Winners in the Spyware Wars
CASCADING POP-UPS. Web page re-directs. Crawling computer speeds. Anyone who’s been online has surely experienced the effects of spyware. A few years ago, organizations were mainly concerned with things like adware and cookies that track a user’s surfing habits. But spyware is becoming increasingly pernicious and sophisticated. Monitoring software, which is sometimes placed directly on computers and at other times is installed via Trojan horse or by automatic Web site download, can log keystrokes or send periodic screen shots back to attackers. Such applications, sometimes combined with “common word” technology, are increasingly stealing users’ financial and other personal information. According to a Kaspersky Lab report, keyloggers surged 500 percent in a recent three-and-a-half-year period.
To fight this ongoing threat, the major antispyware vendors have rolled out products that use heuristics and signatures to identify, then either block or disable spyware, essentially taking a “blacklisting” approach. However, as some IT security professionals discovered, there are other solutions.
IN RECENT YEARS, some software companies have started bucking this blacklisting approach, opting instead for a solution that “whitelists” the applications and executables that can run on workstations. In other cases, medium-sized businesses, which have typically relied on desktop security software and single-point network products, are finding they can afford more comprehensive perimeter solutions. Below, we look at how three organizations with widely differing computing environments took divergent approaches to bringing their spyware under control.
In early 2006, the licenses on Symantec antivirus and antispyware solutions were coming up for renewal at First National Bank of Bosque County, Texas. Brent Rickels, vice president in charge of technology at the $86 million institution, wanted a stronger system. The bank was about to move from a mainly dial up connection to a fully dedicated Internet connection, which would create the potential for spyware to become a more serious problem if not addressed.
Rickels had long questioned the effectiveness of traditional antispyware solutions. Compared to the ever-evolving spyware threat, many of the solutions “are still in their infancy,” he says. He looked at several alternatives, and eventually purchased Sanctuary Application Control from Lumension Security. It’s more secure because it blocks both known and unknown threats by taking a whitelisting approach, he says.
“While many enterprise products are improving their blocking technologies, if there’s a zero-day threat it’s going to slip by,” explains Rickels. Sanctuary’s whitelisting feature removes this concern. “It’s a lot easier to know what you want to run than what you don’t,” he notes.
While this approach might create stronger overall protection, it does take a little extra effort to install and run. With assistance from Sanctuary engineers, building the whitelist took about a day. After installing the software on the server, Rickels scanned a PC he knew was clean. This created a list of permitted programs, he says, which he then sorted into categories that included Windows common files, Microsoft Office programs, and other applications. Individual users were then assigned rights.
The next step was to install the program’s client software on the approximately 45 desktops at the bank’s four locations, which took about three minutes per machine. Each time a desktop computer boots, it receives updates from the server.
Next, all bank hard drives were scanned, which created a more thorough list of programs authorized to be on the bank’s systems. The scan examines each executable, and, using a secure algorithm, calculates a unique digital signature, or hash, for each.
If a hacker tries to alter one of these programs to hide spyware within, the system will detect the change.
Rickels then left the solution in nonblocking mode for several days to get a better sense of all the programs that were running. Whenever one tried to execute on an individual desktop, the central database took note.
To demonstrate to bank employees how Sanctuary works, Rickels blocked Windows games from running. Employees trying to open them received a pop-up explaining that the applications were not allowed. Rickels decided against adding some employee screen savers to the whitelist. Other applications he didn’t include were peer-to-peer and instant messaging programs, which he deemed too great a risk in a financial institution environment. “As a bank, we want to be careful about what’s leaving,” he explains.
Sanctuary also provides an option (which Rickels hasn’t used) to let users authorize their own applications. When users attempt to run a new kind of executable, a dialog box offers the option to deny or accept it. If accepted, it is allowed to launch from then on. Authorization is reported to the administrator.
