Slashdot Mirror


Gartner Debunks Over-Hyped Security Threats

TPIRman writes "At Gartner's recent IT Security Summit, the research company's analysts identified five over-hyped security concerns. Among the supposed FUD are mobile malware, unsafe VoIP, and cracker-friendly wireless hotspots. Gartner, which has made a name for itself tracking hype, claims that irrational anxiety is holding back technologies that offer benefits greater than their security risks. A Techworld columnist argues, though, that Gartner is sending mixed messages."

12 of 134 comments

  1. Gartner, debunk yourself by Gothmolly · · Score: 5, Insightful

    From the department of wishful thinking:
    Gartner, please debunk yourself as anything other than a PHB-opinion-bolstering old boys club. I battle the Powers That Be here constantly - any proposal is met with "well what does Gartner say about it?". Take your magic quadrant, and... well, you know.
    If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another).

    Gartner is just a multiplicity of Dvoraks, all groupthinking what the Next Big Thing is.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Gartner, debunk yourself by Calyth · · Score: 2, Insightful

      Besides that, they're being way too optimistic.
      Often companies' setups are not as secure as they should be.
      Sometimes it is that people are too lazy. Or they're too occupied with things assigned by the powers above.
      Example:
      Company that I'm temporarily working in as a techie has approximately 80 machines, with a mix of Win2k and WinXP. I just found out yesterday that 3 of the XP machines were still running Service Pack 1a. I don't want to come across as a self-promoting bastard, but none of the IT guys here bothered to figure them out, and patch them as soon as they can. Granted they're migrating from one accounting package to another, but I thought SP2 has been out for a while.
      Other times, they're limited by software. Example:
      At the very least, the accountants in this company must be Local Admins because one software they use would refuse to work without Admin rights, and it isn't just file permissions. I sure feel safe leaving the machines to accounts with Local Admin digging the internet to find Java games to play...
      They said that enterprises that secure the VoIP servers would be OK. Well, enterprises that would secure themselves would be OK to run most of the things they said, including wireless that would allow laptop users anywhere in the building to log in, but history has proven that IT people aren't as diligent as they are supposed to be. And I sure won't trust a wireless AP in a company with WEP being its only protection. But this company, being a small/medium business with 80 computers with the minimum P3 in their boxes would be a nice bot net.
      Plenty of the points Gartner had tried to debunk are rightfully suspicious. Instead of appreciating those who warn us of potential problems, Gartner tries to paint them as zealots. What a shame.

  2. Depends on what you have to protect by udderly · · Score: 4, Insightful

    I did not RTA, but it seems to me that your degree of paranoia should be relative to the importance of what you're protecting.

    For instance, I don't use wireless on my work network because I have a lot of confidential client information to protect. But at home I like the convenience of being able to roam the house and yard.

  3. Gartner is part of the grand design by Adult+film+producer · · Score: 1, Insightful

    I've learned this over the last few years, the people running the show over at Gartner are nothing but world elitists that are more than happy to usher in the New World Order. They have a game plan and there's nothing we can do about it. Consider yourself nothing but cattle because that's what they consider you as. Gartner will be pushing for global RFID tagging programming for humans soon, they'll just say the benefits are similar to the global smallpox vaccine that the united nations forced onto the world earlier in the century. See, we all benefit from the new world order, it will prevent disease and famine..

    I'm not down with that. I'm ready for them. I've got some serious shit going on down here. Mack-10, Uzi, flak jacket, and landmines. I'm going down in flames, they can steal my pride, but not my freedom! Fuck the man.

  4. The Pot Calling The Kettle Black by Old+VMS+Junkie · · Score: 4, Insightful

    Over-hyped? Gartner makes their living on hype generation. This is just another attempt at getting more people to subscribe to Gartner reports.

  5. Overhyped == "Hasn't happened to me Yet" by GGardner · · Score: 4, Insightful

    I guess this is the definition of overhyped?

  6. There is much truth... by Anonymous Coward · · Score: 3, Insightful

    to what Gartner is saying. I have worked in the IT security arena now for almost 5 years and I have noticed this very thing. Security companies, almost without exception, hype the threats to sell their wares. They sell wolf tickets at extremely high prices when 98% of all threats can be mitigated by using good processes and common sense. Remember what Bruce Schneier keeps harping on is true: SECURITY IS A PROCESS, NOT A PRODUCT. Until people get this mantra embedded in their thick skulls, they will continue to be duped by security vendors and their own fears.
    Common sense is, unfortunately, not that common. Defense in depth security measures can be achieved without spending a lot of money. BUT... your best security is useless if the people behind it are lacking in common sense.

  7. WTF!?!?!? by Anonymous Coward · · Score: 2, Insightful

    This is one of the most irresponsible statements I have ever heard.

    1. VoIP is UNSAFE!
    While Gartner contends that VoIP is safe because it is protected like all other data on the LAN, they fail to realize or point out that public internet usage of VoIP has now exceeded that of corporate use thanks to the likes of Vonage, SpeakEasy, Time Warner and Verizon who all offer internet based VoIP to millions of subscribers. These subscribers ARE vulnerable to eavesdropping but, more importantly, they are vulnerable to Denial of Service (DoS) attacks. Thanks to VoIP, any script kiddie can turn off your phone service!

    2. Wireless access IS UNSAFE!
    Not only is there the massive and not entirely obvious risk of unencrypted information being transmitted over the air for anyone to see, there is also the increasing risk of hotspot phishing scams where fake hotspots are set up for collecting account information and passwords. Almost all public hotspots provide or require no encryption whatsoever and most ISPs do not require encryption for things like POP3 access. But there are many other risks because of wireless as well.

    To say that these risks are over-hyped or do not exist is irresponsible. The deployment of these technologies should definitely be held up because they are unsafe!
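The cleartext-mail-protocol risk raised in the comment above (POP3 with no encryption on an open hotspot) is easy to demonstrate from the defender's side. The script below is an added example, not code from the original thread or from Gartner or Techworld: it walks constructed, reassembled application-layer lines the way a passive sniffer on an open hotspot would see them and reports every credential sent in the clear. It treats a POP3 session that negotiated STLS as encrypted from that point on, and specifically catches the fallback case where the server refuses STLS and the client logs in in plaintext anyway. All stream identifiers, hosts and credentials in `SAMPLE` are invented for this example.

```python
"""Flag credentials that a passive sniffer on an open hotspot would see in the clear.

Input is a list of reassembled application-layer lines (one Record per line) with
the TCP stream they belong to, the direction and the server port. SAMPLE below is
constructed for this example; it is not a real capture.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    stream: str   # identifier for one TCP connection (constructed labels here)
    c2s: bool     # True if the client sent this line
    port: int     # server-side port
    line: str     # one application-layer line, CRLF stripped


def _b64_basic(value):
    """Decode an HTTP Basic credential 'user:pass'; return None if malformed."""
    try:
        user, _, pw = base64.b64decode(value, validate=True).decode("utf-8", "replace").partition(":")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return user, pw


def find_cleartext_credentials(records):
    """Return [(stream, protocol, username, password), ...] for logins visible in the clear.

    POP3: a client STLS answered by '+OK' marks the stream secured; everything after
    that is inside TLS and ignored. A '-ERR' reply leaves the stream in the clear, so
    a USER/PASS that follows (client fallback) is reported.
    IMAP: '<tag> LOGIN user pass' on port 143.
    HTTP: 'Authorization: Basic <b64>' on port 80.
    """
    findings = []
    stls_offered = set()   # streams where the client sent STLS and awaits the reply
    secured = set()        # streams where the server accepted STLS
    pending_user = {}      # POP3 USER seen, waiting for the matching PASS

    for r in records:
        if r.stream in secured:
            continue
        verb, _, rest = r.line.partition(" ")
        if r.port == 110:                                   # POP3
            if r.c2s and verb.upper() == "STLS":
                stls_offered.add(r.stream)
            elif not r.c2s and r.stream in stls_offered:
                stls_offered.discard(r.stream)
                if r.line.startswith("+OK"):
                    secured.add(r.stream)
            elif r.c2s and verb.upper() == "USER":
                pending_user[r.stream] = rest
            elif r.c2s and verb.upper() == "PASS":
                user = pending_user.pop(r.stream, "")
                findings.append((r.stream, "POP3", user, rest))
        elif r.port == 143 and r.c2s:                       # IMAP LOGIN
            parts = r.line.split(" ", 3)
            if len(parts) == 4 and parts[1].upper() == "LOGIN":
                findings.append((r.stream, "IMAP", parts[2].strip('"'), parts[3].strip('"')))
        elif r.port == 80 and r.c2s:                        # HTTP Basic auth
            if verb.lower() == "authorization:" and rest.lower().startswith("basic "):
                decoded = _b64_basic(rest.split(" ", 1)[1])
                if decoded:
                    findings.append((r.stream, "HTTP-Basic", decoded[0], decoded[1]))
    return findings


# Constructed sample traffic (not a real capture).
SAMPLE = [
    # Stream A: plain POP3 login, the "ISP does not require encryption" case
    Record("A", False, 110, "+OK POP3 ready"),
    Record("A", True, 110, "USER alice"),
    Record("A", False, 110, "+OK"),
    Record("A", True, 110, "PASS hunter2"),
    Record("A", False, 110, "+OK Logged in."),
    # Stream B: STLS accepted, so the login that follows is inside TLS and never seen
    Record("B", False, 110, "+OK POP3 ready"),
    Record("B", True, 110, "STLS"),
    Record("B", False, 110, "+OK Begin TLS negotiation"),
    # Stream C: STLS refused and the client fell back to a cleartext login
    Record("C", False, 110, "+OK POP3 ready"),
    Record("C", True, 110, "STLS"),
    Record("C", False, 110, "-ERR TLS not available"),
    Record("C", True, 110, "USER bob"),
    Record("C", False, 110, "+OK"),
    Record("C", True, 110, "PASS s3cret"),
    # Stream D: IMAP LOGIN in the clear (quoted password containing a space)
    Record("D", True, 143, 'a001 LOGIN "carol" "pa ss"'),
    # Stream E: HTTP Basic auth to a webmail front end ("dave:letmein" in base64)
    Record("E", True, 80, "GET /mail/ HTTP/1.1"),
    Record("E", True, 80, "Authorization: Basic ZGF2ZTpsZXRtZWlu"),
]

if __name__ == "__main__":
    for stream, proto, user, pw in find_cleartext_credentials(SAMPLE):
        print(f"stream {stream}: {proto} login for {user!r} sent in the clear")
```

Run against real data, the Record list would come from a capture tool's reassembled streams; the logic is the same. The useful part for a hotspot user is the Stream C case: offering STLS is not the same as requiring it, and a mail client configured to "use TLS if available" will quietly fall back exactly as shown.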

  8. Re:Mobile by Anonymous Coward · · Score: 1, Insightful
    AFAIK, Verizon and other BREW carriers are immune from this. It's hard enough to intentionally get unsigned code to run:
    1. send phone to Qualcomm to be test enabled
    2. be an authenticated developer and get a test sig for that specific phone (not model, phone)
    3. connect to phone with cable and install code
    You might be able to break bluetooth enough to bypass that last step, but as shipped they don't support the object exchange profile. (at last a benefit of that)
  9. Crack your FUD, white boy! by fm6 · · Score: 1, Insightful
    The assumption that white southerners are all bigots is itself pretty bigoted.

    I've always thought it was dumb to call a malicious hacker a "cracker". It makes a hash of the whole concept of "hacking", and it just confuses non-techies. Besides, it sounds silly.

    Another word we need to get rid of: "FUD". Started out as Sun's way of saying that all criticism of Java was Microsoft propaganda. Then it became a way of dismissing anybody you disagreed with as being dishonest. Now this submitter is using it to mean "unfounded fear". It's always been bad jargon, now it's meaningless jargon! Time to drop it.

  10. How about the under-hyped issues? by rat_love_cat · · Score: 2, Insightful
    We're often blamed for over-hyping things, and sometimes with justification. However, there is under-hype as well: there are issues out there which are much less secure than people think.

    One example is VPNs. Seen by most as improving security, and uncrackable due to strong encryption, but poor config and vendor flaws often make them the easiest way in.

    Some of the things I've seen, even with large financials, are downright scary. This link gives some examples of the problems: http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf

  11. 2 major benefits of VoIP by davidwr · · Score: 2, Insightful

    VoIP or, more specifically, packetized voice data, has allowed telcos to internally cut costs, since they don't have to have one physical wire/radio-channel or fixed-fraction-thereof to carry a voice channel. This has not only brought the costs of domestic long-distance down to the $2/hr range before taxes, but it's also allowed "clear as a bell" long distance.

    VoIP has allowed some customers to have free worldwide (where permitted by law) long distance between VoIP-equipped endpoints, and very low-cost (<$1/hr before taxes) long distance. This means you can talk to your son in Iraq or your family overseas a lot more often and for a lot longer than in "the old days," law permitting.

    --
    Note - some countries are VoIP hostile because it cuts into revenue for the local telco monopoly.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.