Forwarded from: security curmudgeon <jericho@private>

: Gartner: Relax about overhyped security threats
: http://www.fcw.com/article89119-06-07-05-Web
:
: By Michael Arnone
: June. 7, 2005
:
: Don't believe the hype about some of the computer security threats
: emphasized in industry and the media, two Gartner Research analysts said
: today.

First paragraph and this is just a set up for fun replies and cries of hypocrisy! I guess it is all in the wording though, as "nations .. conducting cyberwarfare" is very plausible, while "cyberterrorism" is only theory? These are the same people who said this about cyberterrorism: "To a large extent it comes down to motive.."

http://www.zdnet.com.au/newstech/security/story/0,2000048600,20280859,00.htm
Gartner's information security and risk research director has dismissed cyber-terrorism as a "theory".

http://www.securitypipeline.com/news/showArticle.jhtml%3Bjsessionid=OB5UFEWRASQTMQSNDBGCKHQ?articleId=17301712
Much like the nuclear threat during the Cold War in the last century, cyberwarfare is a potential catastrophe that the U.S. and other nations must be prepared to combat, Gartner Inc. said. Given the rate of adoption of Internet-based technology, nations will have the ability to conduct cyberwarfare by 2005.

http://www.nwfusion.com/news/2004/0920gartsec.html
The list of security items a company probably doesn't need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn.

With creative wording in mind, and Gartner's business model of pimping "research", let's look at what they said.. and what they have said.
: The computer-security experts also advised their audience not to waste
: time or money on products they don't need to meet federal regulations
: and protect against malware on mobile devices.

If I am reading this right, Gartner says don't buy products/services that are not needed to meet federal regulations? Because federal regulations like HIPAA and SOX make systems secure? But more on that later..

: * Eavesdropping risks makes VOIP telephony too insecure to use.
:
: Industry and the media overhype the danger of eavesdropping because it
: is as easy to eavesdrop on voice packets in a network as on data
: packets, Orans said. But eavesdropping is rare because perpetrators
: must access an IP phone through the company's intranet, he said.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1020417,00.html
In fact, VoIP is opening new channels for nations and terrorists to engage in cyberwarfare, Fraley wrote in a January 2004 research note for Gartner.

While not specific to VOIP and eavesdropping, Gartner sure as hell states that deploying VOIP can be a big blow to security:

http://www.silicon.com/research/specialreports/voip/0,3800004463,39129635,00.htm
"There are lots of concerns about security on VoIP," said Nick Jones [a research vice-president for Gartner]. "Your security people may not realise they are opening their network. You can't use deep packet inspection. You just have to open up ports and hope everything is okay."

: * Malware on mobile devices will cause major business disruptions in
: the near future.
:
: The hype about antivirus products to protect cell phones and PDAs has
: been around since 2001, Pescatore said. But he said he predicted that
: viruses and other malware used against wireless mobile devices won't
: cost more than antivirus protections against them until the end of
: 2007 at the earliest.
This is an interesting prediction when compared to another Gartner made:

http://www.itwales.com/998551.htm
Prediction: By 2008, the technological differences between PCs, mobile devices, e-books, TVs and cellular phones will be eradicated

Also interesting when Gartner blurs the line further:

http://www.senforce.com/pressrelease/pr-quad.htm
Draper, Utah May 20, 2005 Senforce Technologies Inc., the leader in location-aware endpoint security enforcement, today announced the company was placed in the Visionaries quadrant of Gartner, Inc.'s Magic Quadrant for Personal Firewalls, 1H05*. Summarizing the report, Gartner says Personal firewalls strengthen a company's perimeter defenses by blocking attacks against individual workstations and mobile devices.

So if mobile devices are essentially becoming the same as any other PC, and personal firewalls are key to protecting these devices, doesn't that suggest the next big worm could cause just as much damage to mobile devices as PCs? We know that they can cause more damage than the cost of anti-virus.. simple logic says they can also do the same to mobile devices.

: More Americans need to use smart phones and PDAs with always-on wireless
: capability, Pescatore said. Only 3 percent of American users had such
: items in 2004 and only 10 percent will have them by the end of 2005,
: they said. Mobile malware won't become an issue until more than 30
: percent of Americans have them, he said.

Is this because numbers define an 'issue'? If 999,999 people are hit by a mobile device worm, no biggie. But if 1,000,000 are hit, then a "million" becomes a significant number and it is now an issue? Why 30%? This seems to be picking arbitrary numbers for importance, something I read about in an old book about lying with statistics.

: * Compliance with government regulations equals security.
:
: The increased federal regulation prompted by Sarbanes-Oxley and similar
: legislation does not automatically lead to more security, Pescatore
: said.
: Organizations accommodating the explosion of new reporting
: requirements must ensure that their efforts lead to effective changes in
: how they operate, he said.
:
: "Investing in reporting over controls is security bulimia," Pescatore
: said. "We vomited out all these results but now we're weaker," he said.
:
: Organizations should use Sarbanes-Oxley and other legislation to justify
: priority shifts in 2006, Pescatore said. He said he predicted that the
: next round of regulatory legislation will concern identity theft.

Err wait, I'm confused! Gartner said:

The computer-security experts also advised their audience not to waste time or money on products they don't need to meet federal regulations and protect against malware on mobile devices.

Am I reading this wrong? The double negatives in this sentence throw me off I think... ?

: * Wireless hot spots are unsafe.
:
: The threat of "evil twins" setting up rogue access points to fool
: unsuspecting Internet users into thinking they are on real sites and
: then divulging confidential information is a red herring, Orans said.

http://www.macnewsworld.com/story/39872.html
Wi-Fi Users Should Beware 'Evil Twins'

The most recent cautionary advice came from UK researchers at Cranfield University who indicated "evil twin" Wi-Fi or 802.11 wireless networks may be used to pose as legitimate hot spots to steal passwords or other personal information.

Ken Dulaney, Gartner vice president of mobile computing, told TechNewsWorld that the issue may have more significance with the growing number of public Wi-Fi hot spots.

So is this an issue or not Gartner? Perhaps Orans and Dulaney need to have a sit down to figure out what the corporate line should be?
This archive was generated by hypermail 2.1.3 : Thu Jun 09 2005 - 01:10:16 PDT