Spyware – Understanding and Addressing the Risks
By Penny Reyes
“Spyware” is no longer simply a nuisance to enterprises. It is estimated that 90% of desktop PCs are infected with some form of “Spyware” (Source : US National Cyber Security Alliance). According to Gartner between 20 and 40% of enterprise helpdesk calls are now related to unwanted “Spyware” programs.
There are different classes or types of “Spyware”. These are summarised below.
· Tracking Cookies. Cookies are text files saved by the browser that allow tracking of user activity on a website. Users typically allow cookies as some sites won’t work without them or they are useful in that they store information about personal preferences, IP addresses, login information, user options and date and time stamp of the last time the site was visited. Cookies may also contain any information provided by a user during a particular visit – including any personal information provided in the course of completing forms. Cookies are at the most benign end of the “Spyware” spectrum.
· Adware. This form of “Spyware” is responsible for generating the by now familiar pop-up, pop-under, banner, floating and animated advertising seen whilst surfing the web. Adware typically uses advanced scripting that manipulates the browser by exploiting flaws in Java, ActiveX, the operating system and the browser itself. Adware may collect information for cookies and report information directly to sites on the Internet. On clicking-through ads additional cookies or utilities may be installed silently. Some adware makes changes to browser settings – resetting the homepage for example – or to the user system (including Windows registry changes). Often clicking on ‘No’ or ‘Cancel’ buttons within the advert result in the same code executing as if the user had clicked on ‘Yes’ or ‘OK’. Adware is the greyest area of “Spyware” – some Adware certainly should be considered as malicious ‘malware’.
· Scumware. Scumware modifies the contents of a web page adding hypertext links and alternative text. Scumware can also position competitive ads over the originals. Scumware can also install hidden or background processes and services and should therefore be considered as malware.
· Malware. Originally malware referred to viruses, worms and Trojan horses. The term also applies to the more disruptive forms of “Spyware”. Such programs might enable third parties to take control of microphones and web cams installed on a particular client, make changes to browser and systems settings, launch Web activity even when all browser sessions are shut down, install hidden or background processes and services. Keyloggers fall into this category. Malware is the most damaging of all types of “Spyware” from a risk perspective. It should be noted that this form of “Spyware” is increasingly being spread through Instant Messaging applications.
1.1 Different Variants, Different Risks
The different types of “Spyware” present different risks to enterprises. Cookies raise privacy concerns but are relatively low risk.
Adware can begin to impact heavily on productivity. Orthus are aware of several instances where close to 200 different pieces of Adware were present on a single client degrading performance to the point where the client was unusable. In addition to user productivity, productivity is affected through increased help desk calls and the time spent by help desk staff in cleaning up or re-building infected machines – which in turn further impacts user productivity whilst the infected machines are unavailable.
The risk of data leakage – of both personal and corporate information – is a very real threat with the most malicious type of “Spyware”.
Mitigating the Risk
The main technologies available to mitigate against the risks associated with “Spyware” within the enterprise environment are discussed below.
Mitigation techniques are two-tiered or two-part – at the gateway and at the desktop level.
At the desktop or client there are notably three technologies available to mitigate against the risks posed by “Spyware”. These are personal firewalls, dedicated anti-spyware programs, and traditional desktop anti-virus (AV) tools.
In some respects forms of “Spyware” strongly resemble viruses. They are uniquely identifiable, can be detected by scanning the client machine and are sometimes packaged as a set of files that can be removed to clean up the infected system. However many forms of “Spyware” do not reside on disk as persistent files – such as hostile ActiveX and Java applets. The motives, delivery mechanisms and often the removal of “Spyware” is different however from the protocols followed for viruses and worms.
“Spyware” is also different in that there is no one definition agreed on what constitutes “Spyware”. Some programs that might be classed as “Spyware” – such as Microsoft’s Windows Update Notifications – are useful, disclose their tracking capabilities, do not disrupt desktop operation impacting user productivity, and are distributed by responsible companies. “Spyware” therefore needs to be classified and identified by the actions it performs and the level of risk – complicating detection and removal, as the users must be given a choice over what is permitted.
AV vendors – notably Trend Micro, McAfee and Symantec – already have software that is very good at scanning files before they execute. The software also has mature enterprise management suites and the vendors have support teams in place to handle enterprise customers’ needs.
Independent reviews and tests show repeatedly that AV tools are not as good at catching “Spyware” as dedicated anti-spyware programs. Whilst AV tools may detect 99% of viruses this number falls considerably to perhaps 70% – when considering “Spyware” programs.
