Secrets and Spies
It might be hype of the month, but that doesn't mean it won't gobble up your customers. Simon Meredith investigates spyware in the second of our five-part security series.
Spyware is everywhere and, while it is a real problem, the industry is talking it up to some degree. For example, cookies are counted as spyware by some vendors but others don't count them.
But, wherever you draw the boundaries, spyware is a big problem. IDC estimates that 67 per cent of all computers have some form of spyware and, while many of these are home PCs, the threat to business is considerable.
In March, a high-tech crime ring attempted to steal £220m from the London offices of Japanese banking group Sumitomo, using keylogging software. This type of spyware, designed to track every keystroke, is perhaps the most serious threat. It can pick up identities, passwords, credit card and PIN numbers.
Tracking software that follows your movements on the web is mostly used to identify potential customers, but could lead to a deluge of spam, which could in turn be ridden with viruses. Adware, which just flashes pop-ups or takes you to sites you don't want to visit, is relatively harmless, but it can be a nuisance, and can cause offence, as much of it is pornographic. Spyware can also affect performance by clogging up memory and disk space with junk.
Spyware can also lead to your PC or network being hijacked for use as a spam robot or zombie network. The aim is to infect and take control of as many machines as possible, and to build out of them a zombie network that can then be rented out to spammers. About half of all spam mail is thought to come from zombie networks.
Other types of spyware include what some call 'riskware', or legitimate programs that criminals use to gain entry to systems or steal information. Remote administration utilities, for example, could be used in this way, so companies that use hosted applications need to be on their guard against this threat.
While all of these variants can cause problems, it is the keylogger that causes most concern, as it has brought organised and intelligent criminals into the game. These pose much more of a challenge to security vendors than the nerds who have built and distributed viruses and worms up to now.
Most security vendors provide an anti-spyware option with their anti-virus and firewall packages, and this functionality will increasingly become a tick-box item. But spyware is a little different from viruses. It is very difficult to identify what you need to stop and what you need to let in.
While the malicious nature of a virus is fairly obvious and easily detected by software, spyware is stealthier, similar in that respect to Trojans. David Emm, senior technology consultant at Kaspersky Labs UK, says: "How do you distinguish, for example, between legitimate remote administration tools and a back-door Trojan? We can use our intelligence and intuition to assess whether a tool may be used in our environment with malicious intent, but it's not so easy for software to draw this distinction."
In other words, you need to be on the look-out for spyware or anything that could be spyware on the system. As with viruses, the nature of the beast is constantly changing and fusing with other threats. New techniques are used to try and break perimeter security and trick the intrusion detection and activity monitoring systems.
This is why, according to Bob Jones, chairman of appliance vendor Equiinet, services hold the most potential for the channel.
"The best reseller opportunity of all is to offer a form of managed and update service," he says. "Smaller businesses can then relax and focus on their own business issues, safe in the knowledge that they are being looked after. And it's a recurring revenue opportunity."
Just helping customers to keep their systems up to date presents a good opportunity, says Richard Stiennon, vice-president of threat research at Webroot Software.
"The sad state of affairs is that customers will have to maintain anti-virus, firewalls and anti-spyware. Resellers are in a position to be trusted advisers to their clients. As such, they can address the spyware issue today, saving their clients many headaches."
Many customers, he points out, do not realise the magnitude of the problem that they already have. By using audit tools, resellers can highlight this and provide appropriate solutions and services. This can also help to open up other potential sales of security products.
Mike Small, director of eTrust strategy at Computer Associates (CA), says: "Since the target of spyware is often to capture user IDs, using stronger authentication methods is also important. For example, one-time password systems, certificates, smart cards and biometrics are all good."
Mandeep Sandhu, technical consultant in the security business unit at Azlan, says that there are multiple opportunities associated with spyware. "You need appropriate technical and administrative controls. Anti-spyware supports gateway, server and desktop-level protection against known attacks. Hardening the servers and desktops, only allowing appropriate applications to execute, will guard against unknown spyware attacks," he says.
It may be necessary to lock down removable media, and to have good system management and backup-and-recovery processes in place.
Dennis Szerszen, vice-president of marketing at SecureWave, says: "Resellers can help customers to overcome the hype cycle and equip themselves for the long haul."
He adds that the only effective way to deal with spyware is to use proactive lock-down measures. This means allowing only certain applications to be run. Locking down a network and white-listing can also help firms protect themselves against legal threats.
"Financial institutions now have a mountain of regulatory compliance issues which must be taken into account; white-listing can play a valuable role in preventing information leakage, enabling these firms to fulfil their legal obligations," says Szerszen.
If this is too stringent, the "default deny" approach can work, where the default in a system is to deny permission to run, but where administrators have the power to allow programs to be launched. In the end, it is all about policy management. Users could even be prevented from visiting certain types of web sites.
Customers may well need help with getting the policy right and with defining what is and is not spyware, what really constitutes a threat, and what should and should not be allowed to run. They will then need to deploy some kind of anti-spyware solution and apply their policies to it. This is not always a simple process, says Mike Smart, European product manager at SonicWall.
"Resellers need to educate users about the different ways of combating spyware and selecting the right fix. One solution may be better for one company than for another, or it may be better to deploy the solution for one department rather than across the whole organisation," he says.