
Out-Law News 3 min. read

Over-hyped security risks listed by Gartner


Some security threats relating to developing technologies such as internet telephony have been over-hyped and are unnecessarily delaying their implementation, according to Gartner analysts, who have highlighted five of the most exaggerated risks.

Top of the list is the fear that IP telephony, also known as Voice over Internet Protocol or VoIP, is unsafe. Not so, says Gartner. Security attacks are rare for IP telephony.

Preventive measures for securing an IP telephony environment are very similar to those for securing a data-only environment. Eavesdropping is unlikely to happen since it requires local area network (LAN)-based access to the intranet. The attackers must be inside the company because they have to be on the same LAN as the IP telephone that is subject to the eavesdropping attack.

According to Gartner, companies can encrypt voice traffic to protect against IP telephony eavesdropping, but typically it is not required. It is no more difficult to eavesdrop on voice packets than it is on data packets.

"Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," said Lawrence Orans, principal analyst at Gartner. "For these enterprises, the benefits of IP telephony far outweigh any security risks."

The belief that mobile malware will cause widespread damage has also been exaggerated, according to Gartner. The firm expects that in most cases, mobile viruses will be a niche nuisance in the foreseeable future.

"Anti-virus vendors see huge potential profit opportunities in selling security solutions to billions of cell phone and PDA users," said John Pescatore, vice president and Gartner Fellow. "In particular, the anti-viral industry sees cell phones as the way to grow sales outside of a flat, commoditised PC market. However, device-side anti-viruses for cell phones will be completely ineffective."

"The most effective approach to blocking mobile malware will be to block it in the network," Pescatore added. "Companies should ask their wireless service providers to document existing and planned capabilities. By the end of 2006, all wireless service providers should be required to offer over-the-air mobile malware protection."

Another exaggerated concern relates to Warhol Worms, worms with the capability of infecting all vulnerable machines on the internet within 15 minutes. The only observed example of this so far has been the SQL Slammer worm, which hit the internet in 2003.

Hype suggests that these worms will make the internet unreliable for business traffic and virtual private networks (VPNs), but Gartner analysts project that through 2007, the internet will meet performance and security requirements for all business-to-consumer traffic, 70% of business-to-business traffic and more than half of corporate wide area network (WAN) traffic.

"Every organisation should consider using internet VPNs, and most should adopt them in some way," said Mr Orans. "Today's internet offers a low-cost, good-enough or better option to the data networks of traditional global carriers."

The belief that regulatory compliance equals security is also criticised by the analyst firm.

Regulations often provide a means to obtain funding for important security initiatives before incidents occur, but most regulations lead to increased reporting rather than increased levels of security, says Gartner.

"Regulations generally take more static looks at issues and generally don’t lead to higher levels of security in proportion to the spending required to meet the letter of the law," Orans explained. "The best way to increase enterprise IT security is to buy and build software that has fewer vulnerabilities, but there has been no regulatory focus on this area. Companies should focus on building stronger security processes, then document these processes to demonstrate regulatory compliance."

Finally, Gartner highlights the theory that wireless hot spots are unsafe as another example of an over-hyped security threat.

Uneducated consumers can fall prey to wireless hackers, but enterprises can equip and educate their mobile workers with the tools and knowledge to mitigate these threats and increase business productivity via hot spot usage.

According to Gartner, mobile users should seek out 802.1X protected access points because these points facilitate encryption between the mobile endpoint and the access point. Users can also use client-based software, such as solutions from AirDefense, AirMagnet or T-Mobile’s Connection Manager, which can validate the access point’s identity and thereby reduce the risk of connecting to a hacker’s access point.

"Mobile users in hot spots should utilise their corporate VPN connection to protect traffic as it travels through the internet," Mr Pescatore said. "Mobile users in hotspots should use personal firewalls and turn off file/print sharing to protect their endpoints from data theft."