Using the next releases of desktop AV tools to protect desktops against “Spyware” is extremely attractive to enterprises. There is no need to deploy yet another software agent on every machine within the desktop population, there is no need to monitor yet another ‘console’. AV already incorporates the management features that enterprises require – such as ‘headless operation’ and centralised reporting. Enterprises achieve greater consistency with standardisation on a smaller number of vendors, leading ultimately to cost efficiencies.
Dedicated Anti-Spyware Programs
There is an ever-increasing list of dedicated anti-spyware programs available from vendors including Ad-Aware from LavaSoft which is the most popular product with some 128 million downloads to date. Other notable products include SpyBot Search and Destroy, CounterSpy and Spyware Eliminator. Microsoft has also entered the market with Windows Antispyware following their acquisition of Giant Company Software.
Whilst dedicated anti-spyware programs are more effective today at detecting and removing Spyware than AV products this will change over the forthcoming quarters. Most of the dedicated anti-spyware offerings are available as free downloads aimed at consumers / individual users and not at large enterprises. Site licensing is rarely available for example. Some of the emerging vendors have enterprise offerings on their roadmaps. However these companies are small, lack corporate / financial stability in some cases, and typically do not have the support teams and infrastructure in place to handle large enterprise customers.
Orthus are of the view that many standalone dedicated anti-spyware programs will cease to exist in the relatively near future and the dedicated anti-spyware market will not be significant in years to come as established vendors offer integrated AV/anti-spyware/personal firewall products.
Just as AV tools now include some “Spyware” protection so many of the personal firewalls available offer a level of protection as well. These include McAfee, Check Point and Internet Security Systems (ISS) with the release of Proventia Desktop in March 2005. Sygate is following a similar path to Check Point and ISS.
Personal firewalls are recommended for particularly mobile clients that are regularly taken outside of the corporate perimeter and used to access corporate systems from DSL connections in the home and public WLAN hotspots, where typically direct Internet access is also allowed. They are also recommended for fixed desktop and mobile clients in smaller locations where there is little or no gateway level protection in place and where again direct Internet access is available from those locations.
Desktop protection is only half of the story when it comes to “Spyware” protection. Gateway level protection is also available.
Blue Coat offer a range of proxy appliances that, in conjunction with popular URL filtering solutions, offer a strong defence against “Spyware”. “Spyware” often secretly installs via “drive-by” installers, which install “Spyware” in the background without any user interaction. Blue Coat combats this with anti-spyware policy controls that inspect, filter and block web content associated with “Spyware” installation software. This preventive approach is critical when “Spyware” originates from an unknown web site – not yet categorised within URL filtering solutions – and when there is no known signature available to detect the malicious program.
Gateway protection incorporating a strong URL filtering solution is particularly good in preventing programs on infected systems from sending information back to “Spyware” sites, mitigating against the productivity impact of Adware but also the more serious privacy and data leakage concerns associated with more malicious code. URL filtering solutions also offer some protection from infection in the first place by preventing users from visiting known infected sites.
Gateway solutions typically incorporate logging and reporting features that can be used to identify infected systems thus facilitating a targeted “Spyware” clean-up periodically. This capability is also useful to target mobile clients (notebook PCs) that are not protected with Personal Firewalls that become infected whilst outside the corporate perimeter.
In light of the above Orthus suggest that enterprises take the following approach to mitigating the risks posed by “Spyware” today :
* deploy gateway “Spyware” protection to prevent back-channel communication by infected systems augmented with a leading URL filtering solution.
* use granular reporting capabilities from gateway solutions to identify infected systems and choose a dedicated anti-spyware tool to clean-up infected systems on a case-by-case / ad hoc basis.
* do not deploy dedicated anti-spyware programs across the desktop population – instead wait for AV vendors to add strong anti-spyware capabilities in future releases.
* force remote office branch office based systems to access the Internet via the corporate gateway (where gateway anti-spyware protection exists).
* for remote and mobile clients, in addition to AV, install a recognised personal firewall to increase protection.
Penny Reyes is an analyst at Orthus limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping orgnisations globally to measure, minimise and manage the information risks they face. Orthus provide end to end services for clients to comprehensivly address risk in their environments including Insider Threats, addressing issues including data leakage, sabotage and fraud; External Threats (http://www.orthus.com/dr_overview.htm) including wireless security, penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats including securing cloud services and data processed by third parties; and Legal and Regulatory challenges including Payment Card Industry (PCI) Data Security Standard (DSS).