Slashdot Mirror


Gartner Debunks Over-Hyped Security Threats

TPIRman writes "At Gartner's recent IT Security Summit, the research company's analysts identified five over-hyped security concerns. Among the supposed FUD are mobile malware, unsafe VoIP, and cracker-friendly wireless hotspots. Gartner, which has made a name for itself tracking hype, claims that irrational anxiety is holding back technologies that offer benefits greater than their security risks. A Techworld columnist argues, though, that Gartner is sending mixed messages."


  1. "cracker-friendly wireless hotspots" ?? by RobotRunAmok · · Score: 5, Funny

    And the hotspots less sympathetic to our racist neighbors south of the Mason-Dixon line? These are somehow more secure?

    I'm so confused...

    1. Re:"cracker-friendly wireless hotspots" ?? by STrinity · · Score: 2, Funny

      Jimmy crack kernel and I don't care
      Jimmy crack kernel and I don't care,
      Jimmy crack kernel and I don't care,
      McAfee's gone away.

      --
      Les Miserables Volume 1 now up with my reading of
  2. Gartner, debunk yourself by Gothmolly · · Score: 5, Insightful

    From the department of wishful thinking:
    Gartner, please debunk yourself as anything other than a PHB-opinion-bolstering old boys club. I battle the Powers That Be here constantly - any proposal is met with "well what does Gartner say about it?". Take your magic quadrant, and... well, you know.
    If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another).

    Gartner is just a multiplicity of Dvoraks, all groupthinking what the Next Big Thing is.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Gartner, debunk yourself by Qzukk · · Score: 3, Interesting

      It seems to me that Gartner gets paid to say stuff like this. Someone hands them a stack of studies and some cash, and tells them to "spin this and make us look good."

      The question here is whether in this case they were paid by the VoIP and mobile technology providers, to convince everyone that everything is alright and nobody needs to worry, or by the virus writers, to convince everyone that everything is alright and nobody needs to worry...

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Gartner, debunk yourself by goldspider · · Score: 2, Funny
      "If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another)."

      You work for the federal government too??

      --
      "Ask not what your country can do for you." --John F. Kennedy
    3. Re:Gartner, debunk yourself by Calyth · · Score: 2, Insightful

      Besides that, they're being way too optimistic.
      Often companies' setups are not as secure as they should be.
      Sometimes it's that people are too lazy. Or they're too occupied with things assigned by the powers above.
      Example:
      The company that I'm temporarily working in as a techie has approximately 80 machines, with a mix of Win2k and WinXP. I just found out yesterday that 3 of the XP machines were still running Service Pack 1a. I don't want to come across as a self-promoting bastard, but none of the IT guys here bothered to figure them out and patch them as soon as they could. Granted, they're migrating from one accounting package to another, but I thought SP2 has been out for a while.
      Other times, they're limited by software. Example:
      At the very least, the accountants in this company must be Local Admins because one piece of software they use would refuse to work without Admin rights, and it isn't just file permissions. I sure feel safe leaving the machines to accounts with Local Admin digging around the internet to find Java games to play...
      They said that enterprises that secure their VoIP servers would be OK. Well, enterprises that would secure themselves would be OK to run most of the things they said, including wireless that would allow laptop users anywhere in the building to log in, but history has proven that IT people aren't as diligent as they are supposed to be. And I sure won't trust a wireless AP in a company with WEP as its only protection. But this company, being a small/medium business with 80 computers with at minimum a P3 in their boxes, would make a nice botnet.
      Plenty of the points Gartner has tried to debunk are rightfully suspicious. Instead of appreciating those who warn us of potential problems, Gartner tries to paint them as zealots. What a shame.

  3. Warhol by MECC · · Score: 4, Funny

    A "Warhol Worm" is a worm that infects all
    vulnerable machines on the Internet within 15 minutes.

    Warhol must be a new spelling for Windows...

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Warhol by CardiganKiller · · Score: 3, Funny

      Probably, they're both overhyped. Their aesthetics are similar. You take a good look at both of them and ask yourself, "Should I be enjoying this or something?".

      Bring it on Warhol fans.

  4. five under-hyped security concerns by gmuslera · · Score: 2, Funny
    1. Windows
    2. Microsoft Windows
    3. MS Windows
    4. Windows(tm)
    5. Windows family products
  5. Re:Trust Gartner? by AnonymousKev · · Score: 5, Informative
    I have to agree, Mr. Pants. My previous employer paid the Gartner Group to research a particular subject. Their report indicated that our product was the best possible way of doing business. The next round of brochures had "Gartner Group reports indicate ..." in big bold letters. Six months and $26 million later, the company was sold for pennies on the dollar. Not just a miss, but a miss-by-a-mile.

    Since then, anytime I see "Gartner Group" in print, my brain replaces it with "information prostitutes".

    --
    Anonymous Kev
    Proudly posting as AC since 1997
    (Finally got a dang account in 2004)
  6. Depends on what you have to protect by udderly · · Score: 4, Insightful

    I did not RTA, but it seems to me that your degree of paranoia should be relative to the importance of what you're protecting.

    For instance, I don't use wireless on my work network because I have a lot of confidential client information to protect. But at home I like the convenience of being able to roam the house and yard.

  7. Benefits of Technology? by ThosLives · · Score: 4, Interesting
    The summary and article talk about
    ...holding back technologies that offer benefits greater than their security risks...
    This leads to the question, "What do you mean by benefits of technology?"

    This is actually a good question, especially in light of the security risk question. I think the only way to evaluate benefits of technology is to look at how much a technology reduces the cost of living and/or how much it improves quality of living. For instance, a plow greatly reduced the cost of living for farmers - they now had to spend less time plowing for a given amount of production. The invention of air conditioning increased quality of living quite a bit. It's a little more difficult to measure just what having VOIP, for instance, gives us. VOIP doesn't really reduce the cost of living, and it really doesn't improve the quality of living compared to POTS. Perhaps it does slightly reduce the costs, if VOIP is less expensive than POTS, because that means VOIP users spend less of their "time" paying for communications.

    The risks need to be weighed against the benefit though. For instance, there's a greater risk of getting injured by a plow than by digging things by hand, but the benefit is huge. The way I think things should be examined is what is the added risk for added benefit?

    My personal assessment is that VOIP or wireless hotspots, or whatever, are not going to improve my life quality over what it is now, nor will they reduce my cost of living significantly. So, if there is *any* added security risk, it's not even in my consideration.

    --
    "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
    1. Re:Benefits of Technology? by tgd · · Score: 3, Informative

      Um, plows didn't reduce the time spent plowing, they created the time spent plowing. Without a plow, how are you plowing? You can't plow without a plow.

      They reduced the time spent planting, and allowed planting of fields with harder soil.

  8. The Pot Calling The Kettle Black by Old+VMS+Junkie · · Score: 4, Insightful

    Over-hyped? Gartner makes their living on hype generation. This is just another attempt at getting more people to subscribe to Gartner reports.

  9. Re:Trust Gartner? by grandmofftarkin · · Score: 2
    the same people who said the AIDs virus wasn't a big deal

    Care to back that up!?

  10. Overhyped == "Hasn't happened to me Yet" by GGardner · · Score: 4, Insightful

    I guess this is the definition of overhyped?

  11. There is much truth... by Anonymous Coward · · Score: 3, Insightful

    to what Gartner is saying. I have worked in the IT security arena now for almost 5 years and I have noticed this very thing. Security companies, almost without exception, hype the threats to sell their wares. They sell wolf tickets at extremely high prices when 98% of all threats can be mitigated by using good processes and common sense. Remember what Bruce Schneier keeps harping on is true: SECURITY IS A PROCESS, NOT A PRODUCT. Until people get this mantra embedded in their thick skulls, they will continue to be duped by security vendors and their own fears.
    Common sense is, unfortunately, not that common. Defense in depth security measures can be achieved without spending a lot of money. BUT... your best security is useless if the people behind it are lacking in common sense.

  12. Six wireless myths debunked by jc2it · · Score: 3, Informative

    The blog referenced in the Slashdot post, by George Ou, was very insightful. I don't know how many times I have heard of people implementing the MAC address filtering scheme. I always thought it was a stupid method of securing a network, because it is so simple to copy the MAC address. What I had not realized is that I could so easily find out what a specific MAC address is. I had not thought of using a sniffer for this. I always assumed physical security would need to be breached to determine the MAC address of a preferred client. It makes sense though: for the wireless client to access a wireless AP, they must broadcast the MAC address.

    --
    jc2it "Humor is mankind's greatest blessing." -Mark Twain
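As an added illustration of the point above (not from the post or from the blog it cites): a minimal parser for the 802.11 MAC header, run over a constructed WPA-protected data frame with made-up addresses. The header, including source and destination MACs, sits outside the encrypted body, so it is readable by any passive observer even when the payload is protected, which is why a MAC allow-list is an inventory control rather than authentication.

```python
import struct

# Flag bits in the second byte of the 802.11 Frame Control field
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_header(frame: bytes) -> dict:
    """Parse the (never encrypted) 802.11 MAC header of a frame.

    Returns the frame type, the flags an observer can read, the
    addresses with their roles, and the body that follows the header.
    WEP/WPA only protect that body; the header is always cleartext.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    protected = bool(fc1 & FLAG_PROTECTED)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    hdr_len, addr4 = 24, None
    if to_ds and from_ds:  # 4-address (WDS) frame carries an extra address
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        addr4, hdr_len = frame[24:30], 30
    # Address roles depend on the ToDS/FromDS combination (802.11 address-field rules)
    if to_ds and not from_ds:        # station -> AP
        roles = {"bssid": addr1, "source": addr2, "destination": addr3}
    elif from_ds and not to_ds:      # AP -> station
        roles = {"destination": addr1, "bssid": addr2, "source": addr3}
    elif not to_ds and not from_ds:  # ad-hoc / IBSS
        roles = {"destination": addr1, "source": addr2, "bssid": addr3}
    else:
        roles = {"receiver": addr1, "transmitter": addr2,
                 "destination": addr3, "source": addr4}
    return {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": subtype,
        "protected": protected,
        "sequence": seq_ctrl >> 4,
        "addresses": {k: fmt_mac(v) for k, v in roles.items()},
        "body": frame[hdr_len:],  # opaque to an observer when protected=True
    }


# Constructed sample: a WPA-protected data frame from a client to its AP.
# Addresses are invented; the body is arbitrary bytes standing in for ciphertext.
SAMPLE_FRAME = (
    bytes([0x08, 0x41])                      # type=data, subtype=0; ToDS=1, Protected=1
    + b"\x00\x00"                            # duration
    + bytes.fromhex("02000000aa01")          # addr1: BSSID (the AP)
    + bytes.fromhex("02000000bb02")          # addr2: source (the client)
    + bytes.fromhex("02000000cc03")          # addr3: destination
    + b"\x10\x00"                            # sequence control (seq 1, frag 0)
    + bytes.fromhex("9f3a0c11e4d27b5560a1")  # stand-in for the encrypted payload
)

if __name__ == "__main__":
    print(parse_80211_header(SAMPLE_FRAME))
```

The parser reports `protected=True` for the sample yet still yields the client's MAC, which is exactly what an AP's MAC filter keys on.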
  13. Summary by 823723423 · · Score: 2, Informative

    [1]
    Gartner analysts project that through 2007, the Internet will meet performance and security requirements for all business-to-consumer traffic, 70 percent of business-to-business traffic and more than half of corporate wide area network (WAN) traffic.

    [2]
    "Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Mr. Orans said.

  14. Source please? by PIPBoy3000 · · Score: 3, Interesting

    I've been Googling for the last fifteen minutes and couldn't find any reference about the Gartner Group downplaying AIDS.

  15. whaaaat? by ohzero · · Score: 2, Interesting

    Gartner debunked something? When did they become objective? This is the same Gartner that I've heard say "and for this consulting engagement price, I'm sure that our findings would favor your solution." Please. Any "research" they've done is obviously either just a mish-mash of other people's findings, or it's sponsored by a vendor.

    --
    -- http://www.criticalassets.com
  16. WTF!?!?!? by Anonymous Coward · · Score: 2, Insightful

    This is one of the most irresponsible statements I have ever heard.

    1. VoIP is UNSAFE!
    While Gartner contends that VoIP is safe because it is protected like all other data on the LAN, they fail to realize or point out that public internet usage of VoIP has now exceeded that of corporate use thanks to the likes of Vonage, SpeakEasy, Time Warner and Verizon, who all offer internet-based VoIP to millions of subscribers. These subscribers ARE vulnerable to eavesdropping but, more importantly, they are vulnerable to Denial of Service (DoS) attacks. Thanks to VoIP, any script kiddy can turn off your phone service!

    2. Wireless access IS UNSAFE!
    Not only is there the massive and not entirely obvious risk of unencrypted information being transmitted over the air for anyone to see, there is also the increasing risk of hotspot phishing scams where fake hotspots are set up for collecting account information and passwords. Almost all public hotspots provide or require no encryption whatsoever, and most ISPs do not require encryption for things like POP3 access. But there are many other risks because of wireless as well.

    To say that these risks are over-hyped or do not exist is irresponsible. The deployment of these technologies should definitely be held up because they are unsafe!

  17. Re:Trust Gartner? by XMyth · · Score: 2, Funny
    RTFC! He *DID* back it up.

    (Before I get modded troll, it really is true)
  18. Re:Why is my Linux broken? by datadriven · · Score: 2, Interesting

    If you're gonna troll, choose a version of linux that was released a little more recently.

  19. Gartner is bad. Their security summit is worse by GodBlessTexas · · Score: 4, Informative

    Last year, the only security training my company's Infosec director and manager took was to Gartner's Security Conference, but only because they paid for everything including travel and hotel costs because attendance is always low. When my boss got back, and she's not exactly a security expert by any sense of the word, she said it was horrible. That says a lot coming from someone as ignorant of security as her. She said people would show up, the presentations would start, and over the next hour or so people would file out the doors and never return. She said the rooms ended up being less than 10% full by the end of the talks because no one wanted to hear them.

    This company, which I left recently, based all of their decisions on Gartner's Magic Quadrant. Of course, it was always funny doing the conference calls with their analysts to discuss technologies we were interested in, and they could never go beyond the script they had prepared for the call. When my boss wanted to buy some form of HIDS, they basically did a call on why we should purchase Symantec's new product over Symantec's older product. Never mind that there were better products in their own literature. The guy couldn't answer any question about the product that wasn't in the literature he'd sent or was reading from. It was depressing, because his opinion mattered more to my management than the opinions of those who would be using and monitoring the software and knew what our requirements were.

    --
    Remember the Alamo, and God Bless Texas...
  20. Re:Why is my Linux broken? by varmittang · · Score: 2, Interesting

    Yeah, as the other guy said, Red Hat 7.1 came out on 4-16-2001. Maybe try the latest Fedora Core; that will be the latest Red Hat type distro you can get. After you try that, and still have all the same problems, then you can complain.

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
  21. Aren't They? by Comatose51 · · Score: 2, Interesting

    Aren't they the same group of people who fired someone for suggesting that people switch to Firefox from IE because IE wasn't secure? This was before SP2 was out I believe. Maybe they thought that was hype too... A group that fires someone for speaking the truth makes me question their qualification as consultants.

    --
    EvilCON - Made Famous by /.
  22. How about the under-hyped issues? by rat_love_cat · · Score: 2, Insightful
    We're often blamed for over-hyping things, and sometimes with justification. However, there is under-hype as well: there are issues out there which are much less secure than people think.

    One example is VPNs. Seen by most as improving security, and uncrackable due to strong encryption, but poor config and vendor flaws often make them the easiest way in.

    Some of the things I've seen, even with large financials, are downright scary. This link gives some examples of the problems: http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf

  23. Five reasons I'd love to work for Gartner by pdmoderator · · Score: 2, Funny
    1. I could buy an Armani suit and an MBA from a second-rate school and my customers would think that I possessed the Wisdom of the Ages.
    2. No obligation to actually know what I was talking about or even be consistent. I could say anything I want, say something completely contradictory in six months, and they still would think I possessed the Wisdom of the Ages.
    3. No messy problems of actually making stuff work.
    4. Stock manipulation.
    5. I wouldn't even have to think of five real reasons.
  24. 2 major benefits of VoIP by davidwr · · Score: 2, Insightful

    VoIP or, more specifically, packetized voice data, has allowed telcos to internally cut costs, since they don't have to have one physical wire/radio-channel or fixed-fraction-thereof to carry a voice channel. This has not only brought the costs of domestic long-distance down to the $2/hr range before taxes, but it's also allowed "clear as a bell" long distance.

    VoIP has allowed some customers to have free worldwide (where permitted by law) long distance between VoIP-equipped endpoints, and very low-cost (<$1/hr before taxes) long distance. This means you can talk to your son in Iraq or your family overseas a lot more often and for a lot longer than in "the old days," law permitting.

    --
    Note - some countries are VoIP hostile because it cuts into revenue for the local telco monopoly.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.