[ISN] Gartner: Relax about overhyped security threats

InfoSec News isn at c4i.org
Thu Jun 9 01:15:08 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>

: Gartner: Relax about overhyped security threats
: http://www.fcw.com/article89119-06-07-05-Web
: By Michael Arnone
: June 7, 2005
: Don't believe the hype about some of the computer security threats 
: emphasized in industry and the media, two Gartner Research analysts said 
: today.

First paragraph and this is just a set up for fun replies and cries of
hypocrisy! I guess it is all in the wording though, as "nations ..  
conducting cyberwarfare" is very plausible, while "cyberterrorism" is
only theory? These are the same people who said this about
cyberterrorism: "To a large extent it comes down to motive.."

  Gartner's information security and risk research director has 
  dismissed cyber-terrorism as a "theory".  

  Much like the nuclear threat during the Cold War in the last century,
  cyberwarfare is a potential catastrophe that the U.S. and other
  nations must be prepared to combat, Gartner Inc. said. Given the rate
  of adoption of Internet-based technology, nations will have the
  ability to conduct cyberwarfare by 2005.

  The list of security items a company probably doesn't need within the
  next five years includes personal digital signatures, quantum key
  exchanges, passive intrusion detection, biometrics, tempest shielding
  (to protect some devices from emanating decipherable data), default
  passwords, or enterprise digital rights management outside of
  workgroups, according to Victor Wheatman, vice president and research
  area director at Gartner, based in Stamford, Conn.

With creative wording in mind, and Gartner's business model of pimping
"research", let's look at what they said.. and what they have said.

: The computer-security experts also advised their audience not to waste 
: time or money on products they don't need to meet federal regulations 
: and protect against malware on mobile devices.

If I am reading this right, Gartner says don't buy products/services that 
are not needed to meet federal regulations? Because federal regulations 
like HIPAA and SOX make systems secure? But more on that later..

: * Eavesdropping risks make VOIP telephony too insecure to use.
: Industry and the media overhype the danger of eavesdropping because it 
: is as easy to eavesdrop on voice packets in a network as on data 
: packets, Orans said. But eavesdropping is rare because perpetrators 
: must access an IP phone through the company's intranet, he said.

  In fact, VoIP is opening new channels for nations and terrorists to 
  engage in cyberwarfare, Fraley wrote in a January 2004 research note for Gartner.

While not specific to VOIP and eavesdropping, Gartner sure as hell states 
that deploying VOIP can be a big blow to security:

  "There are lots of concerns about security on VoIP," said Nick Jones [a 
  research vice-president for Gartner]. "Your security people may not 
  realise they are opening their network. You can't use deep packet 
  inspection. You just have to open up ports and hope everything is okay."

: * Malware on mobile devices will cause major business disruptions in 
:   the near future.
: The hype about antivirus products to protect cell phones and PDAs has 
: been around since 2001, Pescatore said. But he said he predicted that 
: viruses and other malware used against wireless mobile devices won't 
: cost more than antivirus protections against them until the end of 
: 2007 at the earliest.

This is an interesting prediction when compared to another Gartner made:

  Prediction: By 2008, the technological differences between PCs, mobile 
  devices, e-books, TVs and cellular phones will be eradicated

Also interesting when Gartner blurs the line further:

  Draper, Utah, May 20, 2005 - Senforce Technologies Inc., the leader in 
  location-aware endpoint security enforcement, today announced the 
  company was placed in the Visionaries quadrant of Gartner, Inc.'s Magic 
  Quadrant for Personal Firewalls, 1H05*. Summarizing the report, Gartner 
  says Personal firewalls strengthen a company's perimeter defenses by 
  blocking attacks against individual workstations and mobile devices.

So if mobile devices are essentially becoming the same as any other
PC, and personal firewalls are key to protecting these devices,
doesn't that suggest the next big worm could cause just as much damage
to mobile devices as PCs? We know that they can cause more damage than
the cost of anti-virus.. simple logic says they can also do the same
to mobile devices.

: More Americans need to use smart phones and PDAs with always-on wireless 
: capability, Pescatore said. Only 3 percent of American users had such 
: items in 2004 and only 10 percent will have them by the end of 2005, 
: they said. Mobile malware won't become an issue until more than 30 
: percent of Americans have them, he said.

Is this because numbers define an 'issue'? If 999,999 people are hit
by a mobile device worm, no biggie. But if 1,000,000 are hit, then a
"million"  becomes a significant number and it is now an issue? Why
30%? This seems to be picking arbitrary numbers for importance,
something I read about in an old book about lying with statistics.

: * Compliance with government regulations equals security.
: The increased federal regulation prompted by Sarbanes-Oxley and similar 
: legislation does not automatically lead to more security, Pescatore 
: said. Organizations accommodating the explosion of new reporting 
: requirements must ensure that their efforts lead to effective changes in 
: how they operate, he said.
: "Investing in reporting over controls is security bulimia," Pescatore 
: said. "We vomited out all these results but now we're weaker," he said.
: Organizations should use Sarbanes-Oxley and other legislation to justify 
: priority shifts in 2006, Pescatore said. He said he predicted that the 
: next round of regulatory legislation will concern identity theft.

Err wait, I'm confused! Gartner said:

  The computer-security experts also advised their audience not to waste  
  time or money on products they don't need to meet federal regulations 
  and protect against malware on mobile devices.

Am I reading this wrong? The double negatives in this sentence throw
me off I think... ?

: * Wireless hot spots are unsafe.
: The threat of "evil twins" setting up rogue access points to fool 
: unsuspecting Internet users into thinking they are on real sites and 
: then divulging confidential information is a red herring, Orans said.


  Wi-Fi Users Should Beware 'Evil Twins'

  The most recent cautionary advice came from UK researchers at Cranfield 
  University who indicated "evil twin" Wi-Fi or 802.11 wireless networks 
  may be used to pose as legitimate hot spots to steal passwords or other 
  personal information

  Ken Dulaney, Gartner vice president of mobile computing, told 
  TechNewsWorld that the issue may have more significance with 
  the growing number of public Wi-Fi hot spots.

So is this an issue or not Gartner? Perhaps Orans and Dulaney need to
have a sit down to figure out what the corporate line should be?
