Wednesday, December 11, 2024

Malware Named Top Threat, but Other Issues Over-Hyped

While IT administrators often are off the mark when it comes to some of their security concerns, they’re right on target when they list the top threat to their networks — viruses and worms.

A recent survey of 133 major North American companies shows that IT administrators and chief security officers are most concerned about worms and viruses attacking their systems, according to Gartner, Inc., a major industry analyst firm based in Stamford, Conn. And while analysts say techies are smart to worry about malware, another Gartner report says they’re sometimes off on the wrong track.

“When you look at what organizations struggle with day-to-day, viruses and worms are definitely at the top of the list,” says Rich Mogull, a research vice president at Gartner. “Though insider threats and a few other problems may be more devastating, if you don’t manage viruses and worms, you’re not going to be able to carry out business on a daily basis.”

Mogull says if you judge the threats by potential damage, then insider threats might top the list. But those kinds of attacks, thankfully, are less frequent. Worms and viruses top the list through sheer volume.

Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence company based in Reston, Va., says malware is highly dangerous because it uses our own weaknesses against us.

“The reality is that malicious code is more about the exploitation of corporate weaknesses,” says Dunham. “You might have issues with a lack of communication and unpatched systems. That makes malicious code a core problem.”

Here is how the IT managers in Gartner’s survey rated the threats to their organizations:

  • Viruses and worms;
  • Outside hacking or cracking;
  • Identity theft and phishing;
  • Spyware;
  • Denial of service;
  • Spam;
  • Wireless and Mobile Device Viruses;
  • Insider Threats;
  • Zero-Day threats;
  • Social engineering, and
  • Cyber terrorism.

But Gartner analysts say at least one threat on that list shouldn’t be there.

The analyst firm recently released a report noting the top five over-hyped IT security threats. Some risks have been greatly exaggerated, largely by security vendors looking to increase their bottom line, says Mogull.

“The analysts who put that list together looked at hype and tried to determine if the hype was equal to the threat,” says Mogull. In at least five cases, Gartner analysts concluded that it was not.

Here is Gartner’s list of over-hyped IT threats:

  • Internet Protocol (IP) telephony is unsafe;
  • Mobile malware will cause widespread damage;
  • ‘Warhol’ worms will make the Internet unreliable for business traffic and virtual private networks;
  • Regulatory compliance equals security, and
  • Wireless hotspots are unsafe.

“Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks (WLANs) and IP telephony systems, because they have seen so much hype about potential threats,” says Lawrence Orans, principal analyst at Gartner.

“We’ve also seen the perceived need to spend on compliance reporting for Sarbanes-Oxley hyped beyond any connection with the reality of the legislation,” adds John Pescatore, vice president and Gartner Fellow, in the written report.

Gartner’s Mogull says there are different issues behind each over-hyped threat.

With hot spots, Mogull says there definitely is risk, but it’s not as great as many people believe it to be. “If you follow good security practices, you don’t have to worry about that too much,” he says. “If you have an SSL or a VPN connection, like you would connecting to any corporate network, they can’t sniff that traffic because it’s encrypted.”

As for compliance issues, the investments that vendors are talking about may far exceed your needs.

“It’s not that you don’t need to be compliant, but if you follow good security practices, then you’re 90 percent compliant,” adds Mogull. “Basically, what we’ve seen is that everyone in the world is trying to jump on this compliant bandwagon. In some cases, you may need to make investments, but overall, we recommend you be smart about how you do security, and you look at closing gaps. Don’t ignore compliance but be aware that there’s an incredible amount of hype around it.”

When it comes to worrying about mobile devices and worms, Mogull and other analysts at Gartner say not to worry nearly so much.

“There have been a couple viruses, but no mass propagation of malicious code,” says Mogull. “Anti-virus companies love to issue press releases on this because there’s a lot more mobile devices than PCs in the world… or at least there will be soon.

“IT should secure mobile devices but they shouldn’t be investing in anti-virus software for PDAs,” adds Mogull. “Focus on secure connections and securing data in case a PDA is lost in an airport.”

What it comes down to is ignoring the hype.

“Beware of the hype. Understand what the real security issues are,” adds Mogull. “Just because there are a couple of news articles or a billion vendors knocking down your door, it doesn’t mean it’s actually a security problem for you.”

Dunham at iDefense says there’s an awful lot to worry about when it comes to security, in general. It’s a matter of figuring out what to worry about the most.

“As more and more threats emerge, it’s getting to be very complicated and difficult for anybody to prioritize the greatest risks,” says Dunham. “They’re looking for ways to survive the daily deluge of threats. It’s all about prioritization today.”
