03 Mar 2010
Some of the leading researchers in the security industry have warned administrators about the dangers of over-hyping threats.
A panel of researchers at the RSA conference in San Francisco, including Dan Kaminsky of IOActive and Tom Cross of IBM X-Force, advised administrators to take warnings of impending security crises with a pinch of salt.
The panel discussed a number of recent high-profile cases, such as the 2008 DNS vulnerability and the recent outbreak of the Storm and Conficker botnets. In each case, the panellists outlined the need for a balance between explaining the risks and the probability of an attack.
Kaminsky offered his highly-publicised DNS flaw as a textbook case of the void between public perception and reality.
The researcher explained that, while the flaw was a significant threat, about two thirds of all DNS servers had been patched within one month of his original warning, in all likelihood leaving the vast majority of users protected.
Even when DNS servers are vulnerable to such a threat, Kaminsky said that the system is hardly a prime attack candidate. Malware writers are far more likely to opt for more common targets, such as flaws in Internet Explorer or vulnerabilities in PDF files, he explained.
"The bad guys that are out there are in business," added Cross. "They tend to build a business model around exploiting a certain type of vulnerability."
However, public attention is not always a bad thing. Researchers noted that the high-profile attacks on Google had forced some large companies to reassess and tighten their security practices.
Ultimately, companies need to distinguish between the threats that they can address and those that they cannot. In the meantime, firms should avoid panicking each time a new security issue arises.
"It is OK if bugs don't lead to the end of the world," said Kaminsky. "Sometimes there are big problems that we've dealt with, and that's OK."
Irony of IOActive
I think it's rather funny that somebody from IOActive is on a panel about hype in security. IOActive is the poster child for exaggerating security claims. Heck, you can swing a dead mouse without hitting some press release from them about how the smart grid is going to destroy the whole world.
Posted by: Tark Dom 18 Mar 2010