Spyware is no longer just a petty nuisance, clogging enterprise desktops and access links -- it's also crimeware, driven by the desire for illicit profits. Gartner estimates that these financially motivated attacks will represent 70% of all network security incidents by 2010.
Winning the war against malicious spyware requires a layered defense applied at the desktop, server and network edge. Security professionals are already familiar with desktop antispyware programs, but consider also how
Here, there, everywhere
From pesky adware like ISTBar to stealthy attacks like Trojan-Backdoor-SecureMulti, spyware is now held responsible for one out of four help desk calls and half of the PC crashes reported to Microsoft. IDC estimates that more than 75% of corporate desktops get infected with spyware. According to antispyware vendor Webroot Software Inc., spyware-related downtime and cleanup costs corporations approximately $250 per user annually.
Fighting spyware on the desktop requires new techniques and tools because not only has spyware evolved considerably in recent years, it also still behaves differently than viruses and worms. Many enterprise products (e.g., CA Inc.'s eTrust Pest Patrol, Lavasoft Ad-Aware Enterprise, Webroot Spy Sweeper Enterprise) focus exclusively on host spyware eradication. Antispyware programs are also being rolled into desktop security suites, such as Symantec Corp.'s Client Security, which combines host antivirus, antispyware, firewall and intrusion prevention. Microsoft has embedded basic antispyware defenses into its recently released Windows Vista operating system.
In most companies, desktop antispyware simply isn't good enough. Employees connect infected laptops to the corporate network; desktop software breaks or becomes out of date; visitors, contractors and home workers don't run your chosen antispyware program. Protecting an entire network against spyware really requires a network-based product that can be easily controlled by IT.
UTM appliances complement desktop antispyware by enforcing spyware policies at the network edge. Most UTM appliances, from companies like Cisco Systems Inc., Crossbeam Systems Inc., Juniper Networks Inc., Fortinet Inc., WatchGuard Technologies Inc., SonicWall Inc., and Secure Computing Corp., among others, consolidate firewall, intrusion prevention and antivirus scanning, and may provide additional security services, including VPN, Web filtering, antispam and antispyware.
Antispyware benefits from this unified approach, because network-based defenses can run the gamut from outbound request filtering -- functions one might ask of a firewall or Web filter -- to inbound content inspection, which can resemble intrusion prevention or even antivirus capabilities. Depending on the feature set, countermeasures that may be implemented on a UTM appliance include:
- Blocking outbound requests to risky Web sites: Many spyware infestations start when a user clicks on a malicious URL embedded in a Web page or a phishing email. UTM appliances can filter outbound HTTP traffic to block access to blacklisted domains and URLs that fall into banned categories (e.g., phishing, P2P file sharing and adware/spyware sites). Stopping a problem before it starts is generally less expensive than cleaning it up later. With tenacious spyware -- especially rootkits -- a complete system rebuild may be required to make a compromised host truly trustworthy again.
- Stripping banned objects from inbound messages: Although public blacklists and URL databases used by appliances are constantly updated, new spyware programs will slip through the cracks. Most UTM appliances can also be configured to block active content and banned MIME types carried by HTTP, FTP, POP and other protocols, including unsigned ActiveX controls, Java applets, VB scripts, and PC executables. This can be a bit tricky: for example, zip files can be used to "hide" executables, and HTTP sessions may be encrypted by SSL.
- Network-based spyware scanning: Some UTM appliances can look beyond message headers and content types, scanning inbound application payloads for known spyware. This technique is a logical extension of desktop antispyware scanning. Like desktop scanners, UTM appliances can use regularly updated signature databases and may take configurable actions -- dropping, cleaning, deleting, quarantining -- when spyware is detected.
- Back-channel blocking: Unlike desktop antispyware programs, UTM appliances cannot observe the local system behavior of spyware launched on a desktop. However, appliances are well-positioned to react immediately to spyware network behavior. Many UTM appliances can use malware databases to block known spyware back channels, such as outbound HTTP connections to adware servers, outbound non-business connections like instant messaging, and "phone home" messages sent by remote control Trojans and keystroke loggers. They may generate alerts to help spot infected hosts, and even quarantine those hosts to prevent damage prior to remediation.
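The zip caveat in the banned-objects item above is why a gateway has to type content by its leading bytes and open archives rather than trust file names or declared MIME types. The following Python is an added example, not code from the article or from any vendor; the magic-byte table, extension list, limits and sample data are constructed assumptions.

```python
import io
import zipfile

# Assumed gateway policy (constructed for this example).
BANNED_MAGIC = {
    b"MZ": "windows-executable",        # DOS/PE header
    b"\x7fELF": "elf-executable",
    b"\xca\xfe\xba\xbe": "java-class",  # compiled Java applet code
}
BANNED_EXTENSIONS = (".exe", ".scr", ".vbs", ".ocx", ".class")
MAX_DEPTH = 3                        # nested-archive limit
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate members larger than this

def inspect(name, data, depth=0):
    """Return (path, reason) findings for one inbound object; empty list = allow."""
    findings = []
    # Type the object by its leading bytes, not by its name or MIME header.
    label = next((l for m, l in BANNED_MAGIC.items() if data.startswith(m)), None)
    if label:
        findings.append((name, label))
    elif name.lower().endswith(BANNED_EXTENSIONS):
        findings.append((name, "banned-extension"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:               # fail closed on deeply nested archives
        return findings + [(name, "archive-too-deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:     # encrypted member: contents unreadable
                findings.append((path, "encrypted-member"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member-too-large"))
            else:
                findings += inspect(path, zf.read(info), depth + 1)
    return findings

def make_zip(members):
    """Build an in-memory zip from {filename: bytes} (sample-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

# Constructed sample: a fake "MZ" blob, renamed, wrapped in two zip layers.
FAKE_EXE = b"MZ" + b"\x00" * 64
SAMPLE = make_zip({"readme.txt": b"hello", "bundle.zip": make_zip({"tool.dat": FAKE_EXE})})
```

Content carried inside an SSL session never reaches a check like this unless the appliance terminates the session, which is the second half of the caveat.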
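For the back-channel item above, an added example (not from the article or from any product) that matches outbound destinations against a blocklist on domain-label boundaries and lists the internal hosts to quarantine after repeated hits. The log format, domains, addresses and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed blocklist standing in for a vendor malware database.
BACKCHANNEL_DOMAINS = {"adserver.example", "c2.keylog.example"}
QUARANTINE_THRESHOLD = 3  # assumed policy: blocked attempts before isolation

def is_blocked(host):
    """True if the host or any parent domain is listed, compared label by label."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BACKCHANNEL_DOMAINS
               for i in range(len(labels)))

def evaluate(log_lines):
    """Return (decisions, quarantine) for 'time src_ip dst_host dst_port' records."""
    hits = Counter()
    decisions = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of guessing at fields
        ts, src, host, _port = parts
        blocked = is_blocked(host)
        if blocked:
            hits[src] += 1
        decisions.append((ts, src, host, "BLOCK" if blocked else "ALLOW"))
    # Repeated blocked attempts from one source point at an infected host.
    quarantine = sorted(s for s, n in hits.items() if n >= QUARANTINE_THRESHOLD)
    return decisions, quarantine

# Constructed outbound connection log from the gateway.
SAMPLE_LOG = [
    "09:00:01 10.0.0.5 track.adserver.example 80",
    "09:00:02 10.0.0.9 notadserver.example 80",    # look-alike name, not listed
    "09:00:07 10.0.0.5 c2.keylog.example 443",
    "09:00:09 10.0.0.9 adserver.example 80",
    "09:01:01 10.0.0.5 TRACK.adserver.example. 80",  # case and trailing dot
    "malformed line",
]
```

A plain substring or `endswith` test would also block `notadserver.example`; comparing whole labels avoids that false positive while still covering subdomains of listed names.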
When it comes to fighting spyware, a single countermeasure won't do the trick; for example, UTM appliances cannot protect remote access devices when connected to external networks. Combining desktop and network antispyware covers both bases.
UTM appliances are extremely diverse and will continue to evolve along with spyware itself, so look very closely at any given product's feature set to determine how it can help you battle this scourge. Also give serious consideration to the impact that network antispyware may have on appliance capacity, throughput and message latency.
Weighing these factors, consider unified threat management to strengthen spyware defenses while reducing the operational and productivity burdens associated with this increasingly stealthy, malicious and expensive network threat.
About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Before joining Core Competence, Lisa was a member of technical staff at Bell Communications Research where she won a president's award for her work on ATM network management.
This was first published in February 2009