© CXO Media Inc.

Playing Bond: Catching Spyware in the Act

By Laura Roe Stevens

A comprehensive strategy for security management has never been more critical for the enterprise. Antivirus software alone will not root out the most demanding of security breaches. Today, corporations are challenged by the heightened threat of spyware and its less-evil cousin, adware. Both intruders can creep in and remain undetected by the network while they reside on end users' computers.

Spyware finds its way to individual PCs or enterprise networks through loopholes found primarily in Microsoft's Internet Explorer browser protections (the company offers patches to combat the spyware). Once inside, this sophisticated bot may track keystrokes, steal passwords, "listen in" on instant messaging conversations, and spy on open applications. It can also allow unauthorized users to manipulate PCs remotely, downloading and installing software and accessing data stored on the computers it infects. At the enterprise level, competitive and sensitive information can be disclosed, potentially harming the enterprise's bottom line.

Spyware's advertising equivalent, adware, comes attached to Internet sites and can be downloaded unbeknownst to the end user. Some marketing companies use adware to operate like Internet private detectives -- allowing them to follow people as they surf the Web and gather information such as the Web sites they visit, ads they view, and goods they purchase. With this knowledge, companies can then send targeted pop-up ads, even getting around pop-up blockers. While this is intrusive, it isn't often perceived as quite as dangerous as spyware. However, for the enterprise, it can cause many problems, including reduced available bandwidth, loss of employee productivity, and an over-worked IT help desk department.

Spyware is an insidious, widespread problem. A recent Aberdeen Research report noted, "every PC in the world is now infected with spyware bots." What's more, these intruders can bypass firewalls and antivirus programs, rendering traditional security practices useless against them. A comprehensive strategy is required to fend off these malicious intruders.

Spyware's many ports of entry

Multiple anti-spyware products are now on the market, but until recently, most were designed for desktop users and not scalable to corporations. Enterprise anti-spyware products are now emerging as the spyware threat increases. Analysts strongly recommend that corporations purchase a product that can sweep the network daily for spyware, while also instituting a comprehensive strategy to protect the company from future break-ins. Even if the firewall is protected, there are multiple ways spyware can get into the enterprise -- including via telecommuting employees and disgruntled employees, who may infect their own PCs intentionally before leaving a company.

All ports of entry are vulnerable to spyware -- even loyal employees may unknowingly bring in spyware when downloading applications necessary to do their jobs. Forrester Research points out that employees may also drag in spyware when surfing the Web, particularly when visiting file-sharing sites, which are renowned for having ads with spyware.

Attacking spyware on the network

One way to combat this threat is to have a united front. Companies should create a centralized "security overseer" responsible for setting and managing security policies. This person would report to the CIO or CEO and would set enterprise-wide policies on Internet access and surfing behavior. This will reduce the likelihood of encountering spyware.

With recent federal regulations, the security chief can also file suit or report violators to the government. In October of 2004, the U.S. House of Representatives passed two anti-spyware bills, allowing large fines to be levied on companies found deploying spyware. The "Spy Block Act," now pending in the Senate, would require software companies to notify consumers of the fact that software is about to be downloaded onto their machines. Even without the support of this legislation, the U.S. Federal Trade Commission (FTC) has been able to crack down on spyware purveyors by citing deceptive-business laws. The FTC asked a federal court to shut down two companies owned by one New Hampshire businessman -- a marketing company that reportedly infected computers with spyware and sent out pop-up ads advertising the man's other company, which sold anti-spyware services.  

Once considered strictly a consumer issue, spyware is sneaking into the enterprise, eating up bandwidth, pumping out unwanted pop-ups, crashing employees' computers, and potentially posing a risk to sensitive and critical corporate data. Companies can and must develop strategies to protect valuable data and worker productivity.

Laura Roe Stevens is an Atlanta-based freelance writer who has covered business and technology for The New York Times, Los Angeles Times, and the Atlanta Business Chronicle.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.


Dated: March 01, 2005
http://www.cio.com/blog_view.html?ID=221



© 1994 - 2005 CXO Media Inc.

An International Data Group (IDG) Company


