Spyware - covertly installed software that hijacks web browsers, invades Internet user privacy, displays unsolicited and offensive advertising, and impedes PC performance - is challenging spam and viruses for the top spot on IT worry lists. The threats and risks spyware poses to enterprise networks are considerable, and spyware remediation and countermeasures are now being regarded as critical to network security as antivirus and antispam measures.
How Spyware Threatens Enterprises
The most commonly cited spyware issues worrying enterprise IT staff are loss of productivity and increased helpdesk costs; liability associated with privacy violations; theft of intellectual property and premature disclosure of information; and loss of credibility and damage to brand.
This example illustrates how rapidly spyware-induced productivity loss and helpdesk costs can accumulate. A user installs a free toolbar and web accelerator, and inadvertently installs spyware embedded in these freebies. The particular pests he has installed prove to be removal resistant: attempts to remove the pests damage critical operating system files - the Windows Registry, dynamic link libraries, TCP/IP configuration files - and render the PC inoperable. The user calls the help desk. Support staff invest an estimated 2-4 hours investigating, repairing or rebuilding the PC's primary partition, and restoring the user's local work environment (applications and data files).
If we assume the employee whose PC was compromised is unproductive during this repair time, the total time cost for this representative spyware incident is between ½ and one employee day. Let's assume (a) $50/hour weighted cost of an employee; (b) one percent infestation rate of this sort per employee per workday (260 workdays per year); and (c) an organization of 1000 employees (ten incidents per year): $50/hour x 4 hours x 2600 incidents equals $512,000 (double this if the time to restore the employee to productivity is 8 hours). This incident rate may actually be conservative: a recent AOL/NCSA Online Safety study reports that spyware was discovered on the computers of over 80% of users who volunteered to have their computers scanned, and on average over ninety (90) different spyware programs were discovered per infested PC. But even this simple scenario illustrates how losses due to spyware are quantifiable and potentially large.
Sam Curry, Computer Associates Vice President, eTrust Security Management, indicates that liability associated with unauthorized disclosure of personal information is one of the top concerns expressed by eTrust Pest Patrol Anti-Spyware customers. "Financial institutions worry about regulatory issues and their exposure to liability if customer-related and partner information is disclosed without consent." In the extreme, Curry continues, "financials worry about direct findings in favor of parties injured from unauthorized disclosure and consequent punitive damages." Many such companies now offer free scans or downloads of antispyware software. Said Curry, "This is a B2C investment. Particular types of spyware - keyloggers, RATs (remote administration tools), browser hijackers - anything that makes a customer think he's dealing with a bank when he is not, or violates privacy when the customer thinks he's safe - pose a serious threat of liability, and have a negative effect on the sign up rate for web-based services."
According to Aluria Software President Rick Carlson, "Concern over corporate espionage - theft of intellectual property - and unauthorized monitoring by disgruntled employees is rising. We have met with several enterprise customers who are encountering incidents where disgruntled employees install keyloggers to monitor their manager's activities." The threats from spying and prying activities such as these include unauthorized disclosure of payroll information, and can be as serious as premature disclosure of financial reports (quarterly earnings). Subsequent public disclosures of spyware incidents resulting in such "leaks" have serious legal consequences (litigation and indictments) and invariably mar company image, tarnish brand, or erode consumer confidence.
No Single, Simple Solution
Spyware is at least as tenacious as viruses and as omnipresent as spam. Current antivirus and antispam software detect and block only a small percentage of adware and pests (the majority of those they do catch fall into the category of keyloggers and similar trojan software employed by spyware, virus, and blended threat writers). Limiting computer and user configuration through Group Policy in Active Directory helps, but spyware can't be permanently blocked or entirely eliminated in this manner. Spyware developers take great pains to write software that breaks the conventional rules for installation. They utilize the administrative privileges assigned to web browsers and ignore the standard Microsoft API. They create extraneous Registry entries and substitute their own versions of important dynamic link libraries to evade detection. Consequently, while your organization can implement some measures at firewalls and proxy servers, and you can reduce exposure to a degree using Group Policy Objects, most antispyware initiatives employ detection agents on desktop and laptop computers.
Good antispyware initiatives begin with education and policy. Explain the threats that spyware poses. Describe safe browsing practices in your Internet acceptable use policy. Provide guidelines to help employees distinguish between safe and deceptive advertising. Explain the importance of reading EULAs in weeding out adware from unencumbered free-, share-, and commercial-ware (or ban installation of free- and shareware on company PCs). Explicitly state that the policy applies to all computers that will connect to the company network, personal and company-owned.
If possible, require that administrators perform all computer, user, and software configuration (using, for example, Group Policy Objects in Active Directory). If you choose to allow user self-administration of PCs and laptops, prohibit and block direct download of software from non-company servers. Create a submission process so that employees can request new applications. Evaluate, approve, and where necessary acquire site licenses for new applications you confirm are safe and business-related, then provide downloads for employees on intranet servers.
Identify a standard browser. Define the most secure configuration possible for that browser, and incorporate this policy into a group policy object (user configuration, administrative template for Internet Explorer, for example), or your standard desktop build and configuration. Several online resources describe secure browser settings, but the configuration that you choose to deploy ultimately depends on what active controls and mobile code your organization must permit to satisfy business needs.
Incorporate antispyware software into your standard desktop build. Today, antispyware is no less important than antivirus and personal firewall software. Evaluate several antispyware products to choose the best for your business. Be certain that the product can scan, detect, remove (quarantine) and block spyware. Be certain the user interface meets your definition of friendly and intuitive. Follow the advice of Microsoft and antispyware experts: if you are upgrading rather than performing clean installations, scan and remove spyware before you upgrade to Windows XP Service Pack 2, because several removal-resistant spyware programs are known to cause SP2 installation to fail. (Experts recommend using more than one scan and removal tool to eliminate a higher percentage of pests from infected systems.) To complete the client-side security component, make antispyware an element of your network admission control strategy: if you prevent client computers from accessing your network until they meet antivirus protection criteria, implement the same stringent criteria for spyware.
Complement client-side antispyware measures with perimeter measures. Block users from downloading content you wish to prohibit by MIME type at firewalls or web proxies. Block ad servers at your firewall, or take this power user trick up a notch: instead of configuring a hosts file on every client with ad server domain names that resolve to localhost (127.0.0.1), incorporate these hostnames into your local DNS server so every client on the network is covered at once. If you run or are investigating intrusion detection and prevention systems, ask your vendor what forms of spyware detection they are considering. Lastly, investigate emerging antispyware gateway technology as a complement to your desktop protection. Like antivirus gateways, these are not substitutes for desktop antispyware protection, but rather an added layer of defense.
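To show what moving the hosts-file trick onto the local DNS server looks like in practice, here is an added example (not from the original article) that converts a hosts-file style ad server blocklist into dnsmasq sinkhole directives and BIND response-policy-zone records; the blocklist contents and the domain names are constructed samples, and the script assumes the sinkhole address is 127.0.0.1 as in the article.

```python
"""Convert a hosts-file ad server blocklist into local DNS sinkhole config."""
import re

# Constructed sample in the hosts-file format power users maintain by hand.
SAMPLE_HOSTS = """
# ad servers (constructed sample, not a real blocklist)
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 Banners.Example.Net
0.0.0.0   tracker.example.org   # 0.0.0.0-style entries are sunk as well
127.0.0.1 cdn.ads.example.net
127.0.0.1 ads.example.net
127.0.0.1 bad host!name
"""

SINK_IPS = {"127.0.0.1", "0.0.0.0"}
LOCAL_ALIASES = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """Accept only well-formed multi-label DNS names (no stray characters)."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def parse_hosts(text):
    """Return sorted hostnames to sinkhole: comments, loopback aliases and
    malformed names are dropped, and hosts already covered by a listed
    parent domain are removed because address=/x/ also matches *.x."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_IPS:
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in LOCAL_ALIASES and valid_hostname(host):
                names.add(host)
    covered = {n for n in names if any(n.endswith("." + p) for p in names)}
    return sorted(names - covered)

def dnsmasq_lines(names, sink="127.0.0.1"):
    """dnsmasq: one address=/domain/ip line per domain (covers subdomains)."""
    return ["address=/%s/%s" % (n, sink) for n in names]

def bind_rpz_records(names, sink="127.0.0.1"):
    """BIND RPZ local-data records, relative to the policy zone origin."""
    return [rec for n in names for rec in ("%s A %s" % (n, sink), "*.%s A %s" % (n, sink))]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(parse_hosts(SAMPLE_HOSTS))))
```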
Relative to the number of antispyware vendors, a small number of companies currently offer centrally managed desktop antispyware. The number of players is increasing, and many vendors will provide you with product timelines if you ask. Many antispyware vendors offer corporate, professional, or enterprise versions of desktop software. These often have more features than consumer or "personal editions". Complicating the field are rogue antispyware products, which practice deceptive advertising and report false positives to influence buyers into thinking the product is superior to the competition. Some rogue antispyware products actually incorporate adware features in their free and trial versions.
Study the field carefully. Each organization will have different requirements for an antispyware solution, so your organization may not necessarily conclude that the best centrally managed solution available provides the spyware protection that you need. If you do choose a product that does not currently provide central management, look for antispyware solutions that can accommodate an administratively defined configuration, so that you can incorporate them into an Active Directory-driven software installation. If the product does not provide central administration of client logs, look for vendors willing to cooperate in helping you develop a method to collect logs for central IT analysis.
Take online product reviews with a grain of salt. The majority of these articles review consumer products, or professional products in deployments that aren't representative of large enterprise networks. A fair number of product reviews are of dubious origin, and some appear to be operated by companies that routinely appear on rogue lists for their deceptive advertising practices. If you can, test antispyware products yourself. Use your enterprise buying influence. Ask vendors to provide the resources to infest your standard build desktop with spyware under controlled lab conditions. Archive the partition (image) of this build, test multiple products against a baseline infested PC, and judge for yourself. Don't rely exclusively on the number of spyware pests a vendor claims to detect, as each vendor's method of determining what is and is not spyware is subjective. "Number of pests detected" is a terrible metric for AV and for antispyware. One product might identify every single file or registry entry or cookie as "one unit" of spyware, while another product might identify this entire set of symptoms caused by one pest as "one unit" of spyware. Rely instead on the presence of features that distinguish good products from poor: the ability to restore or rollback to a known recovery point; scan and event logging; automatic scan scheduling; pest database updates; scan component updates; disk and memory requirements; scan performance; and compatibility with your organization's standard applications and system configuration.
Aluria's Carlson says that, like spam, "spyware's here to stay because there's money behind it." Spyware should be a major consideration in your 2005 security planning, and should merit as much attention as viruses and spam. Spyware countermeasures begin at the desktop, and thus represent a meaningful investment in software and support. But spyware should be a relatively easy sell to management: have them install a few toolbars, a web accelerator, P2P application, or a free solitaire game, and they'll quickly get the message.
Originally published in Security Pipeline, reprinted courtesy of CMP Technology and Dark Reading