Malware Named Top Threat, but Other Issues Over-Hyped

While IT administrators often are off the mark when it comes to some of their security concerns, they're right on target when they list the top threat to their networks -- viruses and worms.

A recent survey of 133 major North American companies shows that IT administrators and chief security officers are most concerned about worms and viruses attacking their systems, according to Gartner, Inc., a major industry analyst firm based in Stamford, Conn. And while analysts say techies are smart to worry about malware, another Gartner report says they're sometimes off on the wrong track.

''When you look at what organizations struggle with day-to-day, viruses and worms are definitely at the top of the list,'' says Rich Mogull, a research vice president at Gartner. ''Though insider threats and a few other problems may be more devastating, if you don't manage viruses and worms, you're not going to be able to carry out business on a daily basis.''

Mogull says if you judge the threats by potential damage, then insider threats might top the list. But those kinds of attacks, thankfully, are less frequent. Worms and viruses top the list through sheer volume.

Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence company based in Reston, Va., says malware is highly dangerous because it uses our own weaknesses against us.

''The reality is that malicious code is more about the exploitation of corporate weaknesses,'' says Dunham. ''You might have issues with a lack of communication and unpatched systems. That makes malicious code a core problem.''

Here is how the IT managers in Gartner's survey rated the threats to their organizations:

  • Viruses and worms;
  • Outside hacking or cracking;
  • Identity theft and phishing;
  • Spyware;
  • Denial of service;
  • Spam;
  • Wireless and Mobile Device Viruses;
  • Insider Threats;
  • Zero-Day threats;
  • Social engineering, and
  • Cyber terrorism.

But Gartner analysts say at least one threat on that list shouldn't be there.

The analyst firm recently released a report noting the top five over-hyped IT security threats. Some risks have been greatly exaggerated, largely by security vendors looking to increase their bottom line, says Mogull.

''The analysts who put that list together looked at hype and tried to determine if the hype was equal to the threat,'' says Mogull. In at least five cases, Gartner analysts concluded that it was not.

Here is Gartner's list of over-hyped IT threats:

  • Internet Protocol (IP) telephony is unsafe;
  • Mobile malware will cause widespread damage;
  • 'Warhol' worms will make the Internet unreliable for business traffic and virtual private networks;
  • Regulatory compliance equals security, and
  • Wireless hotspots are unsafe.

''Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks (WLANs) and IP telephony systems, because they have seen so much hype about potential threats,'' says Lawrence Orans, principal analyst at Gartner.

''We've also seen the perceived need to spend on compliance reporting for Sarbanes-Oxley hyped beyond any connection with the reality of the legislation,'' adds John Pescatore, vice president and Gartner Fellow, in the written report.

Gartner's Mogull says there are different issues behind each over-hyped threat.

With hot spots, Mogull says there definitely is risk, but it's not as great as many people believe it to be. ''If you follow good security practices, you don't have to worry about that too much,'' he says. ''If you have an SSL or a VPN connection, like you would connecting to any corporate network, they can't sniff that traffic because it's encrypted.''

As for compliance issues, the investments that vendors are talking about may far exceed your needs.

''It's not that you don't need to be compliant, but if you follow good security practices, then you're 90 percent compliant,'' adds Mogull. ''Basically, what we've seen is that everyone in the world is trying to jump on this compliant bandwagon. In some cases, you may need to make investments, but overall, we recommend you be smart about how you do security, and you look at closing gaps. Don't ignore compliance but be aware that there's an incredible amount of hype around it.''

When it comes to worrying about mobile devices and worms, Mogull and other analysts at Gartner say not to worry nearly so much.

''There have been a couple viruses, but no mass propagation of malicious code,'' says Mogull. ''Anti-virus companies love to issue press releases on this because there's a lot more mobile devices than PCs in the world... or at least there will be soon.

''IT should secure mobile devices but they shouldn't be investing in anti-virus software for PDAs,'' adds Mogull. ''Focus on secure connections and securing data in case a PDA is lost in an airport.''

What it comes down to is ignoring the hype.

''Beware of the hype. Understand what the real security issues are,'' adds Mogull. ''Just because there are a couple of news articles or a billion vendors knocking down your door, it doesn't mean it's actually a security problem for you.''

Dunham at iDefense says there's an awful lot to worry about when it comes to security, in general. It's a matter of figuring out what to worry about the most.

''As more and more threats emerge, it's getting to be very complicated and difficult for anybody to prioritize the greatest risks,'' says Dunham. ''They're looking for ways to survive the daily deluge of threats. It's all about prioritization today.''