said. Without a dominant mobile operating system for at least a couple of years, mobile viruses or worms will have a limited impact, he said.

“For any piece of software, somebody can write an attack,” Pescatore added. “The key issue is: can somebody write [a mobile attack] that will spread quickly and rapidly and cause more damage to your enterprise than it will cost you to prevent that damage?”

Some security software vendors have hyped mobile malware as a potential problem as a way to expand their business beyond the traditional desktop and laptop markets, Pescatore said. Only about 3 percent of consumers and workers have smart phones and PDAs (personal digital assistants) with always-on wireless connections right now, he added.

“You can see the glint in the antivirus vendors’ eyes when they think of the billion mobile phones out there,” added Webroot’s Stiennon.

A representative of antivirus vendor Symantec said the company isn’t trying to hype mobile device threats, but trying to educate users as mobile devices become capable of storing more information. While mobile device security isn’t a big issue now, that could change in coming years, said Vincent Weafer, senior director of Symantec Security Response.

“The risk changes dramatically in a short amount of time,” Weafer said.”What we’re trying to tell people is, if they’re deploying these devices, they should deploy them in the right way.”

Vormetric’s Grubb agreed that mobile malware shouldn’t be a top-priority concern for most large businesses, but mobile device security is becoming an issue. As more workers use more powerful mobile devices, companies need to be concerned with the physical security of mobile devices and about what mobile devices are downloading from their networks, he said.

Companies need to be concerned about what kinds of malware mobile devices can bring into a corporate network, added AT&T’s Quintana. “The convergence of our networks is a double-edged sword,” he said. “It’s providing a high level of risk. It’s not overhyped.”

Also on the list of overhyped security threats, according to Orans and Pescatore:

— Fast-moving worms that infect the entire Internet within minutes will make the Web unreliable for business traffic and virtual private networks (VPNs) . While the SQL slammer worm in 2003 did much of its damage within 15 minutes, that’s the only such example so far of a so-called Warhol worm, Orans said. The analysts predicted that the public Internet will continue to remain a low-cost, safe alternative to closed data networks, although they recommended companies consider using VPNs.

— Wireless hot spots are unsafe. While uneducated wireless users can fall victim to hackers, corporations have tools such as VPNs to protect wireless data, Pescatore said. Some wireless carriers and wireless security vendors also offer tools that validate an access point’s identity and reduces the risk of connecting to a hacker’s access point.

Targeted attacks on corporate networks, not picking off wireless user data, is where the money is, said Reed Taussig, chief executive officer of Vormetric. “That’s a much larger return on investment than sitting around Starbucks waiting for someone to enter a credit card at Amazon.com,” Taussig added. “Hanging around at Starbucks waiting for someone to make a mistake is the definition of a stupid criminal.”

— Finally, the Gartner analysts suggested that some vendors are hyping regulatory compliance as a way to achieve security. Regulations such as the U.S. Sarbanes-Oxley financial reporting rules are focused primarily on other issues besides IT, but many corporations remained concerned about compliance reporting, Pescatore said.

“[The hype] often distracts that spending into compliance reporting rather than increasing security,” he said.

Steve Roop, vice president of marketing for data loss prevention vendor Vontu agreed. “There’s a large number of solutions providers who claim that what they do is the silver bullet,” he said.