In-Depth

Software Spies in the Enterprise

Talking Points
SPYWARE AT THE GATES

  • Although freeware often does the job, these tools are reactive and usually must be run manually.
  • Spyware robs bandwidth, cuts worker productivity, eats up help-desk time and may pirate confidential data.
  • Analysts say most enterprises will purchase anti-spyware software this year or upgrade their existing tools, making it the most popular security technology.

Spyware was driving the Richard Petty Driving Experience crazy. Named for NASCAR’s greatest driver, RPDE offers civilians a chance to either ride in or drive a detuned NASCAR racer at many of the same tracks the pros compete on. The company has six locations and about 200 end users—and according to IT manager Kevin Craig, a growing spyware problem was threatening to cause a speedway-size wreck.

“We saw every kind of spyware and adware you can think of,” Craig says. “Keystroke loggers, tracking cookies—one box had almost 1,000 cookies.” Naturally, performance problems ensued, as if end users had bolted a NASCAR-style restrictor plate over their Internet access. “Users would call and say [their PCs were] unusually slow,” Craig says. “The dead giveaway was that once they logged onto the Net, they couldn’t get anywhere. We’d use freeware apps to clean up the mess case by case, but we had no defense on the front lines.”

IT’s problem
Like RPDE, many businesses have found spyware has become an enterprise problem that demands a coordinated response from IT. It’s no longer sufficient to point end users toward a free download such as LavaSoft’s basic version of Ad-Aware. Although they get the job done, these tools are reactive and usually must be run manually.

Spyware robs bandwidth, cuts worker productivity and eats up help-desk time. Perhaps most insidious to business, however, is spyware’s potential impact on data security. Keystroke-logging spyware programs could be used to access corporate networks and pirate sensitive information.

To date, no major security breaches are known to have been caused this way, but due to increased regulatory oversight of private-sector data security, the threat alone has captured the attention of businesses. “Sarbanes-Oxley, the Identity Theft Penalty Enhancement Act [of 2004] and other regs say corporations have a responsibility to train and educate their employees on securing data,” says Robert Siciliano, principal at Boston-based IDTheftSecurity.com and author of The Safety Minute. “The government is saying to corporate America, ‘This is your problem.’”

Spyware is the bomb
Businesses have taken heed. According to Forrester Research, 65 percent of companies will purchase anti-spyware software this year (or upgrade their existing tools), which stands to make this 2005’s most popular security technology.

In response, vendors are preparing enterprise-grade anti-spyware tools, according to Gartner analyst Lydia Leong. She says Computer Associates International (PestPatrol) and Webroot Software (Spy Sweeper Enterprise), are the “only ones offering true enterprise solutions.” In a November 2004 report, Forrester’s David Friedlander adds WebSense Enterprise and Microsoft’s GIANT Anti-Spyware to that list. The key criterion in determining enterprise readiness, Leong says, is a centralized management console. “All the major anti-virus companies are working toward solutions” with such management features, she says.

Multiple fences
As best practices evolve in the spyware arena, businesses are being urged to develop multifaceted defenses that include firewalls and host-based intrusion prevention. At Blue Bell Creameries, for example, Systems Engineer Jeff Smestuen recently began using WebSense Enterprise to detect spyware on the creamery’s 750 PCs, although the company’s firewall, gateway sentinel and anti-virus software have been effective at keeping spyware out.

Blue Bell’s security approach begins even before traffic hits the company firewall, a NetScreen-50 from Juniper Networks. “We have [Internet provider] Sprint filtering our e-mail,” Smestuen says. “Right there, you stop people from going to a lot of junk links in e-mail, so you could call that a social-engineering defense.”

Before implementing WebSense, Smestuen found that Blue Bell’s Trend Micro anti-virus software flagged a significant number of potential spyware infections. “A lot of spyware has the same footprint as viruses,” Smestuen says—an observation confirmed by Gartner’s Leong and other analysts. “I run a central administration console. Before [implementing] WebSense, I used to find five to 25 viruses that were actually spyware each morning.” Smestuen had to delete those instances manually, he adds; the addition of WebSense has nearly eliminated this need.

Smestuen says his one frustration with WebSense is that on its management console, he “cannot see individual PCs, so I can’t scan at that level; it’s more of a gateway-level sentinel.” Before the purchase, he says, Blue Bell evaluated CA’s PestPatrol. That product was the equal of WebSense, Smestuen says, but significantly more expensive, “maybe $40,000 for our 750 users.”

At the Richard Petty Driving Experience, Craig opted to extend the company’s existing SurfControl anti-virus software with an anti-spyware plug-in that is free for the first year, then costs $9.50 per user in a 500-seat implementation. The new SurfControl Web Filter 5.0, which bundles anti-spyware and content-filtering capabilities, is priced at $19 per user. 

Resistance is sometimes futile
Organizations with a strong commitment to open information flow can be especially susceptible to spyware. Universities and research facilities probably top such a list—just ask Ed Bailey, IT director at the University of Florida in Gainesville. “Any effort to filter content in a university environment meets heavy resistance,” Bailey says, “and that means headaches for IT. We had tremendous problems with spyware. It’s gotten a lot worse than viruses.”

With about 350 desktops to support, Bailey’s staff found that spyware had so fouled many PCs that “it took hours just to fix a minor problem, and a lot of times it was so bad we were just doing a de-install/re-install of the whole OS.”

The university opted for Webroot’s Spy Sweeper Enterprise, and Bailey says it’s been a success: “On the desktops we’ve licensed [the product for], we now see no spyware at all.” Bolstering analysts’ description of Webroot as an enterprise-ready product, he points to its management tools as the big differentiator. “I can run reports on individual machines and on individual problem users,” Bailey says. “I can remotely scan a single PC.” Spy Sweeper Enterprise is priced at $18 per seat for a 2,500-seat deployment.

Defense holds the line
According to Gartner’s Leong, tools for both blocking and removing spyware are well on their way to becoming standard fare in any security vendor’s wares. Today, a full defense includes all the staples of business-grade security: host-based intrusion prevention, corporate and personal firewalls, content filtering (to the extent possible in your organization), Web browser security settings of medium or higher, strong patch management, anti-virus software, and now anti-spyware tools.

Although everyone agrees end users need to understand the risks posed by spyware—and thus by freelance downloads—IT managers and analysts, perhaps surprisingly, don’t view desktop lockdowns as a major part of the battle. It appears any sort of content filtering is a hot potato in most organizations, not just universities. “If a supervisor thinks he has a problem [with inappropriate Web surfing] with an individual user, he comes to IT and we can pull their log,” says RPDE’s Craig. “But for the most part, we’re not limiting Internet access.”

Forrester’s Friedlander adopts a similar view: “A fully locked down desktop…may not be feasible for knowledge workers,” he writes. “Thus, most firms should stick with the basics.”

Sidebar: Wares that wear on PCs
Sidebar: Spyware symptoms