Gartner Affirms that Information Security Will Remain a Key Issue and Maps out the Challenges on the Horizon
Continuing cycles of new technology will keep information security high on the executive agenda
London, UK, 20 September 2004 - Despite claims from some quarters that security will cease to be a key issue over the next few years, Gartner stressed today that information security will remain a major executive concern for the foreseeable future. Opening the Gartner IT Security Summit to 650 attendees in London today, Gartner said the next five years will see new waves of technology rendering existing information security measures obsolete, increasing security exposures in both new and legacy environments.
Victor Wheatman, managing VP security at Gartner, explained, "Whenever new technology is introduced or business fundamentals change, management's focus in terms of funding and resource allocation shifts from the old to the new, creating a security gap. In this way, each new wave of technology obliterates the security architecture appropriate to its predecessor, opening the enterprise up to an ever increasing raft of security risks."
Mr Wheatman went on to map out how, in recent years, key technologies have forced a constantly changing security environment. "In the same way that PCs broke the host-centric security model, networked PCs eroded the gains that had been won in securing individual desktops. Then we saw how distributed applications running across LANs reset security maturity to zero, while the inclusion of external networks as a part of the topology reset client/server security. More recently, wireless networking devices have tended to ship with security defaults off and are often installed outside the view of the IS organisation. Today we are seeing evolving web services allowing data to bypass firewalls and introduce yet another set of security issues."
A Safe Bet: Security Is Here to Stay
In addition to the constant cycles of technology change that have kept IT security managers working overtime in recent years, Gartner pointed to the cyber threats that will ensure information security threats remain constant over the next few years. Mr Wheatman said organisations need to evaluate the changing threat landscape in the context of their specific defensive requirements.
To enable security managers to evaluate the risks facing their enterprises, Gartner has developed a cyberthreat hype cycle, mapping out the threats that must be taken into consideration.
Cyberthreat Hype Cycle Step-By-Step
Zero-day attacks occur before patches and signatures are available.
Xeno (eXtended Enterprise Networks Overseas) threats are anticipated because of increased outsourcing.
Few viruses are found on personal devices, but it is only a matter of time before these become more exploited.
Spyware programs probe systems and report user behaviour to an advertiser or other party without the user's knowledge. This has risen higher than the chart now shows.
"Phishing" tricks users into revealing information such as passwords, user IDs or credit card details to masquerading sites.
Spam consumes resources and can lead to other problems.
Seeking any open port, instant messaging and other peer-to-peer programs can put networks and information at risk.
SPIM (unwanted commercial messages delivered via instant messaging) is just emerging.
Loss of confidence attributed to speculated cyberterrorism has peaked and, barring new physical attacks or further evidence of cyberterrorist activity, will remain static. Cyberterrorism hype causes more loss of confidence than actual attacks.
Organizations must protect wireless LANs, as they are prone to simple "find and mark" theft of service techniques that can lead to loss of confidential information if targeted systems are unprotected.
Hybrid worm threats have moved rapidly through the hyperbole.
Identity theft is a rampant and growing cybercrime.
Viruses remain a constant source of problems.
Domain Name Service vulnerabilities, social engineering and denial-of-service attacks are almost unfashionable in terms of hype, but remain dangerous threats that organizations must address.
For those who thought that the information security risks they have battled with in recent years were all but over, this may well be unwelcome news. However, Gartner remained confident that enterprises that continue to regard security as a key IT and business issue, and invest accordingly, will succeed in securing their businesses and those of their customers.
By way of conclusion, Mr Wheatman stated, "Perfect security is impossible, but continual scanning for new vulnerabilities and monitoring for new threats are critical and a much better investment than to passively sit back and wait to detect attacks. In security, the best defense is a good offense, and the more offensive you can be, the more secure you will be."
About Gartner:
Gartner, Inc. is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Gartner Intelligence, research and events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has 3,700 associates, including more than 1,000 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.