
Don't Let Spyware Give You the Slip

From the Editors of CIOSC

How big of a headache are spyware, adware, and bot infections for today's IT operations and security managers? According to the META Group, they are now a top concern, and the researcher estimates that cleaning infected clients can consume 20 percent or more of a help desk's overall effort. Spyware, which was a low-priority item on many IT security agendas a year ago, has quickly evolved from an annoyance to a substantial security and support burden. This article looks at the ways enterprises can evaluate security risks from spyware, and the means by which those risks can be mitigated.

The scope of the problem

Spyware gathers confidential information by logging keystrokes, performing screen captures, and monitoring email correspondence and instant messaging conversations. Once the information is obtained, spyware programs such as Gator, Hotbar, and Cydoor use various methods to deliver the data to another party, often for monetary gain. Because spyware captures sensitive information before it is encrypted for transmission, it can bypass security measures such as encrypted connections and forward the text in an easily readable format.

Bots, such as Gaobot, Spybot, and RxBot, are programs that are covertly installed on a targeted system, allowing an unauthorized user to remotely control the computer for a wide variety of purposes. Attackers often coordinate large groups of bot-controlled systems, or bot networks, to scan for vulnerable systems and use them to increase the speed and breadth of their attacks. Bot networks create unique problems for organizations because they can be remotely upgraded with new exploits very quickly, potentially allowing attackers to outpace an organization's security efforts to patch vulnerable systems. According to the most recent edition of the Symantec Internet Security Threat Report, over the first six months of 2004, the number of monitored bots rose from less than 2,000 computers to more than 30,000.

Internet Service Provider (ISP) EarthLink recently announced that it detected approximately 116.5 million instances of spyware, adware, and other potentially unwanted software among its customers in 2004. The ISP's latest SpyAudit report, released earlier this month, found that instances of spyware monitoring software among its customers rose 230 percent last year.
Rating security risks

Some programs classified as spyware are commercially released programs that can be used in a variety of ways. Because some of these uses have the potential to introduce risks to the privacy, confidentiality, integrity, and availability of a system and personal information, users need the ability to detect them. In particular, organizations that must comply with various regulations -- such as HIPAA or Sarbanes-Oxley -- need to be sure that the protection of confidential information is consistent with the requirements of these acts.

A program is considered high risk if it attempts to conceal its presence -- for example, a program that hides from the Task Manager or does not have a user interface. Sending out confidential, sensitive information such as passwords, credit card data, or other personal information is deemed high-risk behavior as well. Likewise, a measurable impact on system stability or performance is classified as high risk (for example, opening multiple windows or spawning processes). Programs that deliberately avoid being uninstalled are often characterized by watchdog processes that reinstall removed components, duplicate file storage, or files stored in unusual or hard-to-find locations; such functionality is considered to indicate high-risk behavior. Finally, programs are rated high risk if they possess functionality that conducts or assists in redirecting users to spoofed or non-requested Web sites.

Programs whose functionality is shown to result in easily repairable damage, or that track user actions, are considered medium risk. Displaying pop-up windows or operating partially in stealth mode is also considered medium risk. Tracking Web browsing with no privacy policy (or with one that conflicts with the program's functionality) is likewise considered medium-risk behavior.

Programs with functionality classified as low risk are those that track benign user actions, have an End User License Agreement (EULA), and can be easily uninstalled. Such functionality involves little or no privacy infringement.
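The high/medium/low criteria above can be applied mechanically during triage. The following rule-based rater is an added example, not code from the article or from any product it mentions; the behavior flag names, the ProgramProfile fields and the sample profiles are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

HIGH, MEDIUM, LOW = "high", "medium", "low"
_RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}

# One entry per behavior the article names: (observed flag, risk band, reason).
# Flag names are assumed labels an analyst would attach after observing the program.
_RULES = [
    ("hides_from_task_manager", HIGH, "conceals its presence"),
    ("no_user_interface", HIGH, "conceals its presence"),
    ("sends_confidential_data", HIGH, "sends passwords, card data or other personal information"),
    ("degrades_system", HIGH, "measurable impact on stability or performance"),
    ("watchdog_reinstall", HIGH, "resists uninstall (watchdog reinstalls removed components)"),
    ("duplicate_or_hidden_files", HIGH, "resists uninstall (duplicate or hard-to-find files)"),
    ("redirects_web", HIGH, "redirects users to spoofed or unrequested sites"),
    ("repairable_damage", MEDIUM, "causes easily repairable damage"),
    ("tracks_user_actions", MEDIUM, "tracks user actions"),
    ("popups", MEDIUM, "displays pop-up windows"),
    ("partial_stealth", MEDIUM, "operates partially in stealth mode"),
]


@dataclass
class ProgramProfile:
    name: str
    behaviors: Set[str] = field(default_factory=set)
    has_eula: bool = False
    privacy_policy: Optional[str] = None  # None = no privacy policy published
    policy_conflicts: bool = False        # policy contradicts the observed behavior
    easily_uninstalled: bool = True


def rate(p: ProgramProfile) -> Tuple[str, List[str]]:
    """Return (band, reasons); the band is the most severe criterion that matched."""
    band, reasons = LOW, []
    for flag, level, why in _RULES:
        if flag in p.behaviors:
            reasons.append(why)
            if _RANK[level] > _RANK[band]:
                band = level
    # Browsing tracking is medium only when there is no privacy policy or it conflicts.
    if "tracks_web_browsing" in p.behaviors and (p.privacy_policy is None or p.policy_conflicts):
        reasons.append("tracks Web browsing with no or conflicting privacy policy")
        if _RANK[band] < _RANK[MEDIUM]:
            band = MEDIUM
    if band == LOW:  # report whether the full low-risk profile (EULA, easy removal) is met
        met = p.has_eula and p.easily_uninstalled
        reasons.append("low-risk profile met" if met else "low-risk profile incomplete")
    return band, reasons
```

Rating is the maximum over all matched criteria, so a program that both shows pop-ups and hides from the Task Manager is rated high, with every matched reason retained for the analyst.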

Mitigating risks

The most effective way to reduce risks from programs classified as security risks is to use a complete security solution that deals with a wide range of threats. In particular, enterprises need a solution that categorizes programs according to their functionality and allows them to choose an acceptable risk level. Integrated technologies (antivirus, firewall, and intrusion protection) should work together to provide defense in depth. For example, while an antivirus solution works to protect a system against spyware, a firewall allows an organization to create a list of recipients of personal information and to block unwanted advertisements. Furthermore, when a firewall detects that an application is trying to establish an outbound network communication (as a spyware program would to relay information to the outside world) it should automatically close the port and prevent the transmission.

Other issues to consider: the number of spyware definitions supported by a particular solution, the process used for finding new spyware programs, and how the definitions are updated.

In addition to the use of strong technologies, there are policy measures that can help organizations reduce their risks. For example, make sure that you know and trust the authenticity of any software before you download it and install it. Read the EULAs of software programs to make sure you know what you are getting, and make sure that you understand, and agree with, the program's functionality. Examine EULAs carefully to make sure they are in agreement with your security policy. Also, as some spyware is installed using ActiveX controls, consider requiring a prompt for ActiveX to execute within Web browsers.

A burgeoning problem

Programs that are classified as security risks, including spyware, adware, and bots, have the potential to compromise personal information and privacy. These programs have a wide range of functionality and are increasing in prevalence globally.

As a result, Forrester Research Inc. now predicts that 65 percent of companies will either purchase or upgrade anti-spyware software this year, making it the most popular security technology of 2005. According to Forrester, spyware has surpassed spam and identity theft on the list of threats that security managers are most concerned about.

Clearly, tools designed to fend off this rising security threat will be closely scrutinized by enterprise buyers in 2005.

 

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
