Fighting Spyware


Contents

Introduction
Identifying the Culprit
How to Battle Spyware




Introduction

Spyware, adware, greyware, scumware . . . whatever you call it, you don’t want it on your employees’ computers.

The trouble started when Bill M., an employee at a major university, downloaded what he assumed was a required program for an online MBA class he was attending at night. The freeware program purported to improve performance when accessing e-learning courseware.

“Almost immediately, my computer became very unstable and acted funny, freezing, crashing, and maxing out the CPU,” Bill says. “Every time I launched my Web browser, it would redirect my home page. When I’d attempt to perform a Google search, I’d land on unknown search results pages that were clearly designed to entice me to ‘Apply Now for a Student Credit Card,’ or ‘Earn a Diploma in Your Spare Time.’ It became impossible to do my job, and I lost countless hours as the computer continued to crash over and over again. It was like my computer had become possessed.”

Identifying the Culprit

The demon was spyware, or more specifically in this case, adware: a program bundled with freeware, with the "spy" being a marketing company that makes a commission from serving ads or from recording surfing habits for research purposes. It is a widespread and growing problem: 92 percent of IT managers report that spyware has infected their organizations, with an average of 29 percent of workstations affected, according to a 2004 Harris poll. Beyond the hours of lost user productivity, adware is notoriously difficult to remove once installed. Sometimes removal is impossible, because the offending program often invites more adware to install itself.

This was the case with Bill's computer. "Our IT administrator ran several spy-detection and removal tools on my computer. Some caught it, others did not," he says. "None of the products was able to remove the adware completely, as it had made thousands of changes to the registry and kept reinstalling. After spending more than 50 hours attempting to clean up the system, we finally gave up and scrapped the entire hard drive."

Was it a safety risk? Not necessarily. More reputable adware vendors are quick to point out that they no longer record surfing habits and relay the information to third-party researchers. Safety risk or no, this particular adware created productivity loss -- user productivity as well as IT support -- which is hard to ignore, especially when extrapolated across hundreds of workstations.

Adware may drive up support calls because it usually makes its presence painfully obvious to the user. Spyware, by contrast, is deliberately designed to be stealthy and transparent while it records and relays keystrokes, and so poses an undeniable, serious security risk.

Spyware's origins are in perfectly legitimate programs designed in the 1990s to monitor computer use. Marketed to parents to monitor minor children's online activities or to employers wishing to monitor employee computer use, many of these programs eventually touted "remote installation" -- the ability to install without having physical access to the monitored computer -- as a key feature.

The evolution of these programs, however, brought us to today's challenges. Hackers and identity thieves are increasingly developing and exploiting spyware programs that enable them to record passwords and other sensitive information such as credit card and Social Security numbers, as well as corporate secrets.

How to Battle Spyware

In the business environment, the best approach starts with a sound security policy that is communicated to employees and enforced by effective technologies:

  1. Educate employees to understand the threat and to only download from trustworthy sites. Explain that there is no such thing as a "free lunch" -- that freeware probably comes at a cost to system integrity and stability -- and urge employees to always stop and read user-licensing agreements carefully.
  2. Keep systems patched and up-to-date. Spyware often exploits vulnerabilities in outdated browsers and operating systems.
  3. To guard against drive-by downloads, disable ActiveX and set Web browser security options to the highest level.
  4. Block all suspicious outbound connections via the firewall.
  5. Employ pop-up blockers.
  6. Employ spyware-prevention technologies on the endpoint. Look for solutions, such as Cisco Security Agent, that not only detect infections, but aid in preventing installation. Or, if a system is already infected, the solution will block malicious activity according to your organization's security policy.
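The following audit script is an added example for steps 2 through 4 of the list above; it is not part of the Cisco article and is not Cisco Security Agent. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for the `Get-NetFirewallProfile` cmdlet), reads the Internet zone's "Run ActiveX controls and plug-ins" setting from the registry, and reports the patch age and the firewall's default outbound action. The 30-day patch threshold and all function names are this example's own assumptions.

```powershell
# Added audit example (not from the Cisco article, not Cisco Security Agent).
# Assumes Windows PowerShell 5.1+ on Windows 8 / Server 2012 or newer.
# The 30-day threshold and the function names below are this example's own.

# Step 2: how stale is the patch level? Get-HotFix lists installed updates;
# InstalledOn is empty for some entries, so those are filtered out first.
function Get-DaysSinceLastHotfix {
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    if ($null -eq $latest) { return [int]::MaxValue }   # no dated update found
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

# Step 3: "Run ActiveX controls and plug-ins" in the Internet zone.
# Zone 3 is the Internet zone and value 1200 is that setting:
# 0 = Enable, 1 = Prompt, 3 = Disable. A Group Policy value under the
# HKLM Policies path overrides the per-user value, so it is consulted first.
function Test-ActiveXDisabledInInternetZone {
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name '1200' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return ($item.'1200' -eq 3) }
    }
    return $false   # setting absent everywhere: treat as not hardened
}

# Step 4: every firewall profile should be enabled with a default outbound
# action of Block, so only explicitly allowed programs can connect out.
# Returns the names of profiles that fail the check (none = compliant).
function Get-ProfilesAllowingOutbound {
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultOutboundAction -ne 'Block' } |
        ForEach-Object { $_.Name }
}

# One record per workstation, suitable for collection into a central report.
function Get-SpywareHardeningReport {
    $daysSincePatch = Get-DaysSinceLastHotfix
    $openProfiles   = @(Get-ProfilesAllowingOutbound)
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        DaysSinceLastPatch       = $daysSincePatch
        PatchLevelStale          = ($daysSincePatch -gt 30)   # assumed threshold
        ActiveXDisabledInternet  = Test-ActiveXDisabledInInternetZone
        ProfilesAllowingOutbound = ($openProfiles -join ', ')
        OutboundDefaultBlock     = ($openProfiles.Count -eq 0)
    }
}

Get-SpywareHardeningReport | Format-List
```

Run it under the account whose browser settings you want to check, since the per-user zone value lives under HKCU; a workstation that reports `OutboundDefaultBlock: False` or `ActiveXDisabledInternet: False` is one where steps 3 and 4 have not taken effect, whatever the written policy says.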

It's important that any antispyware product you choose provide comprehensive enterprise-management features. For example, Cisco Security Agent provides flexible policy control as well as application investigation, the ability to identify unauthorized or unknown applications that are installed or run on remote computers. This feature enables you to build a list of suspected spyware applications from throughout the enterprise for analysis. From this analysis, you can develop policies regarding what adware can and cannot do, such as automatically prohibiting the program from installing on additional computers, strictly limiting its behavior where it is already installed, or completely disabling it.

Next Steps: For additional details, read the white paper Cisco Security Agent: An Enterprise Solution for Protection Against Spyware and Adware, or find additional information about Cisco Security Agent at http://www.cisco.com/go/csa.

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.