Top of the list is the fear that IP
telephony, also known as Voice over Internet
Protocol or VoIP, is unsafe. Not so, says Gartner. Security attacks
are rare for
IP
telephony.
Preventive measures for securing an
IP
telephony
environment are very similar to securing a data-only environment.
Eavesdropping is unlikely to happen since it requires local area
network (LAN)-based access to the intranet. The attackers must be
inside the company because they have to be on the same LAN as the
IP
telephone that is subject to the eavesdropping
attack.
According to Gartner, companies can encrypt voice traffic to
protect IP telephony eavesdropping, but typically it is not
required. It is no more difficult to eavesdrop on voice packets
than it is on data packets.
"Enterprises that diligently use security best practices to
protect their
IP
telephony servers should not let
these threats derail their plans," said Lawrence Orans, principal
analyst at Gartner. "For these enterprises, the benefits of
IP
telephony far outweigh any security risks."
The belief that mobile
malware will cause widespread damage has also been
exaggerated, according to Gartner. The firm expects that in most
cases, mobile viruses will be a niche nuisance in the foreseeable
future.
"Anti-virus vendors see huge potential profit opportunities in
selling security solutions to billions of cell phone and
PDA
users," said John Pescatore, vice president and
Gartner Fellow. "In particular, the anti-viral industry sees cell
phones as the way to grow sales outside of a flat, commoditised
PC
market. However, device-side anti-viruses for cell
phones will be completely ineffective."
"The most effective approach to blocking mobile malware will be
to block it in the network," Pescatore added. "Companies should ask
their wireless service providers to document existing and planned
capabilities. By the end of 2006, all wireless service providers
should be required to offer over-the-air mobile malware
protection."
Another exaggerated concern relates to Warhol Worms, worms with the
capability of infecting all vulnerable machines on the internet
within 15 minutes. The only observed example of this so far has
been the
SQL
Slammer worm, which hit the internet in
2003.
Hype suggests that these worms will make the internet unreliable
for business traffic and virtual private networks
(
VPN
s), but Gartner analysts project that through
2007, the internet will meet performance and security requirements
for all business-to-consumer traffic, 70% of business-to-business
traffic and more than half of corporate wide area network (WAN)
traffic.
"Every organisation should consider using internet
VPN
s, and most should adopt them in some way," said Mr
Orans. "Today's internet offers a low-cost, good-enough or better
option to the data networks of traditional global carriers."
The belief that regulatory compliance
equals security is also criticised by the analyst
firm.
Regulations often provide a means to obtain funding for
important security initiatives before incidents occur, but most
regulations lead to increased reporting rather than increased
levels of security, says Gartner.
"Regulations generally take more static looks at issues and
generally don’t lead to higher levels of security in proportion to
the spending required to meet the latter of the law," Orans
explained. "The best way to increase enterprise
IT
security is to buy and build software that has fewer
vulnerabilities, but there has been no regulatory focus on this
area. Companies should focus on building stronger security
processes, then document these processes to demonstrate regulatory
compliance."
Finally, Gartner highlights the theory that wireless hot spots are unsafe as
another example of an over-hyped security threat.
Uneducated consumers can fall prey to wireless hackers, but
enterprises can equip and educate their mobile workers with the
tools and knowledge to mitigate these threats and increase business
productivity via hot spot usage.
According to Gartner, mobile users should seek out 802.1X
protected access points because these points facilitate encryption
between the mobile endpoint and the access point. Users can also
use client-based software, such as solutions from AirDefense,
AirMagnet or T-Mobile’s Connection Manager, which can validate the
access point’s identity and thereby reduce the risk of connecting
to a hacker’s access point.
"Mobile users in hot spots should utilise their corporate VPN
connection to protect traffic as it travels through the internet,"
Mr Pescatore said. "Mobile users in hotspots should use personal
firewalls and turn off file/print sharing to protect their
endpoints from data theft."