Recently, Rickels upgraded to Sanctuary 4.0, which has the additional feature of letting organizations set policies on devices, such as USB memory sticks, ZIP drives, personal digital assistants (PDAs), tape drives, secondary hard drives, floppy drives, scanners, and printers. Sanctuary Device Control, also sold as a standalone product, lets the administrator grant access by associating groups or users with specific devices or device classes. The feature also logs the programs installed or uninstalled and files transferred—added or sent to another computer or device. It also permits the setting of encryption policies for individual users and groups. It can either centrally encrypt removable media or enable encryption by users. “Controlling portable media is another way to limit spyware,” says Rickels.
Rickels scans the central database about once a week to look for issues, such as blocked applications that are trying to execute. It could be that an employee needs a new program, he says. While he had to make a few changes in the first few months, “we typically don’t have trouble with it now.”
One ongoing challenge of the product is downloading patches and application upgrades. Normally patches and upgrades from Microsoft can be installed automatically, he says. But the bank needs to scan them and add them to the whitelist before installing them. “That is probably the biggest hassle,” he says. But it takes only about one hour per month.
While Sanctuary blocks executables, it is just one part of the bank’s overall security structure. An antivirus product, run by the institution’s ISP, scans all incoming e-mail. Internet traffic is controlled by a firewall and a separate filtering product is used at the ports. “We block many Web sites,” says Rickels.
Cost. One-year licenses begin at about $45 per-seat, with a lower rate for larger numbers of licenses. A year of service is included.
Rickels says the solution is well worth it. It costs less than some of the antispyware and antivirus solutions he looked at. And the bank hasn’t had a single spyware incident since its installation. “As much as it would be nice, there isn’t just one solution that can solve all your security needs,” he says, “but Sanctuary comes pretty close.”
Universities are known for free-thinking. And, compared to the highly regulated, locked-down financial services environment, they also tend to grant their computer users wide latitude in surfing the Web and downloading programs. California Polytechnic State University is no exception. Most computers grant users full administrative access, says Roger Padilla, who heads IT services on the institution’s San Luis Obispo campus.
About three to four years ago, the downside of such a policy became clear. The university had been using desktop spyware programs such as Adaware and Spybot-Search & Destroy. It also used a Symantec antivirus solution, which worked well against viruses but was limited in its spyware protection, Padilla says.
The central IT department at the 18,000-student campus felt overwhelmed, receiving about 40 to 50 machines per month that had either crashed or been rendered unusable by excessive pop-ups. About ten full-time staffers were spending about 250 hours monthly cleaning, re-imaging, and restoring machines to factory settings. Cleaning typically took four to five hours per computer, he says.
Padilla decided that the university needed a stronger and centrally managed antispyware program. He says the university looked at two well-known antispyware products but eventually selected Webroot Antispyware Corporate Edition with Antivirus. “It appeared to fit best in our environment,” he says.
It had less system overhead and seemed simpler to administer compared to some competing products. It also had strong spyware removal capabilities for alreadyinfected systems.
Webroot uses a host intrusion prevention system that prevents suspicious or malicious code from executing on the network. Additional behavioral genotyping technology deletes malicious code at the gateway and on file servers.
One challenge of large deployments is network access and the distribution of media. Padilla says the university has been able to conserve bandwidth by taking advantage of Webroot’s update distribution services. These have allowed him to schedule new spyware signature downloads in different departments at different times.
The software’s Web-based administration console gives real-time statistics on threat levels throughout the university environment. It provides an alert whenever a desktop has an issue that needs investigation. Administrators use it to configure and automate deployment of definitions, policies, and program updates throughout campus.
Scans can be launched or scheduled to run on a daily or weekly basis. Group settings can be fine-tuned. For example, scan times can be adjusted if some departments or labs can’t afford to be scanned at certain times.
The program scans client systems for malware listed on Webroot’s evolving database of threat definitions. If a match is found, the software quarantines the threat and notifies the administrator. Quarantining, which disables spyware functionality while giving the administrator the option to review and delete suspect files or safely restore them if they are uninfected, is essential to certain applications. Desirable files can be selected to “always keep” for specific users or groups.
