Security: Forget the Sheep, Mind the Bears!
Opinion: Remember the great PalmPilot worm? Neither do we.
Remember the original PalmPilot from the mid-'90s? It beat Apple's Newton and the bizarre Psion devices to become the first electronic organizer to really catch on, and even though it had no built in wireless or modem it was pretty cool and sold by the boatload.
Way back then, certain anti-virus vendors offered versions of their products which included an additional module to install on the PalmPilot to protect against malware. Hypothetical malware, you understand, because none existed at the time. Yes, you read that right. They sold products which protected against threats that did not exist. Talk about over-hyping a threat!
Ever noticed how often security scare stories appear in the press with ads for security products on the facing pages. And how often pieces predicting how a new piece of technology is going to cause endless security breaches quote "experts" you've never heard of until then. One might almost suspect they were just after the publicity.
These are things that make you go Mmmmmm. And quite rightly so. Let's face it: security vendors need security threats – the bigger the better – to help them sell their products. What do you mean it doesn't exist? If it's theoretical, it counts, and there's gold to be made from it!
And journalists have to write stories, and stories about security threats make great copy. If the threats never materialize, who cares? By then the scaremongering article will have been forgotten, and there'll be a new one to write about.
Spare a thought for the poor analysts. Many are highly intelligent, insightful people. But others simply want to make a name for themselves, and what better way than being quoted on the front page of an influential trade rag in an article about security?
When you consider it in that way, it's fairly obvious that some security threats are going to be over-hyped. Why does this matter? Because it you fall for the over-hype you may never implement technology which otherwise have given your organization a significant competitive advantage.
Take the "threat" that the widespread adoption of voice over IP technology is going to cause. "It's industry opportunists, analysts and the press saying that VoIP is going to cause problems, along with vendors touting their wares," says Lawrence Orans, a research director at Gartner Group. In particular, Orans highlights the over-hype surrounding SPIT – spam over internet telephony – which some commentators are warning about. If they are to be believed, VoIP will soon be overwhelmed by spam calls clogging up networks and voice mailboxes.
But a moment's reflection reveals that the threat posed by SPIT simply doesn't add up, Orans contends. Not only is it too expensive to send voice messages around the world using VoIP, due to termination charges when connecting to the PSTN, but more the point, voice as a spam medium just doesn't work. You can click on a link in a spam email if you are foolish enough to want to buy fake Viagra or take out a loan from a spammer, but who's going to make a call?
Or what about wireless access? It didn't take long after the introduction of the 802.11b standard before herds of journalists, analysts and vendors started wagging their fingers and warning how insecure it was. But, says John Pescatore, a Gartner vice president, what's relevant is how likely a wireless network security breach is and how easy is it to guard against it. When you put it like that, wireless networks suddenly don't look so vulnerable – especially when compared against conventional networks.
Here's why. Who can attack a conventional network? Any one of the 6 billion or so inhabitants of this planet who have access to the Internet, in Romania, Russia, Holland, wherever. But who can break into a WLAN? Only people who can get within about 100 yards of it. Even in densely populated cities like New York, this does not amount to many people at all. And how easy is it to secure a WLAN? If you switch on the security features of your access points, change the defaults and hide the SSID, you have pretty good security in most of today's consumer grade, let alone enterprise, access points.
Where are the real threats then? Generally, they are the old, boring and well understood ones, which journalists and analysts can't make a name for themselves by writing about any more. One of the biggest and most under-hyped, says Pescatore, is the humble Internet café or kiosk. Anyone using one of these risks having their passwords stolen and send to a mailbox somewhere in Eastern Europe by a keylogger program, and no network administrator can protect against confidential documents being left on these computers by busy executives after opening them as attachments. It's obvious, boring, under-hyped, and far more likely to happen than someone squatting on your office roof with a laptop trying to intercept your wireless packets or log on to your heavily protected access point.
At the end of the day, your job is to reduce the chances and impact of security breaches to acceptable levels, while ensuring that your organization gets maximum benefit from the technologies that are out there. Lax security means your organization will suffer, but so will falling for over-hype and tightening security so far your organization is stuck in the technological stone age. No-one in their right mind risks taking a shortcut across a forest full of big scary bears, but you're a fool if you're too timid to cut through a field of sheep because you've read somewhere that they might bite.