To prevent and protect – new approaches against spyware
Ninety-two per cent of IT directors can't be wrong. That is the overwhelming majority of high-ranking IT professionals who see spyware as more than a nuisance to enterprises [Web@Work research, 2004]. Estimates even put the number of desktops affected by spyware as high as 90 per cent [US National Cyber Security Alliance].
Unwanted software is entering organisations through email accounts, web spam, browser downloads and shareware, enabling outsiders to obtain sensitive information about an organisation or an individual without their knowledge. This information is then relayed to interested third parties. Users are then often bombarded with advertising, dramatically impairing infrastructure performance and user productivity. In some cases, the spyware may include key loggers that could lead to intellectual property theft and corporate espionage.
Typically, spyware enters a network when a user unwittingly downloads the program from the web. The user may agree to install a small utility that includes spyware as part of the download. However, organisations need not despair because the tools are available to combat this menace.
As with most ways of defending the network, a strong policy is needed. As staff can unwittingly download spyware when they acquire files off the web, defence must start with a process of education, with staff alerting IT as soon as they think they have invited anything suspect in.
This education will be similar to any communication companies should have had with staff over identifying viruses. There must be clear guidelines on what can and cannot be downloaded onto the network and also avoiding opening emails with attachments from sources they do not recognise.
Spyware has traditionally been combated with three approaches:
- Spyware-specific desktop solutions: to scan, detect and clean systems
- Anti-virus solutions: these detect a subset of known spyware
- URL filtering: prevents users from going to known spyware sites but cannot block all sources, as spyware has ever-changing, multiple points of origin
These approaches have all been good, but not entirely effective in combating the problem. Their focus has been primarily to detect spyware and subsequently remove it rather than stop attacks altogether. However, this means that an intrusion has already occurred and the menace exists within the network.
To understand why spyware is difficult to counter, it is worth recognising that much of it is driven by money, not the malicious viewpoint of most virus-writers.
Advertisers want to advertise their wares to millions of desktop PCs and small software vendors want to receive money for their utilities such as cursors, smiley-faces and "newsbars". Spyware companies put these two organisations together, the advertisers paying the spyware companies who in turn pay the software houses for each installation. The software utility comes bundled with spyware and the software houses then pay web sites (such as message boards) for hosting adverts for the utilities themselves.
So, as the money flows from the advertisers to the spyware providers and on to the software houses, it is in all their interests to place advertising for the "carrier" utilities and in no-one's interest to warn users clearly of the impact that the spyware may have on the PC, the user or the infrastructure.
This is why a better approach is to deal with spyware before it has a chance to infiltrate a system – by defending at the gateway.
By placing prevention at the gateway, proxy controls can stop these drive-by installs, which are commonly the means of entry for spyware.
One of the key problems for anti-spyware technologies is being able to identify malicious traffic. Some anti-virus systems include known spyware signatures, but they rarely list more than a small subset of total spyware threats. IT directors need to look for solutions that can block spyware even without a signature file.
URL filtering technology blocks access to known spyware sites, which means that new or unknown sites are not accounted for and, as such, are not identified as a threat.
With both of the previous technologies deployed, an organisation is starting to control known spyware and spyware coming from known sites; however, unknown spyware from unknown sites is still infecting the network.
Further technologies can help here. One way would be to deploy a desktop-based application that attempts to restrict new software installations. The difficulties here are managing all the different desktops within the organisation, placing software that restricts user choice on each PC, and the inevitable calls to the IT support desk from users who want approval to install further applications; as things such as browser plug-ins need to be installed, these calls can come fast and furious.
Another alternative is to use a combination policy that brings in the URL filtering databases together with technologies that can recognise when a user is downloading an application. As an example, a policy could allow downloads of applications from known software vendors and a "white list" of business partners and disallow them from anywhere else.
Another key benefit of being able to watch PC activity at a gateway is being able to recognise when a system has been infected. By using a list of known spyware sites, management can see which PCs attempt to visit those sites and target those particular machines for clean-up. With gateway policies, it is possible to redirect the PC to the internal clean-up application when infection is noticed.
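As an added example, not code from the article or from Blue Coat, here is a small Python model of the combined gateway policy described in the two paragraphs above: application downloads are allowed only from a white list of known vendors and business partners, and any client that reaches for a site in the known-spyware list is recorded for clean-up and redirected to an internal clean-up page. All domains, the clean-up URL and the sample traffic are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed, hypothetical lists: in production they would come from the URL
# filtering database and the organisation's own vendor/partner white list.
KNOWN_SPYWARE_SITES = {"adserver.example-spyware.test", "tracker.example-bundle.test"}
TRUSTED_DOWNLOAD_SOURCES = {"updates.vendor.example", "files.partner.example"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/octet-stream"}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".cab", ".dll")
CLEANUP_URL = "http://cleanup.intranet.example/"  # assumed internal clean-up page

@dataclass
class Request:
    client_ip: str
    url: str
    content_type: str = ""  # Content-Type the proxy sees on the response

def host_in(host, sites):
    # Match the listed host itself or any subdomain of it.
    return any(host == s or host.endswith("." + s) for s in sites)

def is_application_download(req):
    # Either the MIME type or the file extension marks it; checking only one leaves gaps.
    path = urlparse(req.url).path.lower()
    return req.content_type.lower() in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTENSIONS)

def decide(req, suspect_clients):
    # Returns (verdict, reason) and records clients that reach for known spyware sites.
    host = urlparse(req.url).hostname or ""
    if host_in(host, KNOWN_SPYWARE_SITES):
        suspect_clients.add(req.client_ip)  # this PC is probably already infected
        return ("REDIRECT", CLEANUP_URL)
    if is_application_download(req):
        if host_in(host, TRUSTED_DOWNLOAD_SOURCES):
            return ("ALLOW", "application download from white-listed source")
        return ("DENY", "application download from an unlisted source")
    return ("ALLOW", "ordinary web traffic")

def run_policy(requests):
    suspects = set()
    decisions = [decide(r, suspects) for r in requests]
    return decisions, suspects

# Constructed sample traffic, as the gateway would see it.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "http://updates.vendor.example/setup.exe", "application/x-msdownload"),
    Request("10.0.0.7", "http://free-smileys.example/cursor_pack.exe", "application/octet-stream"),
    Request("10.0.0.7", "http://adserver.example-spyware.test/beacon?id=42", "text/plain"),
    Request("10.0.0.9", "http://news.example/index.html", "text/html"),
]
```

Running `run_policy(SAMPLE_REQUESTS)` allows the vendor download, denies the smiley-pack executable, redirects the beacon request and reports 10.0.0.7 as the machine to target for clean-up.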
Technology is available that can enable IT directors to prevent spyware at the gateway and enjoy total control and visibility without any compromise in performance. Spyware prevention starts with a policy and ends with the latest proxy technology, leading to safer corporate and employee data, happier IT directors, higher productivity and, ultimately, increased profitability.
Nigel Hawthorn, European marketing director, Blue Coat Systems.