While IT administrators often are off the mark when it comes to some of
their security concerns, they’re right on target when they list the top
threat to their networks — viruses and worms.
A recent survey of 133 major North American companies shows that IT
administrators and chief security officers are most concerned about worms
and viruses attacking their systems, according to Gartner, Inc., a major
industry analyst firm based in Stamford, Conn. And while analysts say
techies are smart to worry about malware, another Gartner report says
they’re sometimes off on the wrong track.
”When you look at what organizations struggle with day-to-day, viruses
and worms are definitely at the top of the list,” says Rich Mogull, a
research vice president at Gartner. ”Though insider threats and a few
other problems may be more devastating, if you don’t manage viruses and
worms, you’re not going to be able to carry out business on a daily
basis.”
Mogull says if you judge the threats by potential damage, then insider
threats might top the list. But those kinds of attacks, thankfully, are
less frequent. Worms and viruses top the list through sheer volume.
Ken Dunham, director of malicious code at iDefense, Inc., a security
intelligence company based in Reston, Va., says malware is highly
dangerous because it uses our own weaknesses against us.
”The reality is that malicious code is more about the exploitation of
corporate weaknesses,” says Dunham. ”You might have issues with a lack
of communication and unpatched systems. That makes malicious code a core
problem.”
Here is how the IT managers in Gartner’s survey rated the threats to
their organizations:
But Gartner analysts say at least one threat on that list shouldn’t be
there.
The analyst firm recently released a report noting the top five
over-hyped IT security threats. Some risks have been greatly exaggerated,
largely by security vendors looking to increase their bottom line, says
Mogull.
”The analysts who put that list together looked at hype and tried to
determine if the hype was equal to the threat,” says Mogull. In at least
five cases, Gartner analysts concluded that it was not.
Here is Gartner’s list of over-hyped IT threats:
and virtual private networks;
”Many businesses are delaying rolling out high productivity
technologies, such as wireless local area networks (WLANs) and IP
telephony systems, because they have seen so much hype about potential
threats,” says Lawrence Orans, principal analyst at Gartner.
”We’ve also seen the perceived need to spend on compliance reporting for
Sarbanes-Oxley hyped beyond any connection with the reality of the
legislation,” adds John Pescatore, vice president and Gartner Fellow, in
the written report.
Gartner’s Mogull says there are different issues behind each over-hyped
threat.
With hot spots, Mogull says there definitely is risk, but it’s not as
great as many people believe it to be. ”If you follow good security
practices, you don’t have to worry about that too much,” he says. ”If
you have an SSL or a VPN connection, like you would connecting to any
corporate network, they can’t sniff that traffic because it’s
encrypted.”
As for compliance issues, the investments that vendors are talking about
may far exceed your needs.
”It’s not that you don’t need to be compliant, but if you follow good
security practices, then you’re 90 percent compliant,” adds Mogull.
”Basically, what we’ve seen is that everyone in the world is trying to
jump on this compliant band wagon. In some cases, you may need to make
investments, but overall, we recommend you be smart about how you do
security, and you look at closing gaps. Don’t ignore compliance but be
aware that there’s an incredible amount of hype around it.”
When it comes to worrying about mobile devices and worms, Mogull and
other analysts at Gartner say not to worry nearly so much.
”There have been a couple viruses, but no mass propagation of malicious
code,” says Mogull. ”Anti-virus companies love to issue press releases
on this because there’s a lot more mobile devices than PCs in the
world… or at least there will be soon.
”IT should secure mobile devices but they shouldn’t be investing in
anti-virus software for PDAs,” adds Mogull. ”Focus on secure
connections and securing data in case a PDA is lost in an airport.”
What it comes down to is ignoring the hype.
”Beware of the hype. Understand what the real security issues area,”
adds Mogull. ”Just because there are a couple of news articles or a
billion vendors knocking down your door, it doesn’t mean it’s actually a
security problem for you.”
Dunham at iDefense says there’s an awful lot to worry about when it comes
to security, in general. It’s a matter of figuring out what to worry
about the most.
”As more and more threats emerge, it’s getting to be very complicated
and difficult for anybody to prioritize the greatest risks,” says
Dunham. ”They’re looking for ways to survive the daily deluge of
threats. It’s all about prioritization today.”