Padilla says the work to maintain the solution is nominal. It mainly involves reviewing reports, which can be customized to analyze spyware threats by workstation, group, type detected, and time. Settings, such as group configurations, occasionally need changing. He’s also been impressed with Webroot’s technical support. “We’re usually talking to someone within three minutes.”
A growing number of enterprise products are combining antispyware and antivirus capabilities, says Padilla. But he says he’s glad the university chose a product that, until recently, was focused principally on spyware. “While the spyware capabilities of many legacy antivirus products are improving, I doubt they’re at the stage where they’d be sufficient for our open environment,” he says.
While the university does not support student laptops, he says the campus has a mixed-use license agreement with Webroot and provides the consumer version of Spysweeper to students free of charge.
Padilla roughly estimates that, primarily for budget reasons, only about half of the California State University systems’ 23 campuses use a centralized antispyware or antivirus solution. But he says more campuses are beginning to do so.
Maybe they’re learning from California Polytechnic’s example. Since deployment, the central IT department receives one computer, if that, per month, he says. “It’s night and day.” The solution has helped identify and quarantine more than 100,000 potential spyware infections so far, he says.
Padilla also estimates that the product has saved the university about $50,000 a year in labor costs.
Cost. Webroot AntiSpyware Corporate Edition with Antivirus is licensed annually with the fee based on the number of users. Pricing, which includes a year of service, ranges from about $855 for 25 users to $6,800 for 250 users. Academic institutions receive additional discounts.
With vendors now bundling antispyware, antivirus, and other solutions into their products, companies can purchase highly comprehensive solutions at lower cost. That’s what Matthew Staver, IT manager at Torrance, California-based Pentel of America, says he discovered when his company sought out a stronger perimeter solution about a year ago.
The firm, which has about 200 full-time employees, began ramping up its security about two years ago. “We were having some spyware problems, and a virus got onto our system,” says Staver. At the time, the firm’s IT security structure consisted of a firewall and three other products. These included centrally managed desktop antispyware and antivirus software, a Web filtering solution, and an e-mail antivirus scanner.
Staver first decided to replace the firm’s antispyware and antivirus product. After looking at several products, he chose Trend Micro Office Scan. It’s been easy to use and has helped reduce spyware and other malware, says Staver. But about a year-and-a-half ago, Staver also began doing research on a new perimeter solution. Strengthening this layer is most important, he says. “It’s always better to stop things there than at the desktop.”
After some research, the company chose another Trend Micro product, called the InterScan Gateway Security Appliance (IGSA). Trend Micro touts it as a unified solution that combats spyware, viruses, and spam in addition to content filtering. It offered more comprehensive protection than the company’s Web-filtering product and its e-mail antivirus solution combined, says Staver. It scans more files, protocols, and transmission types.
While the old Web filtering tool would block known malicious sites, IGSA scans the sites that it permits for suspect executables. “It literally looks at every file that comes through it and checks it,” Staver explains.
Setting up IGSA took only about 15 minutes. “You plug it into the network router next to your firewall, do a couple of screen configurations, and you can pretty much forget it,” he says.
The product, which automatically updates definitions, does not require much ongoing work either. “It kind of runs itself,” he notes. That said, it does offer granular controls. The product lets him block, scan, or not scan many kinds of e-mail attachments, for instance.
Cost. The IGSA comes in six versions for 100, 200, 300, 600, 800 and 1,000 users. The IGSA 100, priced at $4,950, works out to less than $50 a seat.
Staver says the company hasn’t had any problems with spyware or viruses since installing the new security products. “The gateway security appliance, particularly, makes a huge difference…. We replaced two perimeter solutions with one that was more comprehensive,” he says. “And it cost less.”
John Wagley is an associate editor at Security Management.