Computer Crime Research Center


Spyware howto

Date: November 18, 2005
Source: searchsmb.techtarget.com


Matthew Prentice knew spyware was a growing problem for the Cystic Fibrosis Foundation. Complaints of sluggish or crashing machines were becoming commonplace throughout the organization's Bethesda, Md., headquarters and 80 field offices throughout the United States. But until he installed an antispyware appliance on the network, he had no idea what he was up against.

"The first day we put the Barracuda [Networks] box on the wire, we saw 10,000 spyware hits go through, and that's just in our headquarters," said Prentice, director of the non-profit's IT department. It was seeping in through the network gateway, 550 employee PCs and 100 more machines that are part of a nationwide pharmacy to help provide drugs to patients. No machine appeared safe.

"Certainly it's taking more and more of a toll," Prentice said of his organization's spyware problem. "We are a medical non-profit, where every available dollar goes toward research. We're not necessarily the fastest in the world to upgrade our machines in the field. We were getting to the point where machines couldn't handle the burden… especially given the age of some of the machines."

The good news, he said, is that Barracuda's Spyware Firewall has helped him to understand the scope of the problem and develop a successful defense-in-depth strategy to cleanse current machines and quash future outbreaks. This year, his staff also has upgraded about 300 machines, reducing the number of infestations.

Others in his situation are finding no shortage of weapons to do the same.

A recent SearchSecurity.com survey of 304 security professionals indicates a vast majority (64%) believe the best way to fight spyware is to deploy a combination of gateway and client-based software. They're also reexamining native browser security, tightening configurations and even opting for alternative applications like the much-ballyhooed Firefox. Respondents also said they've realized the importance of developing and enforcing acceptable usage policies for employees.

"We try to make them cautious about what they're downloading," said Pat Darienzo, manager of information security for the 10,000-employee KeySpan Energy Co., the largest energy company in the Northeast. In addition to employees, Darienzo has taken time to educate the company's 7,000 IT-supported clients in carefully reading end-user agreements before accepting downloads, a common tactic adware companies use to install questionable programs. The company also blocks suspicious attachments and limits Internet access. Darienzo also has integrated McAfee's antispyware tool into the company's existing antivirus software that is then managed centrally with ePolicy Orchestrator. Management, he emphasized, is key to combating spyware.

The mandatory security awareness training, combined with tools, is paying off at KeySpan. "Our spyware hasn't gotten dramatically worse," he noted. "It maybe has even gotten better in the past year or two."

No vendor has cornered the antispyware market. The wide array of offerings within the enterprise space makes it difficult for one company to dominate. Client-side antivirus vendors like McAfee, Symantec and Trend Micro certainly had an early edge, given their dominance in the AV enterprise space. But some users have questioned why their signature-based antivirus software failed to recognize malicious spyware for so long. Almost as many say they're using desktop- and server-based freeware from Spybot and Lavasoft as backup.

In the survey, half of respondents said they'd turn to best-of-breed antispyware vendors and/or AV providers to defend against future spyware. Another 43% would also build better defenses into browsers. But major security vendors are buying or teaming up with specialized companies to strengthen their competitiveness. That includes Microsoft, which this year acquired Giant's antispyware technology and created a community-based SpyNet to show it's serious about attacking spyware. It may pay off, given that a third of respondents said they'd rely on desktop application providers like the software giant to arm them in their spyware battles. Only 5% said they don't plan any of these approaches because they don't anticipate spyware being a problem for them.

Find it first

The first step to solving the problem is realizing you have one. That reality check comes once a detection tool is installed and the first scan is underway.

The vast majority (74%) of respondents said they incorporate antispyware technology in their security programs, including software or an appliance to capture culprits. Lavasoft's Ad-Aware and Spybot Search & Destroy -- sometimes in combination -- run on many of those machines alongside another commercial utility to hedge against threats. Prentice's organization, for instance, this year bought a license to run PC Tools' Spyware Doctor on workstations. The company, best known for its consumer antispyware tool, recently expanded into the enterprise space.

Whether installed on the gateway or workstation or server, users overall are satisfied with their choice of products. Almost everyone found at least some success at stopping infections. But everyone agrees the technologies still need improvement.

Until then, people like Prentice will run a variety of detection tools to improve their record. "You get some of these [heavily infested] machines and you run [PC Tools'] Spyware Doctor and it picks up some. Then you turn around and use Adaware, and it picks up some more. But there's still more on there, so you use Microsoft's tool and it picks up more. And you eventually get everything eliminated."

Barracuda's box, in Prentice's case, then monitors at the gateway for machines trying to hit spyware sites -- signaling PCs still aren't quite clean. But there's also a cost for such an exhaustive strategy. Some of these tools, alone or combined, can take up considerable memory or processing power when added to other network protections.

Manual labor

A standard course of action begins with a combination of registry hacks and file deletions to oust obvious malware. In some cases, it may involve rebooting a machine without logging in so you can clean up in a logged-out state. That helps, but sometimes you'll find stuff that embeds itself even deeper into the registry, such as linking into the notify chain under the operating system. "That one threw me for hours one day before we eventually located it," recalled Joe Finamore, IT director for the Wisconsin-based Marshfield Clinic chain. "Every time you track down the old tricks, they come up with new ones."

At the City of North Vancouver, IT manager Craig Hunter realized that spyware, especially the "performance eaters," had an easier time of it by exploiting unpatched systems. So his department, which oversees 400 employees at 350 workstations, has stepped up patching using the Windows SMS. They also routinely lock down firewalls. "Our habit is to only open a port upon absolute requirement, rather than keep them all open until told to close one," he said.

Hunter also uses a Websense content filter to block sites such as adult entertainment, violence and weaponry, militancy and racism. That's cut down on spyware infections, too. After a year of simple monitoring, Hunter's group has begun to turn up the spyware sensitivity incrementally. So far, nobody seems to be complaining.

Employees must shoulder some of the burden when it comes to accepting questionable attachments, downloading suspicious programs or signing off on user agreements without thoroughly reading them. "There's a greater awareness now from the user community that it's not that good out there. It's not so free and clear." Hunter went through his agency's human resource department for an endorsed list of sites to block by categories. HR then helped sell the list to directors. "So far that has been working OK, and people are more supportive of it than I would have thought," he said.

In addition, IT security staffs should carefully consider whether users need administrative privilege on their machines. Granted, some software can only be installed with that privilege enabled. But spyware makers are also counting on such permissive policy to social engineer someone into installing their programs.

You be the judge

There's another kind of user community at work on spyware: networks of enterprises that rate sites and programs for acceptability. Earlier this year, SearchSecurity.com devoted a two-part series to examining the pros and cons of these community-based spyware networks, in which users vote on the inclusion or exclusion of suspicious downloads online so that others may judge legitimacy. The only problem is that the threshold for acceptance has gone way down as frustrations have shot through the roof. The result: upset employees demanding more flexibility.

KeySpan's Darienzo did something similar with spam, with mixed results. "We cracked down and executives said we were blocking too much, like their hobby magazines. Then we opened it a little bit and got complaints users were getting more spam. It's nice to have the functionality, but if spam increases a little bit, it's no big deal. Spyware is different. You can't let spyware in and say it's an acceptable amount."

Copyright © 2001-2013 Computer Crime Research Center