Gartner: Five most overhyped security threats

By Stephen Withers, ZDNet Australia
Friday, July 22, 2005 11:53 AM
A Gartner analyst has sought to debunk the most common security myths affecting the technology industry.

Research director Amrit Williams identified so-called threats to IP telephony, wireless technologies, the Internet and business conduct and explained how they could be overcome at a Gartner security summit in Melbourne this week.

The first proposition he tackled was that "IP telephony was unsafe".

The threats are similar to those facing a data network, the main difference being the criticality of voice communications and the expectation of reliability.

So, Williams said, the answers are the same: guard the IP PBX with a firewall, an Intrusion Prevention System (IPS) and other products, just as a server is protected.

Safeguard your network by implementing quality of service features to guarantee throughput for voice traffic and guard the endpoints by using IP handsets, he added.

If mobile workers need "softphones"--software that simulates a real phone--ensure their notebooks are protected by personal firewalls and other mechanisms.

"Encryption is probably overkill" for most organisations, said Williams. If you don't encrypt your data, why would you need to encrypt voice traffic?

The second proposition he tackled was that "mobile malware will cause widespread damage".

The analyst pointed out several factors that would prevent this happening in the short term. First, smartphones and wireless-equipped personal digital assistants have not reached the critical mass necessary for malware to spread widely.

Secondly, several platforms are used in such devices, whereas Windows is used on around 90 percent of desktop systems. Additionally, users of mobile devices aren't in the habit of sending executables to each other, except perhaps in Japan.

Finally, new devices get new software--there's no need for developers to include support for obsolete hardware, and removing that code disposes of any vulnerabilities it may contain. Many people replace their handsets frequently, so there is relatively little old software in the installed base.

Gartner believes there will be limited wireless malware activity next year, but carrier networks should provide malware protection by 2007. So as a stopgap measure, Williams said, processes for managing company- and employee-owned devices should be developed, and carriers should be required to describe their plans for 'in the cloud' network-based protection when responding to requests for proposals.

In the absence of that feature, customers could negotiate with their incumbent desktop security vendor for mobile device protection, "but it's unlikely you’re going to need that any time soon".

He also debunked the view that "Warhol worms" will make the Internet unusable for business traffic and VPNs (virtual private networks).

The idea that a worm could infect every vulnerable system on the Internet within 15 minutes is a worrying proposition, as hardly anybody would have time to take defensive action. But the only worm that has spread very quickly was SQL Slammer, said Williams. In any case, he said, a worm attack was far more likely to cause a brownout than a complete blackout.

Gartner's position was that the Internet would meet performance and security requirements for 70 percent of business-to-business traffic and more than half of corporate WAN (wide area network) traffic.

Internet reliability might not be perfect, but it is good enough for most purposes, Gartner said, citing research showing 89 percent of organisations that have switched from frame relay or ATM (asynchronous transfer mode) to IP links were ‘somewhat’ or ‘extremely’ satisfied with the results.

The researcher advised companies to identify sites suited to IP VPN connectivity, starting with smaller and less strategic locations, but to continue to ‘backhaul’ traffic to central access points in order to leverage existing centralised security investments such as URL filtering and IM security.

On the proposition that regulatory compliance "equalled" security, he said the real threat is that companies spend more on reporting than on security.

"Being compliant doesn't mean being secure," Williams warned. Most vendors pushing the compliance barrow just offer reporting, he said, describing investment in that area as 'security bulimia'--you've spent the money, but you're left in the same state as far as security is concerned.

"You have to align the compliance question with the security question" in order to keep the auditors happy and be secure, he said. So focus on the critical security processes, identify products that implement your security architecture, and use regulations to justify priority acquisitions and to support your 2006 budget--and then repeat the process each year.

Williams also suggested organisations should start preparing for the imposition of regulations relating to identity theft. "This is an important one," as loss of personal data such as credit card numbers "is happening on almost a weekly basis".

The analyst’s final target was the notion that "wireless hotspots were unsafe".

There has been a lot of coverage of the ‘evil twin’ threat--whereby a malicious individual poses as a legitimate wireless provider to con users into connecting a wireless device to a rogue hotspot in order to gain access to their personal details--but Gartner viewed the problem as overstated. Endpoint software from AirDefense, AirMagnet and T-Mobile thwarts evil twins, said Williams, while VPNs prevent eavesdropping.

When combined with best practices for mobile endpoints, including disabling file and print sharing, and running personal firewalls, antivirus and intrusion prevention systems, there is no good reason to stop mobile workers from using hotspots, he said.

"Don't let these overhyped threats prevent you from implementing important projects," Williams concluded.



Talkback 1 comments

Somehow I am inclined to agree with the speaker about the overhype associated with the wireless security and VoIP security.. Regarding mobile security, maybe there might be some valid reasons to get scared with the APs, but recently I have been reading the news about the mobile viruses... Few AV vendors even approached the end users saying having antivirus software on the handheld can secure the confidential data.. When a user is informed and scared that his personal data such as the contact numbers, bank PINs (most of the users do save their PIN numbers on phones.. LoL) they tend to buy the product.. but what kind of risk are we at really.. why follow it blindly.. all these viruses (except the newest virus which can spread via MMS) use Bluetooth as the spreading medium.. where is the chance to get affected by a virus when hardly about 10% of the total base has got Bluetooth.. what kind of risk are we facing then...
In my experience I see many of the SMEs going for the security devices such as firewalls and antivirus gateways, spending more than 20% of their total IT budget.. under any circumstances I see it as a ridiculous amount.. IMHO a typical company needs to allocate about 4% for the same.. why the overkill...
Posted by srikrishnak on Sunday, July 24 2005 09:59 PM

