Cascading pop-ups. Web page re-directs. Crawling computer speeds. Anyone who’s been online has surely experienced the effects of spyware. A few years ago, organizations were mainly concerned with things like adware and cookies that track a user’s surfing habits. But spyware is becoming increasingly pernicious and sophisticated. Monitoring software, which is sometimes placed directly on computers and at other times is installed via Trojan horse or by automatic Web site download, can log keystrokes or send periodic screen shots back to attackers. Such applications, sometimes combined with “common word” technology, are increasingly stealing users’ financial and other personal information. According to a Kaspersky Lab report, keyloggers surged 500 percent in a recent three-and-a-half-year period.
To fight this ongoing threat, the major antispyware vendors have rolled out products that use heuristics and signatures to identify, then either block or disable spyware, essentially taking a “blacklisting” approach. However, as some IT security professionals discovered, there are other solutions.
In recent years, some software companies have started bucking this blacklisting approach, opting instead for a solution that “whitelists” the applications and executables that can run on workstations. In other cases, medium-sized businesses, which have typically relied on desktop security software and single-point network products, are finding they can afford more comprehensive perimeter solutions. Below, we look at how three organizations with widely differing computing environments took divergent approaches to bringing their spyware under control.
Bottom-up Strategy
In early 2006, the licenses on Symantec antivirus and antispyware solutions were coming up for renewal at First National Bank of Bosque County, Texas. Brent Rickels, vice president in charge of technology at the $86 million institution, wanted a stronger system. The bank was about to move from a mainly dial-up connection to a fully dedicated Internet connection, which would create the potential for spyware to become a more serious problem if not addressed.
Rickels had long questioned the effectiveness of traditional antispyware solutions. Compared to the ever-evolving spyware threat, many of the solutions “are still in their infancy,” he says. He looked at several alternatives, and eventually purchased Sanctuary Application Control from Lumension Security. It’s more secure because it blocks both known and unknown threats by taking a whitelisting approach, he says.
“While many enterprise products are improving their blocking technologies, if there’s a zero-day threat it’s going to slip by,” explains Rickels. Sanctuary’s whitelisting feature removes this concern. “It’s a lot easier to know what you want to run than what you don’t,” he notes.
While this approach might create stronger overall protection, it does take a little extra effort to install and run. With assistance from Sanctuary engineers, building the whitelist took about a day. After installing the software on the server, Rickels scanned a PC he knew was clean. This created a list of permitted programs, he says, which he then sorted into categories that included Windows common files, Microsoft Office programs, and other applications. Individual users were then assigned rights.
The next step was to install the program’s client software on the approximately 45 desktops at the bank’s four locations, which took about three minutes per machine. Each time a desktop computer boots, it receives updates from the server.
Next, all bank hard drives were scanned, which created a more thorough list of programs authorized to be on the bank’s systems. The scan examines each executable, and, using a secure algorithm, calculates a unique digital signature, or hash, for each.
If a hacker tries to alter one of these programs to hide spyware within, the system will detect the change.
Rickels then left the solution in nonblocking mode for several days to get a better sense of all the programs that were running. Whenever one tried to execute on an individual desktop, the central database took note.
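The procedure above (baseline scan of a clean machine, hashing every executable, then an audit-only period before enforcement) can be sketched as a small script. This is an added illustration, not Sanctuary's or the bank's code; the file names, contents and the two-directory layout are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_whitelist(clean_root: Path) -> dict:
    """Baseline scan of a machine known to be clean: one hash per executable."""
    return {p.name: sha256_of(p) for p in Path(clean_root).rglob("*.exe")}

def verdict(exe: Path, whitelist: dict) -> str:
    """'modified' is the case the article describes: a known program whose
    bytes changed, so its hash no longer matches the whitelisted one."""
    expected = whitelist.get(exe.name)
    if expected is None:
        return "unknown"
    return "allowed" if sha256_of(exe) == expected else "modified"

def audit(station_root: Path, whitelist: dict) -> dict:
    """Nonblocking mode: record a verdict for every executable, block nothing."""
    return {p.name: verdict(p, whitelist)
            for p in sorted(Path(station_root).rglob("*.exe"))}

def would_block(log: dict) -> list:
    """What blocking mode would stop, given the audit log."""
    return sorted(name for name, v in log.items() if v != "allowed")

def demo() -> dict:
    """Constructed sample: clean baseline plus a workstation holding one
    untouched program, one tampered program and one never-whitelisted one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, station = Path(tmp, "clean"), Path(tmp, "station")
        clean.mkdir()
        station.mkdir()
        (clean / "calc.exe").write_bytes(b"MZ-calc-original")
        (clean / "word.exe").write_bytes(b"MZ-word-original")
        wl = build_whitelist(clean)
        (station / "calc.exe").write_bytes(b"MZ-calc-original")        # unchanged
        (station / "word.exe").write_bytes(b"MZ-word-original+patch")  # altered
        (station / "game.exe").write_bytes(b"MZ-solitaire")            # unlisted
        return audit(station, wl)
```

Reviewing the audit log before switching to blocking mode is exactly the weekly check described later: an "unknown" entry may be a program an employee legitimately needs, while a "modified" entry deserves investigation.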
To demonstrate to bank employees how Sanctuary works, Rickels blocked Windows games from running. Employees trying to open them received a pop-up explaining that the applications were not allowed. Rickels decided against adding some employee screen savers to the whitelist. Other applications he didn’t include were peer-to-peer and instant messaging programs, which he deemed too great a risk in a financial institution environment. “As a bank, we want to be careful about what’s leaving,” he explains.
Sanctuary also provides an option (which Rickels hasn’t used) to let users authorize their own applications. When users attempt to run a new kind of executable, a dialog box offers the option to deny or accept it. If accepted, it is allowed to launch from then on. Authorization is reported to the administrator.
Recently, Rickels upgraded to Sanctuary 4.0, which has the additional feature of letting organizations set policies on devices, such as USB memory sticks, ZIP drives, personal digital assistants (PDAs), tape drives, secondary hard drives, floppy drives, scanners, and printers. Sanctuary Device Control, also sold as a standalone product, lets the administrator grant access by associating groups or users with specific devices or device classes. The feature also logs the programs installed or uninstalled and files transferred—added or sent to another computer or device. It also permits the setting of encryption policies for individual users and groups. It can either centrally encrypt removable media or enable encryption by users. “Controlling portable media is another way to limit spyware,” says Rickels.
Rickels scans the central database about once a week to look for issues, such as blocked applications that are trying to execute. It could be that an employee needs a new program, he says. While he had to make a few changes in the first few months, “we typically don’t have trouble with it now.”
One ongoing challenge of the product is downloading patches and application upgrades. Normally patches and upgrades from Microsoft can be installed automatically, he says. But the bank needs to scan them and add them to the whitelist before installing them. “That is probably the biggest hassle,” he says. But it takes only about one hour per month.
While Sanctuary blocks executables, it is just one part of the bank’s overall security structure. An antivirus product, run by the institution’s ISP, scans all incoming e-mail. Internet traffic is controlled by a firewall and a separate filtering product is used at the ports. “We block many Web sites,” says Rickels.
Cost. One-year licenses begin at about $45 per seat, with a lower rate for larger numbers of licenses. A year of service is included.
Rickels says the solution is well worth it. It costs less than some of the antispyware and antivirus solutions he looked at. And the bank hasn’t had a single spyware incident since its installation. “As much as it would be nice, there isn’t just one solution that can solve all your security needs,” he says, “but Sanctuary comes pretty close.”